Why are users redirected to the logout URL when authenticating via SSO with SAML?
The most common reason for this behavior is that the SSL certificate installed on your SSO server has been updated or changed.
Because the new certificate has a new fingerprint, you need to update the existing fingerprint in your Support account.
If you don't have access to the data of the new certificate, decode the new SSL certificate using an online tool, such as CSR Decoder And Certificate Decoder. Then, copy the new SHA2 fingerprint, which looks similar to this:
- In Admin Center, navigate to Account > Security > Single sign-on.
- Select SAML.
- Update the Certificate fingerprint field and Save.
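The fingerprint can also be computed locally and compared with the value currently saved in the Certificate fingerprint field. The following is an added example, not part of the original article or Zendesk's own code; it assumes "SHA2" means SHA-256, and the function names and sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def sha256_fingerprint(pem_text: str) -> str:
    """SHA-256 over the DER bytes of the first certificate in pem_text,
    as colon-separated uppercase hex."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    der = ssl.PEM_cert_to_DER_cert(match.group(0))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fingerprint: str) -> str:
    """Reduce a pasted fingerprint to 64 lowercase hex characters.
    Accepts colons, spaces, any case, and an 'sha256 Fingerprint=' prefix."""
    value = fingerprint.rsplit("=", 1)[-1]
    value = re.sub(r"[\s:]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", value):
        raise ValueError("not a SHA-256 fingerprint")
    return value

def fingerprint_matches(configured: str, pem_text: str) -> bool:
    """True when the configured fingerprint is the certificate's own."""
    actual = normalize(sha256_fingerprint(pem_text))
    return hmac.compare_digest(normalize(configured), actual)

# Constructed stand-in bytes, not a real certificate: the fingerprint is a
# hash of the DER bytes, so the code path is the same for a real one.
SAMPLE_DER = b"constructed placeholder for the IdP certificate DER bytes"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

if __name__ == "__main__":
    old = "AB:" * 31 + "AB"  # constructed value standing in for the stale one
    print("new fingerprint:", sha256_fingerprint(SAMPLE_PEM))
    print("configured value still valid:", fingerprint_matches(old, SAMPLE_PEM))
```

To use it, replace `SAMPLE_PEM` with the contents of the certificate file exported from your SSO server.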
I'm facing a similar issue when I configure Zendesk SSO with Auth0. Users that are created in Auth0 could not log in to Zendesk; I'm always redirected to the logout URL.
However, if a user is created in both places, Auth0 and Zendesk, the login through SSO is effective.
Could it be that Zendesk is not able/configured to create user profiles dynamically, based on information in the SAML assertion? (I followed the recommendation in this Zendesk article but it did not work.)
Any help would be appreciated. Thanks
For the people that run into the same issue: check in Customers settings that you don't have an "Allowlist" that accepts only users from the domains configured in that list.
Are there any other solutions to this? I am using Google as my IdP and I've checked the SHA2 and the Customers settings. We can log in if the request is from Google but not directly from the URL, as we run into this error.
My name is Tod, and I am with the Zendesk Customer Advocacy Team.
I see this ticket was opened, but that you'd actually had this issue resolved on another ticket, #9953237 with Oscar.
As such, I am going to set this ticket to Solved.
Hello Tod Brown, the ticket you linked does not exist anymore.
Would you please share the actual solution here?
We are having issues where just a specific user is not able to log in; they are automatically redirected to the logout URL as soon as they try to log in.
My apologies for any confusion I may have caused here.
Regarding that ticket, you would not have access to that ticket, due to not being the Requester. My apologies, as I had been replying to the requester of this post, via the ticket.
However, the solution that was offered was to look at the ACS URL, to see if there is a / at the end of the address.
If there is, remove that.
If that isn't the case, I'd recommend submitting a ticket to Support regarding this matter.
One other cause for this symptom (for others who find this post) can be when we're deferring to a third party for authentication (in my case Auth0), but you're not actually listening to their response for this type of user. I reproduced this symptom when I'd only enabled SSO for end users and then tried to log in with my Zendesk admin (a team member). We redirected to Auth0 where I entered the user/password creds, it did a successful login, redirected to Zendesk, but then redirected to the Auth0 logout endpoint because I hadn't had Team Members configured to use SSO. Once I enabled Team Members to use my SSO configuration, they were no longer logged out and proceeded to Zendesk as expected.