Setting up single sign-on using Active Directory with ADFS and SAML (Professional and Enterprise)

Comments

15 comments

  • Chris Smith

    What if you need to do this setup for multiple organizations? Is there a better way to do this? From these instructions, it looks like you can only have one organization configured through ADFS? Thoughts?

  • Benjamin Evans

    Hi Chris,

    There is a separate document on how to set up custom mappings between LDAP attributes and Zendesk using ADFS - https://support.zendesk.com/hc/en-us/articles/203663896-Mapping-attributes-from-Active-Directory-with-ADFS-and-SAML-Professional-and-Enterprise-. That document covers connecting both a static text field and a group membership.

  • Welly Lee

    Hi Ben,

    With the new changes in SAML SSO requirements (https://support.zendesk.com/hc/en-us/articles/219615248), how do we implement this on ADFS end?

    Thanks.


  • Nick Malone

    Hi Welly,

    If you followed this article, chances are this is already configured correctly. For those that need to change it, I have found that the Endpoints tab of the Relying Party Trust settings window is where you would find any incorrect URLs that might be causing the wrong audience to be set. I will create a ticket for you so we can check your specific subdomain to see if you are already sending in the proper audience.

  • Traci Gilasso

    We have ADFS up and working for Zendesk. Is it possible to use this to sync users one time? We wanted to pre-load our users before we went active with Zendesk.

    I didn't want to have to set up JWT SSO to do this, since we already have ADFS set up and working.

    I tried to search for a document regarding this, but I could not locate one.


  • Nick Malone

    Hi Traci,

    Both SAML (ADFS) and JWT will only sync users on an individual basis when a user logs in. If you want to preload your users, I would suggest either using our Bulk Import feature or our Users API endpoint.

  • Martin Meraner

    Hi,

    If I go the SAML (ADFS) route and do not submit the role as a SAML attribute, will I be able to simply change the role of a user in Zendesk user administration? We currently have Zendesk auth, but plan to switch to ADFS. I wouldn't want to lock myself out (as the default for the SAML role seems to be End-user).

  • Nick Malone

    Hi Martin,

    If you attempt to log in using SAML SSO as a user that already exists we will keep whatever role they currently have set if you do not pass in a role attribute. If it is a new user being created and you don't send a role attribute, we will default to end-user.

  • Martin Meraner

    Hi, thanks for your answer. I have been in contact with support for another issue and would also like to add here as a suggestion that it would be great to have the possibility to add mappings from the AD to custom person fields in Zendesk.

    I currently want to add the department and the job title of our end users, as this is handy when supporting our users. We do not want to have that many organisations in Zendesk to map all the departments, and we use the tags field to assign values manually (so they would be overwritten on ADFS sync at login), so there is no way to add the job title.

  • Dorien “Pango” Takeshi

    Hi there, I've followed the instructions provided to configure Zendesk SSO with my client's ADFS servers, but the issue we're running into is that users, once they've entered their login details, are then forwarded directly to the Sign Out page.

  • Martin Meraner

    Hi, that happened to me if the AD user had no email attribute (and no mailbox accordingly). Reason being that our admin users have no mail account.

    Might be that one can use the UPN instead (which should always be given).


  • Mohammad Zaki

    Hi,

    I'm adding the https:///adfs/ls/?wa=wsignout1.0 URL as my logout URL. But it's not logging me out of the ADFS session. Do you have any idea about this?

  • Alexander Popa

    Hi Mohammad!

    The logout URL should be set using the same subdomain and domain names which are configured for the SSO login address, i.e. https://sso.domain.tld/adfs/ls/?wa=wsignout1.0. I hope this helps!

  • David Warby

    On the step to define the "Relying party trust identifier", the article states "On the next screen, add a Relying party trust identifier of subdomain.zendesk.com, replacing subdomain with your Zendesk subdomain."

    This was not working for me and was generating the following error in my Event Logs for ADFS 2.0.

    "A token request was received for a relying party identified by the key 'https://subdomain.zendesk.com', but the request could not be fulfilled because the key does not identify any known relying party trust.
    Key: https://subdomain.zendesk.com

    This request failed."

    To resolve this I had to add https://subdomain.zendesk.com as a relying party trust identifier.

    You might consider updating the article and screenshot to include this as well.

    -David
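Added example, not from the article or from any of the commenters above: a PowerShell script that configures (or repairs) the Zendesk relying party trust in AD FS with both identifier forms David mentions, the assertion consumer endpoint that appears on the Endpoints tab Nick points to, and claim rules that send the AD mail attribute as the SAML NameID, with a UPN fallback along the lines of Martin's suggestion. It assumes the AD FS PowerShell module (Windows Server 2012 R2 or later), a trust named "Zendesk", a Zendesk subdomain of "example", and that Zendesk's assertion consumer URL is https://example.zendesk.com/access/saml; whether Zendesk accepts a UPN that is not an email address as the NameID is an assumption to test, not something the thread confirms.

```powershell
# Added example (not from the Zendesk article or the commenters): configure the
# Zendesk relying party trust from PowerShell so the points raised in the thread
# (identifier forms, endpoints, NameID source) can be checked and fixed in one place.
# Assumptions: AD FS PowerShell module (Windows Server 2012 R2 or later), trust
# named "Zendesk", Zendesk subdomain "example", ACS URL under /access/saml.
# Run in an elevated PowerShell session on the AD FS server.

Import-Module ADFS

$Subdomain = 'example'
$TrustName = 'Zendesk'
$AcsUrl    = "https://$Subdomain.zendesk.com/access/saml"   # assumed ACS URL

# 1. Identifiers. The article says "subdomain.zendesk.com"; David's event-log error
#    shows AD FS being asked for "https://subdomain.zendesk.com". Register both so
#    the audience in the issued token matches whichever form Zendesk requests.
$Identifiers = @("$Subdomain.zendesk.com", "https://$Subdomain.zendesk.com")

# 2. Assertion consumer endpoint (this is what shows on the Endpoints tab).
$Acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $AcsUrl -Index 0

# 3. Claim rules. Zendesk wants the user's email address as the SAML NameID.
#    The third rule is the fallback Martin suggested (UPN when the AD account has
#    no mail attribute); whether Zendesk accepts it is an assumption, test first.
$Rules = @'
@RuleName = "Mail and UPN from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail,userPrincipalName;{0}", param = c.Value);

@RuleName = "Email as NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");

@RuleName = "UPN as NameID when the account has no mail attribute (assumption)"
NOT EXISTS([Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"])
 && c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
'@

# Permit everyone who authenticates; tighten this to a group if only some users
# should reach Zendesk.
$Authz = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

if (Get-AdfsRelyingPartyTrust -Name $TrustName) {
    Set-AdfsRelyingPartyTrust -TargetName $TrustName -Identifier $Identifiers -SamlEndpoint $Acs -IssuanceTransformRules $Rules
} else {
    Add-AdfsRelyingPartyTrust -Name $TrustName -Identifier $Identifiers -SamlEndpoint $Acs -IssuanceTransformRules $Rules -IssuanceAuthorizationRules $Authz
}

# 4. Check: list the identifiers and endpoints AD FS will accept for this trust.
#    A request whose audience is not in $Trust.Identifier produces exactly the
#    "does not identify any known relying party trust" error David quoted.
$Trust = Get-AdfsRelyingPartyTrust -Name $TrustName
$Trust.Identifier
$Trust.SamlEndpoints | Select-Object Protocol, Binding, Location
```

Running only the last three lines against an existing trust is a quick way to see which audience values and endpoints AD FS currently accepts before opening a ticket about the audience requirement.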

  • Jessie Schutz

    Thanks for the heads-up on this, David! I'll let our docs team know right away.
