Goal
I'm trying to set up SSO via SAML between SAP IAS as the Identity Provider and Zendesk as the Service Provider without an additional Corporate Identity Provider (i.e. IAS is used for Identity Authentication).
Status
I've been able to get the sign on (SSO) part working but can't figure out what the proper sign out (SLO) URL should be so that Zendesk can trigger a logout in IAS. This means that when a user signs out they aren't fully signing out from IAS and therefore aren't asked for their credentials again if they go to login again. This also means that depending on what page they are on when they logout, it may trigger a login request to IAS and they are automatically logged back in; effectively meaning they can't logout at all.
Setup
- Zendesk "Charged Application" (service provider) created in IAS using their metadata and adjusting for subdomain
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor entityID="https://yoursubdomain.zendesk.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
<AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://yoursubdomain.zendesk.com/access/saml"/>
</SPSSODescriptor>
</EntityDescriptor>
Issue
- Zendesk also provides a "Remote logout URL" that gets called after their logic with an encoded logout (below) in a SAMLRequest parameter.
- What should this URL be such that it triggers a logout in IAS?
<?xml version="1.0"?>
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="samlr-84627475-d4a8-46da-9a6a-7feb2bf0bad0" IssueInstant="2022-10-27T15:44:24Z" Version="2.0">
<saml:Issuer>https://yoursubdomain.zendesk.com</saml:Issuer>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">email@domain.com</saml:NameID>
</samlp:LogoutRequest>
URL's I've Tried
https://IAS_TENANT.accounts.ondemand.com/saml2/idp/slo/IAS_TENANT.accounts.ondemand.com
- have tried with sp and RelayState parameters
- have tried replacing slo/IAS_TENANT.accounts.ondemand.com with slo/SP_ID
- this is supposed to be the Single Logout endpoint per the IAS tenant configuration documentation but it doesn't appear to properly handle a GET logout with a SAMLRequest parameter. It errors with HTTP Status 400 – Identity Provider could not process the logout message received.
https://IAS_TENANT.accounts.ondemand.com/saml2/idp/slo?sp=SP_ID
- this appears to be the proper entry for the Zendesk "Remote logout URL" entry. Using this there it does appear to find and call the HTTP-Redirect URL setup in the SAML configuration.
- also errors with HTTP Status 400 – Identity Provider could not process the logout message received
Based on this help article (https://help.sap.com/docs/BTP/65de2977205c403bbc107264b8eccf4b/9dba751c208f4435a711c26b20945980.html) as well as following some of the SAML flows for subdomain we have setup it appears they call the https://IAS_TENANT.accounts.ondemand.com/saml2/idp/slo/IAS_TENANT.accounts.ondemand.com URL but then are redirected to a URL in the form of https://SUBDOMAIN.authentication.REGION.hana.ondemand.com/saml/SSO/alias/ALIAS. Per the article this URL is automatically generated in the subaccount and included as part of the SAML metadata for that subaccount. What I'm thinking/hoping is that there's a similar URL to use for Charged Application setups?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.