This guide provides the steps required to configure Provisioning for Zendesk.
The following Provisioning features are supported:
New users created in the third-party application will be downloaded and turned into new AppUser objects, for matching against existing Okta users.
New users created through Okta will also be created in the third-party application.
Updates made to the user's password through Okta will be pushed to the third-party application.
Updates made to the user's profile through Okta will be pushed to the third-party application.
Deactivating the user or disabling the user's access to the application through Okta will deactivate the user in the third-party application.
Reactivating the user through Okta will reactivate the user in the third-party application.
Push, update, and download user groups.
Configure your Provisioning settings for Zendesk as follows:
Check the Enable API Integration box.
Enter your Zendesk API credentials in the Username and Password fields.
Only verified account credentials can be used (see https://support.zendesk.com/entries/23242272-Verifying-a-user-s-email-address for more information).
Only accounts without two-factor authentication can be used.
Note that you can use an API token instead of a password. If you do this, append /token to the end of the agent's email address in the Username field, and paste an Active API token into the Password field. See Generating an API Token.
Select what kind of User Roles to Import: either All Users or Only Admins and Agents.
Check Don’t import suspended users if inactive users should be ignored during import.
Optional: Test your credentials by clicking Test API Credentials.
Click Save.
Select To App in the left panel, then select the Provisioning Features you want to enable.
Click Save.
You can now assign people to the app (if needed) and finish the application setup.
Zendesk supports User's Schema Discovery, so you can add extra attributes to the user's profile. To do so, follow the instructions below:
In Okta, from the Admin dashboard, select Directory > Profile Editor.
Select the APPS section in the left navigation bar, then find your app in the list.
Check the list of attributes, and if you decide you need more, click Add Attribute. A list of extended attributes will appear:
Select the attributes you want to add, then click Save.
You can now import and push these user attribute values to/from Zendesk.
If an admin selects an unsupported Locale for the end user role, Okta will revert to the default locale.
Group memberships are not supported for end users. Assigning users with the end user role to an Okta group that is linked to a Zendesk group will result in an error.
Group Push is only available for applications with no Groups profile property in the template. To unlock this feature for an existing application, ask Support to update the profile for your application, then remove Groups from the Custom attribute list in the Profile Editor.
All new applications have Group Push enabled, so it is impossible to add the Groups profile property in the template for them.
All agent and administrator users pushed to Zendesk are automatically added to the Support group. Then open Provisioning and re-save the Provisioning to App settings, click Edit, then scroll down and Save.
Zendesk allows you to create several groups with the same name, but on the Okta side you will receive an error when trying to link an Okta group to one of these Zendesk groups.
After a user is removed from the Okta group that is linked to one of the Zendesk groups, the user stays in the Zendesk group in an inactive state.
In order to ensure that Sync Unique Password works for the Zendesk application, make sure you have enabled All admins to set passwords, as shown below (Zendesk Global section, Security > Settings):
If you are in the process of creating a Zendesk app instance and encounter an error similar to the following during the app assignment flow:
The workaround for this is to first create the app instance without assigning it to any user/group. Once the app instance exists, you can then assign the app to the respective people by either:
By User: From the Okta admin dashboard, navigate to Directory > People then assign apps to users.
By Application: From the Okta admin dashboard, navigate to Applications then assign apps to users.
If you get a phone validation error while creating or updating a user:
Either use the E.164 phone format for users, or disable phone validation on the Zendesk side (Admin > Customers > Validate user phone numbers).
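The following pre-flight check is an added example, not code from Okta or Zendesk. It scans user records before they are pushed and flags three conditions this guide says produce errors: phone numbers that are not E.164, end users with group memberships, and Zendesk groups that share a name. The record field names (email, phone, role, groups), the role value and the sample data are assumptions made for illustration.

```python
import re
from collections import Counter

# E.164: a leading "+", a non-zero first digit, and at most 15 digits in total.
E164 = re.compile(r"\+[1-9]\d{1,14}")


def preflight(users, zendesk_group_names):
    """Return (subject, problem) tuples for records likely to fail provisioning."""
    findings = []
    for user in users:
        phone = user.get("phone")
        # Zendesk phone validation rejects anything that is not E.164.
        if phone and not E164.fullmatch(phone):
            findings.append((user["email"], f"phone {phone!r} is not E.164"))
        # Group memberships are not supported for end users.
        if user.get("role") == "end-user" and user.get("groups"):
            findings.append((user["email"], "end user has group memberships"))
    # Zendesk permits duplicate group names; linking an Okta group to one fails.
    for name, count in Counter(zendesk_group_names).items():
        if count > 1:
            findings.append((name, f"{count} Zendesk groups share this name"))
    return findings


# Constructed sample data (hypothetical field names and values).
SAMPLE_USERS = [
    {"email": "alice@example.com", "phone": "+14155550100",
     "role": "agent", "groups": ["Support"]},
    {"email": "bob@example.com", "phone": "(415) 555-0100",
     "role": "agent", "groups": ["Support"]},
    {"email": "carol@example.com", "phone": None,
     "role": "end-user", "groups": ["Tier 1"]},
    {"email": "dave@example.com", "phone": None,
     "role": "end-user", "groups": []},
]
SAMPLE_GROUPS = ["Support", "Tier 1", "Tier 1"]

if __name__ == "__main__":
    for subject, problem in preflight(SAMPLE_USERS, SAMPLE_GROUPS):
        print(f"{subject}: {problem}")
```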