Setting up SAML Single Sign-on for Help Center

Security Assertion Markup Language (SAML) is a mechanism for exchanging authentication and authorization data between applications, in particular between an identity provider (IdP) such as OneLogin, Okta, or PingIdentity and a service provider such as Zoho Desk. You can configure SAML-based single sign-on (SSO) for end users so they can access your Help Center without being prompted to enter separate login credentials.

Notes:
  • SAML single sign-on is not available on the Free edition.
  • Only users with Administrator profiles will be able to manage the SAML settings.
  • SAML authentication will only apply to end user accounts and not to your agent accounts.
  • You can set up either remote authentication or SAML for single sign-on, but not both at the same time.
  • End users cannot self-sign up or change their account password on a SAML-enabled Help Center.

How SAML Works

SAML single sign-on authentication involves a service provider, in this case Zoho Desk, and an identity provider. When you've enabled SAML, end-user management and authentication are handled through your company's identity provider (IdP). An end user who requests access to the Zoho Desk Help Center is redirected to your identity provider for authentication. The identity provider authenticates the end user and, in return, generates an authentication assertion, which indicates that the user has been authenticated. On receiving the assertion, the end user is redirected back to your Help Center and then signed in seamlessly. Because authentication happens at a single point, with your trusted identity provider, SAML ensures that your end-user credentials are secure within your company's firewall boundary.

Setting up SAML SSO

The third-party identity provider provides the configuration details for the SAML. Note that you must log in with administrator credentials to set up SAML single sign-on in your Zoho Desk.
  1. Click the Setup icon in the top bar.
  2. Click Help Center under the Channels menu.
  3. Click Help Center SAML under the Help Center sub-menu.
  4. On the Help Center SAML page, provide the following details:
    • Remote Login URL: Enter the remote login URL of your IdP to which Zoho Desk will redirect your end users when they log in to the Help Center.
    • Remote Logout URL: Enter the remote logout URL of your IdP to which Zoho Desk will redirect your end users when they attempt to log out of the Help Center.
    • Reset Password URL: Enter the reset password URL of your IdP to which Zoho Desk will redirect your end users when they try to change their password for the Help Center.
    • Public Key: Upload the public X.509 certificate in text format. We will use the public key contained in the certificate to verify that your identity provider has issued all received SAML authentication requests.
    • Algorithm: Select the algorithm, RSA or DSA, that your IdP used to generate the public keys and certificates.
  5. Click Save.
Before clicking Save, you'll see new fields (like Help Center SAML Request URL, etc.) and values listed. Copy those values over to your identity provider so that your IdP can communicate with your SAML-enabled Zoho Desk.

Disabling SAML SSO

You may go back to using Zoho Desk's built-in authentication, or switch to a different identity provider (IdP), by disabling the SAML configuration. Once you disable SAML, end users will need a Zoho Desk account password to log in to your Help Center. Please keep the following implications in mind as you disable SAML for single sign-on:
  • End users who had a password on your Help Center account before enabling SAML single sign-on can use that to log in.
  • End users who signed up for your Help Center after enabling SAML single sign-on will need to reset their password when they log in the next time.

To disable SAML single sign-on:
  1. Click the Setup icon in the top bar.
  2. Click Help Center under the Channels menu.
  3. Click Help Center SAML under the Help Center sub-menu.
  4. On the Help Center SAML page, click Disable in the upper-right corner of the screen.
  5. Click Continue to confirm your action.

Configuring the Identity Provider

Find the provider-specific instructions listed here, or look up instructions with the identity provider you use.

Zoho Vault

This section describes how to configure Zoho Vault to provide SSO for your Zoho Desk Help Center.
  1. Log in to your Zoho Vault account.
  2. Navigate to Apps >> Manage Apps.
  3. Click Add Custom App.
  4. In the Application Settings tab, provide the following details:
    • Application Name: Provide a name for the application. For example, Zoho Desk.
    • Assertion Consumer Service URL -  Paste the value for SAML Response URL that you copied from the Help Center SAML screen in Zoho Desk.
    • Audience URI (SP Entity ID) - Enter your Zoho Desk Help Center instance URL (it has the pattern https://support.mycompany.com/ ).
  5. Click Next.
  6. You now need to provide the details of Zoho Vault (IdP) to Zoho Desk (SP).
  7. In the IdP Details tab, do the following:
    • Copy the Identity Provider Single Sign-On URL and paste it into the Remote Login URL field in Zoho Desk Help Center SAML page.
    • Copy the Identity Provider Single Logout URL and paste it into the Remote Logout URL field in Zoho Desk Help Center SAML page.
    • Copy the Identity Provider Issuer and paste it into the Reset Password URL field in Zoho Desk Help Center SAML page.
    • Copy the Identity Provider Certificate and save it to a .txt file. Then upload the file into the Public Key field in Zoho Desk Help Center SAML page.
  8. Click Next.
  9. In the  Manage App Access tab, select the list of users to whom you wish to give access to the SAML-enabled Help Center.
  10. Click Save.

Okta

This section describes how to configure Okta to provide SSO for your Zoho Desk Help Center.
  1. Log in to your Okta account with administrative privileges.
  2. Click the Applications tab.
  3. Click Add Application and then click Create New App.
  4. On the pop-up window, select the SAML 2.0 option and then click Create.
  5. In the General Settings page, provide a name for the application. For example, Zoho Desk.
  6. Click Next to continue.
  7. In the Configure SAML page, do the following:
    • Single sign on URL  - Paste the value for SAML Response URL that you copied from the Help Center SAML screen in Zoho Desk.
    • Audience URI (SP Entity ID) - Paste the value of  SAML Response URL  here as well.
    • Default RelayState - Paste the value for Default Relay State that you copied from the Help Center SAML screen in Zoho Desk.
    • Name ID format - Specify as EmailAddress.
  8. Click Next to continue.
  9. In the Feedback page, select I’m an Okta customer adding an internal app, and check the  This is an internal app that we have created option.
  10. Click Finish.
    The Sign On section of your newly created application appears.
  11. Click View Setup Instructions on the Sign On tab. It opens a new window to the IdP settings.
  12. On the IdP Settings window, do the following:
    • Copy the Identity Provider Single Sign-On URL and paste it into the Remote Login URL field in Zoho Desk Help Center SAML page.
    • Copy the Identity Provider Issuer and paste it into the Remote Logout URL field in Zoho Desk Help Center SAML page.
    • Copy the Identity Provider Single Sign-On URL and paste it into the Reset Password URL field in Zoho Desk Help Center SAML page.
    • Copy the X.509 Certificate and save it to a .txt file. Then upload the file into the Public Key field in Zoho Desk Help Center SAML page.
  13. Click Save.
  14. Now you must select the users to whom you wish to give access to the SAML-enabled Help Center. To do this:
    • Click the Applications tab and select your newly created application on Okta.
    • Click on the Assignments section of the application.
    • Click Assign and then select Assign to People.
    • In the pop-up window, type your username into the search box and then click  Assign next to your username.
      Repeat this step to add more users.
  15. Click Done to exit the assignment wizard.
  16. Back in Zoho Desk, check the Enable Signup option on the Help Center SAML page to allow the new user to log in for the first time and then click Save.

OneLogin

This section describes how to configure OneLogin to provide SSO for your Zoho Desk Help Center.
  1. Log in to your OneLogin account.
  2. Go to Apps >> Add Apps in the OneLogin administrator dashboard.
  3. Search for 'SAML Test Connector' and select the first result from the search results.
    It should be SAML Test Connector (IdP).
  4. When the Configuration tab appears, provide a name for the application. For example, Zoho Desk.
  5. Click Save.
    Now, additional tabs appear, and you land on the Info tab.
  6. Click the Configuration tab and enter the following details:
    • RelayState - Paste the value for Default Relay State that you copied from the Help Center SAML screen in Zoho Desk.
    • Recipient - Paste the value for SAML Response URL that you copied from the Help Center SAML screen in Zoho Desk.
    • ACS (Consumer) URL Validator - Paste the value of  SAML Response URL  here as well.
    • ACS (Consumer) URL - Paste the value of  SAML Response URL  here as well.
  7. Once done, click the SSO tab and do the following:
    • Copy the SAML 2.0 Endpoint (HTTP) URL and paste it into the Remote Login URL field in Zoho Desk Help Center SAML page.
    • Copy the  SAML 2.0 Endpoint (HTTP) URL and paste it into the Reset Password URL field in Zoho Desk Help Center SAML page.
    • Copy the  SLO Endpoint (HTTP) URL and paste it into the Remote Logout URL field in Zoho Desk Help Center SAML page.
    • In the X.509 Certificate field, click View Details and save the contents to a .txt file. Then upload the file into the Public Key field in Zoho Desk Help Center SAML page.
  8. Now you must select the users to whom you wish to give access to the SAML-enabled Help Center. To do this:
    Click the Users tab and then click All Users to add the app to individual user accounts.
  9. Click Save.
  10. Back in Zoho Desk, check the Enable Signup option on the Help Center SAML page to allow the new user to log in for the first time and then click Save.

Auth0

This section describes how to configure Auth0 to provide SSO for your Zoho Desk Help Center.
  1. Log in to your Auth0 account.
  2. Go to Dashboard >> Applications.
  3. Click the + CREATE APPLICATION button on the right.
  4. In the Name field, enter a name for the application. For example, Zoho Desk.
  5. Select the type of Application you want to create.
  6. Click Save.
  7. Go back to Dashboard >>  Applications.
  8. Find the application you just created in Step 4, and click the Gear icon corresponding to it.
  9. Scroll down and click on the Advanced Settings link.
  10. In the expanded window, click the  Download Certificate button under the Certificates section.
    The downloaded certificate will be a .pem file.
  11. Now scroll back up and click on the Addons tab. Then enable the SAML2 WEB APP option.
    You will see a screen asking you to provide additional configuration information.
  12. On the Settings section of the screen, enter the following details:
    • Application Callback URL - Paste the value for SAML Response URL that you copied from the Help Center SAML screen in Zoho Desk.
    • Settings - Paste the below SAML configuration into this field.
      {
        "mappings": {
          "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
          "given_name": "User.FirstName",
          "family_name": "User.LastName"
        },
        "createUpnClaim": false,
        "passthroughClaimsWithNoMapping": false,
        "mapUnknownClaimsAsIs": false,
        "mapIdentities": false,
        "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        "nameIdentifierProbes": [
          "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
        ]
      }
    • Click Save.
  13. In the Addon SAML2 Web App popup, click the Usage tab and do the following:
    • Copy the Identity Provider Login URL and paste it into the Remote Login URL and the Reset Password URL fields in Zoho Desk Help Center SAML page.
    • Enter https://YOUR_AUTH0_DOMAIN/v2/logout in the Remote Logout URL field. Replace YOUR_AUTH0_DOMAIN with your actual Auth0 domain.
    • Upload the certificate you saved in Step 10 into the Public Key field in Zoho Desk Help Center SAML page.
  14. When done, click Save in Zoho Desk. 
    Your end users will now be redirected to the Auth0's sign-in page when signing in to the Help Center.

Google G Suite

This section describes how to configure G Suite to provide SSO for your Zoho Desk Help Center.
  1. Sign in to your Google G Suite admin console with an administrator account.
  2. In your Google G Suite admin console, click through to Apps > SAML Apps.
    You will see a list of any existing SAML apps.
  3. Click the big plus sign in the bottom right to add a new one.
  4. Under Enable SSO for SAML application, select Setup my own custom app.
  5. Under Google IdP Information, copy the SSO URL and paste it into the Remote Login URL and the Reset Password URL fields in Zoho Desk Help Center SAML page.
    Your members redirect here when they sign in with an email address with your Google domain.
  6. Enter the Remote Logout URL as https://accounts.google.com/logout in Zoho Desk Help Center SAML page.
  7. Under Certificate, select Download. Then upload the file into the Public Key field in Zoho Desk Help Center SAML page.
  8. Click Next.
  9. Under Basic information for your Custom app, enter a name and description to help others identify your app.
  10. For Upload logo, select Choose File and browse to and select the PNG or GIF to use as the app's icon.
    Alert: Google G Suite requires you to recreate the app if you change or add the logo after you set up the connection.
  11. Click Next.
  12. Under Service Provider Details, do the following:
    1. Paste the value for SAML Response URL from Help Center SAML screen in Zoho Desk in the ACS URL field.
    2. In the Entity ID field, enter the entity ID as zoho.com, and click Next.
    3. Paste the value for Default Relay State from Help Center SAML screen in Zoho Desk in the Start URL field.
    4. Select EMAIL as Name ID Format.
  13. Ignore Attribute Mapping and click Finish.
  14. Click OK.
  15. Back in Zoho Desk, check the Enable Signup option on the Help Center SAML page to allow the new user to log in for the first time and then click Save.

Microsoft Azure AD

This section describes how to configure Microsoft Azure Active Directory to provide SSO for your Zoho Desk Help Center.
  1. Sign in to your Azure AD portal with an administrator account.
  2. In the Azure portal, on the left navigation pane, click Azure Active Directory.
  3. Select Enterprise Applications and then All Applications.
  4. Click the New Application button.
  5. In the search box, type SAML SSO, select Confluence SAML SSO by Microsoft from the result panel, and then click Add to add the application to your portal.
  6. Navigate back to Enterprise Applications and then click the Confluence SAML SSO by Microsoft app.
  7. Click Single sign-on and then choose SAML for Mode.
  8. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration dialog.
  9. On the Basic SAML Configuration section, do the following:
    1. In the Identifier text box, enter zoho.com
    2. In the Reply URL text box, paste the value for SAML Response URL that you copied from the Help Center SAML screen in Zoho Desk.
    3. In the Sign-on URL text box, paste the value of Redirect URL for Microsoft Azure.
    4. In the Relay State text box, paste the value for Default Relay State that you copied from the Help Center SAML screen in Zoho Desk.
    5. Check the radio boxes for the entered values.
    6. Click Save at the top of the page.
  10. On the Set up Single Sign-On with SAML page, click the Edit button to open the User Attributes & Claims dialog.
  11. In the User Attributes section on the User Attributes & Claims dialog, do the following:
    1. Click the Edit icon to open the Manage user claims dialog.
    2. From the Source attribute list, select the attribute value user.mail.
    3. Click Save.
  12. Go to SAML Signing Certificate menu and do the following:
    1. In the Signing Option drop-down list, choose Sign SAML response.
      This enables Azure AD to sign the SAML response with the X.509 certificate of the application.
    2. Click Save to apply the new SAML signing certificate settings.
    3. Download the certificate by clicking Certificate (PEM).
  13. Go to Set up Confluence SAML SSO by Microsoft menu and do the following:
    1. Copy the Login URL and paste it into the Remote Login URL and the Reset Password URL field in Zoho Desk Help Center SAML page.
    2. Copy the Logout URL and paste it into the Remote Logout URL field in Zoho Desk Help Center SAML page.
    3. Upload the certificate you saved in Step 12 into the Public Key field in Zoho Desk Help Center SAML page.
  14. Click Save.
  15. Back in Zoho Desk, check the Enable Signup option on the Help Center SAML page to allow the new user to log in for the first time and then click Save.
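
When sign-in fails after any of the IdP configurations above, it helps to compare the assertion the IdP actually issued against the values entered in both consoles. The following is an added example, not Zoho's or any IdP's own code: it decodes a captured base64 SAMLResponse and lists mismatches in Recipient, Audience, NameID format and signature presence. The sample response and the https://desk.example.test/saml/acs URL are constructed placeholders, and the check does not verify the XML signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample (not a real IdP response): the NameID format is deliberately wrong.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion><ds:Signature/>
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
   <saml:SubjectConfirmation><saml:SubjectConfirmationData
     Recipient="https://desk.example.test/saml/acs"/></saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>zoho.com</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""

def check_saml_response(b64_response, response_url, entity_id):
    """List mismatches between a captured SAMLResponse and the configured values.
    Field comparison only: this does NOT verify the XML signature."""
    # Parse only responses captured from your own IdP; use a hardened parser
    # such as defusedxml for input you do not control.
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    status = root.find("p:Status/p:StatusCode", NS)
    if status is None or not status.get("Value", "").endswith(":Success"):
        problems.append("status is not Success")
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        return problems + ["no plaintext Assertion element"]
    # The signature may be on the Response or on the Assertion.
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        problems.append("neither Response nor Assertion carries a Signature")
    name_id = assertion.find("a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not emailAddress")
    elif "@" not in (name_id.text or ""):
        problems.append("NameID value is not an email address")
    data = assertion.find("a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData", NS)
    if data is None or data.get("Recipient") != response_url:
        problems.append("Recipient differs from the SAML Response URL")
    audiences = [e.text for e in assertion.findall(
        "a:Conditions/a:AudienceRestriction/a:Audience", NS)]
    if entity_id not in audiences:
        problems.append("Audience differs from the configured entity ID")
    return problems

if __name__ == "__main__":
    captured = base64.b64encode(SAMPLE_XML.encode())
    for p in check_saml_response(captured, "https://desk.example.test/saml/acs", "zoho.com"):
        print("MISMATCH:", p)
```

Pass the SAML Response URL shown on the Help Center SAML page as `response_url`, and the Audience or Entity ID you entered at the IdP as `entity_id`.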

It is the responsibility of the data administrator to provide requisite permissions to their agents.