Zoho Desk supports SAML 2.0 (Security Assertion Markup Language 2.0), which allows for the use of SSO (Single Sign-On) using enterprise identity providers such as Active Directory. Enabling SSO via SAML 2.0 means that user authentication is handled entirely outside of Zoho Desk.
ADFS is a service provided by Microsoft as a standard role for Windows Server that provides a web login using existing Active Directory credentials. This article explains how to configure the single sign-on integration of a self-hosted Active Directory Federation Services (ADFS) server and Zoho Desk.
You must work closely with your IT team to ensure all of the following prerequisites are met:
- A Zoho Desk org on the Standard, Professional or Enterprise plan
- Administrator level access to your help desk
- Log into your Zoho Desk account and keep the SAML setup page open
- An Active Directory instance has been set up, where all users under your account in Zoho Desk have an account, with the same email address
- You know your ‘SAML 2.0/WS-Federation’ URL (found under ADFS Endpoints)
After you meet these prerequisites, you need to install ADFS on your server. Configuring and installing ADFS is beyond the scope of this help article, but is detailed in a Microsoft KB article here.
Step 1 - Adding a Relying Party Trust
The connection between ADFS and Zoho Desk is defined using a Relying Party Trust (RPT). The first step is to select the Relying Party Trusts folder from AD FS Management, and add a new Relying Party Trust from the Actions sidebar.
- Log in to the server where ADFS is installed.
- Launch the ADFS Management Console.
- On the left hand tree view, select “Relying Party Trusts”.
- Right click and select “Add Relying Party Trust…”.
- Select the Relying Party Trusts folder from AD FS Management, and add a new Relying Party Trust from the Actions sidebar on the right.
- On the Select Data Source screen, click Enter data about the relying party manually and click Next.
- Provide information for each screen in the Add Relying Party Trust wizard.
- Enter a Display name that you will recognize in the future (e.g. Zoho Desk Help Center Login), select AD FS profile, and then click Next.
- Skip the Configure Certificate screen by clicking Next.
- On the Configure URL screen, check the box labeled Enable support for the SAML 2.0 WebSSO protocol. Copy and paste the SAML Response URL from the SAML screen of Zoho Desk as the service URL.
Note: There’s no trailing slash at the end of the URL.
- On the Configure Identifiers screen, enter the Relying party trust identifier. Enter "zoho.com" and then click Add. If your data is hosted in the EU DC, enter "zoho.eu"; if in the IN DC, enter "zoho.in"; and similarly, for the AU DC enter "zoho.au". Click Next.
- Skip the Configure Multi-factor Authentication screen (unless you want to configure this) by clicking Next.
- Skip the Choose Issuance Authorization Rules screen by clicking Next.
- On the Ready to Add Trust screen, review your settings and then click Next.
- On the final screen use the Close button to exit. This opens the Claim Rules editor.
Step 2 - Creating Claim Rules
After you create the relying party trust, you can create the claim rules and update the RPT with minor changes that aren't set by the wizard.
- By default, the Claim Rules editor opens. Click Add Rule to create a new rule.
- In the Claim rule template list, select the Send LDAP Attributes as Claims template, and then click Next.
- On the next screen, using Active Directory as your attribute store, create the following rule:
- Enter a descriptive rule name
- Attribute Store: Active Directory
- Add the following mapping:
- From the LDAP Attribute column, select E-Mail Addresses.
- From the Outgoing Claim Type, select E-Mail Address.
- Click OK to save the new rule.
- Create another new rule by clicking Add Rule. This time select Transform an Incoming Claim as the template and then click Next.
- On the next screen do the following:
- Enter a descriptive rule name
- Select E-mail Address as the Incoming Claim Type.
- For Outgoing Claim Type, select Name ID.
- For Outgoing Name ID Format, select Email.
- Leave the rule to the default of Pass through all claim values.
- Finally, click OK to create the claim rule, and then OK again to finish creating rules.
Step 3 - Adjusting the Trust Settings
Some settings on your Relying Party Trust (RPT) will need to be adjusted. To access these settings, select Properties from the Actions sidebar on the right while you have the RPT selected.
- Go to the AD FS Management window.
- In the Relying Party Trusts list, double-click the relying party object that you created (or select Actions > Properties while you have the Relying Party Trust selected).
- Click the Advanced tab.
- Make sure SHA-256 is specified as the secure hash algorithm.
- In the Endpoints tab, click Add SAML to add a new endpoint.
- For the Endpoint type, select SAML Logout.
- For the Binding, choose POST.
- For the Trusted URL, create a URL using:
- The web address of your ADFS server.
- The ADFS SAML endpoint you noted earlier.
- The string ‘wa=wsignout1.0’
- The Trusted URL should look something like this: https://sso.yourdomain.tld/adfs/ls/?wa=wsignout1.0
- Leave the Response URL blank.
- Click OK twice. You should now have a working relying party trust for Zoho Desk.
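The same Relying Party Trust, claim rules and endpoints that Steps 1 to 3 build in the wizard can be created with the ADFS PowerShell module; this is an added example, not part of the Zoho article. It assumes an elevated session on the ADFS server, the host name sso.yourdomain.tld from this article, and a placeholder for the SAML Response URL that you copy from Zoho Desk's SAML page; the permit-all authorization rule mirrors the wizard default that the article skips past.

```powershell
Import-Module ADFS

# Values you must supply. $AcsUrl is the "SAML Response URL" from Zoho Desk's SAML page
# (placeholder here); $Identifier is the relying party trust identifier for your data center.
$AcsUrl     = 'https://PLACEHOLDER-zoho-desk-saml-response-url'   # no trailing slash (Step 1 note)
$Identifier = 'zoho.com'                                           # zoho.eu / zoho.in / zoho.au for other DCs
$AdfsHost   = 'sso.yourdomain.tld'

# Step 2 rules in the ADFS claim rule language: LDAP "mail" -> E-Mail Address claim,
# then E-Mail Address -> Name ID using the SAML email name-id format.
$emailClaim  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$nameIdClaim = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$rules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Send E-Mail Address as claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$emailClaim"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "E-Mail Address to Name ID"
c:[Type == "$emailClaim"]
 => issue(Type = "$nameIdClaim", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
"@

# Step 1 endpoint (assertion consumer, POST) and Step 3 endpoint (SAML Logout, POST, wa=wsignout1.0).
$endpoints = @(
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $AcsUrl -Index 0
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout -Uri "https://$AdfsHost/adfs/ls/?wa=wsignout1.0"
)

# Create the trust; SignatureAlgorithm is the "SHA-256 secure hash algorithm" setting from Step 3.
Add-AdfsRelyingPartyTrust -Name 'Zoho Desk Help Center Login' `
    -Identifier $Identifier `
    -SamlEndpoint $endpoints `
    -IssuanceTransformRules $rules `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");' `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

# Read the trust back to confirm identifier, hash algorithm and both endpoints.
Get-AdfsRelyingPartyTrust -Name 'Zoho Desk Help Center Login' |
    Select-Object Name, Identifier, SignatureAlgorithm, SamlEndpoints
```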
Step 4 - Exporting Certificate from the AD FS Server
You must now export the token-signing certificate as base-64 encoded. This certificate is used when configuring SAML authentication in Zoho Desk.
- Open AD FS 2.0 MMC and navigate to Service > Certificates.
Here, you will find the Token-signing certificate for your AD FS server that is used to authenticate your SAML connection from Zoho Desk.
- Under Token-signing, right-click the certificate and select View Certificate.
- Click the Details tab and then click Copy to File.
The Certificate Export Wizard opens.
- Click Next.
- In the Export File Format window, select the Base-64 encoded X.509 (.CER) option and click Next.
- Specify a name for the file you want to export (for example, TokenSigningCert.cer) and click Next. The file name you choose does not affect the setup.
- Click Finish to export the file.
A message is displayed stating "The export was successful".
- Click OK to dismiss the message.
- Close the MMC.
- The token-signing certificate is downloaded in .cer format. Since Zoho Desk does not accept certificates in this format, save its contents to a .txt file.
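Step 4 can also be done from PowerShell on the ADFS server, writing the primary token-signing certificate straight to the Base-64 .txt file Zoho Desk expects; this is an added example, not part of the Zoho article. The output path is an assumption, and the trailing checks are there because a token-signing certificate that expires or rolls over stops every Zoho Desk login until the new public key is uploaded again in Step 5.

```powershell
Import-Module ADFS

# The primary token-signing certificate is the one Zoho Desk must trust (Service > Certificates in the MMC).
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$cert    = $signing.Certificate   # System.Security.Cryptography.X509Certificates.X509Certificate2

# Same bytes the wizard's "Base-64 encoded X.509 (.CER)" option produces, wrapped at 64 columns.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64 = [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks)
$pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----"

# Write it directly as .txt (assumed path) so no .cer -> .txt rename is needed for the upload.
$outFile = 'C:\Temp\TokenSigningCert.txt'
Set-Content -Path $outFile -Value $pem -Encoding Ascii

# Checks worth doing before uploading: thumbprint to compare against the MMC, and remaining validity.
$daysLeft = ($cert.NotAfter - (Get-Date)).Days
"Thumbprint: $($cert.Thumbprint)  NotAfter: $($cert.NotAfter)  Days left: $daysLeft  File: $outFile"
if ($daysLeft -lt 30) {
    Write-Warning 'Token-signing certificate expires within 30 days; plan the key re-upload in Zoho Desk.'
}
if ((Get-AdfsProperties).AutoCertificateRollover) {
    Write-Warning 'AutoCertificateRollover is enabled: after each rollover, repeat this export and Step 5.'
}
```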
Step 5 - Configuring for use with Zoho Desk
After setting up ADFS, you need to configure your Zoho Desk to authenticate using SAML 2.0.
- Click the Setup icon in the top bar.
- Click Help Center under the Channels menu.
- Select the Help Center in which you want to authenticate users using SAML.
- Click User Authentication under the Help Center sub-menu.
- On the SAML page, provide the following details:
- Remote Login URL: Enter the remote login URL as https://sso.yourdomain.tld/adfs/ls
- Remote Logout URL: Enter the remote logout URL as https://sso.yourdomain.tld/adfs/ls/?wa=wsignout1.0
- Reset Password URL: Enter the reset password URL as https://sso.yourdomain.tld/adfs/ls
- Public Key: Upload the base-64 encoded X.509 certificate in text format (see Step 4).
- Algorithm: Select RSA from the drop-down menu.
You should now have a working ADFS SSO implementation for Zoho Desk.