FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

Zendesk Integration - Invalid_Redirect_URI Error #287

Closed prasanna10021991 closed 5 years ago

prasanna10021991 commented 5 years ago

Zendesk Integration Documentation / Setup Instructions

Problem

An SSO setup is being built for a project which integrates with multiple applications. One of these is Zendesk, and this request is to get the help needed for the SAML-based integration of Zendesk with the project, wherein FusionAuth will act as the IdP which authenticates to the Zendesk Service Provider.

Solution

I've been informed by @robotdan , that the SAML integration of Zendesk via FusionAuth is already in the works. I know you guys are swamped but this will help me a lot in setting up the base of a project. This request is to get the instructions or the documentation (currently in "Coming Soon" state) updated on the fusionauth page. If not possible, the request is to get some form of help in the integration setup.

Alternatives/workarounds

Get guidance or instruction steps on the integration that is currently possible.

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

robotdan commented 5 years ago

@voidmain Were there any gotchas when configuring a SAML Zendesk login that would be helpful for @prasanna10021991?

robotdan commented 5 years ago

@prasanna10021991 have you attempted to configure Zendesk with FusionAuth and failed, or are you just looking for how to get started?

prasanna10021991 commented 5 years ago

@robotdan ..actually I'm looking to get started on it, wanted to check if it's similar to the SAML integration guideline given in the overview or whether something more/specific to Zendesk has to be done...we're trying to put all things together for a project and checking feasibility with integrations for the systems, as we're trying to get SSO set up for all of them in one place, which will be fusion-auth.

robotdan commented 5 years ago

I'd say get started on it and see how it goes. Zendesk has some guides on enabling it and the SAML v2 IdP requirements.

It has been a while since we tested with them, and we had a hard time getting help from Zendesk.

We do want it to work well with Zendesk so if you run into issues let us know, we can use this ticket or the Slack channel to work through configuration.

prasanna10021991 commented 5 years ago

Hi @robotdan , I've tried the integration of the IDP with Zendesk. The link was successful and I was able to see Auth requests coming from Zendesk in my event logs. But the IDP does not respond, and I get the following error in the UI stating Invalid request & Invalid-Redirect-URI:

(Screenshot: Screen Shot 2019-09-24 at 1 10 38 PM)

And this is the SAML request sample received from Zendesk from the Event Logs:

Successfully accepted a SAML AuthnRequest. The deflated and encoded request is [fZFLT8MwEITv/RWR707i9BmrSRW1QqpUEGqBAzc33tAIP4LXKY9fTxqoVCTguvuN.....]. The XML is [<?xml version="1.0"?>

mydomain.zendesk.com ]. Could you please help me with this? Does this have anything to do with the 'Audience' restriction field available in the SAML configuration tab in the Application? Please let me know if you need more information on this.

prasanna10021991 commented 5 years ago

@robotdan Also I'm not sure why we're being redirected to the oauth2 URL when trying to initiate SSO.. Here is the URL with redirect uri: https://fusionauth.mydomain/oauth2/authorize?client_id=cd979ea2-3d26-4ef5-a827-1d3f62dd0975&redirect_uri=%2Fsamlv2%2Fcallback%2F4d30cc31-ea5c-f9c7-9ace-d7da9994ebea&response_type=code&state=%7B%22ai%22%3A%22cd979ea2-3d26-4ef5-a827-1d3f62dd0975%22%2C%22id%22%3A%22samlr-b308b470-dea0-11e9-a391-a284136c68ec%22%2C%22rs%22%3A%22https%3A%2F%2Fmydomain.zendesk.com%2Fhc%2Fen-us%22%7D

I've referenced the bugs https://github.com/FusionAuth/fusionauth-issues/issues/119 & https://github.com/FusionAuth/fusionauth-issues/issues/118, which were on this topic, and I don't have any "Authorized Redirect Url" config set up, it's currently blank.

robotdan commented 5 years ago

A few questions:

  1. What version of FusionAuth are you running?
  2. What guide from Zendesk are you following?

Here is one I have reviewed, let me know if this is the one you're using. https://support.zendesk.com/hc/en-us/articles/203663676-Enabling-SAML-single-sign-on-Professional-and-Enterprise-

To enable SAML single sign-on in Zendesk

  1. In any product, click the Zendesk Products icon in the top bar, then select Admin Center. Click the Security icon in the left sidebar, then click the Single sign-on tab.
  2. For SAML, click Configure.
  3. For SAML SSO URL, enter the remote login URL of your SAML server.
  4. Enter the Certificate fingerprint. This is required for us to communicate with your SAML server.
  5. (Optional) For Remote logout URL, enter a logout URL where Zendesk can redirect users after they sign out of Zendesk.
  6. (Optional) For IP ranges, enter a list of IP ranges if you want to redirect users to the appropriate sign-in option.
  7. Users making requests from the specified IP ranges are routed to the remote SAML authentication sign-in form. Users making requests from IP addresses outside the ranges are routed to the normal Zendesk sign-in form. Don't specify a range if you want all users to be redirected to the remote authentication sign-in form.
  8. Once your SAML SSO configuration is set, click Enabled so you can assign this option to users.
  9. Click Save.

Using this as a guide,

  3. For SAML SSO URL, enter the remote login URL of your SAML server.

https://fusionauth.mydomain/samlv2/login/{tenantId}

  4. Enter the Certificate fingerprint. This is required for us to communicate with your SAML server.

If you have not yet generated an RSA key pair, do that now. Settings --> Key Master in FusionAuth. Once you have done this, click the view button and find the certificate fingerprint value.

Ensure that this key pair is configured for use in your SAML IdP settings. Applications --> SAML --> Signing Key

Assuming that is ok, then the XML you provided, is that what Zendesk is showing that FusionAuth sent?

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" 
                    ID="samlr-8f3d9e68-de44-11e9-afdb-aa0d8ba77e1f" 
                    IssueInstant="2019-09-23T20:56:05Z" 
                    Version="2.0" 
                    AssertionConsumerServiceURL="https://mydomain.zendesk.com/access/saml">
   <!-- Missing the saml:Issue open tag? --> 
    saml:Issuermydomain.zendesk.com 
    </saml:Issuer>
    <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
</samlp:AuthnRequest>

This doesn't look to be valid XML, there seems to be an open tag. Can you provide a full encoded AuthN request?

> Does this have anything to do with the 'Audience' restriction field available in the SAML configuration tab in the Application?

I don't know, their doc does seem to indicate that they want the Audience set to your_subdomain.zendesk.com. So this will be your Zendesk domain value I would think.

> Also I'm not sure why we're being redirected to the oauth2 URL when trying to initiate SSO.

Are you seeing this once you're on the FusionAuth login workflow? If so, this is expected, we essentially perform a sub OAuth2 workflow on our end during the SAML login.

If you want to join the Slack Channel (see Chat with Users on https://fusionauth.io/ ) you can DM me and perhaps I can help you debug this in more detail.
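To make the decoded request from the event log (the "deflated and encoded request" above) and the fields called out in the XML (Issuer, AssertionConsumerServiceURL, NameIDPolicy) concrete, here is an added Python example that is not FusionAuth's or Zendesk's code. It encodes a constructed AuthnRequest the way the SAML HTTP-Redirect binding does (raw DEFLATE, then base64), decodes it back, and checks that the Issuer and the ACS host agree with the Zendesk subdomain that is expected as the Audience; the request ID and domain are placeholder values modelled on the thread.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample modelled on the request quoted in the thread; ID and domain are placeholders.
SAMPLE_AUTHN_REQUEST = f"""<?xml version="1.0"?>
<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="samlr-example-id" IssueInstant="2019-09-23T20:56:05Z" Version="2.0"
    AssertionConsumerServiceURL="https://mydomain.zendesk.com/access/saml">
  <saml:Issuer>mydomain.zendesk.com</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
</samlp:AuthnRequest>"""


def encode_redirect_binding(xml_text: str) -> str:
    """Raw DEFLATE (no zlib header) then base64, as the SAML HTTP-Redirect binding requires."""
    deflater = zlib.compressobj(wbits=-15)
    return base64.b64encode(deflater.compress(xml_text.encode()) + deflater.flush()).decode()


def decode_redirect_binding(saml_request: str) -> bytes:
    """Inverse of the above: base64-decode, then inflate the raw DEFLATE stream."""
    return zlib.decompress(base64.b64decode(saml_request), wbits=-15)


def inspect_authn_request(saml_request: str, expected_issuer: str) -> dict:
    """Decode a SAMLRequest parameter and compare Issuer and ACS host with the expected SP."""
    root = ET.fromstring(decode_redirect_binding(saml_request))
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    issuer_el = root.find(f"{{{SAML}}}Issuer")
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    acs = root.get("AssertionConsumerServiceURL", "")
    parsed_acs = urlparse(acs)
    name_id = root.find(f"{{{SAMLP}}}NameIDPolicy")
    return {
        "id": root.get("ID"),
        "issuer": issuer,
        "acs_url": acs,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "issuer_matches": issuer == expected_issuer,
        # Only accept an https ACS on the same host as the Issuer/Audience.
        "acs_matches_issuer": parsed_acs.scheme == "https" and parsed_acs.hostname == expected_issuer,
    }
```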

prasanna10021991 commented 5 years ago

@robotdan ..I've requested access to the slack channel, I'll DM once I get it..and thank you for pointing me towards that and providing the above information, I really appreciate the instant feedback :) Also in the meantime, here are some follow-ups:

  1. What version of FusionAuth are you running?

I'm currently on v.1.8.0-RC.1

  2. What guide from Zendesk are you following?

I followed the exact guide/steps you've outlined here till having the Key generated for the application and using the fingerprint of signing key to configure Zendesk SAML. All of that worked out well and I was able to hit our IDP as seen in the logs. Then pops the error.

> This doesn't look to be valid XML, there seems to be an open tag. Can you provide a full encoded AuthN request?

I'm sorry about that, I think I messed it up while commenting the output. It does have the open tag: <?xml version="1.0"?>

mydomain.zendesk.com

> I don't know, their doc does seem to indicate that they want the `Audience` set to `your_subdomain.zendesk.com`. So this will be your Zendesk domain value I would think.

Yeah, I've set the issuer as `your_subdomain.zendesk.com`, which is automatically applied to Audience too. But I wanted to check with you on this because the hint next to the field in FusionAuth said some providers like Zendesk might need a different Audience.

> Are you seeing this once you're on the FusionAuth login workflow? If so, this is expected, we essentially perform a sub OAuth2 workflow on our end during the SAML login.

Oh okie cool..yes, as soon as I trigger the SAML login from the Zendesk subdomain it's throwing the error I mentioned in the OAuth URL seen here: https://fusionauth.mysite/oauth2/authorize?client_id=cd979ea2-3d26-4ef5-a827-1d3f62dd0975&redirect_uri=%2Fsamlv2%2Fcallback%2F4d30cc31-ea5c-f9c7-9ace-d7da9994ebea&response_type=code&state=%7B%22ai%22%3A%22cd979ea2-3d26-4ef5-a827-1d3f62dd0975%22%2C%22id%22%3A%22samlr-b308b470-dea0-11e9-a391-a284136c68ec%22%2C%22rs%22%3A%22https%3A%2F%2Fmydomain.zendesk.com%2Fhc%2Fen-us%22%7D

So does that mean there might be something wrong in my OAuth config that might've caused the invalid_redirect error? Here is what I have in there, I haven't touched most of it.

![Screen Shot 2019-09-25 at 12 39 40 PM](https://user-images.githubusercontent.com/39335934/65577710-fbd80100-df91-11e9-8174-b2bfd5e939d2.png)

Also I tried configuring the logout URL & that worked just fine and I got redirected to the FusionAuth logout.

Attaching the error JSON here for reference:

{
  "error" : "invalid_request",
  "error_description" : "Invalid redirection uri /samlv2/callback/4d30cc31-ea5c-f9c7-9ace-d7da9994ebea",
  "error_reason" : "invalid_redirect_uri"
}

Another quick question: while configuring the Zendesk SAML SSO URL for the IDP, I've given the 'SAML Login URL' and not the 'Entity ID' (as the Entity ID redirects to the IDP metadata instead, and nothing shows up in the event logs either). So I should be using the Login URL only, right?

robotdan commented 5 years ago

Thanks for that additional information @prasanna10021991 . The exact JSON error was really helpful.

{
  "error" : "invalid_request",
  "error_description" : "Invalid redirection uri /samlv2/callback/4d30cc31-ea5c-f9c7-9ace-d7da9994ebea",
  "error_reason" : "invalid_redirect_uri"
}

I think this is a bug in FusionAuth; that redirect is ok, it is an internal redirect to perform a sub OAuth grant. I think I have a fix for this, I'll plan to get it out in the upcoming patch release.

Thanks for the help, it will be great to get Zendesk documented and working.
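The error in this thread comes from the redirect_uri check rejecting FusionAuth's own internal /samlv2/callback/{id} path. As an added illustration, not FusionAuth's implementation (the thread does not show its internals), here is a hypothetical Python validator that keeps an exact-match allow-list for Authorized Redirect URLs, which is what stops an authorize endpoint from becoming an open redirector, while carving out only the IdP's own relative SAML callback path; the callback path pattern is an assumption modelled on the redirect_uri quoted above.

```python
import re
from typing import Iterable
from urllib.parse import urlparse

# Hypothetical pattern for the IdP's own SAML callback, modelled on the relative
# redirect_uri from the thread: /samlv2/callback/<identity-provider-id> (a UUID).
INTERNAL_SAML_CALLBACK = re.compile(
    r"/samlv2/callback/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}"
)


def is_internal_saml_callback(redirect_uri: str) -> bool:
    """True only for a bare, path-only callback: no scheme, host, query or fragment."""
    parsed = urlparse(redirect_uri)
    if parsed.scheme or parsed.netloc or redirect_uri.startswith("//"):
        return False  # anything with a host is external, including protocol-relative URLs
    if parsed.query or parsed.fragment or parsed.params:
        return False  # no room to smuggle a 'next=' style parameter into the carve-out
    return INTERNAL_SAML_CALLBACK.fullmatch(parsed.path) is not None


def redirect_uri_allowed(redirect_uri: str, authorized_redirect_urls: Iterable[str]) -> bool:
    """Exact-match allow-list for external redirects, plus the internal SAML callback.

    Exact string comparison (no prefix, suffix or wildcard matching) is what keeps an
    OAuth authorize endpoint from being used as an open redirector; the internal
    carve-out is deliberately narrow so it cannot be widened to an arbitrary path.
    """
    if redirect_uri in set(authorized_redirect_urls):
        return True
    return is_internal_saml_callback(redirect_uri)
```

With an empty Authorized Redirect URL list, as in the reporter's configuration, the internal callback is still accepted, while the same path prefixed with a host or followed by a query string is not.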