Question
Why are users redirected to the logout URL when authenticating via SSO with SAML?
Answer
The common reason for this behavior is that the SSL certificate installed on your SSO server has been updated or changed.
Because the new certificate has a new fingerprint, you need to update the existing fingerprint from your Support account.
If you don't have access to the data of the new certificate, decode the new SSL certificate using an online tool, such as CSR Decoder And Certificate Decoder. Then, grab the new SHA2 fingerprint, which looks similar to this:
2E:7E:41:27:0F:E0:D9:A8:E4:5E:68:DC:89:64:5F:A5:D0:FB:47:BF
- In Admin Center, navigate to Account > Security > Single sign-on
- Select SAML
- Update the Certificate fingerprint field and Save
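The fingerprint can also be computed locally instead of pasting the certificate into an online decoder. The sketch below is an added example, not part of the original article or Zendesk's tooling: it reads the certificate from IdP SAML metadata and compares it with the configured value, inferring the digest from the value's length (a 20-byte value like the sample above has the length of a SHA-1 digest, a SHA-256 digest is 32 bytes). The function names, the sample metadata and the placeholder certificate bytes are assumptions constructed for illustration.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

X509_TAG = "{http://www.w3.org/2000/09/xmldsig#}X509Certificate"

def certs_from_metadata(metadata_xml):
    """Return the DER bytes of every X509Certificate in IdP metadata.
    Parse only metadata from your own IdP; use defusedxml for untrusted XML."""
    root = ET.fromstring(metadata_xml)
    return [base64.b64decode("".join((n.text or "").split()), validate=True)
            for n in root.iter(X509_TAG)]

def fingerprint(der, algo="sha256"):
    """Colon-separated uppercase hex digest of the DER-encoded certificate."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fp):
    """Drop colons, whitespace and case so differently formatted values compare."""
    return re.sub(r"[\s:]", "", fp).upper()

def check_configured(metadata_xml, configured):
    """Compare the configured fingerprint with every cert the IdP publishes."""
    want = normalize(configured)
    # 40 hex chars is a SHA-1 digest, 64 is SHA-256; anything else is malformed.
    algo = {40: "sha1", 64: "sha256"}.get(len(want))
    if algo is None or not re.fullmatch(r"[0-9A-F]+", want):
        raise ValueError("not a SHA-1 or SHA-256 fingerprint")
    current = [fingerprint(d, algo) for d in certs_from_metadata(metadata_xml)]
    return {"algo": algo, "current": current,
            "match": want in {normalize(c) for c in current}}

# Constructed sample: placeholder bytes stand in for a real DER certificate.
SAMPLE_DER = b"constructed placeholder, not a real certificate"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/metadata">
  <IDPSSODescriptor><KeyDescriptor use="signing">
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
      <X509Certificate>{base64.b64encode(SAMPLE_DER).decode()}</X509Certificate>
    </X509Data></KeyInfo></KeyDescriptor></IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    old = "2E:7E:41:27:0F:E0:D9:A8:E4:5E:68:DC:89:64:5F:A5:D0:FB:47:BF"  # article's sample
    print(check_configured(SAMPLE_METADATA, old))  # stale value: match is False
    print(check_configured(SAMPLE_METADATA, fingerprint(SAMPLE_DER)))
```

During a certificate rollover an IdP may publish both the old and the new certificate, which is why every certificate in the metadata is listed and compared.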
8 comments
Selim Yanat
Hello,
I'm facing a similar issue when I configure Zendesk SSO with Auth0. Users that are created in Auth0 could not log in to Zendesk; I'm always redirected to the logout URL.
However, if a user is created in both places, Auth0 and Zendesk, the login through SSO is effective.
Could it be that Zendesk is not able/configured to create user profiles dynamically, based on information in the SAML assertion? (I followed the recommendation in this Zendesk article, but it did not work.)
Any help would be appreciated. Thanks
0
Selim Yanat
For the people that run into the same issue: check in Customers settings that you don't have an "Allowlist" that accepts only users from the domains configured in that list.
0
Moxie Pest Control LP
Are there any other solutions to this? I am using Google as my IdP and I've checked the SHA2 and the Customers settings. We can log in if the request is from Google but not directly from the URL, as we run into this error.
0
Tod Brown
My name is Tod, and I am with the Zendesk Customer Advocacy Team.
I see this ticket was opened, but that you'd actually had this issue resolved on another ticket, #9953237 with Oscar.
As such, I am going to set this ticket to Solved.
Best regards,
Tod
0
Lucas Bertoni
Hello Tod Brown, the ticket you linked does not exist anymore.
Would you please share the actual solution here?
We are having issues where just a specific user is not able to log in; they are automatically redirected to the logout URL as soon as they try to log in.
Thanks
0
Tod Brown
Hi Lucas,
My apologies for any confusion I may have caused here.
Regarding that ticket, you would not have access to that ticket, due to not being the Requester. My apologies, as I had been replying to the requester of this post, via the ticket.
However, the solution that was offered was to look at the ACS URL, to see if there is a / at the end of the address.
If there is, remove that.
If that isn't the case, I'd recommend submitting a ticket to Support regarding this matter.
Best regards,
Tod
0
Diane Kaplan
One other cause for this symptom (for others who find this post) can be when we're deferring to a third party for authentication (in my case Auth0), but you're not actually listening to their response for this type of user. I reproduced this symptom when I'd only enabled SSO for end users and then tried to log in with my Zendesk admin (a team member). We redirected to Auth0 where I entered the user/password creds, it did a successful login, redirected to Zendesk, but then redirected to the Auth0 logout endpoint because I hadn't had Team Members configured to use SSO. Once I enabled Team Members to use my SSO configuration, they were no longer logged out and proceeded to Zendesk as expected.
0
IT Bot
We're also facing the issue with AzureAD, but only for some of our B2B Guests in AAD.
For internal Users as well as B2B Guests with their own AAD it works without any issue, but AAD B2B Guests which are using a "Microsoft Account" as issuer are logged out immediately.
Tod Brown Alexander Popa Any idea what the issue could be? I've already double-checked the Certificate fingerprint.
Edit: Found the solution, we had to change the nameidentifier for guests from UPN to user.mail. The UPN for AAD Guest accounts is the onmicrosoft.com address.
0