Login/normal URL doesn't accept agent credentials unless SSO is disabled

  • 25 April 2019
  • 1 reply
  • 448 views

Hey there!


We recently enabled Simple SSO for our helpdesk so that customers could access our support portal after they log into our website. The user's email address (from their profile on our site) is passed to Freshdesk, which matches it to their existing Freshdesk user profile. If the email addresses match, it grants them access based on their access level in Freshdesk- no need for a separate account.


In order for that to work, our agents have had to use the https://(OurNameHere).freshdesk.com/login/normal URL when trying to log into the system as an agent since this bypasses the SSO authentication. It works well most of the time.


However, we keep encountering three problems:


1. Specific agents are our company keep getting logged out of their Freshdesk session without warning, even while they are in the middle of working. It's strange because it only happens to these 2-3 people, but never to people like me.


2. Even if they try to use the "...login/normal" URL, the page will not accept their agent credentials. I learned after some trial and error that if I disable SSO, have them reload the page and then try to log in again,then the login/normal URL does work. It's confusing because this URL is specifically supposed to completely bypass SSO for authentication, but it doesn't seem to work.


If we see the "Signing in as an agent?" section at the bottom of the login/normal page, that tells us SSO is not enabled and their login attempt will be successful. If we don't see this section (and SSO is enabled), the login attempt will always fail.


3. One of the affected agents from problem #1 keeps getting a "your account has not yet been activated" error on the page even if by some chance their credentials are accepted. 


Again, once I turn SSO off it works fine, but this makes no sense since this person was already in the system and has many tickets that have been worked on. It sends them an activation email, they click it, but they are still unable to log in.


Reason this is such a big problem:

  1. To get agents back in the system, we have to disable SSO, which requires a system admin. If system admins are out of the office or busy, the affected agent is unable to work at all until the SSO is toggled on/off. We do not want to grant more admin rights to other users in Freshdesk.
  2. Whenever we toggle SSO, it interferes with customers' ability to create or view tickets in the support portal. If they create a ticket while SSO is on and then SSO is turned off BEFORE they click "Submit", their ticket creation will fail.



Any help would be appreciated. Thank you!


ssotoggle_40511.pngloginnormalpagelnk_40511.png

This topic has been closed for comments

1 reply

Additional comment:


When SSO is disabled, the login/normal URL page visibly changes.


When we see the additional "Are you an agent?" area, that means SSO is off and the agent credentials work work on the first try on this page. I've attached an image of how the page looks when this is turned off and login attempts are successful.


The way this page should work is that the page should not dynamically change regardless of whether SSO is on or off- it should always show the "Are you an agent?" area and should be not be attempting to authenticate using the remote login/logout URLs configured for SSO within Freshdesk.


areyouanagentarea_41097.png