
Developers

Adding Zendesk SSO (and More) With Descope


Single sign-on (SSO) simplifies the login experience for users across multiple applications: users sign in once and gain access to several distinct services. It also reduces password-related security risk, makes phishing attacks less effective, and reduces the attack surface by leaving fewer attack vectors to target.

A common example of an application that needs SSO is a ticketing platform like Zendesk. With SSO, both customers and the agents responding to their tickets get a simpler login experience, and different levels of authentication can be required based on the sensitivity of the customer information an agent can see.

In this blog, we will cover how to easily add Zendesk SSO with Descope and how to enforce MFA for specific users using flow conditions based on Zendesk permissions.

Adding Zendesk SSO to Descope

The first step in adding Zendesk SSO with Descope is creating a new application in the Descope Console. To do this, navigate to Applications and press the Create button in the top right. We will use SAML as the authentication protocol; it connects Zendesk to Descope as a Service Provider.

For more about how to configure Descope as a SAML provider, read here.

Fig: Creating a new SAML app in Descope

Configuring the IdP in Zendesk

The next step is to create a Zendesk account for your business. SSO can also be used while you are still on the Zendesk free trial.

Enter the Admin Center in Zendesk and, under the Account tab, navigate to Single sign-on.

Fig: Adding Descope as an SSO IdP to Zendesk

Create a new SAML SSO configuration in the top right and enter the necessary information. This includes:

  • Configuration name

  • SAML SSO URL (found when editing the new SAML Application in Descope)

  • Certificate fingerprint

Fig: Configuring SSO in Zendesk

To get the certificate fingerprint, download the fingerprint hashes from the new application’s settings in the Descope Console as shown in the image below. In the IDP section of the settings, press the download Descope certificate button, then select fingerprint hashes.

Fig: How to get the certificate fingerprint

Once downloaded, copy the SHA-256 fingerprint from the certificate file into the new Zendesk SSO configuration. Now you can save the new SSO configuration and activate it.

Depending on who the SSO is configured for, you can enable it for team members or end users (customers). For team members, navigate to Team member authentication under Account in the Admin Center; for end users, go to End user authentication.

In either of the above cases, enable external authentication then select SSO. Use the new SSO configuration that you created.

Fig: Enabling SSO for team members

SSO is now enabled on Zendesk! However, the Descope application still needs to be configured.

Configuring the SP in Descope

Fig: Entering the SP details into Descope

Under Service Provider in the application’s settings, enter the connection details as shown in the figure above.

Also, select Email as the SAML Assertion Subject Type. Under SSO Mapping, make sure to map the Descope user attribute User ID to the SP user value NameID.

That’s all you need to configure Zendesk SSO with Descope! 

By default, the sign-up-or-in flow shown on the Flows page in your Descope Console is used for authentication, but this can be changed by editing the Flow Hosting URL in the settings of the application you created.

The authentication process can also be altered by changing the flow in the console to allow whichever authentication methods you want. I am using magic links, social login with Google, or passkeys as the primary form of authentication and using OTP as a secondary form when a new user is being authenticated.

Fig: Logging in to Zendesk with Descope

Adaptive MFA based on user roles

Now that SSO is configured on Zendesk, both team members and end users should be able to log in to Zendesk through the same flow. Zendesk handles redirecting the users properly so that agents go to the help center to respond to tickets and customers go to the portal to submit tickets. 

However, what if you want to make the flow more secure for agents, especially those with access to sensitive information like customer billing? As a hypothetical, let’s say you have a certain set of agents in Zendesk with a “Billing” permission attached to their roles, meaning only those agents should be able to access billing information.

With Descope, you can check which groups the user is a part of in Zendesk and see if “Billing” is one of them. If this is true, you can enforce an MFA process (for example, with an OTP) every time a billing agent signs in.

First, add the user to a Billing group in Zendesk. In the Zendesk Admin Center, navigate to People, then Groups. Create a new group named Billing and add the agents who need the higher permission to it. This group can then be assigned whenever a ticket is related to billing, because not all agents should have access to that sensitive information.

Fig: Creating a group in Zendesk

Next, the user’s group information needs to be made available to Descope so that it can be used when the user logs in. To do this, a request to the Zendesk API is made to fetch the user’s information. This can be done using Descope’s Generic HTTP Connector.

Fig: Generic HTTP Connector for Zendesk API

Make the request to your Zendesk subdomain with a custom Authorization header. We used an API token in this example; it can be created in the Zendesk Admin Center under Apps and integrations, then Zendesk API. When using an API token, the header must have a specific format:

Authorization: Basic {base-64-encoded token}

Base64-encode the string your_admin_email/token:your_api_token and use the result as the Basic value of the header.

Now that the connector is configured, a query can be made to the Zendesk API to get the user’s ID in Zendesk. This is needed to find the groups that the user is in. The query used is:

https://descope.zendesk.com/api/v2/users/search.json?query=email:{{user.email}}

Using the JSON this returns, the user ID can be found and used in a second request that fetches the user’s groups. The URL for that request is:

https://descope.zendesk.com/api/v2/users/{{id}}/groups

The JSON this returns lists the groups the user belongs to. If Billing is one of them, you can require an MFA check. Using Scriptlets in Descope Flows, you can search through the group results quickly. In a flow, add a Scriptlet step by pressing the button in the top left to add an action. Scriptlets let you run JavaScript code during the flow and access the context keys used in it.
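The two pieces of logic described above (building the Basic header from the email/token pair, and checking the groups response for Billing) as an added stand-alone Node.js example. This is not the blog's or Descope's own Scriptlet code; the response shapes (a "users" array from the search endpoint and a "groups" array from the groups endpoint) are assumed, and the email, token and JSON values are constructed.

```javascript
// Zendesk API-token auth: the header value is base64("email/token:api_token").
// Assumed helper name; the email and token are placeholders, not real credentials.
function zendeskBasicAuthHeader(adminEmail, apiToken) {
  const raw = `${adminEmail}/token:${apiToken}`;
  return `Basic ${Buffer.from(raw, "utf8").toString("base64")}`;
}

// Pull the Zendesk user id out of a /users/search.json?query=email:... response.
// The search is a text query, so we insist on an exact (case-insensitive) email
// match rather than trusting the first hit.
function findZendeskUserId(searchJson, email) {
  const users = Array.isArray(searchJson && searchJson.users) ? searchJson.users : [];
  const match = users.find(
    (u) => typeof u.email === "string" && u.email.toLowerCase() === email.toLowerCase()
  );
  return match ? match.id : null;
}

// Decide whether the user belongs to the Billing group from a
// /users/{id}/groups response. Missing or malformed data yields false,
// so a failed lookup never grants the less-strict path by accident.
function isBillingAgent(groupsJson) {
  const groups = Array.isArray(groupsJson && groupsJson.groups) ? groupsJson.groups : [];
  return groups.some(
    (g) => typeof g.name === "string" && g.name.trim().toLowerCase() === "billing"
  );
}

// Constructed sample responses (values are made up).
const SAMPLE_SEARCH = { users: [{ id: 12345, email: "agent@example.com" }] };
const SAMPLE_GROUPS = { groups: [{ id: 1, name: "Support" }, { id: 2, name: "Billing" }] };

const userId = findZendeskUserId(SAMPLE_SEARCH, "agent@example.com");
console.log("user id:", userId, "billing agent:", isBillingAgent(SAMPLE_GROUPS));
```

In a real flow the second request only runs when the first returns an id, and the boolean from isBillingAgent is what the condition step compares. Group names are editable in Zendesk, so a renamed group silently stops matching; matching on the group id instead is more robust.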

Fig: A look at the Scriptlets action

The output of this script, scripts.billing, can be used as a context key in a condition for the flow.

Fig: Using the output of a script as a condition

Now, users are given the Billing role in Descope if the Billing group exists in their Zendesk account. MFA can then be required only for billing agents by using a condition in the Descope Flow that checks whether the user has the Billing role in Descope. The same approach works not only with Zendesk Groups, but with any permissions or organizational structures the agent is associated with on the platform.

Conclusion

Single sign-on (SSO) simplifies authentication for your users across multiple services. For a ticketing service like Zendesk, it allows agents and customers to log in through the same portal while still redirecting them to the right place.

In this article, you learned how to use Descope as a SAML SSO provider for Zendesk and how to use Zendesk account information to enforce stricter authentication for certain users through Descope Flows.

Sign up for a Descope account and request a demo to learn more.