SSO authentication logic is flawed
Posted Apr 08, 2024
Zendesk offers the possibility to have separate SAML configurations, one for team members (agents) and another for end users.
We would assume that each configuration should strictly authenticate users based on their own SAML configuration; however, this is not the case: if the same agent is present on both IdPs (the one for team members and the one for end users), and they can sign in as an end user, they get logged in as an agent. This is wrong and raises security concerns. Zendesk should ensure that agent authentication is only permitted through the designated Agent SAML SSO setup.
Currently Zendesk does not honor the authentication method to validate the agent's entry point. The reason is that although a separate SSO was introduced, the email is still the only key for identifying the user, and the IdP source is totally ignored.
In our system, we want end users to sign in with a simple IdP, while agents need to sign in with MFA.
That is not possible with the current authentication logic of Zendesk, as agents can totally bypass the MFA by simply logging in through the end-user SSO.
Do you see the problem here?
Regards,
Haris
1
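The flaw described in the post, modelled as an added example (not Zendesk's code): a login that keys the account on the email alone, next to a variant that binds the session role to the IdP that issued the assertion. The issuer URLs, the user directory and the `SamlAssertion` shape are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed configuration: which SAML issuer (IdP entity ID) is the
# designated login path for which role. Placeholder URLs, not real IdPs.
SSO_CONFIG = {
    "https://idp-mfa.example/agents": "agent",        # assumed to enforce MFA
    "https://idp-basic.example/end-users": "end_user",  # simple, no MFA
}

# Constructed user directory keyed by email, as the post describes.
DIRECTORY = {
    "haris@example.com": "agent",
    "customer@example.com": "end_user",
}


@dataclass
class SamlAssertion:
    issuer: str  # entity ID of the IdP that signed the assertion
    email: str   # NameID / email attribute carried in the assertion


def login_email_only(assertion: SamlAssertion) -> Optional[str]:
    """Flawed logic from the post: the email alone selects the account,
    so an agent arriving through the end-user IdP gets an agent session."""
    return DIRECTORY.get(assertion.email)


def login_idp_bound(assertion: SamlAssertion) -> Optional[str]:
    """Hardened logic: the issuing IdP determines which role it may grant,
    and the account's directory role must match it, so the MFA IdP is the
    only path into an agent session."""
    idp_role = SSO_CONFIG.get(assertion.issuer)
    if idp_role is None:
        return None  # untrusted or unconfigured IdP: reject
    account_role = DIRECTORY.get(assertion.email)
    if account_role != idp_role:
        return None  # e.g. agent account presented via the end-user IdP
    return account_role


if __name__ == "__main__":
    bypass = SamlAssertion("https://idp-basic.example/end-users", "haris@example.com")
    print("email-only:", login_email_only(bypass))  # agent session, MFA bypassed
    print("idp-bound: ", login_idp_bound(bypass))   # None, login refused
```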
3 comments
Shawna James
Thank you for taking the time to provide us with your feedback. This has been logged for our PM team to review. For others who may be interested in this feature request, please add your support by upvoting this post and/or adding your use case to the comments below. Thank you again!
0
Caroline Kello
Hi Haris,
This is an improvement that we want to make (restricting the SSO method based on your role), but there are a few different pieces of work that we need to complete before we do that, most importantly removing the constraint that Google and Microsoft currently can't co-exist with other custom SSO methods for team members (that's work that we have in progress right now). Once that's available, we'll need to announce this as a breaking change with a slow rollout, as a lot of users are going to be stopped from signing in because the SSO method they chose isn't assigned to them.
1
Charalampos Haris Matthaiou
Hi Caroline,
Thank you for the update. I am really happy that there is progress with this implementation.
Our Zendesk instance is eagerly waiting for this rollout so we can finally harden our security.
Is there a way we can participate in the early rollout when it's available?
0