Zendesk & FusionAuth SAML setup: Cannot log out of Zendesk without first logging out of FusionAuth/admin
-
Hi, we are new to FusionAuth, and are just in the early setup phase.
We have successfully set up SAML-based authentication against FusionAuth (with FusionAuth as the identity provider).
However, when I log out of our Zendesk sandbox (test instance), I am automatically logged in again instead of being redirected to FusionAuth's logged-out page. I must first open up the FusionAuth Admin web application and log out of FusionAuth, then log out of the Zendesk sandbox. Only then will Zendesk redirect me to the FusionAuth logged-out page.
Why is this happening? What configuration am I missing?
Your help is appreciated as this is a showstopper for continuing to use FusionAuth as our IDP.
Pam
-
Clarification: In the flow I described above, I should add that I was not logged into FusionAuth/admin at the time when I first attempted to log out of the Zendesk sandbox.
It seems to me that logging into the Zendesk sandbox (via the SAML setup) causes me to also have a valid session/token for FusionAuth admin (as I did not log in to the admin console prior).
-
Zendesk does not support SAML Single Logout.
The SAML logout request that Zendesk produces is not adequate to complete logout with FusionAuth.
This means you click the logout button in Zendesk, it redirects to FusionAuth with a SAML logout request, but it is not sufficient to end the SSO session with FusionAuth. Because you are then still logged into FusionAuth SSO, you are implicitly logged back into Zendesk.
This is a limitation of the Zendesk SAML implementation.
-
Thanks for the info, Dan.
Zendesk also supports JWT/OAuth SSO. I guess I'll give that a try - though it seems unlikely to give a different result.
If that fails, we will rely on session timeout and disable the logout button.