Using SAML for single sign-on (Professional and Enterprise)

Comments

15 comments

  • Alan Zych

    In particular, for folks who are using a SAML provider to provision user accounts in Zendesk, it would be really nice to call out to admins here that if you do this you also need to ensure that in Zendesk the "Also send a welcome e-mail when a new user is created by an agent or admin" and the "Allow users to change their passwords" checkboxes are both unchecked in the Customers section of the Zendesk admin console.

    You could probably also call this info out on the Customers section of the Zendesk admin console.

    Otherwise every user created by provisioning from a SAML provider will get an e-mail notifying them to verify their e-mail address and create a username and password.

    Speaking from experience this would have been nice to know.

  • Jessie Schutz

    Hey Alan!

    Thanks for bringing that up! You make a good point. I'm going to pass this along to our Documentation team to see if we can make the docs on this more clear.

  • Maxim Mazin

    I've got the same question as Renato Martins [March 24, 2015 14:32]. According to the SAML specification my code responds to a logout request from Zendesk, but then Zendesk just sends me another logout request, provoking a redirect loop.

  • Renato Martins

    Hi Maxim, this might help you if you're using simpleSAMLphp (it's part of the handling of requests; you should be able to find the right place to put it): http://pastebin.com/6eLaF3Rk Good luck!

  • Maxim Mazin

    @Renato, unfortunately I use Java OpenSAML and was hoping that Zendesk had somehow addressed the issue. But anyway it looks like your code will help me to implement my own workaround. Thank you very much! Hopefully Zendesk will fix the issue one day.

  • Sam Michaels

    Hi guys, as James Peterson mentioned above, the only official, supported way to log a user out is by sending them to the access/logout endpoint. As you have noticed, SLO is not officially supported. One possible workaround might be to set your SSO logout URL to your IDP's logout endpoint, which will redirect the user there after ZD logout and the IDP can take it from there (keeping in mind that the IDP should not redirect back to access/logout, or a redirect loop might occur!)

    As for the issue at hand, I highly recommend letting our product team know about your issue and why you would like to see this functionality in the future. You can do this in our product feedback forum: https://support.zendesk.com/hc/en-us/community/topics/200132066-Product-feedback

    Thanks!

    Sam
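The workaround Sam describes (point the SSO logout URL at the IdP's logout endpoint, and make sure the IdP does not send the browser back to access/logout) is easy to get wrong in exactly the way Maxim hit. The following is an added example, not Zendesk's or any IdP's code and not something from this thread: it models both sides of the logout redirect chain, includes a configuration check for a logout URL that points back at Zendesk, and shows the loop a bad IdP return URL produces. Only the Zendesk `/access/logout` path and the "SSO logout URL" setting come from the thread; the `example.zendesk.com` subdomain, the `idp.example.org` URLs and the in-memory session sets are constructed.

```python
"""Model of the Zendesk logout redirect chain discussed in the thread.

Added example, not Zendesk's or any IdP's code.  Only the Zendesk
/access/logout endpoint and the "SSO logout URL" setting come from the
thread; the subdomain, the IdP URLs and the in-memory session sets are
constructed for illustration.
"""
from urllib.parse import urlparse

# Hypothetical Zendesk subdomain; /access/logout is the path named in the thread.
ZENDESK_LOGOUT = "https://example.zendesk.com/access/logout"


class RedirectLoop(Exception):
    """Raised when the simulated browser is sent to a URL it has already visited."""


def points_at_zendesk_logout(url: str) -> bool:
    """Config check: does this URL land on the Zendesk logout endpoint?

    Use it on the IdP's post-logout return URL: if this is True, the chain
    will bounce between Zendesk and the IdP forever.
    """
    want = urlparse(ZENDESK_LOGOUT)
    got = urlparse(url)
    return got.hostname == want.hostname and got.path.rstrip("/") == want.path


class Zendesk:
    """Zendesk side: /access/logout ends the Zendesk session, then 302s to the SSO logout URL."""

    def __init__(self, sso_logout_url: str) -> None:
        self.sso_logout_url = sso_logout_url
        self.sessions = {"alice"}  # constructed session store

    def handle(self, url: str, user: str):
        if points_at_zendesk_logout(url):
            self.sessions.discard(user)
            return self.sso_logout_url  # Location header of the redirect
        return None  # not a Zendesk URL


class Idp:
    """IdP side: its logout endpoint ends the IdP session, then 302s to `after_logout`."""

    def __init__(self, logout_url: str, after_logout: str) -> None:
        self.logout_url = logout_url
        self.after_logout = after_logout
        self.sessions = {"alice"}  # constructed session store

    def handle(self, url: str, user: str):
        if url == self.logout_url:
            self.sessions.discard(user)
            return self.after_logout
        return None


def follow_redirects(start: str, parties, user: str, max_hops: int = 10):
    """Walk the redirect chain; return the visited URLs, raising RedirectLoop on a repeat."""
    visited = [start]
    url = start
    while True:
        nxt = None
        for party in parties:
            nxt = party.handle(url, user)
            if nxt is not None:
                break
        if nxt is None:
            return visited  # a page nobody redirects from: the chain terminates
        if nxt in visited or len(visited) >= max_hops:
            raise RedirectLoop(visited + [nxt])
        visited.append(nxt)
        url = nxt


def simulate(idp_after_logout: str):
    """Return (chain, zendesk_sessions, idp_sessions, looped) for one IdP return-URL setting."""
    idp = Idp("https://idp.example.org/logout", idp_after_logout)
    zd = Zendesk(sso_logout_url=idp.logout_url)  # the workaround from the thread
    try:
        chain = follow_redirects(ZENDESK_LOGOUT, [zd, idp], "alice")
        looped = False
    except RedirectLoop as exc:
        chain, looped = exc.args[0], True
    return chain, zd.sessions, idp.sessions, looped


if __name__ == "__main__":
    print(simulate("https://idp.example.org/logged-out"))  # clean: three hops, both sessions gone
    print(simulate(ZENDESK_LOGOUT))                          # misconfigured: loop detected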

  • Jcwk

    The original post about SAML was written in 2011. I'm hoping for an update. Does ZenDesk support true multilateral federation? This means consuming central federation metadata (such as that provided by one of the many national federations listed here: https://refeds.org/federations/federations-map) and discovery for users where there might be hundreds of Identity Providers to choose from (https://discovery.refeds.org/guide/).

  • Jcwk

    Anyone have success with ZenDesk and multilateral federations like InCommon? Anyone? Bueller?

  • Jessie Schutz

    Hey Jcwk! Sorry we didn't get back to you on this sooner. I'm following up to see what I can find out. :)

  • Alexander Popa

    Hi Jcwk!

    Zendesk does support InCommon Federation Attributes to set user attributes as part of the sign in process; for example, you can set up the ou (organization unit), or the displayName. You can find more details about these attributes on this page - InCommon Federation Attribute Summary.

    Please let us know if this helps!

  • Jcwk

    Alexander, that's great to hear. Before we can get to attribute release, we need to know if the ZenDesk service provider (SP) is able to consume multi-entity SAML metadata. Most international federations produce an aggregate of IdPs and SPs. Here's an example of InCommon's: https://spaces.internet2.edu/display/InCFederation/Metadata+Consumption. Does ZenDesk consume multi-entity SAML metadata and provide a way (like the discovery service linked in my comment above) for more than just 3 or 4 Identity Provider choices? Thanks so far!

  • Alexander Popa

    @Jcwk - Thank you for your additional questions! I have created this ticket #1675584 to further check your specific workflow. Would it be OK to join us in the ticket? Thank you very much!

  • Robert Fernandes

    Question about organization IDs. Based on the documentation, organization/organizations explicitly state that external_id is not supported when syncing users to orgs based on their SAML response. However, it is not clear whether external_id does or does not work with organization_id/organization_ids.

    Obviously what we would most prefer is to join users based on external_id; otherwise, what is the point and purpose of having the external_id on the org in the first place, if we cannot use it to join up users to orgs based on the IDs we know on our side? If external_id is not supported in any SAML field, then we have to make sure we keep and store Zendesk IDs on our side and keep them in sync with our known IDs for the orgs, and this is rather suboptimal, for hopefully obvious reasons.

    Hoping that the answer is that external_id can in fact be referenced in the organization_id field, so we can sync up users to IDs based on our known set of org IDs internally. If not, then we need to scope out how much effort it will take for us to store/sync with Zendesk org IDs as well.

  • Joseph May

    Hi there Robert-

    Thanks for writing in, and please feel free to correct me if I misunderstood. Based on what I am reading, it sounds like the path of least resistance here would be to first create these organizations in Zendesk with your system's external_id values, and then retrieve the organization_id value Zendesk generates for use in a given SAML payload. You outlined it yourself more or less, and I understand the reasoning for looking for a workaround.

    To be 99.99% sure, I tested with some simple cURL calls to be sure there wasn't a way around this (at least that I could find).

    Another item of note is that if the org doesn't exist to begin with, we will scrap that payload attribute, which is more reason to simply create the organizations with no members to begin with. Then, as your users log in, they should be added automatically, or added should you bulk import/update. Which choice is better comes down to what will scale better based on your own needs.

    Lastly, should the value of the external_id in your own system change, it can be updated quite easily. More on that here in our REST API documentation.

  • Robert Fernandes

    Joseph,

    Thanks for the reply, and let me try to clarify slightly...

    As far as Organizations go, sure, assume we have already imported and loaded all our Orgs with external_id values specified; that has already been completed.

    Given that, from what I understand from the documentation, the SAML payload can reference the Org(s) a user belongs to, and that can be specified in either the organization OR the organization_id field.

    Am I correct in assuming that the organization_id field cannot reference the external_id field in order to sync/join up the User to their Organizations? If this is a correct assumption, then yes, we need to do some work on our side. The docs for the organization field explicitly state no external_id, but whether organization_id allows or disallows external_id is not stated.

    If external_id can be used in neither organization nor organization_id, and we always need the name (which is brittle and subject to change) or it has to be the internally assigned Zendesk ID, then yes, we need to do some work to store that / align that somehow. But I'm hoping we can somehow use external_id. If not, so be it, we'll sort it out. Just want to be sure I have my facts straight before we do any potentially unnecessary work.
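Joseph's workaround, and Robert's concern about it, come down to one translation step on the IdP side: the assertion must carry the id Zendesk generated for the organization, not the external_id the IdP knows. The following is an added example, not Zendesk's code and not anything the commenters posted: it assumes the organizations already exist in Zendesk with external_id set and that their Zendesk ids have been fetched once and cached (here a constructed dictionary stands in for that cache), builds the `saml:AttributeStatement` from the cached ids, and refuses to emit anything for an external_id it cannot resolve, because the thread says Zendesk silently scraps the attribute when the organization does not exist, so the IdP is the last place the mistake is visible. The attribute name `organization_id` is the one discussed in the thread; check the article for the exact name and multi-value form Zendesk expects. The `acme-*` identifiers and the numeric ids are constructed sample values.

```python
"""Build and read the organization attribute for a Zendesk SAML assertion.

Added example, not Zendesk's or the commenters' code.  Assumes organizations
already exist in Zendesk with external_id set and that their Zendesk-generated
ids were fetched once through the Organizations API and cached; the cache
below and all sample values are constructed.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)

# Constructed cache: our external_id -> the id Zendesk generated for that organization.
ORG_ID_BY_EXTERNAL_ID = {"acme-eu": 360001, "acme-us": 360002}


def resolve_org_ids(external_ids, mapping=ORG_ID_BY_EXTERNAL_ID):
    """Translate local external_ids into Zendesk organization ids, separating unknowns."""
    resolved, unknown = [], []
    for ext in external_ids:
        if ext in mapping:
            resolved.append(mapping[ext])
        else:
            unknown.append(ext)
    return resolved, unknown


def build_attribute_statement(external_ids, mapping=ORG_ID_BY_EXTERNAL_ID,
                              attr_name="organization_id"):
    """Return <saml:AttributeStatement> XML carrying the resolved Zendesk organization ids.

    Fails loudly on an unknown external_id: the thread says Zendesk drops the
    attribute when the organization does not exist, so emitting a guess would
    only hide the problem until a user lands in no organization.
    """
    resolved, unknown = resolve_org_ids(external_ids, mapping)
    if unknown:
        raise LookupError(f"no Zendesk organization cached for external_id(s): {unknown}")
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=attr_name)
    for org_id in resolved:  # one AttributeValue per organization
        ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = str(org_id)
    return ET.tostring(stmt, encoding="unicode")


def read_org_ids(xml_text, attr_name="organization_id"):
    """SP-side view: pull the integer organization ids back out of the statement."""
    root = ET.fromstring(xml_text)
    ns = {"saml": SAML_NS}
    ids = []
    for attr in root.findall("saml:Attribute", ns):
        if attr.get("Name") == attr_name:
            ids.extend(int(v.text) for v in attr.findall("saml:AttributeValue", ns))
    return ids


if __name__ == "__main__":
    xml_text = build_attribute_statement(["acme-eu", "acme-us"])
    print(xml_text)
    print(read_org_ids(xml_text))
```

Keeping the cache fresh is the part Robert is worried about; since the Zendesk id never changes once the organization exists, the cache only needs to grow when a new organization is created, and the external_id on the Zendesk side can be updated through the REST API without touching this mapping.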

