Enabling SAML single sign-on

Return to top
Have more questions? Submit a request


  • Joe Beaudoin

    Hi Jorgen!

    Thanks for your reply.

    Zendesk doesn't have a way of "receiving error messages" from SAML, but you could always search for error messages within the console when the redirect occurs. If the customer in question isn't checking their email for the verification update, perhaps it's doubtful that they're checking their console for errors, so I know assuming the individual in question will be able to determine what's happening when they can't successfully login might be an effort in vain.

    With that being said, my suggestion to help out your customers would be to create a help center article that outlines the steps necessary to successfully authenticate in, as well as the kind of scenarios that might arise if/when they forget to (say) verify themselves via email.

    If you're unfamiliar with creating help center content and would like more information on articles, feel free to reference the following:


    Fingers crossed this provides you with a satisfactory workaround!

  • Jørgen Sivesind

    Hi Joe!

    For now, the authentication provider have actually accepted my suggestion as a feature request, that since they do display error messages like "incorrect e-mail / password combination", they should also display the verify your e-mail error message.

    Thanks for your feedback.  It makes the most sense to me, that the authentication provider is responsible here, but since I do not know the details of the spec, I could be wrong, so I needed to check this out a little more in-depth.

  • Jørgen Sivesind

    Hi again, Joe!

    Not sure if this discussion should continue publically, or if I should create a support-ticket, but since we started here, I think it is good to continue here to keep the history.

    Can you explain what ZenDesk does when SAML returns an error instead of an authenticated user?

  • Joe Beaudoin

    Hello again, Jørgen!

    No sweat, I can answer this one here!

    One example of what happens when SAML returns an error is that the user stays on the login page. The script written may do any number of things insofar as a redirect or navigation is concerned, but I think the important detail here is that until SAML successfully identifies and authenticates the user's credentials, Zendesk doesn't really "do" anything; we just keep waiting for the authentication to pass.

    Hopefully that helps! If you want to have a more in depth conversation about this, you can certainly send us a request as a ticket!

  • Jørgen Sivesind

    Thanks, Joe!

    This is exactly what I observe, and I do think the lack of a mechanism to deal with SAML errors is a problem.

    I have submitted a support-ticket with a HAR file and other info.  :)


  • Timothy Rogers

    Hello All, I am having an issue with getting SAML SSO setup. I have the entries in the SSO SAML Security area, but when the SSO login displays and we enter ID and password, with no logout URL, the system keeps trying to login over and over again. If I add a logout URL, the user is sent to the Logout page after they login. I am trying to find out why we are getting the continual loop.

  • Brett - Community Manager
    Zendesk Community Team

    Hey Timothy,

    We'll most likely need to take a look at how you have SAML set up on your account so we can help troubleshoot this issue. I'm going to create a ticket on your behalf and send this over to our Customer Advocacy team so they can assist further. Once you receive the follow-up email stating your ticket has been generated feel free to reply back to that email with any additional information you have.


  • iwb.agents



    I am creating a app and i want only my zendesk user can have access it. so i tried authentication using JWT but it doesnt work for me. Can any one tell me how can i do so.

     I just want to get zendesk session so that when i open zendesk url in next tab i will get zendesk page.


  • Joey

    Hi there-

    To be clear, you want to create a Zendesk app that will appear for only one user, am I correct?

  • Charles Larry

    Regarding this from the article:

    Another supported workflow is giving users access to Zendesk after they sign in to your company's website. When a user signs in to the website using their website credentials, the website sends a request to the identity provider to validate the user. The website then sends the provider's response to the SAML server, which forwards it to your Zendesk account, which grants a session to the user.

    That's what I am interested in doing.  Is there a tutorial that specifies how to implement that within a website?

  • Bryan - Community Manager
    Zendesk Developer Support

    Hi Charles. Single sign-on can get technical, especially with SAML. There's not a tutorial that covers all scenarios, but here are a couple that may help and are a complement to the above article...

    Here's a tutorial on setting up SAML with ADFS: Setting up single sign-on using Active Directory with ADFS and SAML

    There's also this integration walkthrough with Okta that might provide some insights: Setting up SAML single sign-on with Okta 

  • Roberto Delgazo

    If a user is removed from company's system then how long they will be able to access zendesk? Since they are  alre already logged in. Is there a workarround for this?

  • Frank Le

    Hi Zendesk,

    I'm trying to configure SSO SAML with JumpCloud but Zendesk is not provisioning the user therefore cannot log into Zendesk. If I manually create the user in Zendesk and then try to log into Zendesk via JumpCloud SSO, it logs in fine and attaches to the matching existing user. I would like Zendesk to provision the user for us.

  • Joe Beaudoin

    Hi Frank,

    Thanks for your question.

    The user needs to have a role specified in your Identity Provider, and that role needs to be sent to Zendesk in the SAML assertion's attribute statement. That way, when the user attempts to login to Zendesk and kicks off the SAML authentication workflow, the packet of information that gets sent back to Zendesk from your Identity Provider brings with it the necessary information for us to confirm the user and move forward with provisioning/authenticating. Without a role specified, the SAML SSO attempt will result in neither a user provisioning nor a successful login attempt.

    Here's the section of the assertion attribute statement from the very last section of the above article:



    If we receive your SAML assertion with the user's role specified and that role has SAML as the method of authentication set in your Zendesk settings (with the appropriate Identity Provider's details), you should be good to go!

    Let us know if you have any other questions about this!

  • Bryan - Community Manager
    Zendesk Developer Support

    On top of what Joe accurately stated, with JumpCloud, you set these attributes under the Zendesk SAML 2.0 Connector Application that you provisioned. Example:

    On my test account, I also had to include a "brand_id" value for the agent to be successfully provisioned.

    Since it seems like on JumpCloud that these attributes can only be set at the "Application" level (not user level), and since Zendesk Support only allows one SAML provider to be configured for both end users and agents, this may not be an option for you. The workaround, as you found out, is to provision and sync your agents first in Zendesk (maybe in an automated way, using the /api/v2/users.json API) and forego setting these attributes in JumpCloud for automatic agent provisioning.

  • VladN


    Have question about assertion encryption.

    Does Zendesk support it?


    Best Regards


  • Devan - Community Manager
    Zendesk Community Team

    Hello VladN,

    If you are referring to X509 cert not only to we support it, we require it. I hope that helps clear things up and let us know if there is anything else we can assist with. 

    Best regards. 

  • VladN

    Hello Devan - Community Manager


    I asking about SAMLResponce that Zendesk send to IDP. It's encoded as base64 but does Zendesk support encryption data inside response or could it support it?

    I know that it's additional security layer and I need then certificate form Zendesk to decript it but in general is it possible with Zendesk?

  • Nick Malone

    Hello Vlad,

    Unfortunately, Zendesk does not support encrypted SSO payloads for SAML or JWT.

  • Marc Schildt


    i Try to setup SAML with simplesamlphp as IdP.

    i do a IdP initiated login.

    My saml Response got everything i need according to the "Troubleshooting the SAML configuration for Zendesk" part.

    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_096f0c7cd4c251b07dc66b62bda567d4591be86caf" Version="2.0" IssueInstant="2020-01-30T12:25:07Z" Destination="https://mysandbox.zendesk.com/access/saml/">


    <samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> </samlp:Status>


    <saml:Attribute Name="name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> <saml:AttributeValue xsi:type="xs:string">user.name </saml:AttributeValue>

    </saml:Attribute> <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> <saml:AttributeValue xsi:type="xs:string">user.name@mydomain.de </saml:AttributeValue>

    </saml:Attribute> </saml:AttributeStatement>

    After the saml Response i get immediately two LogoutRequests:
    <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="samlr-a947d3f6-435b-11ea-8695-222a27c1143f" IssueInstant="2020-01-30T12:25:55Z" Version="2.0"> <saml:Issuer>mysandbox.zendesk.com</saml:Issuer> <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/> </samlp:LogoutRequest>

    does anyone have an idea?

  • Luis Gutierrez

    When configuring the entity provider, the entity ID indicates it should be https://your_subdomain.zendesk.com

    Does this need to be the default brand?  if we have multiple brands, and a user is trying to log in from one of the brands that is not the default, would it work or do we need to do something else?


  • Gail L
    Zendesk Community Team

    Hi Luis,

    The entity ID will be the original subdomain the account was registered with (which is probably your default brand, but which brand is the default can be updated so I would double-check). The original subdomain is always going to be the entity provider in SAML. For the configuration with multiple brands use RelayState parameters to send different groups of users to the correct brands url. 


Please sign in to leave a comment.

Powered by Zendesk