This article reviews the complete process for configuring SAML Single Sign-On (SSO) between Zendesk and Microsoft Entra ID (formerly Azure AD). Implementing SSO can strengthen security, simplify user administration and improve the day-to-day login experience. Centralising authentication in Microsoft Entra ID means users sign in with one set of login credentials, and access to Zendesk is managed centrally.
The guide is designed as a detailed, practical step-by-step walkthrough with an explanation of relevant technical concepts and recommended approaches for a stable implementation.
Prerequisites: Checklist Before Starting
Before the technical setup is started, the necessary prerequisites must be in place to ensure an efficient and trouble-free process.
- Administrator permissions: Global administrator or cloud application administrator access is required in the Microsoft Entra admin center, as well as administrator access in the Zendesk Admin Center. The permissions are necessary in order to create and configure applications in both systems.
- Zendesk subscription: The Zendesk subscription must support SAML SSO. This is included in all Zendesk Suite plans (Team, Growth, Professional, Enterprise and Enterprise Plus). The current plan can be checked with Zendesk if in doubt.
- Clarification of users and groups: It must be clarified which users or groups in Microsoft Entra ID are to have access to Zendesk via SSO. It is recommended to start with a test group of a few technically capable employees in order to minimise the risk of affecting the entire organisation in the event of any challenges.
- Browser preparation: Use a modern browser (e.g. Chrome, Firefox or Edge), and temporarily disable any aggressive ad blockers, since these can interfere with redirects between Zendesk and Microsoft Entra ID during the login process.
Part 1: Technical Configuration - Step by Step
The approach follows a logical order: first Zendesk is prepared, then Microsoft Entra ID is configured, and finally the two systems are connected.
Step 1: Prepare Zendesk - Gathering the Necessary Information
The first step is to gather the information from Zendesk that Microsoft Entra ID needs in order to communicate securely with Zendesk. The information acts as the necessary endpoints and identifiers for the SAML integration.
- Log in to the Zendesk Admin Center.
- Click Account in the left side panel, and select Security > Single sign-on.
- Click Create SSO configuration, and select SAML.
- Zendesk now displays the information that needs to be used. The following three values must be available for the next step:
- Zendesk SSO URL: The URL that users are sent to when the login process is started.
- Reply URL (Assertion Consumer Service URL): The specific Zendesk URL that Microsoft Entra ID is to send the SAML response to after a successful login.
- Issuer/Entity ID: A unique identifier for the Zendesk account, which Microsoft Entra ID uses to verify that the response is sent to the correct recipient.
Leave the window open in the browser while continuing to the next step.
Step 2: Register Zendesk as an Enterprise Application in Microsoft Entra ID
Zendesk must be registered in Microsoft Entra ID as an application that is to handle login via SSO. This is done by creating an Enterprise Application.
- Log in to the Microsoft Entra admin center.
- Navigate to Entra ID > Enterprise apps > New application.
- In the search field under Add from the gallery: type Zendesk.
- Select Zendesk from the results list, and click Add. Wait a moment while the app is added to your tenant.
Microsoft has a ready-configured Zendesk integration in the Entra gallery that pre-fills default values and is the officially recommended approach for this integration.
Step 3: Configure the SAML Connection in Microsoft Entra ID
This step establishes the SAML connection and defines which user information is sent to Zendesk.
Basic SAML Configuration
- In the newly created Zendesk application in Entra ID: navigate to Single sign-on in the left-hand menu.
- Select SAML as the method.
- Click Edit in the Basic SAML Configuration section.
Enter the values from Step 1:
- Identifier (Entity ID): Paste the Issuer/Entity ID from Zendesk.
- Reply URL (Assertion Consumer Service URL): Paste the Reply URL from Zendesk.
- Sign on URL: The field is optional, but it is recommended to paste the Zendesk SSO URL for a more coherent user experience (the option to start the login flow from app portals).
- Relay State: The field is left empty unless there is a specific reason to use it.
- Click Save.
Advanced Configuration: Attributes & Claims
This step defines the user identity by sending attributes from Entra ID to Zendesk.
- Scroll down to Attributes & Claims, and click Edit.
- By default, there is a claim named Name ID. It must be configured to send a unique and immutable identifier. A common and robust setting is user.userprincipalname, so that the email address/UPN sent from Entra ID matches the registered user in Zendesk. If a different email format is used in Zendesk, user.mail may be a better choice.
- Add extra claims (recommended): To ensure that name and email are synchronised, additional claims can be added. This is particularly useful when new users are created via SSO.
Click Add new claim to add the following:
| Claim name | Source attribute | Reason |
|---|---|---|
| emailaddress | user.mail | Ensures that the user's email field in Zendesk is filled in correctly. |
| firstname | user.givenname | Fills in the user's first name in the Zendesk profile. |
| lastname | user.surname | Fills in the user's surname in the Zendesk profile. |
Click Save after each addition.
Step 4: Complete the Setup in Zendesk with Metadata
Once the SAML connection is configured in Entra ID, metadata from Entra ID must be transferred to Zendesk via a metadata file with public information and certificates.
- Go back to the overview for SAML-based sign-on in the Entra application.
- Under Set up Zendesk: copy the Login URL and Logout URL.
- Under SAML Signing Certificate: copy the value in the Thumbprint field.
- Go to Zendesk Admin Center → Account → Security → Single sign-on.
- Fill in the fields in the SAML configuration:
- SAML SSO URL: Paste the Login URL from Entra.
- Certificate fingerprint: Paste the Thumbprint value from Entra.
- Remote logout URL: Paste the Logout URL from Entra.
- Important: Click Save to save the configuration. SSO must not be enabled yet, as the setup must first be tested to avoid locking users out.
Part 2: Testing, Rollout and Activation
Thorough testing is crucial to avoid lockout and to ensure a stable go-live.
Step 5: Testing the SSO Connection
The configuration must now be verified in practice.
- In the Microsoft Entra admin center: navigate to the Zendesk application.
- Go to Users and groups, and click Add user/group.
- Select a test user (or the previously created test group) in Entra ID, and grant access to the application.
- Log out of Zendesk (alternatively, use an incognito tab for a clean session).
- Go to the Zendesk login page (yourdomain.zendesk.com/access/normal). There should now be a button or a link to log in via the SSO provider.
- Click the link. You are redirected to Microsoft's login page, where the Entra ID user can log in.
- After a successful login, you are redirected back to Zendesk, and the session is created.
If the test fails, typical causes are incorrect URL configuration or a mismatch in the Name ID claim. See the troubleshooting section below.
Step 6: Planned Rollout to the Organisation
Once the test has been approved, the solution can be rolled out to the rest of the organisation.
- In the Microsoft Entra admin center: assign more users or groups to the Zendesk application. Groups are recommended for easier administration (e.g. "Zendesk agents", "Zendesk administrators").
- Once the relevant users have been assigned: go to Zendesk Admin Center → Account → Security → Single sign-on.
- Enable SSO by switching the toggle on. You can at the same time choose how SSO is enforced:
- Optional: Login with email and password is still possible. Well suited for a transition phase.
- Required for all users (except administrators): Everyone (except exempted admin users) must use SSO. This is the most secure setup.
- Click Save.
Best Practices, Tips and Troubleshooting
The following guidelines can contribute to a robust and secure implementation.
⚠️ The Most Important Advice: Keep an "Escape Hatch"
There should always be at least one Zendesk administrator who is not covered by the SSO configuration. This user must be able to log in via ordinary email/password. In the event of problems with the SSO setup (e.g. an expired certificate or downtime in Entra ID), the administrator can still access Zendesk and fix the error without locking the organisation out.
Next Step: Automate User Administration with SCIM
You may consider setting up SCIM provisioning for full automation. This makes it possible for Microsoft Entra ID to automatically create, update and deactivate users in Zendesk based on group membership in Entra ID. When a new employee is created in Entra ID and added to the "Zendesk agents" group, the user can be created automatically in Zendesk. When the employee leaves, access can be deactivated automatically. This is a natural next step after a successful SSO implementation.
Troubleshooting: Solving Common Challenges
In the event of problems, the following can be checked first:
- Microsoft Entra ID sign-in logs: Go to Microsoft Entra ID > Identity > Monitoring & health > Sign-in logs for detailed error messages for login attempts. Filter by the application name for relevant logs.
- Zendesk SAML logs: In the Zendesk Admin Center under Account → Security, you can often find logs that show received SAML requests.
Error: "Invalid response" or "Invalid signature"
This indicates a problem with the digital signature that confirms that the response comes from Entra ID.
- Solution: Check that the signing certificate in Zendesk is up to date. Download the latest metadata file from Entra ID, and upload it again to Zendesk.
Error: "User not found"
This is typically due to a mismatch between the identifier sent in the Name ID claim (often UPN/email) and the email address registered on the user in Zendesk.
- Solution: Check that the user in Zendesk has exactly the same email address as in Entra ID. Also double-check the configuration of the Name ID claim in Entra ID.
Error: "Request expired" or time-related errors
This can occur when there is a time difference of more than a few minutes between the servers at Zendesk and Microsoft.
- Solution: Check that the servers are synchronised with an NTP time server. If the problem persists, the "Clock skew" settings in Entra ID can be adjusted, but this should be done with caution.
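A field-level check for the failures listed above, as an added example that is not part of the original article or of Zendesk's or Microsoft's tooling: it decodes a SAMLResponse form value (assumed to be copied from the browser's network tab during the Step 5 test) and compares it with the Entity ID and Reply URL from Step 1, the user's Zendesk email, and the validity window. The function name, the 3-minute skew tolerance and all sample values are assumptions; the signature itself is not verified.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample, not captured from a real tenant. All values are placeholders.
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://sp.example.test/acs">
 <a:Assertion><a:Subject><a:NameID>anna@example.test</a:NameID></a:Subject>
  <a:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T11:00:00Z">
   <a:AudienceRestriction><a:Audience>https://sp.example.test</a:Audience></a:AudienceRestriction>
  </a:Conditions></a:Assertion></p:Response>"""

def _ts(value):
    # SAML timestamps are UTC with a trailing "Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def diagnose(saml_response_b64, entity_id, reply_url, zendesk_email, now,
             skew=timedelta(minutes=3)):
    """Return findings for a base64 SAMLResponse form value; [] means all checks pass.
    Field inspection only: the XML signature is not verified here."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        return ["no assertion (encrypted or failed sign-in)"]
    findings = []
    # Reply URL from Step 1 must be where the response was addressed
    if root.get("Destination") != reply_url:
        findings.append("Destination != Reply URL")
    # Issuer/Entity ID from Step 1 must be the intended audience
    audience = assertion.findtext("a:Conditions/a:AudienceRestriction/a:Audience", namespaces=NS)
    if audience != entity_id:
        findings.append("Audience != Entity ID")
    # "User not found": Name ID must equal the email on the Zendesk user
    name_id = assertion.findtext("a:Subject/a:NameID", default="", namespaces=NS)
    if name_id.strip() != zendesk_email.strip():
        findings.append("Name ID != Zendesk email")
    # "Request expired": compare the validity window with the local clock
    cond = assertion.find("a:Conditions", NS)
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < _ts(nb):
            findings.append("not yet valid (clock behind)")
        if noa and now - skew >= _ts(noa):
            findings.append("expired (clock ahead or stale response)")
    return findings
```

Pass `datetime.now(timezone.utc)` as `now` when checking a response captured moments ago.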
Conclusion: A Future-Proof Login Experience
After completing the steps, a secure and effective SAML SSO connection has been established between Microsoft Entra ID and Zendesk. The login process is simplified, and security management is strengthened through centralised access as well as the option of conditional access in Entra ID.
The setup can be technical, but once it is in place, it can reduce administrative work and improve the user experience. A solid foundation has at the same time been created for a secure and scalable cloud infrastructure. If challenges arise along the way, or if the setup is to be optimised further (e.g. with SCIM provisioning), relevant advice and assistance can be obtained.