Error enabling SSO for Zendesk

Ryan Manewich (Admin) 0 Reputation points
2024-04-19T17:07:50.8333333+00:00

Has anyone else been able to get SSO working with Zendesk and Entra/Azure?

I've followed the instructions several times, but keep getting:

Request Id: 2a544d1b-70be-4981-be0c-9a30d2886f00

Correlation Id: 7495218c-b173-4a11-a6a9-1ba4699e4e89

Timestamp: 2024-04-19T16:41:49Z

Message: AADSTS650056: Misconfigured application. This could be due to one of the following: the client has not listed any permissions for 'AAD Graph' in the requested permissions in the client's application registration. Or, the admin has not consented in the tenant. Or, check the application identifier in the request to ensure it matches the configured client application identifier. Or, check the certificate in the request to ensure it's valid. Please contact your admin to fix the configuration or consent on behalf of the tenant. Client app ID: 8e17306b-5fc3-4b73-8e4c-76ec4156b163.


2 answers

  1. Marilee Turscak-MSFT 33,951 Reputation points Microsoft Employee
    2024-04-19T22:19:28.31+00:00

    Hi @Ryan Manewich (Admin) ,

    That error usually means that the application sends a SAML request with a different identifier from what you have set up in Azure.

    Check the issuer in the request and confirm that the one listed in the request matches exactly what is configured in Azure/Entra. Note that the http/https protocol needs to match too.

    You can collect a HAR trace to confirm this during the login and confirm that the application is sending the SAML request correctly so that you can have a valid SAML response. If it is not correct, you may need to work with Zendesk support to get the right values for Identifier, Reply URL, and Sign-On URL.

    See also:

    Error AADSTS650056 - Misconfigured application - Active Directory | Microsoft Docs

    If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar questions.

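The issuer check described in the answer above can be scripted against a saved HAR trace. This is an added example, not part of the original thread or of any Microsoft or Zendesk tooling; the function names, the `sp.example` / `idp.example` hosts and the sample request are constructed placeholders.

```python
import base64, zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, unquote, urlencode

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def decode_saml_request(value):
    """Return the AuthnRequest XML root from a SAMLRequest parameter value."""
    raw = base64.b64decode(value)
    if not raw.lstrip().startswith(b"<"):   # HTTP-Redirect binding: raw DEFLATE
        raw = zlib.decompress(raw, -15)     # HTTP-POST binding is plain XML
    return ET.fromstring(raw)

def saml_requests(har):
    """Yield the decoded AuthnRequest of every HAR entry carrying a SAMLRequest."""
    for entry in har["log"]["entries"]:
        req = entry["request"]
        values = parse_qs(urlsplit(req["url"]).query).get("SAMLRequest", [])
        for p in req.get("postData", {}).get("params", []):
            if p["name"] == "SAMLRequest":
                values.append(unquote(p["value"]))
        for value in values:
            yield decode_saml_request(value)

def check_issuer(har, configured_identifier):
    """Compare each request's Issuer with the Identifier (Entity ID) set in Entra."""
    findings = []
    for root in saml_requests(har):
        issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
        findings.append({"issuer": issuer,
                         "acs": root.get("AssertionConsumerServiceURL"),
                         "match": issuer == configured_identifier})  # exact, scheme included
    return findings

def sample_har(issuer):
    """Constructed one-entry HAR; every host name and value here is a placeholder."""
    xml = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" '
           'Version="2.0" AssertionConsumerServiceURL="https://sp.example/acs">'
           f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>')
    comp = zlib.compressobj(wbits=-15)
    blob = base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()
    url = "https://idp.example/saml2?" + urlencode({"SAMLRequest": blob})
    return {"log": {"entries": [{"request": {"method": "GET", "url": url}}]}}

if __name__ == "__main__":
    # SP sends http://, configured Identifier is https:// -> reported as a mismatch
    for finding in check_issuer(sample_har("http://sp.example"), "https://sp.example"):
        print(finding)
```

For a real trace, load the exported file with `json.load` and pass the result to `check_issuer` together with the Identifier shown in the enterprise application's SAML settings. A HAR file also records cookies and tokens from the session, so keep it local and delete it after the check.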

  2. Pinaki Ghatak 2,400 Reputation points Microsoft Employee
    2024-04-20T08:24:31.23+00:00

    Hello @Ryan Manewich (Admin)

    If you could share what information you have followed above, that would be helpful. Meanwhile, the error message you received, AADSTS650056, indicates that there might be a problem with the configuration of your application. Have you tried the following:

    Check the Redirect URI Configuration:

    • Verify that the redirect URI specified in your application’s Azure AD registration matches the one in your application code. The redirect URI is used to redirect the user back to your application after they sign in to Azure AD.

    Verify the Client ID Configuration:

    • Ensure that the client ID specified in your application’s code matches the one in your Azure AD registration. The client ID is used to identify your application to Azure AD.

    Check Necessary Permissions:

    • Confirm that the necessary permissions are granted to your application. You can do this by checking the “API Permissions” section in your application’s Azure AD registration.

    Ensure Your App Is Enabled:

    • Check that your application is enabled in Azure AD. You can verify this in the “Enterprise Applications” section of the Azure AD portal.

    Inspect the Token Signing Certificate:

    • If your application uses tokens, verify that the signing certificate is properly configured in Azure AD. You can find this information in the “Certificates & Secrets” section of your application’s Azure AD registration.

    Authentication Method Alignment:

    • Ensure that the authentication method used by your application matches the one specified in Azure AD. For example, if your application uses OpenID Connect, verify that it is configured in Azure AD to use OpenID Connect.

    Check for Conditional Access Policies:

    • Verify if there are any conditional access policies in place that might be blocking your application from accessing Azure AD resources.

    Remember that Azure AD Graph is deprecated, and it’s recommended to migrate your apps to Microsoft Graph. Read more here:

    Configure Azure AD Graph permissions for an app registration
