To learn more about SSO, refer to the articles below.
- SSO Overview
- Implement Single Sign-On for Freshworks
- How is the authentication data securely exchanged between IdP and SP
- Terms and definitions to understand SSO better
- Agent SSO and Contact SSO for an Organization
Add Freshworks from the gallery
To configure the integration of Freshworks into Azure AD, you need to add Freshworks from the gallery to your list of managed SaaS apps.
Sign in to the Azure portal.
On the left navigation pane, select the ‘Azure Active Directory’ service.
Navigate to ‘Enterprise Applications’ and then select ‘All Applications’.
To add a new application, select ‘New application.’
In the Add from the gallery section, type Freshworks in the search box.
Select Freshworks from the results panel and then add the app. Wait a few seconds while the app is added to your tenant.
Configure and test Azure AD SSO for Freshworks
Log in to your Freshworks account as an administrator.
Simultaneously, log in to your Azure portal, navigate to the Freshworks application integration page, find the Manage section in the sidebar, and select single sign-on.
[Azure Portal] On the Select a single sign-on method page, select SAML.
[Azure Portal] On the Set up single sign-on with SAML page, click the edit/pen icon for Basic SAML Configuration to edit the settings.
The Freshworks dashboard presents the ACS URL and Entity ID. Copy these values into the relevant fields in the Azure AD portal. To be more specific:
- In the ‘Identifier (Entity ID)’ field, enter the SP Entity ID from the Freshworks security settings page.
- In the ‘Reply URL’ field, enter the Assertion Consumer Service (ACS) URL from the Freshworks security settings page.
- In the ‘Sign-on URL’ field, enter your login URL, which looks like this: https://<Freshworks domain>/login.
[Azure Portal] On the Set up single sign-on with SAML page, click the edit/pen icon for User Attribute & Claims to edit the settings.
[Azure Portal] Select the Unique User identifier as user.mail. The name-id format should be unspecified.
[Azure Portal] Click Save on the top left once done.
[Azure Portal] Once you configure Freshworks as an SP, you will be given values for the following entries in the Azure AD Portal.
- Entity ID (or Metadata ID)
- SAML SSO URL (or Login URL)
- Security Certificate (or x.509 certificate)
Note: On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find Certificate (Base64) and select Download to download the certificate and save it on your computer.
[Freshworks Portal] Copy these values and paste them into the relevant fields in the Freshworks dashboard. To be more specific:
- In the ‘Entity ID Provided by the IdP’ field, paste the Azure AD Identifier URL.
- In the ‘SAML SSO URL’ field, paste the Login URL from the Azure portal.
- Under ‘Signing Options’, choose ‘Only Signed Assertions’. (This is chosen by default. If you have modified the signing option in the Azure app, select accordingly.)
- Open the Base64-encoded certificate in Notepad, copy its content and paste it into the Security certificate text box.
[Freshworks Portal] Click Save.
Once the setup is complete in Azure, the customer has to assign users to the Freshworks app on the Azure portal to ensure the right users get the right access. There are 2 options for doing this.
- Switch off user assignment completely for the app. This means anybody with an Azure account can try to log in. However, to be logged in to Freshworks, they have to be an agent in the Org. This is the easiest way. You can achieve this by going to the Freshworks App in the Azure Portal -> Properties -> User assignment Required and toggling it to No.
- Assign individual users or groups to the app by going to the Freshworks App -> Users and Groups -> Click Add User.
Once the above steps are verified to be complete on both sides, you have configured SAML 2.0 for Freshworks using Azure AD.
Note: In SAML, RelayState is an optional parameter that you can use to communicate to your Identity Provider where your users should be redirected after signing in with SSO. When you configure the RelayState field in your Identity Provider with a valid Freshworks Product URL (like https://abc.freshservice.com/ or https://abc.freshdesk.com), the user will be redirected to this URL after successful login from IdP. In case of an invalid URL, the user will be redirected to the Org Dashboard. Please note that the RelayState will take precedence only when the login action is directly initiated from the identity provider dashboard.
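The redirect rule in the note above, written out as an added example; it is not Freshworks' code and only illustrates why a RelayState value is checked before it is followed. The two product hosts are the sample URLs from the note, and the dashboard URL and function names are assumptions.

```python
from urllib.parse import urlsplit

# Assumed values for this sketch: the product hosts are the sample URLs from
# the note above; the dashboard URL is a placeholder, not a real address.
PRODUCT_HOSTS = {"abc.freshservice.com", "abc.freshdesk.com"}
ORG_DASHBOARD = "https://org-dashboard.example/"


def valid_relay_state(relay_state):
    """Return True only for an https URL on one of the org's product hosts."""
    if not isinstance(relay_state, str) or not relay_state:
        return False
    # Reject control characters, whitespace and backslashes outright: URL
    # parsers and browsers disagree on how to treat them.
    if any(ch.isspace() or ord(ch) < 0x20 or ch == "\\" for ch in relay_state):
        return False
    try:
        parts = urlsplit(relay_state)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or port not in (None, 443):
        return False
    # "https://abc.freshdesk.com@other.example/" carries the product host as
    # userinfo; the real host is other.example, so userinfo is refused.
    if parts.username is not None or parts.password is not None:
        return False
    # Exact host match: a suffix or substring test would accept lookalikes.
    return parts.hostname in PRODUCT_HOSTS


def post_login_redirect(relay_state, idp_initiated):
    """Pick the landing URL after the SAML assertion has been verified."""
    # RelayState takes precedence only for IdP-initiated logins, and an
    # invalid value falls back to the org dashboard instead of being followed.
    # Assumption: for other logins this sketch also uses the dashboard.
    if idp_initiated and valid_relay_state(relay_state):
        return relay_state
    return ORG_DASHBOARD
```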
If you need further assistance, please feel free to write to firstname.lastname@example.org with your queries. We're more than happy to help.