Zendesk supports Secure Assertion Markup Language (SAML) 2.0, which allows you to provide single sign-on (SSO) for your Zendesk using enterprise identity providers such as Active Directory and LDAP. Single sign-on using SAML 2.0 is available to Plus and Enterprise accounts.
Implementing single sign-on via SAML means that the log in process and user authentication are handled entirely outside of your Zendesk. Your users will not directly visit your Zendesk web portal to log in. Instead users log in to the corporate system (authenticated by Active Directory or LDAP for example) and click a link to access Zendesk and are automatically logged in. No need to enter separate login credentials for Zendesk.
You can build a SAML server in-house (using OpenAM, for example) or choose a SAML service such as Okta, OneLogin, and PingIdentity. You'll need to set these up yourself outside of Zendesk. What you enable in Zendesk is the option to use SAML for single sign-on (see Enabling SAML single sign-on in your Zendesk below).
After you've enabled SAML (by building a SAML server yourself or by using one of the SAML services), all user management and authentication is handled outside of your Zendesk. However, changes made outside of your Zendesk are immediately synced back to your Zendesk. For example, if you add or delete a user in your internal Active Directory or LDAP authentication system, that change is synced back through your SAML provider, and the user is added to or deleted from your Zendesk.
The only user data that is stored in Zendesk is the user name and email address. However, you can also choose to sync the following user data: organization, phone, tags, given name, surname, role. You do this with by adding these attributes to your SAML assertion code. See User attributes that can be set in SAML. Zendesk does not store user passwords.
How SAML for Zendesk works
SAML for Zendesk works the way SAML does with all other service providers. The typical use case is that your users belong to a corporation and all user authentication is managed by your corporate authentication system (for example, Active Directory or LDAP), which is referred to generically as an identity provider (IdP). The service provider (SP), in this case of course Zendesk, establishes a trust relationship with IdP and allows that external IdP to authenticate users and then seamlessly log them in to Zendesk. In other words, a user logs in at work and then has automatic access to the many other corporate applications such as email, your CRM, and so on without having to login separately to those services. Aside from the convenience this provides to users, all user authentication is handled internally by a system that you have complete control over.
After you've enabled SAML as the type of single sign-on for your Zendesk, users who visit your Zendesk and attempt to log in are redirected to your SAML server for authentication. Your users' identities can be stored either on the SAML server or can be validated by an identity directory such as Microsoft Active Directory or LDAP. Once authenticated, users are redirected back to your Zendesk and automatically logged in.
Returning visitors are automatically authenticated if their SAML assertions are cached. Assertions are packets of security information that are used to make access-control decisions. When new users access your Zendesk a user profile created in Zendesk; however, since users are authenticated via SAML their Zendesk profiles do not contain a password.
Note: To access your Zendesk account from the Zendesk mobile app or many of the Zendesk integrations, or to do any development work with the Zendesk API or App framework, you will need a Zendesk password. Single sign-on will not work in these cases.
Configuring your SAML implementation
You have a number of options when considering a SAML service, including building a SAML server in-house (for example, OpenAM) or choosing a SAML service such as Okta, OneLogin, and PingIdentity.
To set up SAML in your Zendesk, you'll need the following:
A SAML server with provisioned users or connected to an identity repository such as Microsoft Active Directory or LDAP
The Remote Login URL for your SAML server (sometimes called SAML Single Sign-on URL)
The SHA1 fingerprint of the SAML certificate from your SAML server
After you have your SAML server properly configured, you use the remote login URL and the SHA1 fingerprint to configure SAML within your Zendesk.
Other SAML servers may require additional information
Other SAML servers may ask for the following information when configuring an integration with Zendesk:
With your SAML server configured and the information you need for setting up SAML in Zendesk at hand, log in to your Zendesk as an administrator and follow this procedure.
To enable SAML in your Zendesk
Click the Admin icon () in the sidebar, then select Security from the Settings category.
Zendesk Classic: Select the Setting menu, then select Security.
Select the Admins & Agents or End-users tab. You can enable SAML single sign-on only for end-users, only for agents, or for both groups. You can't enable SAML for one group if the JWT SSO option is enabled for the other group. If you want to use single sign-on for both groups, both must be SAML or both must be JWT.
Zendesk Classic: Next to the SAML option, click Edit, and then select Enabled.
In the SAML SSO URL input, enter the SAML login URL of your SAML server.
The Remote logout URL and IP ranges are both optional, but the Certificate Fingerprint is required for us to communicate with your SAML server.
Note: When you enable single sign-on via SAML (and JWT), be aware that passwords do not expire (even if your Zendesk password policy is set to High) because passwords are not stored in Zendesk. Additionally, if agents manually add a Zendesk password to their account, these passwords will not expire.
Troubleshooting your SAML configuration
If you have difficulty setting up SAML, you may find the following information helpful.