Accepted

SSO authentication logic is flawed

Related products:Support
  • April 8, 2024
  • 4 replies
  • 12 views

Zendesk offers the possibility to have separate SAML configurations, one for team members (agents) and another for end users.

We would assume that each configuration should strictly authenticate users based on their own SAML configuration. However, this is not the case: if the same agent is present on both IdPs (the one for team members and the one for end users), and they can sign in as an end user, they get logged in as an agent. This is wrong and raises security concerns. Zendesk should ensure that agent authentication is only permitted through the designated agent SAML SSO setup.

Currently Zendesk does not honor the authentication method to validate the agent's entry point. The reason is that, although a separate SSO was introduced, the email is still the only key for identifying the user, and the IdP source is totally ignored.

In our system, we want end users to sign in with a simple IdP, while agents need to sign in with MFA.
That is not possible with the current authentication logic of Zendesk, as agents can totally bypass the MFA by simply logging in from the end-user SSO.


Do you see the problem here?

Regards,

Haris
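The two lookups the post contrasts, as an added example (this is illustrative code, not Zendesk's implementation). It assumes SAML signature validation has already happened upstream and that the assertion's issuer (the IdP entity ID) and subject email are available. The directory entries, entity IDs and the role-to-IdP policy are constructed for the example; the point is that keying the session on the email alone lets any trusted IdP assert an agent's email, while binding the role to the issuer closes that path.

```python
"""Added example: email-only vs. issuer-bound login decisions.

Not Zendesk code. All users, entity IDs and policy below are constructed
for illustration. Signature verification of the assertion is assumed to
have been done before these functions are called.
"""
from dataclasses import dataclass

# Constructed user directory: email -> role.
DIRECTORY = {
    "agent@example.com": "agent",
    "customer@example.com": "end_user",
}

# Constructed policy: the SAML issuers (IdP entity IDs) allowed to
# authenticate each role. A role may accept more than one IdP.
ROLE_ISSUERS = {
    "agent": frozenset({"https://idp-agents.example.com/saml"}),      # MFA-enforcing IdP
    "end_user": frozenset({"https://idp-endusers.example.com/saml"}),  # password-only IdP
}

# All issuers we trust at all (what the SAML layer would have verified).
TRUSTED_ISSUERS = frozenset().union(*ROLE_ISSUERS.values())


@dataclass(frozen=True)
class Assertion:
    """The two fields of a verified SAML assertion this decision needs."""
    issuer: str
    subject_email: str


class LoginDenied(Exception):
    pass


def login_email_only(a: Assertion) -> str:
    """Flawed flow: the issuer is ignored once the assertion is trusted.

    An agent who exists in the end-user IdP is signed in as an agent by
    that IdP, bypassing whatever MFA the agent IdP enforces.
    """
    if a.issuer not in TRUSTED_ISSUERS:
        raise LoginDenied("untrusted issuer")
    role = DIRECTORY.get(a.subject_email)
    if role is None:
        raise LoginDenied("unknown user")
    return role


def login_role_bound(a: Assertion) -> str:
    """Hardened flow: the role is granted only when the assertion came
    from an IdP designated for that role."""
    if a.issuer not in TRUSTED_ISSUERS:
        raise LoginDenied("untrusted issuer")
    role = DIRECTORY.get(a.subject_email)
    if role is None:
        raise LoginDenied("unknown user")
    if a.issuer not in ROLE_ISSUERS[role]:
        raise LoginDenied(f"{role} must authenticate via one of {sorted(ROLE_ISSUERS[role])}")
    return role


def attempt(flow, a: Assertion) -> str:
    """Run a login flow and report the granted role, or 'denied'."""
    try:
        return flow(a)
    except LoginDenied:
        return "denied"


if __name__ == "__main__":
    # The bypass from the post: the agent's email asserted by the end-user IdP.
    bypass = Assertion("https://idp-endusers.example.com/saml", "agent@example.com")
    print("email-only:", attempt(login_email_only, bypass))   # agent (MFA bypassed)
    print("role-bound:", attempt(login_role_bound, bypass))   # denied
```

In the hardened flow the check is deliberately made after the user is resolved, so the policy can be expressed per role (or per user) rather than per IdP; this also matches the rollout concern in the replies, since any user whose chosen SSO method is not in their allowed set is now refused rather than silently downgraded.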


4 replies

Shawna James
  • Community Manager
  • April 8, 2024
Hey Haris,

Thank you for taking the time to provide us with your feedback. This has been logged for our PM team to review. For others who may be interested in this feature request, please add your support by upvoting this post and/or adding your use case to the comments below. Thank you again!

Caroline Kello

Hi Haris,

This is an improvement that we want to make (restricting the SSO method based on your role), but there are a few different pieces of work that we need to complete before we do that, most importantly removing the constraint that Google and Microsoft currently can't co-exist with other custom SSO methods for team members (that's work that we have in progress right now). Once that's available, we'll need to announce this as a breaking change with a slow rollout, as a lot of users are going to be stopped from signing in because the SSO method they chose isn't assigned to them.


Hi Caroline,

Thank you for the update. I am really happy that there is progress with this implementation.
Our Zendesk instance is eagerly waiting for this rollout so we can finally harden our security.
Is there a way we can participate in the early rollout when it's available?


  • Newcomer
  • September 18, 2025

Hello,

We're facing the same issue: our agents must log in via Microsoft SAML SSO (with MFA, set as the primary), and our end users via Keycloak. Since agents exist in both directories (necessary for our other tools), Zendesk still allows them to authenticate through Keycloak, effectively bypassing MFA. What we expect is that authentication is strictly enforced by role: agents only via Microsoft SSO, end users via Keycloak.


Where does Zendesk stand on this?