Enabling SAML single sign-on




Charles Nadeau

Zendesk Documentation Team

Edited Nov 15, 2024



49 comments

Great post, and thank you for sharing; one of the good blogs to read about enabling SAML single sign-on.


Hi,

I am setting up SAML SSO with Azure, and when testing I am getting an error that the identifier is wrong. I have configured it according to the guidelines (https://subdomain.zendesk.com) as indicated in table 6 of the page. Any ideas what might be wrong?

Thanks


Hello Aggelos!

I understand you've chatted with our colleague regarding this issue and were able to resolve it on your own. If you have any tips on what you did to resolve it, we'd love to know!


I had to remove the https part from the URL. Then a little hack to land on the correct page for sign-in: in Azure, use the target of the Sign In button as the sign-on URL.


Thank you for this information!


Can we update the end user's alias via the SSO JWT flow?

It allows for updating any custom field, but since the alias isn't custom, it's almost the only thing the documentation is missing.


I have set up SAML SSO with my IdentityProvider4 and am able to SSO in fine. Is there a way to use my system's GUID to identify a Zendesk user, instead of email?

I see API PUT/POST calls to update/add a User Identity of type email, twitter, etc., but nothing regarding a generic ID.

Possibly external_id, but how can I specify that Zendesk should accept this?



Sergey

Zendesk Customer Care

Hi James,

Users in Zendesk are identified with email by default, and the email attribute is required when we talk about SSO authentication.

external_id will accept any values (numbers and characters) and you can pass this attribute in your SAML assertion payload (see the section above, "Obtaining additional user data"), but it cannot be used as the user's primary identity.


Hello. We are using Okta to sign in to Zendesk. I also wanted to pass 3 fields from the Okta profile onto the Zendesk profile for users (manager, manager email, department), so I made 3 user fields with those names. When setting up in Okta admin, do I need to map manager to manager, or manager to user_field_manager (as per this passage:

user_field_<key> A value for a custom user field in Zendesk Support. See Adding custom fields to users. The <key> is the field key assigned to the custom user field in Zendesk Support. Example: user_field_employee_number where employee_number is the field key in Zendesk. Sending a null value or an empty string in the attribute value will remove any custom field value set in Zendesk Support.)



Sabra

Zendesk Customer Care

Hey Victor! You'll want to map manager to user_field_manager, assuming that manager is the key associated with the user field.


Hi Sabra, so we are doing provisioning from Okta and we are running into a problem. Okta is trying to push Role, Custom Role and Ticket Restriction to Zendesk and it's not passing on (we are getting an error). Is there a way to turn this off (is it needed to edit the SAML assertion for this)?

I wonder if it is possible to arrange a video call with Zendesk and Okta support to help us figure this out?



Cheeny Aban

Zendesk Customer Care

Hi Viktor,

I suggest that you capture a HAR file with a timestamp and initiate a conversation with us so we can further check your SSO setup.


Hi, we need to update our SSO SAML config/cert. Do you know if saving an update to the config will negatively impact anyone currently logged in?

For example, would it kick agents out of the system and force them to re-authenticate?



Charles Gresula

Zendesk Customer Care

Hi Andrew,

As documented here, browsers use cookies (files containing user data) placed in your computer's cache (temporary data storage space) to store website information on your computer, so web pages and components can load quickly. Zendesk uses this ability as well to deliver the best possible performance.

When you update your SSO SAML config/cert, your cache and cookies can become outdated, which may cause issues and unwanted behavior when your browser tries to use older versions. To fix this, you just need to clear your cache and cookies.


Hi,

Does Zendesk support multiple sites from a single federation?

Thanks,

Stefan


Hi,

While setting up SAML SSO with Azure, I am getting the error that the Identifier (Entity ID) in Azure doesn't match the Issuer attribute sent from the application (Zendesk).

Can you please confirm the Issuer attribute Zendesk is sending so I can match it in Azure? The Issuer attribute doesn't appear in the Zendesk console, so I cannot find it.

Thanks.



Dane

Zendesk Engineering

@Tony Kang,

It seems that you have already contacted us through Messaging and the value has already been provided. Please check ticket #10173395 for more information.


We have SAML set up with Azure and are getting the error AADSTS650056. We have the SAML configured as per this guide, but cannot use it to get authenticated?



Cheeny Aban

Zendesk Customer Care

Hi Claire,

Error AADSTS650056 is a misconfigured application, as per this Microsoft documentation. I would suggest that you follow the suggested solution from the said article.


We have followed the guides to enable SSO into Zendesk from our application. We have an additional requirement to allow SSO from another application with a different user store to SSO into Zendesk. Is this currently possible? We may also have a third. Wondering how we can support multiple SSO.



Dane

Zendesk Engineering

Hi Allirah,

It is advisable to use just one SSO for your Zendesk login. However, you can follow the workaround discussed in How can I set up two Zendesk SSO integrations? to have a maximum of 2.


Hello,
1 - Does Zendesk support using the UPN instead of the email address as the unique identifier? Sometimes a user's email address doesn't match their username (UPN), which can make SSO logins confusing for them. We're using Azure AD for SSO.

2 - If it does not support UPN as the unique identifier, when configuring the app in Azure AD, the Name ID defaults to user.userprincipalname (UPN). Should this be changed on the Azure AD side to user.mail instead? Seems like this should default to user.mail in Azure AD if Zendesk is using the email address as the unique identifier.


I have the assertion http://schemas.xmlsoap.org/ws/2005/05/identity/claims/organization: "someCompany" in my SAML, however users are not being added to the organization. What am I doing wrong?

Also, what does "Note that Zendesk only recognizes these additional user attributes if the attribute names outlined in the table below are used in the assertion's attribute statement; if you try to use the full namespace for these attributes, they'll be ignored." mean? What is a full namespace attribute versus a user attribute?
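The two questions above (mapping Okta profile fields to user_field_<key>, and an organization attribute sent under its full WS-Fed claim URI that Zendesk does not pick up) come down to the same rule: Zendesk matches attributes in the assertion's AttributeStatement by their plain names, and the NameID must be an email address. The following is an added example, not code from the comments or from Zendesk: it parses a SAML 2.0 assertion with the Python standard library and sorts each attribute into what this page says Zendesk will use and what it will ignore. The sample assertion is constructed for the demo, the email check is a simple shape test (an assumption, not Zendesk's validation), and the set of plain names is taken only from those mentioned on this page (external_id, organization, role, custom_role_id, and the user_field_ prefix).

```python
"""Check a SAML 2.0 assertion against the attribute-naming rules discussed on this page.

Added example, not Zendesk's code. Assumptions: standard SAML 2.0 Assertion
namespace and layout; the recognized plain names are the ones this page
names; the email pattern is a simple shape check, not Zendesk's own validator.
"""
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Plain attribute names this page says Zendesk reads from the AttributeStatement.
KNOWN_PLAIN = {"external_id", "organization", "role", "custom_role_id"}
USER_FIELD_PREFIX = "user_field_"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample assertion (not a captured one). The organization attribute
# deliberately uses the full WS-Fed claim URI, which this page says is ignored;
# the others use plain names, one of which is an unknown name and one of which
# carries an empty value (which clears the custom field in Zendesk).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_demo" Version="2.0" IssueInstant="2024-11-15T00:00:00Z">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.test</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/organization">
      <saml:AttributeValue>someCompany</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="external_id">
      <saml:AttributeValue>3f2a-guid-0001</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="user_field_manager">
      <saml:AttributeValue>Alex Admin</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="user_field_department">
      <saml:AttributeValue></saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="manager_email">
      <saml:AttributeValue>alex@example.test</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (name_id, [(attribute_name, [values])]) from a SAML 2.0 assertion."""
    root = ET.fromstring(xml_text)
    name_id_el = root.find("./saml:Subject/saml:NameID", SAML_NS)
    name_id = (name_id_el.text or "").strip() if name_id_el is not None else ""
    attrs = []
    for attr in root.findall("./saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "") for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs.append((attr.get("Name", ""), values))
    return name_id, attrs


def classify(xml_text):
    """Sort the assertion's attributes into what this page says Zendesk will and will not use."""
    name_id, attrs = parse_assertion(xml_text)
    report = {
        "name_id": name_id,
        "name_id_is_email": bool(EMAIL_RE.match(name_id)),  # email is the required identifier
        "recognized": {},   # plain name -> value
        "user_fields": {},  # custom field key -> value; None means the field will be cleared
        "ignored": [],      # namespaced or unknown names that will not be mapped
    }
    for name, values in attrs:
        value = values[0] if values else ""
        if name.startswith(USER_FIELD_PREFIX) and len(name) > len(USER_FIELD_PREFIX):
            key = name[len(USER_FIELD_PREFIX):]
            # A null or empty string removes any value set on the custom field.
            report["user_fields"][key] = value if value != "" else None
        elif name in KNOWN_PLAIN:
            report["recognized"][name] = value
        else:
            # Full URIs such as the WS-Fed claim namespace are not matched by plain name.
            report["ignored"].append(name)
    return report


if __name__ == "__main__":
    r = classify(SAMPLE_ASSERTION)
    print("NameID is an email address:", r["name_id_is_email"])
    print("Recognized:", r["recognized"])
    print("Custom user fields:", r["user_fields"])
    print("Ignored (send the plain attribute name instead):", r["ignored"])
```

Run against the sample, the organization claim lands in the ignored list because it was sent as the full claim URI rather than as `organization`, which is the fix for the first question; `user_field_department` with an empty value shows up as None, i.e. the assertion will clear that field rather than leave it untouched.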


I have found this statement to be incorrect under #3 of the heading "Assigning SAML SSO to users".

Please confirm and update the documentation.

"For end users, selecting the SSO option automatically deselects the Zendesk Authentication option if enabled."

This is incorrect. I have enabled SSO for end users in my Sandbox, and Zendesk Auth remains checked (it does not auto-disable). I have also confirmed I'm able to log into Zendesk as a regular end user with SSO (primary) and with Zendesk Auth by going to the backdoor URL https://domain.zendesk.com/access/normal.

SSO is the primary method, since when going to our Zendesk URL and clicking "Sign In" it auto-redirects to SSO (we use Azure AD). So basically, "Sign In" no longer provides a pop-up for the user to log in, whether it's a regular user or an agent. But Zendesk auth is still enabled and can be logged into if the end user (or agent) knows the backdoor URL.



Kristie Sweeney

Zendesk Documentation Team

Hi Carmelo LoPresti -

Thank you for reporting the issue with the documentation. Our team is investigating.



Are we able to delete a SSO configuration? I am not seeing that option. It's not assigned to any users making it inactive, but there is no option to delete.




Barkha Bhatia

Zendesk Product Manager

Sam Larson,

We currently don't allow deletion of SSO configurations; we want to allow that in the future, combined with logs and a restoration feature to deal with accidental deletes.


As others have already discovered and commented here, Zendesk's requirement that the identity provider use an email address to uniquely identify its users in the SAML subject's NameID element is problematic and a source of much frustration.

This requirement is bad practice because, as an identity consumer, it's not Zendesk's role to determine the type or format of the user identifier. This decision actually belongs to the identity provider, and Zendesk should be flexible enough to accept/use whatever type of unique identifier the IdP chooses to use. (For example, they may prefer to use some other type of unique identifier such as a GUID so that a user's account can persist if they ever change email addresses. Under your requirements a user must unnecessarily create a new account if they change email addresses.)

A better approach would be if Zendesk required that an email address be provided as one of the user properties, but it shouldn't expect that the email address will be used as the IdP's unique identifier.


Hi Richard, for the best visibility to our product team, and to allow others to upvote and add their own comments on this idea, can you create a post in our Feedback - Ticketing System (Support) product feedback forum, using this template to format your feedback?



Has anybody managed to get this setup using Azure AD to create agents with a custom role?
We have added mappings for role (set to 'agent') and custom_role_id (set to the id of the custom role to assign) but users are always created as end-user rather than as agent.

Any ideas?
Thanks


