Purpose

Zendesk is one of the most widely used support & help center platforms in the world. A common use case for SSO into Zendesk would be to allow your partners to access a knowledge base/help center that is built into your Zendesk platform. The purpose of this article is to assist Allbound System Admins with implementing a SAML SSO from Allbound (Identity Provider) to Zendesk (Service Provider). 

Configuring Allbound

If you are an Allbound System Admin...

1. Go to Allbound Settings > SSO Configurations
2. Under the SAML tab, click "Add New Connection" 
3. Then, click "Create SP to Connect To"

Once you are viewing the SP configuration screen, please set the following configurations in the fields. Be sure to replace the "yoursubdomain.zendesk.com" with your existing Zendesk subdomain. 

According to the Zendesk SSO documentation, it utilizes the email address in the NameID as its unique identifier, so setting the "Name ID Format" to "Email" would be correct. Additionally, by default, Zendesk requires two attributes to be mapped in the attribute statement. It also requires them to utilize the full namespace when defining the attributes. With these two requirements being the case, the remaining configurations would be...

First Name => http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

Last Name => http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

Once your configurations are set, click "Update Settings." After your configurations are saved, navigate back to the configuration and open it to edit. Zendesk requires that you provide an SHA-256 certificate fingerprint instead of an X509 certificate which is what Allbound generates by default. To convert your X509 certificate to an SHA-256 fingerprint, you may use OpenSSL from your computer's console or use an online tool such as SAMLTool. To use the online tool, simply click in the certificate box on the Allbound configuration and CTRL+A to select all, and then CTRL+C to copy. 

Once your certificate is copied, paste it in the "X.509 cert" field, make sure the Algorithm is set to "sha256" then click "Calculate Fingerprint."

Once your fingerprint is created, we have everything set to go and configure Zendesk.

Configuring Zendesk

Now that we have Allbound configured and have the information required, we can configure Zendesk for a new identity provider. 

1. In Admin Center, click Account in the sidebar, then select Security > Single sign-on.
2. Click Create SSO configuration then select SAML.
3. Add a unique Configuration name
4. For the SAML SSO URL, this will be your Allbound instance URL with a query parameter with a key of "sso" and the value is the configuration ID on the Allbound SSO edit screen. You can find this value by navigating to SSO configurations and clicking on the link for the Zendesk configuration. The config_id will be at the end of the URL, and will look something like https://yoursubdomain.allbound.com/allbound-settings/sso/#/SAML/25 with 25 being the config_id. Once you have the config_id, navigate back to Zendesk Admin Center and add the SAML SSO URL of https://yoursubdomain.allbound.com/?sso=[[ config_id ]]
5. Lastly, add the fingerprint that you generated in the online SAMLTool utility and paste that into the "Certificate Fingerprint" field. 

Once you have made these configurations, save them, and then we can move on to testing.

Testing & Implementation

The best way to implement the SSO is through a Quick Link or a Dashboard Button. The link/button URL would be your SAML SSO URL that you configured in the last step. Create a navigation method and click it while logged out of Zendesk. If you are an agent or admin, the correct behavior should be that you go to Zendesk Support ticket view. If you are an end user, you should be navigated to Help Center. If you need additional assistance with testing, open a ticket with Allbound support.