
Configure Zendesk SSO with Access for SaaS

This guide covers how to configure Zendesk SSO with Access for SaaS.

Prerequisites

  • A Zero Trust Account
  • An integrated identity provider (IdP)
  • Admin access to your Zendesk account

Configure Zendesk and Cloudflare

  1. Go to your Zendesk administrator dashboard, typically available at <yourdomain>.zendesk.com/admin/security/sso.

  2. In a separate tab or window, open Zero Trust, select your account, and go to Access > Applications.

  3. Select Add an application, then choose SaaS.

  4. Input the following values in the Zero Trust application configuration:

    Zero Trust field                 Value
    Entity ID                        https://<yoursubdomain>.zendesk.com
    Assertion Consumer Service URL   contents of SAML SSO URL in Zendesk account
    Name ID Format                   Email

  5. (Optional) Configure these Attribute Statements to include a user’s first and last name:

    Cloudflare attribute name   IdP attribute value
    <first name>                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
    <last name>                 http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

    Zendesk will use the user’s email address as their name if the name is not provided.

  6. To determine who can access Zendesk, create an Access policy.

  7. Copy the values from the Cloudflare IdP fields and add them to the following Zendesk fields:

    Cloudflare IdP field                      Zendesk field
    SSO Endpoint                              SAML SSO URL
    Public Key (transformed to fingerprint)   Certificate Fingerprint

    To transform the public key into a fingerprint, use a fingerprint calculator:

    1. Copy the public key value and paste it into X.509 cert.

    2. Wrap the value with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

    3. Set Algorithm to SHA256 and select Calculate Fingerprint.

    4. Copy the Formatted FingerPrint value.

  8. Go to https://<yourdomain>.zendesk.com/admin/security/staff_members and enable External Authentication > Single Sign On.

Users should now be able to log in to Zendesk if their email address exists in the Zendesk user list.
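
The fingerprint from step 7 can also be computed locally, which lets you confirm the value before pinning it in Zendesk. The Python below is an added example, not part of the Cloudflare documentation; it assumes the Public Key field holds the base64 body of an X.509 certificate (as the wrapping step implies), and the function name `cert_fingerprint` is hypothetical. The output uses colon-separated hex pairs, the layout `openssl x509 -noout -fingerprint -sha256` prints.

```python
import base64
import hashlib
import re
import sys

# Matches the armor lines added in the "wrap the value" step.
PEM_ARMOR = re.compile(r"-----(BEGIN|END) CERTIFICATE-----")


def cert_fingerprint(public_key_field: str) -> str:
    """Return the SHA-256 fingerprint of a certificate as colon-separated hex.

    Accepts the bare base64 value or the same value already wrapped in
    BEGIN/END CERTIFICATE lines, with or without line breaks.
    """
    # Drop the PEM armor and all whitespace, leaving only the base64 body.
    body = "".join(PEM_ARMOR.sub("", public_key_field).split())
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("value is not valid base64") from exc
    # A DER-encoded certificate is an ASN.1 SEQUENCE, which starts with 0x30.
    # This catches a value pasted from the wrong field.
    if not der or der[0] != 0x30:
        raise ValueError("decoded value does not look like a DER certificate")
    # The fingerprint is a hash of the whole DER encoding, not of the key alone.
    digest = hashlib.sha256(der).digest()
    return ":".join(f"{b:02X}" for b in digest)


if __name__ == "__main__":
    # Usage: python fingerprint.py < public_key.txt
    print(cert_fingerprint(sys.stdin.read()))
```

Compare the result with the value entered in the Zendesk Certificate Fingerprint field; hex digits are case-insensitive, so only the digits themselves need to match.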