To learn more about SSO, refer to these articles below.
- SSO Overview
- Implement Single Sign-On for Freshworks
- How is the authentication data securely exchanged between IdP and SP
- Terms and definitions to understand SSO better
- Agent SSO and Contact SSO for an Organization
Here's how you can configure SAML for Freshworks using ADFS:
Open ADFS Management.
Under 'Server Manager', click on 'Tools.'
On the left navigation pane, under 'Trust Relationships,' right-click on 'Relying Party Trusts,' choose 'Add Relying Party Trust' and click on 'Start.'
In the Select Data Source step, choose 'Enter data about the relying party manually' and click the Next button at the bottom.
Under Specify Display Name, enter a suitable Display name and click on Next.
You can skip the next two configurations—'Choose Profile' and 'Configure Certificate'— by clicking 'Next' on the following screens.
Under 'Configure URL,' check the box—'Enable support for the SAML 2.0 SSO WebSSO protocol'.
Simultaneously, login to your Freshworks account using your Organization URL. From the Admin Center, under your Security tab, you will be presented with the ACS URL and Entity ID. Copy the values to enter the values in the relevant fields in the ADFS portal.
[ADFS Portal] Under 'Relying party SAML2.0 SSO service URL,' enter the Freshworks ACS URL that you had copied as instructed in step 8. Click on the 'Next' button at the bottom.
[ADFS Portal] Add Freshworks SP Entity ID you had copied as instructed in step 8 as a 'Relying party trust identifier' under the 'Configure Identifiers' tab.
The next three configurations can be skipped. Click on the 'Next' button to skip forward.
Under 'Finish,' check the box—Open the Edit Claim Rules dialog for this relying party trust when the wizard closes—and click on the 'Close' button to the bottom.
Choose the 'Send LDAP Attributes as Claims' in the 'Add Transform Claim Rule Wizard window' and click the 'Next' button.
Enter FirstName and LastName (case-sensitive attributes in Freshdesk) as the Outgoing Claim Type corresponding to the Given-Name and Surname (attributes from AD) and click on the 'Finish' button at the bottom.
Attributes that we support in Freshworks:
Click on ‘Add rule’ in the Edit Claim Rules for FreshDesk window.
Choose Transform an Incoming Claim from the 'Claim rule template' dropdown. Click on the 'Next' button.
Fill out the necessary values for the dropdowns and click Finish.
E-mail Address for Incoming claim type,
Name ID for Outgoing claim type
Unspecified for Outgoing name ID format
Click on Service > Certificates and right-click on Token Signing Certificate to view the certificate.
Click on the 'Details' tab in the Certificate dialog box. Click on 'Copy to File'. In the resulting Certificate Export Wizard window, choose 'Base-64 encoded X.509 (.CER) and click on the 'Next' button at the bottom.
Once you have the Certificate open it in Notepad(in case of Windows)/Text edit(in case of MAC), copy the Contents, and then paste them under the Security Certificate (or x.509 certificate) in your Freshworks Security Settings portal.
Also, fill in the IdP Entity ID and SAML SSO URL in the Freshworks Security Settings portal. You can find the Entity ID under "Action" > "Edit Federation Service Properties" as the link displayed under "Federation Service identifier." For most ADFS builds, the "Login URL" will be the base URL of the "Entity ID" with "/adfs/ls/"
Normally the parameters would be of the format given below:
Entity ID of the IdP - http://[your-adfs-domain.com]/adfs/services/trust
SAML SSO URL - https://[your-adfs-domain.com]/adfs/ls
Note: You can obtain the detailed XML doc from https://<adfs server url>/FederationMetadata/2007-06/FederationMetadata.xml
Done! You have configured SAML 2.0 for Freshworks using ADFS.
Note: In SAML, RelayState is an optional parameter that you can use to communicate to your Identity Provider where your users should be redirected after signing in with SSO. When you configure the RelayState field in your Identity Provider with a valid Freshworks Product URL (like https://abc.freshservice.com/ or https://abc.freshdesk.com), the user will be redirected to this URL after successful login from IdP. In case of an invalid URL, the user will be redirected to the Admin Center. Please note that the RelayState will take precedence only when the login action is directly initiated from the identity provider dashboard.
If you need further assistance, please feel free to write to firstname.lastname@example.org with your queries. We're more than happy to help.