Zendesk supports single sign-on (SSO) logins through SAML 2.0. A SAML 2.0 identity provider (IdP) can take many forms, one of which is a self-hosted Active Directory Federation Services (ADFS) server. ADFS is a standard Windows Server role from Microsoft that provides a web login using existing Active Directory credentials.
Requirements
To use ADFS to log in to your Zendesk instance, you need the following components:
- An Active Directory instance where all users have an email address attribute.
- A Zendesk instance.
- A server running Windows Server 2012 or 2008. This guide uses screenshots from Server 2012 R2, but similar steps should be possible on other versions.
- An SSL/TLS certificate for your ADFS login page. Note that this is not the certificate Zendesk needs a fingerprint for: Zendesk needs the fingerprint of the ADFS token-signing certificate, which you'll retrieve in Step 4.
- If you're using host mapping in your Zendesk instance, an installed certificate for hosted SSL.
After you meet these basic requirements, you need to install ADFS on your server. Configuring and installing ADFS is beyond the scope of this guide, but is detailed in a Microsoft KB article.
When you have a fully installed ADFS installation, note down the value for the 'SAML 2.0/WS-Federation' URL in the ADFS Endpoints section. If you chose the defaults for the installation, this will be '/adfs/ls/'.
Step 1 - Adding a Relying Party Trust
At this point you should be ready to set up the ADFS connection with your Zendesk account. The connection between ADFS and Zendesk is defined using a Relying Party Trust (RPT).
Select the Relying Party Trusts folder from AD FS Management, and add a new Standard Relying Party Trust from the Actions sidebar. This starts the configuration wizard for a new trust.
- In the Select Data Source screen, select the last option, Enter Data About the Party Manually.
- On the next screen, enter a Display name that you'll recognize in the future, and any notes you want to make.
- On the next screen, select the AD FS profile radio button.
- On the next screen, leave the certificate settings at their defaults.
- On the next screen, check the box labeled Enable Support for the SAML 2.0 WebSSO protocol. The service URL will be https://subdomain.zendesk.com/access/saml, replacing subdomain with your Zendesk subdomain. Note that there's no trailing slash at the end of the URL.
- On the next screen, add a Relying party trust identifier of subdomain.zendesk.com, replacing subdomain with your Zendesk subdomain.
Note: If you enter subdomain.zendesk.com, and receive a request failure error, you may need to enter your subdomain as https://subdomain.zendesk.com.
- On the next screen, you may configure multi-factor authentication but this is beyond the scope of this guide.
- On the next screen, select the Permit all users to access this relying party radio button.
- On the next two screens, the wizard will display an overview of your settings. On the final screen use the Close button to exit and open the Claim Rules editor.
Step 2 - Creating claim rules
Once the relying party trust has been created, you can create the claim rules and update the RPT with minor changes that aren't set by the wizard. By default the claim rule editor opens once you've created the trust. If you want to map additional values beyond authentication, refer to our documentation.
- To create a new rule, click on Add Rule. Create a Send LDAP Attributes as Claims rule.
- On the next screen, using Active Directory as your attribute store, do the following:
1. From the LDAP Attribute column, select E-Mail Addresses.
2. From the Outgoing Claim Type, select E-Mail Address.
- Click on OK to save the new rule.
- Create another new rule by clicking Add Rule, this time selecting Transform an Incoming Claim as the template.
- On the next screen:
1. Select E-mail Address as the Incoming Claim Type.
2. For Outgoing Claim Type, select Name ID.
3. For Outgoing Name ID Format, select Email.
Leave the rule to the default of Pass through all claim values.
- Finally, click OK to create the claim rule, and then OK again to finish creating rules.
Step 3 - Adjusting the trust settings
You still need to adjust a few settings on your relying party trust. To access these settings, select Properties from the Actions sidebar while you have the RPT selected.
- In the Advanced tab, make sure SHA-256 is specified as the secure hash algorithm.
- In the Endpoints tab, click Add SAML to add a new endpoint.
- For the Endpoint type, select SAML Logout.
- For the Binding, choose POST.
- For the Trusted URL, create a URL using:
1. The web address of your ADFS server
2. The ADFS SAML endpoint you noted earlier
3. The string '?wa=wsignout1.0'
The URL should look something like this: https://sso.yourdomain.tld/adfs/ls/?wa=wsignout1.0.
- Confirm your changes by clicking OK on the endpoint and the RPT properties. You should now have a working RPT for Zendesk.
Note: Your instance of ADFS may have security settings in place that require all Federation Services Properties to be filled out and published in the metadata. Check with your team to see if this applies in your instance. If it is, be sure to check the Publish organization information in federation metadata box.
Step 4 - Configuring Zendesk
After setting up ADFS, you need to configure your Zendesk account to authenticate using SAML. Follow the steps in Enabling SAML single sign-on. You'll use your full ADFS server URL with the SAML endpoint (for example https://sso.yourdomain.tld/adfs/ls/) as the SSO URL, and the SAML Logout endpoint you created in Step 3 as the remote logout URL. The fingerprint will be the fingerprint of the token-signing certificate installed in your ADFS instance.
You can list the token-signing certificates by running the following PowerShell command on the ADFS server:
C:\> Get-AdfsCertificate -CertificateType Token-Signing
Look for the certificate marked IsPrimary; that's the one currently signing assertions. Note that the Thumbprint column in this output is the certificate's SHA-1 hash. If Zendesk asks for a SHA-256 fingerprint, you need to compute it over the certificate's DER bytes rather than copying the Thumbprint value.
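The following function computes the fingerprint of the primary ADFS token-signing certificate in the colon-separated form used on certificate fingerprint fields, in either SHA-256 or SHA-1, so you can check the SHA-1 output against the Thumbprint column and paste the SHA-256 value into Zendesk. It's an added example, not part of the original article or of the ADFS module; the function name is my own.

```powershell
# Added example (not from the original article). Computes the fingerprint of the primary
# ADFS token-signing certificate. The Thumbprint property that ADFS prints is SHA-1, so the
# digest is recomputed here over the DER-encoded certificate. Run on the ADFS server.
Import-Module ADFS

function Get-AdfsTokenSigningFingerprint {   # function name is an assumption, not an ADFS cmdlet
    param(
        [ValidateSet('SHA1', 'SHA256')]
        [string]$Algorithm = 'SHA256'
    )
    # With automatic certificate rollover ADFS can hold two token-signing certificates;
    # only the primary one signs assertions today, so that is the one Zendesk needs.
    $entry = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
    if (-not $entry) { throw 'No primary token-signing certificate found.' }
    $cert = $entry.Certificate

    $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    try {
        # A certificate fingerprint is the hash of the DER-encoded certificate (RawData).
        $digest = $hasher.ComputeHash($cert.RawData)
    } finally {
        $hasher.Dispose()
    }

    [pscustomobject]@{
        Subject     = $cert.Subject
        NotAfter    = $cert.NotAfter   # the fingerprint in Zendesk must be updated before the cert rolls over
        Algorithm   = $Algorithm
        Fingerprint = ($digest | ForEach-Object { $_.ToString('X2') }) -join ':'
    }
}

# SHA-256 value to paste into Zendesk's certificate fingerprint field.
Get-AdfsTokenSigningFingerprint

# Sanity check: this must equal the Thumbprint column of Get-AdfsCertificate (minus the colons).
Get-AdfsTokenSigningFingerprint -Algorithm SHA1
```

One operational caveat: when AutoCertificateRollover is enabled, ADFS generates a new token-signing certificate before the current one expires and eventually promotes it to primary. Zendesk only trusts the fingerprint you pasted, so every login will fail from the moment the new certificate becomes primary until you repeat this step and update the fingerprint in Zendesk. Track the NotAfter date returned above, or disable rollover and manage the certificate deliberately.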
After you're done, the Security > Single sign-on page in the Zendesk Admin Center should show the SSO URL, remote logout URL and certificate fingerprint you entered.
You should now have a working ADFS SSO implementation for Zendesk.
Switching authentication methods
Important: If you use a third-party SSO method to create and authenticate users in Zendesk, then switch to Zendesk authentication, these users will not have a password available for login. To gain access, ask these users to reset their passwords from the Zendesk sign in page.
38 Comments
If anyone wants to quickly set up a simple one-node ADFS server from a single script: it only requires you to provide the communication certificate thumbprint details. And as a bonus it deploys the MFA feature for ADFS with OTP codes. There is information on how to install the ADFS demo with OTP at the following link: https://www.securemfa.com/downloads/mfa-otp#h.p_0CFeLwIix8Fa
Hey everybody, I have implemented everything in this article but, when the Zendesk SSO page loads and I try to log on with Active Directory credentials, an error appears. Can you help me with this issue?
An error occurred
Does anybody know how to set up SAML / SSO for Zendesk with Azure AD / auto user provisioning?
I have it configured so that the user can sign in OK and the account gets created in Zendesk... but no roles are assigned.
So basically the account has no access to anything except the help area... no agent or custom roles are being applied.
Anybody have this working?
Hey Adam,
Excellent question! We've added this to our Weekly Digest to help provide some visibility for you.
Hopefully others can jump in here and offer up some guidance.
Cheers!
Hello,
I have set up ADFS and am trying to use it for my users. However, when I have it enabled and I go to my support page at https://mydomain.zendesk.com, I get taken directly to the logout page. I have read through all these comments but still no joy.
Any thoughts would be appreciated. Thanks.
Hey Michael,
I see you haven't received a response regarding your ADFS issue. Are your users still being directed to the logout page when navigating to your account? If so, I'll need to create a ticket on your behalf so we can dig into this further.
Let me know!
Hello,
My users are still not able to log in using ADFS. Can you please open a ticket? Thank you.
BTW, I'm out of the office until next week.
Hi Michael -
I've gone ahead and gotten a ticket started for you, so it'll be ready when you're back in the office.