The following table details the required and optional attributes to be configured in the assertion attribute contract.

Attribute Name Description Required / Optional


Email Address


The following table details the references that are used within this guide that are environment specific. Replace these with the suitable value for your environment.

Reference Description


Zendesk Tenant name

  1. Create the PingFederate service provider (SP) connection for Zendesk:
    1. Sign on to the PingFederate administrative console.
    2. Using the following information, create an SP connection in PingFederate:
      1. Set Partner’s Entity ID to https://<tenant>
      2. Configure using Browser SSO profile SAML 2.0.
      3. Enable the following SAML Profiles.
        • IdP-Initiated SSO
        • SP-Initiated SSO
      4. In Assertion Creation > Attribute Contract Fulfillment, set the Subject Name Format to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
      5. In Assertion Creation > Attribute Contract Fulfillment, map the attribute SAML_SUBJECT to the attribute mail.
      6. In Protocol Settings > Assertion Consumer Service URL, enter https://<tenant>
      7. In Protocol Settings > Allowable SAML Bindings, enable Redirect.
      8. In Credentials, choose a suitable signing certificate and make sure the Include the certificate in the signature <KEYINFO> element check box is selected.
    3. Export the metadata for the newly-created SP connection.
    4. Export the signing certificate public key.
      The PingFederate administrative console on the Applications > Integration > SP Connections page. The SP Connections page includes a successfully created and enabled Zendesk SP connection. A search bar with Search and Clear buttons, and a Narrow By filter. Below this is a list of the existing SP connections. The resuls are listed by Connection Name, Connection ID, Virtual ID, Protocol, Enabled which is a toggle switch set to the on position, and Action. There are Create Connection and Import Connection buttons.
  2. Configure the PingFederate IdP connection for Zendesk:
    1. Sign on to Zendesk as an administrator.
    2. Click on the Products icon.
    3. Click Admin Centre.
      A screen capture of the Zendesk Administrator home page. The Get Started page view option is clicked. On the top right of the page is a search bar, a message icon, a bell icon, the products icon, and a user icon. The products icon is clicked and displays the menu options of Support, Guides, Gather, Chat, Talk, Explore, Sell, and Admin Centre. The Admin Centre option has a light blue background when the mouse hovers over it and is highlighted.
    4. Click the Security icon.
    5. Click Single sign-on.
      A screen capture of the Admin Centre page. On the left side is a navigation pane with the icons for menu options. The Security icon which is a shield with a checkmark in the center is clicked. The Security sub-menu options has Staff Members, End users, Single sign-on, which is clicked and highlighted, and Advanced. The Single sign-on section is displayed. There are SAML and JSON Web Token configuration options with Configure buttons for each option. The SAML Configure button is highlighted.
    6. In the SAML SSO URL field, enter the SSO URL for your PingFederate environment configuration.

      For example, https://<pinghostname>/idp/SSO.saml2.

    7. Open the Signing certificate you downloaded in the PingFederate SP configuration and copy the thumbprint to the Certificate fingerprint.
      A screen capture of the Certificate dialog with the Details tab open. In the Show list, <All> is selected. The list is organized by Field and Value. The Thumbprint line entry is selected and has a light grey background. At the bottom of the dialog is the Edit Properties button, whcich is blurred, and the Copy to File... button. Below these buttons is the OK button, which is highlighted with a blue outline.
    8. Select the Enabled check box.
      The SAML configuration page. The introduction sentence is SAML is an industry standard SSO framework typically used by large enterprises for communicating identities across the internet. There are fields for Enabled, which is a selected check box, SAML SSO URL, Certificate fingerprint*, and the Remote logout URL.
    9. Click Save.
      You can now enable external authentication for Staff members or End users as required.

      The following example enables it for Staff members only.

    10. To enable external authentication:
      1. Click the Security icon.
      2. Click Staff members.
      3. Select the External Authentication check box.
      4. Click Single sign-on.
        A screen capture of the Admin Centre > Security > Staff members configuration page. There are fields for External authentication, which is a checkbox that is selected, Google and Microsoft radio buttons, which aren’t clicked, and a Single sign-on radio button which is clicked. At the bottom of the page is the Cancel and Save buttons.
      5. Click Save.
  3. Test the integration:
    • For PingFederate IdP-initiated SSO:
      1. Go to the SSO Application Endpoint from the PingFederate application configuration to perform IdP-initiated SSO. For example, https://PingFederateHostname:PingFederatePort/idp/
      A screen capture of a SSO page. There are fields for Username and Password and a Sign On button.
    • For PingOne SP-initiated SSO:
      1. Go to the URL for your Zendesk tenant. For example, https://<tenant>

        Because SSO is only enabled for Staff, you should see a sign on form.

      2. Click I am an Agent to initiate SSO.

      A screen capture of the Zendesk sign on page. There are fields for Email and Password, a Sign in button, an I am an Agent link, which is highlighted, the Forgot my password link, and the Privacy Policy link.