Using SAML for single sign-on (Professional and Enterprise)

Comments

12 comments

  • Alan Zych

    In particular, for folks who are using a SAML provider to provision user accounts in Zendesk, it would be really nice to call out to admins here that if you do this you also need to ensure that in Zendesk the "Also send a welcome e-mail when a new user is created by an agent or admin" and the "Allow users to change their passwords" checkboxes are both unchecked in the Customers section of the Zendesk admin console.

    You could probably also call this info out on the Customers section of the Zendesk admin console.

    Otherwise every user created by provisioning from a SAML provider will get an e-mail notifying them to verify their e-mail address and create a username and password.

    Speaking from experience, this would have been nice to know.

  • Jessie Schutz

    Hey Alan!

    Thanks for bringing that up! You make a good point. I'm going to pass this along to our Documentation team to see if we can make the docs on this more clear.

  • Maxim Mazin

    I've got the same question as Renato Martins [March 24, 2015 14:32]. According to the SAML specification my code sends on a logout request from Zendesk, but then Zendesk just sends me another logout request, provoking a redirect loop.

  • Renato Martins

    Hi Maxim, this might help you if you're using simpleSAMLphp (it's part of the handling of requests; you should be able to find the right place to put it): http://pastebin.com/6eLaF3Rk Good luck!

  • Maxim Mazin

    @Renato, unfortunately I use Java OpenSAML and was hoping that Zendesk has somehow addressed the issue. But anyway it looks like your code will help me to implement my own workaround. Thank you very much! Hopefully Zendesk will fix the issue one day.

  • Sam Michaels

    Hi guys, as James Peterson mentioned above, the only official, supported way to log a user out is by sending them to the access/logout endpoint. As you have noticed, SLO is not officially supported. One possible workaround might be to set your SSO logout URL to your IDP's logout endpoint, which will redirect the user there after ZD logout and the IDP can take it from there (keeping in mind that the IDP should not redirect back to access/logout, or a redirect loop might occur!)

    As for the issue at hand, I highly recommend letting our product team know about your issue and why you would like to see this functionality in the future. You can do this in our product feedback forum: https://support.zendesk.com/hc/en-us/community/topics/200132066-Product-feedback

    Thanks!

    Sam
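
    As an added example (not code from this thread, from Zendesk, or from any commenter), the following Python script checks a logout redirect chain for the loop Sam warns about, where the IdP logout endpoint sends the browser back to access/logout. The URLs, the offline redirect tables and the `http_fetcher` helper are constructed assumptions.

```python
"""Offline check of a single-sign-out redirect chain for loops (added example:
models the workaround above, where access/logout redirects to the IdP's logout
endpoint, which must NOT redirect back). All URLs are constructed placeholders."""
from typing import Callable, Dict, List, Optional, Tuple
import urllib.error
import urllib.request

ZENDESK_LOGOUT = "https://example.zendesk.com/access/logout"  # placeholder subdomain
IDP_LOGOUT = "https://idp.example.org/saml/logout"           # hypothetical IdP endpoint
LANDING = "https://www.example.org/signed-out"               # hypothetical final page

# A fetcher maps a URL to the Location it redirects to, or None for a final page.
Fetcher = Callable[[str], Optional[str]]

def follow_logout_chain(start: str, fetch: Fetcher, max_hops: int = 10) -> Tuple[List[str], str]:
    """Follow redirects from `start`; return (urls visited, verdict), where the
    verdict is 'ok' (chain ends), 'loop' (a URL repeats) or 'too_long'."""
    visited, seen, url = [start], {start}, start
    for _ in range(max_hops):
        nxt = fetch(url)
        if nxt is None:
            return visited, "ok"
        visited.append(nxt)
        if nxt in seen:  # the redirect loop the comment warns about
            return visited, "loop"
        seen.add(nxt)
        url = nxt
    return visited, "too_long"

def make_fetcher(redirects: Dict[str, str]) -> Fetcher:
    """Build an offline fetcher from a constructed redirect table."""
    return lambda url: redirects.get(url)

def http_fetcher(url: str) -> Optional[str]:
    """Live fetcher: one request, redirects disabled; returns the Location header."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # make urlopen raise HTTPError on 3xx instead of following
    try:
        urllib.request.build_opener(NoRedirect).open(url, timeout=10)
        return None
    except urllib.error.HTTPError as err:
        return err.headers.get("Location") if 300 <= err.code < 400 else None

# Correct workaround: Zendesk -> IdP logout -> landing page.
GOOD_CHAIN = {ZENDESK_LOGOUT: IDP_LOGOUT, IDP_LOGOUT: LANDING}
# Misconfiguration: the IdP sends the browser back to access/logout.
LOOPING_CHAIN = {ZENDESK_LOGOUT: IDP_LOGOUT, IDP_LOGOUT: ZENDESK_LOGOUT}
```

    Run `follow_logout_chain(ZENDESK_LOGOUT, make_fetcher(LOOPING_CHAIN))` to see the verdict `loop`; pass `http_fetcher` instead of an offline table to check a real deployment (relative Location headers would need resolving with `urllib.parse.urljoin`).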

  • Jcwk

    The original post about SAML was written in 2011. I'm hoping for an update. Does ZenDesk support true multilateral federation? This means consuming central federation metadata (such as that provided by one of the many national federations listed here: https://refeds.org/federations/federations-map) and discovery for users where there might be hundreds of Identity Providers to choose from (https://discovery.refeds.org/guide/).

  • Jcwk

    Anyone have success with ZenDesk and multilateral federations like InCommon? Anyone? Bueller?

  • Jessie Schutz

    Hey Jcwk! Sorry we didn't get back to you on this sooner. I'm following up to see what I can find out. :)

  • Alexander Popa

    Hi Jcwk!

    Zendesk does support InCommon Federation Attributes to set user attributes as part of the sign in process; for example, you can set up the ou (organization unit), or the displayName. You can find more details about these attributes on this page - InCommon Federation Attribute Summary.

    Please let us know if this helps!

  • Jcwk

    Alexander, that's great to hear. Before we can get to attribute release, we need to know if the ZenDesk service provider (SP) is able to consume multi-entity SAML metadata. Most international federations produce an aggregate of IdPs and SPs. Here's an example of InCommon's: https://spaces.internet2.edu/display/InCFederation/Metadata+Consumption. Does ZenDesk consume multi-entity SAML metadata and provide a way (like the discovery service linked to in my comment above) for more than just 3 or 4 Identity Provider choices? Thanks so far!

  • Alexander Popa

    @Jcwk - Thank you for your additional questions! I have created this ticket #1675584 to further check your specific workflow. Would it be OK to join us in the ticket? Thank you very much!
