If your organization uses Microsoft ADFS, you can configure Zendesk Sell for SSO. This article explains how to set up the ADFS connection, create claim rules in Sell, edit your trust settings, and configure SSO in Sell.
This article contains the following sections:
- Setting up a relying party trust
- Creating claim rules
- Setting the secure hash algorithm
- Configuring SSO in Sell
Setting up a Relying Party Trust (RPT)
The connection between ADFS and Sell is defined using a Relying Party Trust (RPT). You set this up in ADFS using a wizard.
Set up an RPT
- Launch Microsoft AD FS Management. From the Actions side bar, select the Relying Party Trusts folder, and click Start. This starts the configuration wizard for a new trust.
- In the Select Data Source screen, select the last option, Enter Data About the Party Manually, and click Next.
- Enter a display name that you'll recognize in the future, and any notes, and click Next.
- Select AD FS profile, and click Next.
- Click Next to keep the default certificate settings.
- Check Enable support for the SAML 2.0 WebSSO protocol.
The service URL is your Zendesk Sell Service Provider Assertion Consumer Service URL, which you can find in Settings >Single Sign On.Note: Remove any trailing slash at the end of the URL.
Add a Relying party trust identifier using your Zendesk Sell Service Provider Issuer ID, which you can find in Settings >Single Sign On, and click Next.
Select whether you want to configure multi-factor authentication and click Next.
Select the option to permit all users to access this relying party, and click Next.
On the next two screens, the wizard displays an overview of your settings. Click through to the final screen, and click Close to save and exit and open the Claim Rules editor.
Creating claim rules
You can create the claim rules and update the RPT with minor changes that you did not configure in the previous wizard. Configure the claim rules according to your current ADFS setup.
Setting the secure hash algorithm
Set the secure hash algorithm for the RPT
- In Microsoft AD FS Management, from the Actions side bar, select Properties while you have the RPT selected.
- Select the Advanced tab and set SHA-256 or SHA-1 as the secure hash algorithm.
Configuring SSO in Sell
The final task is to configure SSO in Sell.
Set up SSO in Sell
- Go to Settings >Single Sign On, Configure, and select Manual Setup.
- Enter an Identity Provider Issuer ID, for example, http://yourdomain/adfs/services/trust
- Enter an Identity Provider SSO URL, for example, https://yourdomain/adfs/ls
- Enter an Identity Provider certificate fingerprint. This is the SHA-1 fingerprint of the token signing certificate installed in the ADFS instance.
Your configuration is complete.