Zendesk supports single sign-on (SSO) logins through SAML 2.0. A SAML 2.0 identity provider (IDP) can take many forms, one of which is a self-hosted Active Directory Federation Services (ADFS) server. ADFS is a service provided by Microsoft as a standard role for Windows Server that provides a web login using existing Active Directory credentials.
Requirements
To use ADFS to log in to your Zendesk instance, you need the following components:
- An Active Directory instance where all users have an email address attribute.
- A Zendesk instance.
- A server running Microsoft Server 2012 or 2008. This guide uses screenshots from Server 2012R2, but similar steps should be possible on other versions.
- An SSL certificate to sign your ADFS login page and the fingerprint for that certificate.
- If you're using host mapping in your Zendesk instance, an installed certificate for hosted SSL.
After you meet these basic requirements, you need to install ADFS on your server. Configuring and installing ADFS is beyond the scope of this guide, but is detailed in a Microsoft KB article.
When you have a fully installed ADFS installation, note down the value for the 'SAML 2.0/W-Federation' URL in the ADFS Endpoints section. If you chose the defaults for the installation, this will be '/adfs/ls/'.
Step 1 - Adding a Relying Party Trust
At this point you should be ready to set up the ADFS connection with your Zendesk account. The connection between ADFS and Zendesk is defined using a Relying Party Trust (RPT).
Select the Relying Party Trusts folder from AD FS Management, and add a new Standard Relying Party Trust from the Actions sidebar. This starts the configuration wizard for a new trust.
- In the Select Data Source screen, select the last option, Enter Data About the Party Manually.
- On the next screen, enter a Display name that you'll recognize in the future, and any notes you want to make.
- On the next screen, select the ADFS FS profile radio button.
- On the next screen, leave the certificate settings at their defaults.
- On the next screen, check the box labeled Enable Support for the SAML 2.0 WebSSO protocol. The service URL will be https://subdomain.zendesk.com/access/saml, replacing subdomain with your Zendesk subdomain. Note that there's no trailing slash at the end of the URL.
- On the next screen, add a Relying party trust identifier of subdomain.zendesk.com, replacing subdomain with your Zendesk subdomain.
Note: If you enter subdomain.zendesk.com and receive a request failure error, you may need to enter your subdomain as https://subdomain.zendesk.com.
- On the next screen, you may configure multi-factor authentication, but this is beyond the scope of this guide.
- On the next screen, select the Permit all users to access this relying party radio button.
- On the next two screens, the wizard will display an overview of your settings. On the final screen, use the Close button to exit and open the Claim Rules editor.
Step 2 - Creating claim rules
Once the relying party trust has been created, you can create the claim rules and update the RPT with minor changes that aren't set by the wizard. By default, the claim rule editor opens once you have created the trust. If you want to map additional values beyond authentication, refer to our documentation.
- To create a new rule, click on Add Rule. Create a Send LDAP Attributes as Claims rule.
- On the next screen, using Active Directory as your attribute store, do the following:
1. From the LDAP Attribute column, select E-Mail Addresses.
2. From the Outgoing Claim Type, select E-Mail Address.
- Click on OK to save the new rule.
- Create another new rule by clicking Add Rule, this time selecting Transform an Incoming Claim as the template.
- On the next screen:
1. Select E-mail Address as the Incoming Claim Type.
2. For Outgoing Claim Type, select Name ID.
3. For Outgoing Name ID Format, select Email.
Leave the rule at the default of Pass through all claim values.
- Finally, click OK to create the claim rule, and then OK again to finish creating rules.
Step 3 - Adjusting the trust settings
You still need to adjust a few settings on your relying party trust. To access these settings, select Properties from the Actions sidebar while you have the RPT selected.
- In the Advanced tab, make sure SHA-256 is specified as the secure hash algorithm.
- In the Endpoints tab, click on add SAML to add a new endpoint.
- For the Endpoint type, select SAML Logout.
- For the Binding, choose POST.
- For the Trusted URL, create a URL using:
1. The web address of your ADFS server
2. The ADFS SAML endpoint you noted earlier
3. The string '?wa=wsignout1.0'
The URL should look something like this: https://sso.yourdomain.tld/adfs/ls/?wa=wsignout1.0.
- Confirm your changes by clicking OK in both the endpoint dialog and the RPT properties. You should now have a working RPT for Zendesk.
Note: Your instance of ADFS may have security settings in place that require all Federation Services Properties to be filled out and published in the metadata. Check with your team to see if this applies in your instance. If it does, be sure to check the Publish organization information in federation metadata box.
Step 4 - Configuring Zendesk
After setting up ADFS, you need to configure your Zendesk account to authenticate using SAML. Follow the steps in Enabling SAML single sign-on. You'll use your full ADFS server URL with the SAML endpoint as the SSO URL, and the SAML Logout endpoint you created in Step 3 as the logout URL. The fingerprint will be the fingerprint of the token signing certificate installed in your ADFS instance.
You can get the fingerprint by running the following PowerShell command on the system with the installed certificate:
Get-AdfsCertificate -CertificateType Token-Signing
Look for the SHA256 thumbprint of the Token-Signing type certificate.
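Get-AdfsCertificate lists the SHA-1 thumbprint, so the SHA-256 value has to be computed from the certificate itself. The script below is an added example, not part of the original article; it assumes the AD FS PowerShell module is available on the federation server and that the AdfsCertificate object exposes the certificate through its Certificate property.

```powershell
# Added example (not from the original article): SHA-256 fingerprint of the primary
# ADFS Token-Signing certificate, in colon-separated hex, with the details worth
# recording alongside it. Assumes the AD FS PowerShell module is available.
$signing = Get-AdfsCertificate -CertificateType Token-Signing |
           Where-Object { $_.IsPrimary }
$cert = $signing.Certificate   # X509Certificate2 (assumed property of AdfsCertificate)

$sha256 = [System.Security.Cryptography.SHA256]::Create()
$digest = $sha256.ComputeHash($cert.RawData)
$fingerprint = ($digest | ForEach-Object { $_.ToString('X2') }) -join ':'

[PSCustomObject]@{
    Subject           = $cert.Subject
    NotAfter          = $cert.NotAfter      # when Zendesk will stop accepting assertions
    Sha1Thumbprint    = $cert.Thumbprint    # the value Get-AdfsCertificate shows by default
    Sha256Fingerprint = $fingerprint        # the value to enter in Zendesk
}

# Caveat: with automatic certificate rollover on, ADFS generates and promotes a new
# token-signing certificate before the current one expires, and the fingerprint
# stored in Zendesk stops matching until it is updated.
if ((Get-AdfsProperties).AutoCertificateRollover) {
    Write-Warning "AutoCertificateRollover is enabled: re-run this after each rollover and update the fingerprint in Zendesk."
}
```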
After you're done:
- In Admin Center, click the Account icon in the sidebar, then select Security > Single sign-on.
The page should look like this:
You should now have a working ADFS SSO implementation for Zendesk.
Switching authentication methods
Important: If you use a third-party SSO method to create and authenticate users in Zendesk, then switch to Zendesk authentication, these users will not have a password available for login. To gain access, ask these users to reset their passwords from the Zendesk sign-in page.