How to configure Zendesk as a SAML Service Provider
Zendesk is a SaaS help desk software provider. To allow single sign-on to Zendesk, use the following settings.
General
Zendesk does not support metadata exchange and requires manual configuration.
Zendesk instructions are published at https://support.zendesk.com/hc/en-us/articles/203663676-Enabling-SAML-single-sign-on-Professional-and-Enterprise-
Note that, at the time of writing, the Zendesk account must be a Professional or Enterprise level account.
Application Configuration in Zendesk
In the Zendesk settings screen, the following information is required:
- For SAML SSO URL, enter the SingleSignOnService URL of the SAML server, replacing UAS_URL with your own value:
https://UAS_URL/uas/saml2/SingleSignOnService
- For Certificate fingerprint, calculate the fingerprint of the signing certificate using the instructions in Get the signing certificate fingerprint.
- For Remote logout URL, enter a logout URL to which Zendesk can redirect users after they sign out of Zendesk. If you want to initiate logout from the Ubisecure Identity Server, enter the URL
https://UAS_URL/uas/logout
or, to continue to another URL after logout,
https://UAS_URL/uas/logout?returnurl=https://example.com
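The fingerprint that Zendesk asks for is a hash of the DER-encoded signing certificate, printed as colon-separated hex. The script below is an added example, not part of the Ubisecure or Zendesk documentation: it accepts either a PEM certificate or the bare base64 blob found in a SAML metadata ds:X509Certificate element and prints SHA-1 and SHA-256 fingerprints (the Zendesk article linked above defines which algorithm the field currently accepts). The PEM body embedded here is constructed filler, the base64 of the bytes "abc" (a standard hash test vector), not a real certificate; paste the real signing certificate in its place.

```python
import base64
import hashlib
import re

# Constructed stand-in for a certificate. The body is base64 of b"abc", a hash
# test vector, NOT a real X.509 certificate. Fingerprinting only hashes the DER
# bytes, so the routine is unchanged when a real signing certificate is used.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""


def pem_to_der(text: str) -> bytes:
    """Return the DER bytes of a certificate given either PEM text or the bare
    base64 blob copied from a SAML metadata <ds:X509Certificate> element.
    Header/footer lines and all whitespace (line wrapping) are stripped first."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text)
    body = re.sub(r"\s+", "", body)
    return base64.b64decode(body, validate=True)


def fingerprint(cert_text: str, algorithm: str = "sha256") -> str:
    """Hash the DER bytes and format the digest as upper-case hex pairs joined
    by colons, the same layout `openssl x509 -fingerprint` prints."""
    digest = hashlib.new(algorithm, pem_to_der(cert_text)).digest()
    return ":".join(f"{byte:02X}" for byte in digest)


if __name__ == "__main__":
    # Run against the IdP signing certificate, e.g. the one in the Ubisecure
    # SAML metadata, and paste the matching value into Zendesk.
    for alg in ("sha1", "sha256"):
        print(f"{alg.upper()} fingerprint: {fingerprint(SAMPLE_PEM, alg)}")
```

Whitespace is removed before decoding so that a wrapped PEM and the single-line blob from metadata produce the same fingerprint; a mismatch between the value pasted into Zendesk and the certificate actually used to sign assertions is the most common cause of a rejected SAML response.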
SAML SSO can be enabled for either end customers, agents or both.
Attempting to log in to an agent account when SAML is not enabled for agents results in an error.
Attempting to log in to a customer account when SAML is not enabled for customers results in an error.
Application Configuration in Ubisecure Management
1. Create an application of type SAML2
2. Activate the application
Zendesk does not provide preconfigured metadata.
Replace the word YOURACCOUNTNAME in the example below with your own Zendesk account name
<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://YOURACCOUNTNAME.zendesk.com">
  <SPSSODescriptor AuthnRequestsSigned="false"
                   WantAssertionsSigned="true"
                   protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                              Location="https://YOURACCOUNTNAME.zendesk.com/access/saml"
                              index="1"/>
  </SPSSODescriptor>
</EntityDescriptor>
Activate this metadata in the Application configuration screen of Ubisecure Management.
3. The following Application Compatibility Flags must be used:
- AuthnRequestSign
- AuthnRequestValidate
- AssertionSignCertificate
Zendesk does not sign authentication requests, and it expects the Assertion to be signed and to include a copy of the signer certificate in X.509 format.
4. Create and assign an appropriate authorization policy.
The NameID is expected to be the user's email address.
The authorization policy must contain at minimum the following values and settings:

Name | Value | Mandatory | Single-value |
---|---|---|---|
SetNameIDtoEmailAddress | ${nameID.value(user.mail[0]).format('emailaddress')} | | |
name | ${user.givenName[0].concat(' ').concat(user.sn[0])} | | |
user:mail | | | |
Other attributes may be sent and are listed on the Zendesk support pages.
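When a login fails after this configuration, the quickest check is to base64-decode the SAMLResponse posted to /access/saml (from the browser's network tools) and confirm it has the shape the flags and policy above are meant to produce: a signed Assertion whose signature carries the X.509 certificate, an email-format NameID, and a name attribute. The script below is an added example, not Ubisecure or Zendesk code; the two responses embedded in it are constructed samples with placeholder signature and certificate values, and the issuer string is a placeholder too. It checks structure only and does not validate the signature.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
TRANSIENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample response; SIGNATUREPLACEHOLDER / CERTPLACEHOLDER and the
# issuer IDP_ENTITY_ID are placeholders, not real values.
TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Destination="https://YOURACCOUNTNAME.zendesk.com/access/saml">
  <saml:Assertion ID="_a1">
    <saml:Issuer>IDP_ENTITY_ID</saml:Issuer>
    <ds:Signature>
      <ds:SignedInfo/>
      <ds:SignatureValue>SIGNATUREPLACEHOLDER</ds:SignatureValue>
      {key_info}
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="{nameid_format}">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="name">
        <saml:AttributeValue>Alice Example</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
KEY_INFO = ("<ds:KeyInfo><ds:X509Data><ds:X509Certificate>CERTPLACEHOLDER"
            "</ds:X509Certificate></ds:X509Data></ds:KeyInfo>")

# What the flags above should yield, and what an IdP without them might send.
GOOD_RESPONSE = TEMPLATE.format(key_info=KEY_INFO, nameid_format=EMAIL_FORMAT)
BAD_RESPONSE = TEMPLATE.format(key_info="", nameid_format=TRANSIENT_FORMAT)


def check_assertion(xml_text: str) -> dict:
    """Inspect a decoded SAML Response for the properties Zendesk relies on."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"assertion_present": False}
    sig = assertion.find("ds:Signature", NS)
    cert = None if sig is None else sig.find(
        "ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    name_attr = assertion.find(
        "saml:AttributeStatement/saml:Attribute[@Name='name']", NS)
    return {
        "assertion_present": True,
        "assertion_signed": sig is not None,
        "certificate_embedded": cert is not None and bool((cert.text or "").strip()),
        "nameid_is_email": name_id is not None and name_id.get("Format") == EMAIL_FORMAT,
        "nameid_value": None if name_id is None else (name_id.text or "").strip(),
        "name_attribute_present": name_attr is not None,
    }


def problems(findings: dict) -> list:
    """Map failed checks to the configuration item that usually fixes them."""
    messages = {
        "assertion_present": "no Assertion element in the Response",
        "assertion_signed": "Assertion is not signed (check compatibility flags)",
        "certificate_embedded": "no X509Certificate in the signature (AssertionSignCertificate)",
        "nameid_is_email": "NameID is not in emailAddress format (SetNameIDtoEmailAddress)",
        "name_attribute_present": "no 'name' attribute in the AttributeStatement",
    }
    return [msg for key, msg in messages.items() if not findings.get(key)]


if __name__ == "__main__":
    for label, xml_text in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, problems(check_assertion(xml_text)) or "OK")
```

Because Zendesk trusts the certificate fingerprint rather than metadata, the embedded certificate must be the one whose fingerprint was pasted into Zendesk; a rotated signing key with a stale fingerprint fails in the same way as a missing certificate.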
5. Set the allowed authentication methods under Allowed Methods
6. Set the allowed user groups under Allowed To
7. Ensure the application is enabled
8. To test, press the "Sign In" button in Zendesk. The user should be redirected to the Ubisecure sign-in screen to sign in.
9. Verify logout works as configured.