Single Sign-On has long been a requirement for enterprise deployments of Znuny. Until now, making it work meant configuring an external Apache module — typically mod_auth_mellon or mod_auth_kerb — correctly wiring it to your Identity Provider, and then connecting the result to Znuny's auth pipeline. It worked, but the setup was sometimes fragile, hard to document, and entirely outside Znuny itself.
With Znuny 7.3, that changes. SAML 2.0 authentication is now built directly into the application. No additional web server modules. No Apache-specific configuration. Just Znuny, your Identity Provider, and a working SSO flow — for both agents and customer users.
Why This Matters
The traditional SAML approach in Znuny placed significant responsibility on the system administrator and the web server. Modules like mod_auth_mellon would intercept the request before it reached Znuny, handle the SAML exchange with the IdP, and then inject the authenticated user identity via a header (typically REMOTE_USER). Znuny would then trust that header and proceed.
This approach had several real-world problems:
- It was agent-only. Most third-party SAML modules for Znuny did not support customer user authentication — a major gap for organizations using a unified IdP for both staff and customers.
- It was tightly coupled to Apache. Organizations running Znuny behind nginx, or in containerized environments, had no clean path to SSO.
- Debugging was painful. SAML errors surfaced in Apache logs, not in Znuny logs, making troubleshooting unnecessarily complicated.
- Maintenance was fragile. Module compatibility with Znuny versions had to be managed separately, and community modules were often behind or unmaintained.
What's New in Znuny 7.3
Znuny 7.3 introduces an integrated SAML 2.0 Service Provider implementation. The entire SAML handshake — AuthnRequest generation, assertion consumer endpoint, response validation, and user session creation — is handled within Znuny. The web server remains a transparent proxy.
Support for Both Agents and Customer Users
Both the agent interface (index.pl) and the customer portal (customer.pl) support SAML authentication independently. You can configure a single IdP for both, or use different IdPs per interface — for example, an internal corporate IdP for agents and a consumer identity platform for customers.
No Webserver Authentication Module Needed
Because Znuny now implements the SP logic directly, there is no requirement to install or configure mod_auth_mellon, mod_auth_kerb, or any equivalent module. Your web server configuration stays simple. Apache, nginx, and other reverse proxy setups are all supported without modification.
Configured Inside Znuny
SAML configuration is managed through Znuny's standard configuration system. IdP metadata, attribute mappings, and user provisioning behavior are all defined in a way that integrates naturally with the rest of Znuny's setup — and can be version-controlled alongside your configuration.
Identity Provider Compatibility
The built-in SAML implementation follows the SAML 2.0 standard and is compatible with all major Identity Providers, including:
- Microsoft Entra ID (formerly Azure AD)
- Okta
- Keycloak
- Active Directory Federation Services (ADFS)
- Google Workspace
- Any other SAML 2.0 compliant IdP