Your security is important to us. While Zendesk does not have visibility into your specific configuration, we recently became aware of a potential risk involving customers who do not verify users’ email addresses through their identity provider when enabling single sign-on (SSO) as an authentication method. As a result, a user could self-register with an identity provider and possibly leave accounts exposed to risk.
What is the risk?
When using SAML or JWT for SSO at Zendesk, it is your responsibility to verify the identity of your administrators, agents, and end users to ensure that only verified users have access to your Zendesk Support account or to your Help Center.
If users are able to register with your SSO solution using an email address of their choosing, and the identity provider does not verify the email address of the newly created account, it is possible to authenticate to Zendesk with that account via your SSO solution. A user could then use the unverified account to gain access to Zendesk tickets that may be associated with the unverified account's email address.
What should I do?
We strongly recommend partnering with your third-party identity provider or the developer of your current SSO configuration to ensure that email verification is in place for end user, agent, and administrator account registration.
When users register with you, it's important to require them to verify that they own the email address. Typically, this is done by sending the user an email with a link to confirm the email address they are registering with.
Some identity providers can be configured to enforce email verification. Below, we've included instructions on how to verify email addresses in some well-known identity providers and SSO solutions:
- Auth0
  - Use the email verified rule to force email verification. For more information, see: https://auth0.com/rules/email-verified
- Okta
  - Be sure that the setting User must verify the email address to be activated is enabled when you configure your self-registration workflow. For more information, see: Enable and configure a self-service registration policy
- LogMeOnce
  - When you set up Zendesk with LogMeOnce, make sure Yes is selected for Only Verified Accounts.
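The risk and the fix described above, as an added example that is not Zendesk's code or any identity provider's: a small SSO bridge that mints the HS256 JWT Zendesk's JWT SSO endpoint accepts (the iat, jti, email and name claims are the ones Zendesk's JWT SSO documentation requires), shown once without and once with a check of the identity provider's email verification status. The user records, the `email_verified` flag (modelled on the standard OIDC claim) and the shared secret are constructed placeholders.

```python
import base64, hashlib, hmac, json, time, uuid

# Constructed sample records, in the shape a self-registration IdP exposes them
# to the SSO bridge. 'email_verified' is the standard OIDC claim; Mallory signed
# up with someone else's address and never completed the confirmation step.
IDP_USERS = {
    "alice":   {"name": "Alice",   "email": "alice@example.com", "email_verified": True},
    "mallory": {"name": "Mallory", "email": "cfo@example.com",   "email_verified": False},
}

# Constructed placeholder for the shared secret configured in Zendesk's JWT SSO settings.
SHARED_SECRET = b"constructed-placeholder-secret"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mint_zendesk_jwt(user: dict, secret: bytes = SHARED_SECRET) -> str:
    """HS256 JWT with the claims Zendesk's JWT SSO endpoint expects: iat, jti, email, name."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({
        "iat": int(time.time()), "jti": str(uuid.uuid4()),
        "email": user["email"], "name": user["name"],
    }).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def sso_bridge_weak(user: dict) -> str:
    # The risky pattern: whatever address the user typed at registration is
    # asserted to Zendesk, so an unverified signup reaches tickets for that address.
    return mint_zendesk_jwt(user)

class UnverifiedEmail(Exception):
    pass

def sso_bridge_hardened(user: dict) -> str:
    # The fix: only assert addresses the identity provider has confirmed.
    if user.get("email_verified") is not True:
        raise UnverifiedEmail(f"{user['email']} has not been verified by the IdP")
    return mint_zendesk_jwt(user)

def token_email(token: str) -> str:
    """Read the email claim back out of a minted token (for inspection and tests)."""
    payload = token.split(".")[1]
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))["email"]
```

In a real bridge the verification flag comes from the identity provider's own assertion (for example the OIDC `email_verified` claim), not from anything the user supplies.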
2 comments
James Weatherly
The link to Okta documentation isn't working, I'm seeing a page not found error.
Brett Bowser
Thanks for the heads up! I was able to track down this documentation which I think is what you're looking for: Enable and configure a self-service registration policy
I hope this helps!