Enabling SAML single sign-on (Professional and Enterprise)

35 comments

  • Alan Zych

    In particular, for folks who are using a SAML provider to provision user accounts in Zendesk, it would be really nice to call out to admins here that if you do this you also need to ensure that in Zendesk the "Also send a welcome e-mail when a new user is created by an agent or admin" and the "Allow users to change their passwords" checkboxes are both unchecked in the Customers section of the Zendesk admin console.

    You could probably also call this info out on the Customers section of the Zendesk admin console.

    Otherwise every user created by provisioning from a SAML provider will get an e-mail notifying them to verify their e-mail address and create a username and password.

    Speaking from experience, this would have been nice to know.

  • Jessie - Community Manager

    Hey Alan!

    Thanks for bringing that up! You make a good point. I'm going to pass this along to our Documentation team to see if we can make the docs on this more clear.

  • Maxim Mazin

    I've got the same question as Renato Martins [March 24, 2015 14:32]. According to the SAML specification my code responds to a logout request from Zendesk, but then Zendesk just sends me another logout request, provoking a redirect loop.

  • Renato Martins

    Hi Maxim, this might help you if you're using simpleSAMLphp (it's part of the handling of requests; you should be able to find the right place to put it): http://pastebin.com/6eLaF3Rk Good luck!

  • Maxim Mazin

    @Renato, unfortunately I use Java OpenSAML and was hoping that Zendesk had somehow addressed the issue. But anyway it looks like your code will help me implement my own workaround. Thank you very much! Hopefully Zendesk will fix the issue one day.
  • Sam Michaels

    Hi guys, as James Peterson mentioned above, the only official, supported way to log a user out is by sending them to the access/logout endpoint. As you have noticed, SLO is not officially supported. One possible workaround might be to set your SSO logout URL to your IDP's logout endpoint, which will redirect the user there after ZD logout and the IDP can take it from there (keeping in mind that the IDP should not redirect back to access/logout, or a redirect loop might occur!)

    As for the issue at hand, I highly recommend letting our product team know about your issue and why you would like to see this functionality in the future. You can do this in our product feedback forum: https://support.zendesk.com/hc/en-us/community/topics/200132066-Product-feedback

    Thanks!

    Sam

  • Jcwk

    The original post about SAML was written in 2011. I'm hoping for an update. Does Zendesk support true multilateral federation? This means consuming central federation metadata (such as that provided by one of the many national federations here: https://refeds.org/federations/federations-map) and discovery for users where there might be hundreds of Identity Providers to choose from (https://discovery.refeds.org/guide/).

  • Jcwk

    Anyone have success with ZenDesk and multilateral federations like InCommon? Anyone? Bueller?

  • Jessie - Community Manager

    Hey Jcwk! Sorry we didn't get back to you on this sooner. I'm following up to see what I can find out. :)

  • Alexander Popa

    Hi Jcwk!

    Zendesk does support InCommon Federation Attributes to set user attributes as part of the sign in process; for example, you can set up the ou (organization unit), or the displayName. You can find more details about these attributes on this page - InCommon Federation Attribute Summary.

    Please let us know if this helps!

  • Jcwk

    Alexander, that's great to hear. Before we can get to attribute release, we need to know if the Zendesk service provider (SP) is able to consume multi-entity SAML metadata. Most international federations produce an aggregate of IdPs and SPs. Here's an example of InCommon's: https://spaces.internet2.edu/display/InCFederation/Metadata+Consumption . Does Zendesk consume multi-entity SAML metadata and provide a way (like the discovery service linked to in my comment above) for more than just 3 or 4 Identity Provider choices? Thanks so far!

  • Alexander Popa

    @Jcwk - Thank you for your additional questions! I have created this ticket #1675584 to further check your specific workflow. Would it be OK to join us in the ticket? Thank you very much!

  • Robert Fernandes

    Question about organization IDs. Based on the documentation, organization/organizations explicitly states that external_id is not supported when syncing users to orgs based on their SAML response. However, it is not clear whether external_id does or does not work with organization_id/organization_ids.

    Obviously what we would most prefer is to join users based on external_id; otherwise, what is the point and purpose of having the external_id on the org in the first place, if we cannot use it to join up users to orgs based on the IDs we know on our side? If external_id is not supported in any SAML field, then we have to make sure we keep and store Zendesk IDs on our side and keep them in sync with our known IDs for the orgs, and this is rather suboptimal, for hopefully obvious reasons.

    Hoping that the answer is that external_id can in fact be referenced in the organization_id field, so we can sync up users to orgs based on our known set of org IDs internally. If not, then we need to scope out how much effort it will take for us to store/sync Zendesk org IDs as well.

  • Joseph May

    Hi there Robert-

    Thanks for writing in, and please feel free to correct me if I misunderstood. Based on what I am reading, it sounds like the path of least resistance here would be to first create these organizations in Zendesk with your system's external_id values, and then retrieve the organization_id value Zendesk generates for use in a given SAML payload. You outlined it yourself more or less, and I understand the reasoning for looking for a workaround.

    To be 99.99% sure, I tested with some simple cURL calls to be sure there wasn't a way around this (at least not one that I could find).

    Another item of note is that if the org doesn't exist to begin with, we will scrap that payload attribute; all the more reason to simply create the organizations with no members to begin with. Then, as your users log in, they should be added automatically, or added should you bulk import/update. Which you choose comes down to what will scale better based on your own needs.

    Lastly, should the value of the external_ID in your own system change, it can be updated quite easily. More on that here in our REST API documentation.

  • Robert Fernandes

    Joseph,

    Thanks for the reply, and let me try to clarify slightly...

    As far as Organizations go, sure, assume we have already imported and loaded all our Orgs with external_id values specified; that has already been completed.

    Given that, from what I understand of the documentation, the SAML payload can reference the Org(s) a user belongs to, and that can be specified in either the organization OR the organization_id field.

    Am I correct in assuming that the organization_id field cannot reference the external_id field in order to sync/join up the User to their Organizations? If this is a correct assumption, then yes, we need to do some work on our side... The docs for the organization field explicitly state no external_id, but whether organization_id disallows or allows external_id is not stated.

    If external_id can be used in neither organization nor organization_id, and we always need the name (which is brittle and subject to change) or it has to be the internally assigned Zendesk ID... then yes, we need to do some work to store that / align that somehow. But hoping we can somehow use external_id. If not, so be it, we'll sort it out. Just want to be sure I have my facts straight before we do any potentially unnecessary work.

  • Jarkko Selkäinaho

    In "Zendesk expects a SAML assertion that looks like this", the example SAML seems to be broken at the moment. The samlp:StatusCode is the last element shown, samlp:Status is not closed and there is no Assertion at all.

    Could you fix / update this SAML snippet, please?

  • Alexander Popa

    Hey Jarkko - good eye! I'm going to ask our Documentation team to update the snippet. Thank you so much for noticing it.

  • tim

    Hi, I believe the example SAML assertion/response is incomplete or inaccurate. There is no <samlp:Assertion> element included in the example, which doesn't seem right. Hoping to get an update to clarify what a real SAML response should look like? In addition, are there any required attribute claims?

  • Alexander Popa

    Hi Tim! I've created the following ticket: #3104525 to check this further for you. Please join me in that ticket. Thank you!

  • Kartik Subramanian

    Hi there! Thanks for the elaborate tutorial on setting this up. I've been receiving an error when trying to use Okta as my IdP. I see that I'm logged out as soon as I provide my details on the Okta Login Page and click on Login. I tried debugging the request with OneLogin's SAML Developer Tools, but it tells me that the Issuer param in Zendesk's SAML Request is Invalid.

    Can someone please guide me as to where I am going wrong?

  • Jessie - Community Manager

    Welcome to the Community, Kartik! I'm sorry for the delayed response here!

    I'm going to see if I can find somebody to answer this for you, since I'm not very well versed in SAML. Stand by!

  • Fred Thomas

    @Kartik,

    The issue you raised here would be best investigated via a support ticket. I have created a support ticket so that we may collect a few more details from you, most of which are quite sensitive in nature that we would certainly not want to post here.

    I look forward to joining you in your support ticket!

  • Paul Moran

    I tried to use organization_id to associate a user with an organization. It didn't work, but using organization_ids does work.

  • Shlomi Cohen

    First, I want to join Robert's comment about external_ids: this feature looks quite mandatory when provisioning users through a SAML assertion, which I believe most customers will want.

    Second, I want to join the others' comments about the SAML response example.

    There are fields in the example which do not exist in the table, e.g. givenName and surName.

    Also, I have tried to set the role and custom_role_id, and got redirected to the login page.

    And last, about the redirect loop: we also suffer from this, and I think that Zendesk should not add SAMLRequest to the redirection, because this is what causes the whole loop.

    Shlomi

  • Saurabh Saxena

    Thanks to Shlomi. In fact I have struggled with this external id (how to pass it, where to pass it, etc.); now finally SSO is done after figuring it out from https://d16cvnquvjw7pr.cloudfront.net/resources/documentation/Zendesk_Admin_Guide.pdf by setting the attribute <saml2:Attribute Name="external_id"><saml2:AttributeValue>your unique identifier (typically GUID)</saml2:AttributeValue></saml2:Attribute>.

    But I was figuring out the logout, and it seems Zendesk supports rich SAML logout, which I need to implement. Can you please let me know whether logout is SP-initiated or IdP-initiated?

    If it is SP-initiated, then why am I getting a 404 when clicking my MVC app link zendesk/logout (and this link expects a POST parameter)?

    If it is IdP-initiated, then how will I sign the logout request to POST to this URL, because my customer is using Zendesk and does not share a certificate for signing?

    Any help would be greatly appreciated.
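Several comments above describe the same checks an SP-side engineer ends up doing by hand: whether the example Response is well-formed (Jarkko and tim noted the unclosed Status and missing Assertion), and whether the attributes Zendesk reads, external_id (Saurabh's attribute) and organization_ids (Paul found the plural works), are actually present. The following checker is an added example, not code from the article or from Zendesk; the sample XML is constructed here, and a real SP would verify the XML signature before trusting any of these values.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces (from the OASIS spec), mapped to the usual prefixes.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def inspect_response(xml_text):
    """Return findings for a SAML Response: well-formedness, success status,
    presence of an Assertion, and the attribute map carried in it.
    Signature verification is deliberately out of scope here."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:           # e.g. <samlp:Status> never closed
        return {"well_formed": False, "error": str(exc)}
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    assertion = root.find("saml:Assertion", NS)
    attrs = {}
    if assertion is not None:
        for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
            attrs[a.get("Name")] = [v.text for v in a.findall("saml:AttributeValue", NS)]
    return {
        "well_formed": True,
        "success": status is not None and status.get("Value") == SUCCESS,
        "has_assertion": assertion is not None,
        "attributes": attrs,
        # A commenter found the singular name did not associate the user; flag it.
        "uses_singular_org_id": "organization_id" in attrs,
    }

# Constructed sample: complete Response with the attributes discussed in the thread.
GOOD = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="external_id"><saml:AttributeValue>GUID-0001</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="organization_ids"><saml:AttributeValue>123</saml:AttributeValue>
        <saml:AttributeValue>456</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample truncated like the doc snippet: StatusCode is the last element.
BROKEN = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>"""
```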

  • Saurabh Saxena

    Sam Michaels, thanks for the logout implementation hint. But when we are hitting our SAML provider (who is using the Zendesk enterprise setup) we are getting "The requested resource could not be found."

    Can you help me with how to properly call the logout link?

    We are able to do SSO but SLO is being tricky. The SSO is happening IdP-initiated, sending the SAML response to the Zendesk ACS (HttpPost) link with external_id. The logout is also an HttpPost link, but whatever is sent (LogoutRequest signed, unsigned, external_id order in attribute, etc.) it always says 404.

    Any help / guidance would be very helpful.

  • Mathieu Nicolaizeau

    Hi Saurabh! I've created the support ticket #3774586 to check this with you. Please join me in that ticket. Thank you!

  • Jørgen Sivesind

    Hi all!

    So, when everything goes well, there is a SAML assertion returned to Zendesk, but what happens if there is an error that the authentication provider can't deal with? Is there such a thing as a SAML Error / Exception?

    We are having this situation: Users sign up and get a verification e-mail, but not all check their mail and try to sign in before having verified their user.

    When they do this, there is an error message from the authentication provider saying:

    Please verify your email before logging in.

    This is not presented to the user (like a "wrong e-mail or password" message is); instead, the session is redirected to Zendesk, with the error in the URL. Then, as soon as Zendesk sees that the user is not logged in, the session is again redirected to the authentication provider, which presents the user with the regular login screen, without further notice of the error. So the error message is never presented to the user. According to the authentication provider, this is how the OAuth 2.0 specification, sections 1.7 and 5.2, requires it to be.

    Is this correct? Does Zendesk have a way of displaying error messages from SAML? Should it?

  • Joe Beaudoin

    Hi Jorgen!

    Thanks for your post!

    It sounds like most of the issues in the flow are outside of Zendesk, as the authentication process is determined by the SAML provider. As such, it makes it relatively difficult to confirm or deny the normalcy of the behavior in question.

    My suggestion is to create a ticket with a HAR file of the flow so we can see timestamps and errors in the order they occur with the navigation steps in order:

    https://support.zendesk.com/hc/en-us/articles/204410413-Generating-a-HAR-file-for-troubleshooting

    This would at least provide us with a starting point to troubleshoot further.

    Hopefully this proves helpful!

  • Jørgen Sivesind

    Hi Joe!

    Thanks for your feedback. I probably gave too much information in my message, but what I really wanted to know was this: does Zendesk have a way of receiving error messages from SAML and displaying them?

    (The authentication provider is saying that the OAuth 2.0 spec is requiring errors to be handled by redirects, back to the app, with the error message.  However, this seems a little strange, as there are other error messages that are treated by the authentication provider, so I am trying to understand what the spec says, and what the possibilities are, so I can direct my support-ticket to the right place.)

    Kind regards,

    Jørgen
