as the title states, my zammad instance is using openid connect for single sign on. the sso service is keycloak. in the new 6.5 update, the zammad team released this sso feature. i believe they had it in the past, but with the implementation of saml, they removed it. i am glad that it came back, as i prefer oidc over saml. i suppose it is ‘easier’ to deploy, so that i do not have to worry about certificates. they have also published the documentation for oidc on their admin docs page.
i am using keycloak, so this is specific to it, but i am sure it can be transferred to any other identity provider. first go into the realm where you want oidc; i created my own realm separate from the master realm. then go to the clients tab and create a new client. the client id can be any string, just make sure to remember it.
the valid redirect uris is set to this value:
https://zammad.domain.com/auth/openid_connect/callback
the valid post logout redirect uris is set to this value:
https://zammad.domain.com/*
web origins is set to this value:
+
the documentation mentions a backchannel logout url, but i did not see where to configure that in keycloak. i ignored it and everything still worked; logouts were redirected back to the base url.
zammad has support for pkce, which prevents authorization code injection. i am not sure exactly what it does, but after a quick read, it is not meant as a replacement for client secrets or any other form of client authentication. i recommend configuring this in keycloak for production/enterprise instances.
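to make the two keycloak-side checks above concrete, here is an added toy model of the authorization code flow with pkce. it is not zammad's or keycloak's code and is not from the post; it only models what an idp verifies: that the redirect_uri in the request matches the client's registered list (exact match, or prefix match when the entry ends in an asterisk, which is a simplified assumption about how keycloak's wildcard works) and that the code_verifier presented at token exchange hashes (sha256, the method zammad supports) to the code_challenge the code was issued against. the client id, urls and tokens are constructed values; the one real test vector is the rfc 7636 appendix b example.

```python
"""Toy model of the authorization-code + PKCE (S256) flow configured in the post.

Added example, not Zammad's or Keycloak's code. Models two IdP-side checks:
redirect_uri matching against the registered list, and the RFC 7636 S256
code-challenge check at token exchange. All ids/urls/tokens are constructed.
"""
import base64
import hashlib
import secrets

# Registered client, mirroring the Keycloak values from the post.
REGISTERED_CLIENT = {
    "client_id": "zammad",  # constructed; any string works, as the post says
    "valid_redirect_uris": ["https://zammad.domain.com/auth/openid_connect/callback"],
    "valid_post_logout_redirect_uris": ["https://zammad.domain.com/*"],
}


def uri_allowed(uri: str, allowed: list[str]) -> bool:
    """Exact match, or prefix match when the registered entry ends in '*'.

    Assumption: a simplified model of Keycloak's trailing-wildcard handling.
    """
    for entry in allowed:
        if entry.endswith("*"):
            if uri.startswith(entry[:-1]):
                return True
        elif uri == entry:
            return True
    return False


def s256_challenge(verifier: str) -> str:
    """BASE64URL(SHA256(ASCII(code_verifier))) without padding (RFC 7636 4.2)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def make_pkce_pair() -> tuple[str, str]:
    """Client side: a fresh random code_verifier and its S256 code_challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    return verifier, s256_challenge(verifier)


class ToyIdp:
    """Minimal IdP state: issued codes bound to their redirect_uri and challenge."""

    def __init__(self, client: dict):
        self.client = client
        self.codes: dict[str, tuple[str, str]] = {}

    def authorize(self, client_id: str, redirect_uri: str,
                  code_challenge: str, method: str = "S256") -> str:
        """Authorization endpoint: validate client and redirect_uri, issue a code."""
        if client_id != self.client["client_id"]:
            raise ValueError("unknown client")
        if not uri_allowed(redirect_uri, self.client["valid_redirect_uris"]):
            raise ValueError("redirect_uri not registered")
        if method != "S256":
            raise ValueError("only S256 is supported")  # as the post notes for Zammad
        code = secrets.token_urlsafe(16)
        self.codes[code] = (redirect_uri, code_challenge)
        return code

    def token(self, code: str, redirect_uri: str, code_verifier: str) -> dict:
        """Token endpoint: a code is single-use and bound to redirect_uri + verifier."""
        entry = self.codes.pop(code, None)  # consumed even if the exchange fails
        if entry is None:
            raise ValueError("unknown or already used code")
        bound_uri, challenge = entry
        if redirect_uri != bound_uri:
            raise ValueError("redirect_uri mismatch")
        if not secrets.compare_digest(s256_challenge(code_verifier), challenge):
            raise ValueError("code_verifier does not match code_challenge")
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}


def happy_path() -> dict:
    """The normal login: same session holds the verifier that made the challenge."""
    idp = ToyIdp(REGISTERED_CLIENT)
    callback = REGISTERED_CLIENT["valid_redirect_uris"][0]
    verifier, challenge = make_pkce_pair()
    code = idp.authorize("zammad", callback, challenge)
    return idp.token(code, callback, verifier)


def foreign_code_is_rejected() -> bool:
    """Why PKCE helps: a code issued for one session's challenge cannot be
    redeemed by a session that holds a different verifier."""
    idp = ToyIdp(REGISTERED_CLIENT)
    callback = REGISTERED_CLIENT["valid_redirect_uris"][0]
    _, victim_challenge = make_pkce_pair()
    code = idp.authorize("zammad", callback, victim_challenge)
    other_verifier, _ = make_pkce_pair()  # a different browser session's verifier
    try:
        idp.token(code, callback, other_verifier)
    except ValueError:
        return True
    return False
```

note that the model binds the code to the redirect_uri as well, which is why the callback entry in keycloak is an exact url while only the post-logout entry carries a wildcard; a looser redirect list widens where a code can be delivered, and pkce does not compensate for that.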
now onto the zammad configuration, which is fairly easy. navigate to settings, then to the security tab. under third-party applications, scroll down to openid connect; it is just above saml. toggle the button to turn it on and fill in the boxes with these:
display name is whatever you want it to show up as on the login page.
identifier is the client id configured in keycloak.
the uid and client scope fields can be left at their defaults unless your organization uses different values, in which case change them here.
pkce depends on your idp configuration; currently sha256 is supported.
the callback url field is greyed out (read-only).
once this is configured and saved, log out, or open the web ui in a private window. click on the sso button and confirm that it redirects to your idp. enter your credentials and log in; it should redirect you back to zammad. logging out will return the user to the base url with a login prompt.
this was one of the things i struggled with: with saml, for whatever reason, i would be redirected to the metadata page instead of the login page. i tried to open a ticket through their community forum, but no one responded. so this is a great win for enterprises, and for me: i get a clean sso login, and the logout redirect works flawlessly.