Mapping attributes from Active Directory with ADFS and SAML

Have more questions? Submit a request

8 Comments

  • Nathaniel Erlandson
    Comment actions Permalink

    Hello,

    Are we able to map an attribute to place an agent in a certain zendesk group? I'm guessing this may be an issue because the agent role needs to be given first, but I'm curious on what's possible. I haven't seen any examples in the documentation regarding mapping an attribute for group access, just for organization.

    Also, I'm guessing in order to map the agent role from an AD group, I need the agent signin switched over to SSO? I've only tried having a user sign-in via the help center, but authentication fails when I have the rule to map the role set in ADFS. Any info would be appreciated. Thanks

     

     

    0
  • Garrick Rohm
    Comment actions Permalink

    Hi Nathaniel,

    Table 1 in the following article outlines supported user attributes for SAML SSO - unfortunately group isn't included.

    Using SAML for single sign-on (Professional and Enterprise)

    Regarding updating an agent's role, you're correct - in order to update their role via SSO you'll need to enable SAML SSO for agents and admins.

    0
  • John Christian
    Comment actions Permalink

    Hi,
    how do I add the SAML attribute for light agents and group membership?

    1
  • Shera Esquivel
    Comment actions Permalink

    Hello John!

    Since light agents are also agents, you may use this same guide for adding SAML. And for group membership, the steps are provided in this page too.

    Role

    Setting the role of a user based on their membership in a group is a two-step process. First, you create a new rule using the Send Group Membership as a Claim template. Second, you modify the definition generated by that rule slightly to create a custom rule that correctly passes the information to Zendesk.

    Please let us know if you have any further questions.

    0
  • John Christian
    Comment actions Permalink

    Hi Shera!

    What parameters do I use for the custom rule for the light agents?

    Does the light agent still have the role (the claim) "agent" as the normal agents, or should they only have this custom rule?

    And what parameters do I use for the custom rule for the group membership?

    0
  • Shera Esquivel
    Comment actions Permalink

    Hello John,

    I'm so sorry for the delay in my response, for the custom rule you may set up with the attribute: Role=Agent and Custom_role:{{custom_role_unique_id}}.


    I hope this helps!

    0
  • John Christian
    Comment actions Permalink

    Hi Shera!

    I found the custom_role_unique_id with the api (https://developer.zendesk.com/rest_api/docs/support/custom_roles), and it works if the user is already registered as an light agent. But if the user doesn't exist or is already registered as a end user the login fails (the user is just logged out again).

    The custom_role_id claim is after the role claim in the ADFS config.

    Shouldn't the user be able to be created when the user logs in for the first time?

    0
  • Brett - Community Manager
    Comment actions Permalink

    Hey John,

    Do you have the user already set up in your ADFS config as a light-agent? I believe as long as they are set up correctly there, once they attempt to log in they should be created as a light-agent in the Support account.

    Let me know if that's still not working after checking your ADFS config and I can create a ticket on your behalf.

    Thanks!

    0

Please sign in to leave a comment.

Powered by Zendesk