I’ve been working to get a Zendesk helpdesk to talk to Microsoft ADFS for login – this has been a great way to see the possibilities of ADFS SSO, and also quite challenging given that my ADFS knowledge is a bit rusty and fairly basic 🙂
First I created a Sandbox environment from the existing Zendesk setup we have, this is a great feature to test out new additional functionality without disturbing users and agents.
Once this was set up, I followed Zendesk’s own ADFS setup guide:
https://support.zendesk.com/hc/en-us/articles/203663886-Setting-up-single-sign-on-using-Active-Directory-with-ADFS-and-SAML-Plus-and-Enterprise-
This worked fine for the initial setup, but something was still not working, so I contacted Zendesk Support and hoped they could help. They suggested that the fingerprint I had set up in the Zendesk interface was wrong:
In the requirements for ADFS and Zendesk to work, they state:
To me, this said that the SSL cert I have on my ADFS login page is the one I need for my fingerprint value. From Zendesk support I got the first 4 digits of what they thought my fingerprint should be, but that wasn’t correct either. After asking on Twitter, @MrADFS came to my rescue:
@danevald The thumbprint to configure on the Zen Desk side should be the token signing cert and not the SSL cert.
— Samuel Devasahayam (@MrADFS) August 20, 2015
This is easy to find, in ADFS 3.0 at least; run this on the ADFS server:
Get-ADFSCertificate -CertificateType "Token-Signing"
I took the thumbprint from here, copied it into my Zendesk settings, and now it worked.
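To make the distinction between the two certificates concrete, here is an added PowerShell example (not code from the original post, nor from Zendesk or Microsoft) that reads the primary token-signing thumbprint from the ADFS service, reads the SSL thumbprint for comparison, and cross-checks the signing thumbprint against what ADFS publishes in its federation metadata, which is what a relying party like Zendesk actually validates against. It assumes it runs on an ADFS 3.0 (Windows Server 2012 R2) server with the ADFS module, that Get-AdfsSslCertificate is available there, and that $AdfsHost is a placeholder for your federation service name.

```powershell
# Added example, not from the original post or from Zendesk/Microsoft.
# Shows which thumbprint belongs in the Zendesk "fingerprint" field (the
# token-signing cert) and verifies it against the federation metadata that
# ADFS publishes to relying parties.
# Assumptions: ADFS 3.0 on Windows Server 2012 R2 with the ADFS module;
# $AdfsHost is a placeholder for the federation service FQDN.
param([string]$AdfsHost = "adfs.example.com")   # placeholder, replace with your FQDN

Import-Module ADFS

# 1. The certificate ADFS signs SAML tokens with. IsPrimary filters out a
#    secondary cert that may be staged for automatic rollover.
$signing = Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary }
$signingThumb = $signing.Thumbprint.ToUpper()

# 2. The SSL certificate bound to the ADFS login endpoint: the one NOT to use.
#    Get-AdfsSslCertificate exposes its thumbprint as CertificateHash
#    (assumed to exist on ADFS 3.0).
$sslThumb = (Get-AdfsSslCertificate | Select-Object -First 1).CertificateHash.ToUpper()

# 3. The signing certificate(s) ADFS advertises in its federation metadata.
$url = "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$md = (Invoke-WebRequest -Uri $url -UseBasicParsing).Content
$ns = New-Object System.Xml.XmlNamespaceManager -ArgumentList $md.NameTable
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")
$xpath = "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']" +
         "/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
$publishedThumbs = foreach ($node in $md.SelectNodes($xpath, $ns)) {
    # The metadata carries the DER certificate as base64; Thumbprint is the
    # SHA-1 hash of those DER bytes, the same value the ADFS cmdlet displays.
    $der  = [Convert]::FromBase64String($node.InnerText)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
    $cert.Thumbprint.ToUpper()
}

Write-Host "Token-signing (use this in Zendesk): $signingThumb"
Write-Host "SSL cert (do NOT use):               $sslThumb"
Write-Host "Signing certs in metadata:           $($publishedThumbs -join ', ')"

if ($publishedThumbs -contains $signingThumb) {
    Write-Host "OK: the primary token-signing cert is published in the federation metadata."
} else {
    Write-Warning "Primary token-signing cert not found in metadata; check the federation service name and the metadata endpoint."
}
```

Two things worth knowing when using this: the metadata can list more than one signing certificate, because ADFS with AutoCertificateRollover enabled generates a new token-signing certificate before the old one expires and then promotes it to primary, and at that point the fingerprint stored in Zendesk must be updated or logins will start failing; and the thumbprint compared here is the SHA-1 hash of the DER-encoded certificate, which is the form the ADFS cmdlets display, so make sure the field on the Zendesk side expects the same format.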
Another “issue” I faced was that my production Zendesk site wasn’t running SSL, which is required for SSO to work.
There are two ways to handle this:
– If you are OK with your users seeing the true URL of your Zendesk, they are simply forwarded from the CNAME you’ve configured to yoururl.zendesk.com and switched to SSL there.
– If you want to stay at helpdesk.yourdomain.com, you have to provide Zendesk with a public SSL cert, which can be bought from any certificate provider. The certificate request and deployment process is all done through the Security settings in Zendesk.
For me option 1 was OK, so I just switched on Regular SSL, and ADFS now works.