
Setting up SAML single sign-on with Okta (Plus and Enterprise)

Eric Shen
posted this on June 13, 2011 16:28

Okta supports single sign-on for Zendesk using SAML (Security Assertion Markup Language). For many of the settings used to configure single sign-on in Okta, you'll find much more detailed information in the Okta user interface. Single sign-on using SAML is available to Plus and Enterprise accounts. For more about SAML support in Zendesk, see Using SAML for single sign-on (Plus and Enterprise).

Note: If you're not on the Plus or Enterprise plans, you can set up enterprise single sign-on using JWT (JSON Web Token) remote authentication. See Setting up single sign-on with JWT (JSON Web Token).

Configuring SAML must be done in both your Okta account and your Zendesk. You start in Okta and get the SAML information you'll need to complete the configuration in your Zendesk.

Configuring SAML in Okta

Log in to Okta as an administrator and then follow the steps below.

To configure SAML for Zendesk in Okta

  1. Select Add Applications from the dashboard.
  2. Click Add Application, then search for and choose "Zendesk". The Add Zendesk wizard will be displayed.
  3. In the first screen (General Settings), add a name for the application and your Zendesk subdomain (for example: if your Zendesk URL is mycompany.zendesk.com, enter mycompany). Click Next.
  4. On the second screen (Sign-On Options), select SAML 2.0. This is where you'll find the SAML SSO URL, the Remote logout URL, and the Certificate fingerprint. You need this information to complete the SAML setup in your Zendesk.
  5. Click the SAML 2.0 setup instructions for Zendesk link. A page will be displayed in a new web browser window.

    These are instructions for configuring SAML in your Zendesk. (See Configuring SAML in Zendesk below for more up-to-date instructions.) For now, copy the SAML SSO URL, the Remote logout URL, and the Certificate fingerprint and then close this window and return to your Okta dashboard.
  6. The next step is User Management, which is optional. If you enable user management, you'll be able to import users from your Zendesk into your Okta account, provision new Zendesk accounts from Okta, and push Okta user profile updates and passwords to Zendesk. You'll find information about these Okta features in your Okta account and documentation.
  7. The final step (People) is also optional and allows you to select who in your Okta account has access to your Zendesk. This is also beyond the scope of this article; you'll find information about these Okta features in your Okta account and documentation.
  8. When you've completed each step, click Next to complete and close the Zendesk configuration in Okta.

Log in to your Zendesk as an administrator and follow the instructions in the next section.

Configuring SAML in Zendesk

With your Zendesk for Okta setup completed and the information you need for setting up SAML in Zendesk at hand, log in to your Zendesk as an administrator and follow the steps below.

To enable SAML in your Zendesk

  1. Click the Admin icon in the sidebar, then select Security from the Settings category.
    Zendesk Classic: Select the Setting menu, then select Security.
  2. Select the Admins & Agents or End-users tab. You can enable SAML single sign-on only for end-users, only for agents and admins, or for all users.
    Zendesk Classic: Select the Single Sign-on tab.
  3. Select the SAML option.
    Zendesk Classic: Next to the SAML option, click Edit, and then select Enabled.
  4. Enter the SAML SSO URL, Remote logout URL, and the Certificate Fingerprint you saved from your Zendesk for Okta configuration settings.

  5. You can optionally add IP ranges if you'd like.
  6. Click Save.
Note: When you enable single sign-on via SAML (and JWT), be aware that passwords do not expire (even if your Zendesk password policy is set to High) because passwords are not stored in Zendesk. Additionally, if agents manually add a Zendesk password to their account, these passwords will not expire.
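
Added example (not part of the original article, and not Zendesk or Okta code): a Python check that the Certificate Fingerprint entered in step 4 really is the digest of the identity provider signing certificate you hold as a PEM file. It assumes the fingerprint is a SHA-1 or SHA-256 hex digest of the certificate's DER bytes (the article does not say which, so the digest is inferred from the length); the function names are illustrative and the sample certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import hmac
import re

# Digest is inferred from the pasted value's length (hex characters).
ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256"}
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def normalize(pasted: str) -> str:
    """Drop colons/whitespace and lowercase so 'AB:CD' equals 'abcd'."""
    hexstr = re.sub(r"[\s:]", "", pasted).lower()
    if len(hexstr) not in ALGO_BY_HEX_LEN or not re.fullmatch(r"[0-9a-f]+", hexstr):
        raise ValueError("expected a SHA-1 or SHA-256 hex fingerprint")
    return hexstr


def cert_fingerprint(pem: str, algo: str) -> str:
    """Hex digest of the DER bytes inside the first PEM certificate block."""
    block = PEM_RE.search(pem)
    if block is None:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(block.group(1).split()), validate=True)
    return hashlib.new(algo, der).hexdigest()


def fingerprint_matches(pem: str, pasted: str) -> bool:
    """True if the pasted fingerprint is the digest of this certificate."""
    want = normalize(pasted)
    got = cert_fingerprint(pem, ALGO_BY_HEX_LEN[len(want)])
    return hmac.compare_digest(got, want)


def with_colons(hexstr: str) -> str:
    """Format a hex digest the way fingerprints are often displayed."""
    return ":".join(hexstr[i:i + 2] for i in range(0, len(hexstr), 2)).upper()


# Constructed placeholder bytes standing in for a certificate's DER encoding.
SAMPLE_DER = bytes(range(64))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    shown = with_colons(hashlib.sha256(SAMPLE_DER).hexdigest())
    print("match:", fingerprint_matches(SAMPLE_PEM, shown))
    print("wrong value:", fingerprint_matches(SAMPLE_PEM, "00:" * 31 + "00"))
```

A mismatch means the value saved in Zendesk does not belong to the certificate you checked, so assertions signed with that certificate would not be accepted.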
 

Comments

Byron Patrick

So I have set up OKTA SSO for Zendesk and it seems like it is almost working, but when I click on Zendesk App or attempt the Zendesk login it keeps bringing me back to the okta App Home page. Am I missing something?

August 13, 2013 11:28
Guillaume Deleeuw
Zendesk

Hi Byron, really sorry for the delay here. I am creating a ticket on your behalf with your email address as the requester so we can troubleshoot this issue further.

September 17, 2013 09:12
Rob Pannoni
irinsideview

We have OKTA working in ZenDesk. We want to use it to give our company employees (light agents) access to agent-only sections of the Help Center. However, OKTA drops them in the agent interface. Locating the Help Center button is not easy because it is not labeled. Is there any way to tell ZenDesk to automatically redirect people to the Help Center page instead of the agent interface?

January 06, 2014 13:10
James Dietrich
Zendesk

@Rob,

In order to drop light agents to a specific URL by default, you'll need to be able to set a Relay State. It looks like Okta does support a Default Relay State in generic SAML 2.0 apps (documentation here), but it's not clear to me whether that functionality is available in the built-in Zendesk connector. If it turns out that the built-in Zendesk connector doesn't allow you to specify a Relay State, you could likely get what you're looking for by setting it up as a SAML 2.0 app.

If you run into trouble or if you have any questions, please let me know and I'll open a ticket for you.

January 18, 2014 07:22