Question
"Why are users redirected to the logout URL after authenticating via SSO with SAML?"
Answer
A common cause of this behaviour is that the certificate on the SSO (identity provider) side has been renewed or replaced. The fingerprint Zendesk stores is that of the certificate the identity provider uses to sign its SAML responses (on many IdPs this is a dedicated signing certificate rather than the server's TLS certificate). Once that certificate changes it has a new fingerprint, the responses the IdP sends no longer match the fingerprint stored in your Support account, and the user is sent to the logout URL instead of being signed in. The stored fingerprint therefore has to be updated.
If you do not have the new certificate's details to hand, decode the new certificate with a tool such as CSR Decoder or Certificate Decoder (or any local X.509 tool) and take the new SHA2 fingerprint from it. It has the following form:
2E:7E:41:27:0F:E0:D9:A8:E4:5E:68:DC:89:64:5F:A5:D0:FB:47:BF
Note that this sample value is 20 bytes long, which is the length of a SHA-1 digest; a SHA-256 (SHA-2) fingerprint has 32 colon-separated bytes. Copy the digest type the Certificate fingerprint field asks for, computed over the signing certificate, not over a different certificate that happens to be installed on the same server.
- In Admin Center, go to Account > Security > Single sign-on.
- Select SAML.
- Update the Certificate fingerprint field and click Save.
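An added example, not part of the Zendesk article: computing the fingerprint locally with Python's standard library instead of pasting the certificate into an online decoder, and comparing it to the value stored in Zendesk in a formatting-insensitive way. The PEM body and the configured value are constructed placeholders (the body decodes to the bytes "abc", not to a real certificate); read the IdP's actual signing certificate into SAMPLE_PEM instead. The helper also tells you whether a value that fails to match is a SHA-1 rather than a SHA-256 fingerprint of the same certificate, which is a different mistake from having the wrong certificate.

```python
import base64
import hashlib
import re

# Constructed placeholder, NOT a real X.509 certificate: the body "YWJj" is base64
# for the bytes b"abc". It only exercises the PEM-stripping and hashing path;
# read the IdP's real signing certificate (PEM) into this variable instead.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

# Hypothetical value as it might have been pasted into the Certificate fingerprint
# field (spacing and case vary between tools, so compare after normalising).
CONFIGURED_FINGERPRINT = "ba78 16bf 8f01 cfea 4141 40de 5dae 2223 b003 61a3 9617 7a9c b410 ff61 f200 15ad"


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines (if present) and base64-decode the DER body.
    Also accepts the bare base64 found in an IdP metadata X509Certificate element."""
    body = re.sub(r"-----(BEGIN|END) [A-Z ]+-----", "", pem)
    return base64.b64decode("".join(body.split()))


def fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Digest of the DER bytes as colon-separated upper-case hex, the form the UI shows."""
    digest = hashlib.new(algorithm, der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def pem_fingerprint(pem: str, algorithm: str = "sha256") -> str:
    return fingerprint(pem_to_der(pem), algorithm)


def normalize(fp: str) -> str:
    """Drop colons, spaces and case so two copies of a fingerprint compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def which_digest_matches(pem: str, configured: str):
    """Return 'sha256' or 'sha1' if the configured value is that fingerprint of the
    certificate, else None. A 40-hex-digit (20-byte) value can only be SHA-1, so a
    SHA-1 match means the field holds the wrong digest type for this certificate;
    check which digest your SSO settings page expects."""
    cfg = normalize(configured)
    for algorithm in ("sha256", "sha1"):
        if cfg == normalize(pem_fingerprint(pem, algorithm)):
            return algorithm
    return None


if __name__ == "__main__":
    print("SHA-256:", pem_fingerprint(SAMPLE_PEM))
    print("SHA-1:  ", pem_fingerprint(SAMPLE_PEM, "sha1"))
    print("configured value matches:", which_digest_matches(SAMPLE_PEM, CONFIGURED_FINGERPRINT))
```

The input can be the downloaded .crt/.pem file or the base64 blob from the IdP metadata's X509Certificate element. Where OpenSSL is installed, `openssl x509 -in idp.crt -noout -fingerprint -sha256` prints the same SHA-256 value, which is a quick cross-check before editing the field.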
Translation disclaimer: This article has been translated by automatic translation software for your convenience. Zendesk makes reasonable efforts to ensure the accuracy of the translation but does not guarantee it.
If you have any doubts about the accuracy of the translated content, refer to the English article, which is the official version.
10 comments
Pest Control
Are there any alternative solutions to this? I'm using Google as my IdP and have already verified both the SHA2 fingerprint and the customer settings. We’re able to log in successfully when the request is initiated through Google, but if we try to access the login URL directly, we encounter this error.
0
Pest Control
Another possible cause of this issue (for anyone else running into it) is when you're using a third-party authentication provider like Auth0 but haven’t fully configured it for all user types. In my case, I had SSO enabled only for end users, but I attempted to log in as a Zendesk admin (a team member). The login flow redirected me to Auth0, where I successfully entered my credentials. It then redirected back to Zendesk, but immediately kicked me out by hitting Auth0’s logout endpoint. The problem was that I hadn’t configured SSO for team members. Once I updated the settings to include them in the SSO configuration, the login process worked correctly and I was no longer logged out.
0
IT Bot
We're also facing the issue with AzureAD, but only for some of our B2B guests in AAD.
For internal users as well as B2B guests with their own AAD it works without any issue, but AAD B2B guests that use a "Microsoft Account" as issuer are logged out immediately.
Tod Brown, Alexander Popa: any idea what the issue could be? I've already double-checked the certificate fingerprint.
Edit: Found the solution; we had to change the nameidentifier for guests from UPN to user.mail. The UPN for AAD guest accounts is the onmicrosoft.com address.
0
Diane Kaplan
One other cause for this symptom (for others who find this post) can be when we're deferring to a third party for authentication (in my case Auth0), but you're not actually listening to their response for this type of user. I reproduced this symptom when I'd only enabled SSO for end users and then tried to log in with my Zendesk admin (a team member). We redirected to Auth0 where I entered the user/password creds, it did a successful login, redirected to Zendesk, but then redirected to the Auth0 logout endpoint because I hadn't had Team Members configured to use SSO. Once I enabled Team Members to use my SSO configuration, they were no longer logged out and proceeded to Zendesk as expected.
0
Tod Brown
Hi Lucas,
My apologies for any confusion I may have caused here.
Regarding that ticket, you would not have access to that ticket, due to not being the Requester. My apologies, as I had been replying to the requester of this post, via the ticket.
However, the solution that was offered was to look at the ACS URL, to see if there is a / at the end of the address.
If there is, remove that.
If that isn't the case, I'd recommend submitting a ticket to Support regarding this matter.
Best regards,
Tod
0
Lucas Bertoni
Hello Tod Brown, the ticket you linked does not exist anymore.
Would you please share the actual solution here?
We are having issues where just a specific user is not able to login, they are automatically redirected to the logout URL as soon as they try to login.
Thanks
0
Tod Brown
My name is Tod, and I am with the Zendesk Customer Advocacy Team.
I see this ticket was opened, but that you'd actually had this issue resolved on another ticket, #9953237 with Oscar.
As such, I am going to set this ticket to Solved.
Best regards,
Tod
0
Moxie Pest Control LP
Are there any other solutions to this? I am using Google as my IdP and I've checked the SHA2 and the Customers settings. We can log in if the request is from Google, but not directly from the URL, as we run into this error.
0
Selim Yanat
For the people that run into the same issue: check in Customers settings that you don't have an "Allowlist" that accepts only users from the domains configured in that list.
0
Selim Yanat
Hello,
I'm facing a similar issue when I configure Zendesk SSO with Auth0. Users that are created in Auth0 cannot log in to Zendesk; I'm always redirected to the logout URL.
However, if a user is created in both places, Auth0 and Zendesk, the login through SSO is effective.
Could it be that Zendesk is not able/configured to create user profiles dynamically, based on information in the SAML assertion? (I followed the recommendation in this Zendesk article, but it did not work.)
Any help would be appreciated. Thanks
0
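Several of the comments above describe causes other than the fingerprint: a trailing slash on the ACS URL (Tod Brown), an Azure AD guest whose NameID is the onmicrosoft.com UPN rather than the mail address (IT Bot), and a domain allowlist in Customers settings (Selim Yanat). The following is an added example, not from the article or any commenter, that pulls those fields out of a captured SAMLResponse (the base64 form field the IdP POSTs to the service provider, visible in the browser's network tab) so they can be checked before opening a ticket. The response XML, subdomain, issuer and user are constructed; the ACS URL and allowlist are assumptions to be replaced with your own values.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: a minimal, unsigned SAML Response of the kind an IdP POSTs
# to the service provider's ACS URL. Subdomain, issuer and user are made up; the
# NameID is shaped like an Azure AD guest UPN (name_domain#EXT#@tenant.onmicrosoft.com)
# while the mail address travels only as an attribute, the situation IT Bot describes.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" Destination="https://example.zendesk.com/access/saml/">
  <saml:Issuer>https://idp.example.com/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">guest_example.net#EXT#@contoso.onmicrosoft.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>example.zendesk.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>guest@example.net</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Assumed values for this hypothetical subdomain; replace with your own.
EXPECTED_ACS_URL = "https://example.zendesk.com/access/saml"
ALLOWED_DOMAINS = ["example.net"]


def decode_saml_response(form_value: str) -> str:
    """The SAMLResponse POST field is base64 of the (already URL-decoded) XML."""
    return base64.b64decode(form_value).decode("utf-8")


def encode_for_post(xml_text: str) -> str:
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def parse_response(xml_text: str) -> dict:
    """Pull out the fields that the causes discussed in the thread hinge on."""
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    emails = [
        v.text.strip()
        for attr in root.findall(".//saml:Attribute", NS)
        if "mail" in (attr.get("Name") or "").lower()
        for v in attr.findall("saml:AttributeValue", NS)
        if v.text
    ]
    return {
        "destination": root.get("Destination"),
        "issuer": (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip(),
        "name_id": name_id.text.strip() if name_id is not None and name_id.text else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "audiences": [a.text.strip() for a in root.findall(".//saml:Audience", NS) if a.text],
        "email_attributes": emails,
    }


def check_response(parsed: dict, expected_acs: str, allowed_domains=None) -> list:
    """Return human-readable findings; an empty list means none of these checks fired."""
    problems = []
    dest = parsed.get("destination")
    if dest != expected_acs:
        if dest and dest.rstrip("/") == expected_acs.rstrip("/"):
            problems.append(f"Destination differs from the ACS URL only by a trailing slash: {dest!r} vs {expected_acs!r}")
        else:
            problems.append(f"Destination {dest!r} does not match the ACS URL {expected_acs!r}")
    nid = parsed.get("name_id")
    if not nid or "@" not in nid:
        problems.append(f"NameID {nid!r} is missing or is not an e-mail address")
    else:
        domain = nid.rsplit("@", 1)[1].lower()
        if "#EXT#" in nid or domain.endswith(".onmicrosoft.com"):
            hint = f"; the assertion also carries {parsed.get('email_attributes')}" if parsed.get("email_attributes") else ""
            problems.append(f"NameID {nid!r} looks like an Azure AD guest UPN rather than the user's mail address{hint}")
        if allowed_domains is not None and domain not in {d.lower() for d in allowed_domains}:
            problems.append(f"NameID domain {domain!r} is not in the allowlist {sorted(allowed_domains)}")
    return problems


if __name__ == "__main__":
    posted = encode_for_post(SAMPLE_RESPONSE_XML)  # what the browser would POST
    parsed = parse_response(decode_saml_response(posted))
    for key, value in parsed.items():
        print(f"{key}: {value}")
    for problem in check_response(parsed, EXPECTED_ACS_URL, ALLOWED_DOMAINS):
        print("!!", problem)
```

This only reads the fields; it does not verify the XML signature, which is what the stored certificate fingerprint is for, so a clean result here still requires the fingerprint in the answer above to be correct. Run it against a response for a user who is bounced and one for a user who is not, and diff the two dictionaries: the field that differs is usually the one to fix at the IdP.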