Implement SSO for Zendesk using WSO2 Identity Server
Implementing SSO for Zendesk Customer Support Ticket System using WSO2 Identity Server.
Zendesk is one of the major support, sales, and customer engagement software that enables businesses to quickly implement and easily scales to meet changing needs. But as providing support is a part of your business, your organization might have plenty of other applications that are used by your employees or users regularly apart from the Zendesk system. Hence, implementing a single point of authentication (Single Sign-On — SSO) with Zendesk and other applications will enhance the user experience heavily for your users, and it has become an obligatory requirement in the world. That’s where the WSO2 Identity Server comes into play with plenty of other Identity and Access Management solutions! We can integrate SSO for Zendesk easily using the WSO2 Identity Server just like adding a service provider.
Zendesk provides the SSO feature through SAML and JWT SSO protocols. This article focuses on implementing SSO for Zendesk using the JWT SSO protocol. If you want to implement SSO for Zendesk using the SAML protocol, you may refer to the below documentation.
Wanna know how the JWT SSO works?
Let’s start with configuring the Zendesk application
- In your Zendesk site, click the Zendesk Products icon in the top bar and select Admin Center.
- Click the Security icon in the left sidebar or click on the Security settings and select the Single sign-on tab.
- Click Edit/ Configure for JSON Web Token.
- Select the Enabled checkbox.
- Enter the below URL for the Remote login URL. Wondering how this jwtRP=zendesk jump into here? No worries, that’s the Relying Party name, which we’re going to configure in the WSO2 Identity Server!
https://localhost:9443/identity/jwtsso?jwtRP=zendesk6. Enter the below URL for the Remote logout URL.
https://localhost:9443/identity/jwtsso/logout?jwtRP=zendesk7. Make a copy of the shared secret and Save your changes. If the Shared secret is not in plain text (It’ll be masked once you saved your changes), you’ll have to click Edit/ Configure next to JSON Web Token again to reopen the configuration and will have to disable and enable the JSON Web Token configuration.
8. Select the End users tab on the same page (Security settings) and enable external authentication by selecting the External authentication checkbox.
9. Save the changes.
Take a note of the below and we’ll be using it when we configure the Service Provider in the WSO2 Identity Server.
1. Site URL
The site URL of your Zendesk application. It will look something like below.
https://subdomain.zendesk.com2. API Key (Shared Secret)
The Shared secret we’ve obtained above when we enabling the JSON Web Token SSO on the Zendesk application.
You may refer below for more details on enabling SSO for Zendesk.
Let’s configure WSO2 Identity Server
It’s time to get WSO2 Identity Server 5.10 if you haven’t done yet.
Get the connector from the WSO2 IS connector store.
Let’s download the jar file and place it inside the below directory.
<IS_HOME>/repository/components/dropinsAdd the configuration below in deployment.toml file resides in <IS_HOME>/repository/conf directory and start the server (restart if the server is already up and running).
[[resource.access_control]]
context="/identity(.*)"
secure="false"
http_method="GET"If you’re new to WSO2 Identity Server, you may refer below to run the product.
Once the server is up and running, access the management console at https://localhost:9443/carbon and login with the admin credentials (The default credentials would be admin:admin).
Let’s configure the service provider as depicted below.
Navigate to Main ➜ Service Providers ➜ Add and register a new service provider in the WSO2 IS management console.
Then navigate to Inbound Authentication Configuration ➜ JWT SSO Configuration. The JWT SSO Configuration is the one we’ve added newly by placing the jar in the dropins directory.
Enter zendesk for Relying Party and enter the Endpoint API and the API Key (Shared secret) which we’ve obtained from Zendesk portal.
Enter a Logout URL to redirect the user after the successful logout in the WSO2 Identity Server.
The below table describes the properties used in the JWT SSO inbound authenticator and the sample values related to those properties.
Once you’ve completed configuring the JWT SSO configuration, we have to configure the claims required by Zendesk to create and identify the user. As per the Zendesk documentation, the below claims are mandatory and you may refer to the Zendesk documentation for other supported attributes.
- email (required) - Email of the user being signed in, used to uniquely identify the user record in Zendesk Support.
- name (required) - The name of this user. The user in Zendesk Support will be created or updated in accordance with this.
Apart from the above claims, the iat and the jti attributes are mandatory which are always included in the JWT token generated by the JWT SSO authenticator by default.
Let’s configure the claims in the WSO2 Identity Server SP claims configuration as follows.
- Navigate to the Service Provider you’ve created earlier and expand the Claim Configuration section.
- Select Define Custom Claim Dialect as the Claim mapping Dialect.
- Define the Service Provider Claims (as required by Zendesk) and the related Local Claims (Claims available in WSO2 Identity Server) as below. (This is required to include the user claims in the JWT token; otherwise, no attributes will be included in the JWT token apart from the default attributes such as exp and iat.) Also, mark those claims as Requested Claim and Mandatory Claim so that the user will be prompted to add the claim value if it is not set for the particular user.
That’s! We’re good to start testing!
Let’s try to authenticate to Zendesk by clicking the Login button of Zendesk. You should be prompted with the login page of WSO2 Identity Server if you’re not already authenticated and once you’re authenticated, you should directly be redirected to the Zendesk application without prompting the Login page of Zendesk. Further, if you do not have an account on Zendesk with the provided email, an account will be created for you (user will be provisioned) by Zendesk with the claim values we’ve configured above.
In case if you had any issues with signing into your application due to any invalid configurations, you’re still able to login to Zendesk by accessing the below URL.
https://subdomain.zendesk.com/access/normalAlso, test the logout flow by Signing out from the Zendesk application. Once you click on the Sign out button in Zendesk, your session should be terminated from WSO2 Identity Server as well as from the Zendesk. You can verify whether your session on WSO2 Identity Server is terminated by making the authentication request again and you should be prompted with the login page of WSO2 Identity Server if the session is terminated successfully.
If you got any error message in Zendesk after the successful authentication in WSO2 Identity Server, there is a high chance you haven’t configured the claims properly in the claim configuration section of the service provider. However, if you got any errors in WSO2 Identity Server during the authentication process, you’ll have to refer to the below section too!
Having any issues? Let’s debug!
If you got any error while testing the flow, an error log or an exception should be logged in the wso2carbon log which will help you identify the cause for the issue. If you’re running the server as a background process or as a system service, you may have a look at the wso2carbon log file as follows.
tail -f <IS_HOME>/repository/logs/wso2carbon.logHowever, if you’re still unclear on the error, we may dig a little deeper into the flow of the authentication process by enabling the debug level logs.
1. Add the below lines in the log4j2.properties file resides in <IS_HOME>/repository/conf directory.
2. Append the org-wso2-carbon-identity-sso-jwt to loggers variable as follows.
That’s it! The loggers will be updated in the runtime (Restart is not required) and you’ll see the debug level logs printing in the wso2carbon log when you try the flow again. I believe it’ll help you find the cause of the issue.
If all goes well, we’re done implementing SSO for Zendesk using WSO2 Identity Server!
Find this on my blog!
Cheers!
