Single Sign-On (SSO)

Single Sign-On (SSO) is a system that lets users securely authenticate to multiple cloud applications by logging in only once to a managed authentication system. This managed authentication system is also referred to as the Identity Provider (IdP), and the cloud applications that rely on the data provided by the Identity Provider are called Service Providers (SP). Some Identity Providers are ADFS, OneLogin, Okta, Auth0, and G-Suite.

For more information on SSO in Freshdesk, click here

Custom SSO policies

Orgv2 has a built-in UI to set up a custom login policy (with customized login URL) with different login mechanisms available under it.

  • An Org can set up about 5 custom policies.
  • 1 custom policy apart from the default policy can be set up for agents per account.
  • 1 custom policy for contact per account can be configured.


You can configure a custom policy in Org even without this feature enabled in Freshdesk, but those policies will not be synced to Freshdesk. In this scenario, we can enable the feature from the backend, and you can change the custom policy name/URL to sync these policies to Freshdesk.


To set up a custom SSO policy

Custom agent SSO:

If the Org<>SSO sync feature is enabled, there are 2 scenarios:

A. Freshdesk account without Freshdesk SSO:

  • The default Freshdesk landing page is support/home.
  • Click on login → support/login
  • support/login → On hovering over the link 'Are you an agent Login here', the customized URL of the Org custom policy is shown.
  • Clicking the link takes you to the Org custom policy login mechanism.
  • login/normal → It will not show any custom URL. This page will always redirect to the default Org login page.

B. Freshdesk account with Freshdesk SSO:

  • support/login → will redirect to the Freshdesk SSO IdP.
  • There is no way for agents to log in through the agent custom policy. They can only use login/normal to log in through the Org default login page.
  • You have to disable Freshdesk SSO to log in through the custom policy. But once Freshdesk SSO is disabled, it cannot be re-enabled.



Custom contact SSO:

A. Freshdesk account without Freshdesk SSO:

  • support/login page → On hovering over the link 'Are you a customer Login here', the customized URL of the Org custom policy is shown. Clicking the link takes you to the Org custom policy login mechanism.
  • login/normal → It is only for agents.

B. Freshdesk account with Freshdesk SSO:

  • support/login → will redirect to the Freshdesk SSO IdP.
  • You can check the behavior of the contact custom policy by opening account_domain_url/customer/login in the browser. It will be redirected to the custom policy login URL, where you can check the contact login functionality.
  • Once you have completely configured this, disable the Freshdesk SSO.


                   
   Once you have successfully set up SSO, the login page will look this : 



Contact attributes:

The following default user attributes can be sent to Freshdesk from the identity provider when a user logs into the IdP via SSO:


| Attribute          | Format                              | Necessity | Description                        |
|--------------------|-------------------------------------|-----------|------------------------------------|
| First Name         | givenname or FirstName or username  | Optional  | The first name of the user/contact |
| Last Name          | surname or LastName                 | Optional  | The last name of the user          |
| Phone              | phone                               | Optional  | Work phone number of the user      |
| Company            | company or organization             | Optional  | Name of the Company of the user    |
| Title              | Title or job_title                  | Optional  | Job title of the user              |
| Unique external ID | unique_id                           | Optional  | Unique external id of the user     |
| Mobile phone       | mobile                              | Optional  | Mobile phone number of the user    |
| Time zone          | time_zone                           | Optional  | Time zone of the user              |
| Language           | language                            | Optional  | Language of the user               |
| About              | about, description                  | Optional  | Description of the user            |


Custom Contact attributes:

We also support custom contact fields.

| Attribute    | Format                    | Necessity |
|--------------|---------------------------|-----------|
| Custom field | custom_field_<field_name> | Optional  |


For example: If there is a custom user field (contact field) configured as 'Office Location', then the SAML assertion needs to send the attribute as 'custom_field_office_location' to update the user information.


Note: All the above attributes will be assigned to the contact during login. Any attribute changes would be synced as well. Email is mandatory for a user during login. 


You can refer to this article for the various language codes and timezones allowed.
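
The following is an added example, not Freshdesk's own code: a pre-flight check that reads a test SAML assertion and reports which attributes map to the contact fields in the tables above and which will not map (for instance, a custom field sent under its display label instead of its custom_field_ name). Assumptions: attribute names are matched exactly as the table spells them, the mandatory email arrives as the NameID or as an attribute named email, and the sample assertion is constructed.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names from the table above -> contact field they populate.
# Assumption: names are matched exactly as the table spells them.
ACCEPTED = {
    "givenname": "First Name", "FirstName": "First Name", "username": "First Name",
    "surname": "Last Name", "LastName": "Last Name", "phone": "Phone",
    "company": "Company", "organization": "Company", "Title": "Title",
    "job_title": "Title", "unique_id": "Unique external ID", "mobile": "Mobile phone",
    "time_zone": "Time zone", "language": "Language",
    "about": "About", "description": "About",
}

def custom_attr(label):
    # Generalises the page's single example ('Office Location'); treatment of
    # characters other than spaces is an assumption.
    return "custom_field_" + re.sub(r"[^a-z0-9]+", "_", label.lower()).strip("_")

def check_assertion(xml_text, custom_labels=()):
    """Report which attributes map to contact fields and which will not."""
    root = ET.fromstring(xml_text)  # local test capture; no signature check here
    custom = {custom_attr(label): label for label in custom_labels}
    # Assumption: the mandatory email is the NameID, else an 'email' attribute.
    nameid = root.findtext(".//saml:NameID", default="", namespaces=NS).strip()
    email = nameid if "@" in nameid else None
    mapped, unknown = {}, []
    for attr in root.iterfind(".//saml:Attribute", NS):
        name = attr.get("Name", "")
        value = attr.findtext("saml:AttributeValue", default="", namespaces=NS)
        if name == "email":
            email = email or value
        elif name in ACCEPTED or name in custom:
            mapped[ACCEPTED.get(name) or custom[name]] = value
        else:
            unknown.append(name)  # will not update any contact field
    return {"email": email, "mapped": mapped, "unknown": unknown}

# Constructed sample assertion (not captured from a real IdP).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:NameID>jane@example.com</saml:NameID></saml:Subject>
 <saml:AttributeStatement>
  <saml:Attribute Name="givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="custom_field_office_location"><saml:AttributeValue>Chennai</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Office Location"><saml:AttributeValue>Chennai</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="department"><saml:AttributeValue>Ops</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""
```

Calling check_assertion(SAMPLE, ["Office Location"]) lists 'Office Location' and 'department' as unknown. Because mapped attributes are assigned and re-synced at every login, the unknown list is also a quick way to see what the IdP releases beyond what the contact record uses.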