SSO

You can log in to your Freshservice account use the Login option located at the top-right corner of your Freshservice portal. You can access your account through the URL yourcompanyname.freshservice.com or your custom vanity URL if you've set one up.

Enter your email address and password on the login page to access the helpdesk. If you've enabled Single Sign-On (SSO) or Google login, you'll be redirected to the corresponding authentication site, where you can enter your credentials to log in.

For Freshworks org accounts, you can configure multiple authentication modes, including SSO and Freshworks credentials, which is beneficial for managing users from various domains.

Using Freshservice URL:

Using Freshworks URL:

In case you have issues with your SSO, then you can bypass  SSO using the URL, https://domain.freshservice.com/login/normal. When you hit the URL, you will be taken to the login page where you will have to enter your local Freshservice credentials.

For Freshworks accounts, you can use https://domain.freshworks.com/login/normal to bypass the SSO and until the issue with the SSO is sorted. 

Note that the bypass on Freshworks Org enabled accounts is only possible for users with the Organizational admin permissions.

You can enable the native login credentials at Service Desk security for other users to workaround this issue temporarily

Single Sign-On (SSO) is a feature that allows users to securely authenticate multiple cloud applications by logging in only once in a managed authentication system. With SSO, users don't have to think and remember different passwords for different applications; they can now use the existing login information that is managed by Identity Providers (IdP) like ADFS, OneLogin, Okta, Azure AD, G-Suite and the cloud applications that rely on the data provided by Identity Provider called Service Providers (SP). Using SSO, you can log in to different accounts across Freshworks products. Admins can choose and configure how users can log into each of the Freshworks accounts.

Today, Freshworks supports the following protocols to securely exchange user identity information between the Identity Provider and Service Provider: SAML, OAuth2, OpenID Connect (OIDC), JWT.


TABLE OF CONTENTS

• How does SSO work 
• Security policy for Contacts
• SSO configuration made easy
• Custom policies for your unique needs
  
  

How does SSO work 

With single sign-on, this is what happens when you try to log in to an application, 

1. If you have already logged in using SSO, the application grants you access to it. 

2. If you haven’t, you are presented with options for authentication via a third-party identity provider like Google. You can log in with that provider. 

3. The identity provider authenticates you, ensures the application that is asking for your authentication is legit, and issues a token back to the application. The application uses this information to log the user in. 

4. Once you are logged in, the authentication verification data (either as cookies or as tokens) is passed as you navigate to different pages of the application. 
   

With our new and improved UI, you can 

• easily setup SSO with the help of in-product configuration guides for popular identity providers

• configure up to 99 SSOs  for a single organization

• customize advanced SAMLoptions like for single logout, encrypted assertions, and more 

• download SAML metadata and configure it in third party IdPs with one click (wherever supported)

• customize the “Sign in with SSO” button label on the login page

• define custom policy in just three steps

• configure up to 99 custom policies and customize logo on each of the custom login URL

Security policy for Contacts

We have brought in a separate tab to define various login methods through which your contacts can log in. 

One policy for all

Under Security > Default Login Methods, you can choose between Freshworks Login, Google Login, and Single sign-on via any identity provider of your choice. The default policy will drive the entire authentication layer for all your accounts in the organization. 

Apply password policy

After choosing your password policy (either configuring your custom policy or choosing one of the preset levels), you can choose when to apply the policy. You can either apply it immediately, the next time the user logs in, or the next time the user decides to change the password. 

SSO configuration made easy

Our new and improved UI is intuitive and has helpful configuration guides for some of the popular identity providers. That's not it. We have many advanced enterprise-grade controls that you can customize like single logout, encrypted assertions, and more. You have an option to rename the SSO name and button label, making it easy to manage multiple configurations you might have setup. 

Custom policies for your unique needs

You can define authentication controls for specific accounts and portals in just three steps to cater to your specific security needs. We now support up to 99 configurations. 

Org Admins can configure multiple policies to ensure your users securely access the Freshworks accounts. Here are a few things you can do: 

• You can choose the Default security policy comprising Freshworks login managed by a password policy or/and Google Login or/and SSO login applicable to all admins/agents logging into the organization's accounts. 

• You can also create custom policies to configure SSO for contacts (Your customers in Freshdesk) or to cater to agents in a specific portal/account. 

• Users can also opt to configure two-factor authentication. 
  
  

With SSO, you can use one set of credentials to access multiple services without having to remember multiple login credentials for different services. 

As an Org Admin of your account, you can configure SSO by navigating to Admin > Account Settings > Service Desk Security. From there, select the relevant Identity Provider for setting up SSO for Freshworks like. ADFS, OneLogin, Okta, or Azure AD.

Please choose the relevant IDP for setting up SSO.

• Configure SSO with SAML 2.0
• Configure SAML 2.0 for Freshworks using Okta
• Configure SAML 2.0 for Freshworks using Azure AD
• Configure SAML 2.0 for Freshworks using ADFS
• Configure SAML 2.0 for Freshworks using OneLogin  
• Configure SSO with OpenID Connect
• Configure SSO with OAuth 2.0
• Configure SSO with JWT

This error would be displayed when an incorrect username - password combination was entered during login. If you have forgotten the password of your account, you can trigger a password reset email from the login page of your account by clicking the ‘Forgot Password’ option and set up a new password for login. 

If you don't receive the password reset email, please check your Spam folder in your mailbox for the email. If you still have issues in resetting your password, please contact support@freshservice.com with your account details for assistance.

Also please note that if you make too many incorrect attempts to log in using the incorrect credentials, the profile might be blocked. In such cases, please write to support@freshservice.com for unblocking your account.

If you are added as an Occasional Agent in your service desk and if your service desk does not have sufficient day passes to log in, you will be displayed with this error.

You can contact your Account Administrators and they can help you in purchasing day-passes for logging in. A new day pass can be added to your account from under Admin-->Day pass. You could also view the day pass Usage History from under the same page.

If the email address that was entered during login, is not an agent/contact in the account, then this error would be displayed. You could sign up for a new account, using the Sign Up option on the Portal, or ask to be added as an Agent from under Admin-->Agents in your account. Once this is done, you can login to your Freshservice Account.

If you continue to face issues with login, reach out to our support team through support@freshservice.com for further assistance.

If you click on a link to which you don’t have access to or do not have the right to view, this error is displayed.

For example: If you click on a ticket URL, which you don’t have access to,(you could be part of the conversation by being in cc) then you get this message.

The same happens when an agent clicks on the ticket and it would say that either the ticket is deleted or the agent does not have permission to view the ticket.

If you are getting this error as an Agent, please check if you have the correct Ticket Scope (Global access) to view the page.

Please feel free in writing to support@freshservice.com in cases where the error appears in scenarios that are not mentioned above.

This error is generally thrown when the IP from which you are looking to access Freshservice is restricted, provided your team has set up IP whitelisting to allow access of Freshservice from particular IP addresses only.

The navigation path to do this is Admin --> Channels -->Email Settings and Mailboxes --> Freshservice IP addresses for email communication 

While setting up an SSO, users would have to login from a common login URL, to be authenticated using SSO. The Remote Login URL is the URL to which your users would be redirected when they hit the Login button on your portal after you have set up an SSO.

You would have to update this field with the common login URL, while setting up SSO for your freshservice Account.

Freshservice makes use of HMAC MD5 encryption, while using SSO for login authentication.

The mandatory parameters that need to be passed during login are, name, secret hash, email, and time stamp - in that order. Please follow the below article for further detail,

https://support.freshservice.com/support/solutions/articles/236062-active-directory-integration

The most common mistake that might cause this is the presence of blank spaces at the beginning and end of the fingerprint text under Admin-->Service Desk Security. Please ensure that there are no spaces before or after the fingerprint.

To update the Fingerprint, you can login to your account using the URL domain.freshservice.com/login/normal and by using your freshservice local credentials.

If the issue persists, please send an email to support@freshservice.com and we'll help you out.

This error message denoting authentication failure would be because of an error in setting up the SSO. To analyze this, we would require the debug log. Please enter ?debug=1 at the end of the URL that is generated, to retrieve the debug log. 

Once you receive the error log please send an email to support@freshservice.com and one of our agents would assist you further on this.

If you're experiencing issues logging in through AD SSO in Freshservice, here are some troubleshooting steps to follow:

1. Check if the agent is using the correct email address associated with the AD account to log in.
2. Make sure the user profile on AD has permission to use SSO. Sometimes, users may not have access to the SSO configuration or app in the idP.
3. Verify that the user unique identifier in the SSO configuration is mapped to the correct AD attribute. The value in the attribute should match the email in the agent profile in Freshservice. Freshservice uses the AD profile's email address as the parameter for authentication to locate their profile on Freshservice

Agents are often logged back into the portal automatically after logging out because their browsers might be set to remember their login credentials. To prevent this from happening, agents can clear their browser's cache and cookies or disable the browser's auto-fill feature.

It is also possible that the agents' accounts have been set to remain logged in for a certain period of time. This can be adjusted by navigating to Admin > Account Settings > Service Desk Security > Session Timeout. Here, you can set the session timeout to a value that suits your needs.

If none of the above solutions work, it is recommended to contact the support team by dropping an email to support@freshservice.com for further assistance. They can help troubleshoot the issue and provide a solution that is specific to your account and portal settings. 

Agents being logged back into the portal automatically after they log out can be caused by various reasons such as portal settings, browser settings, and account settings. By adjusting these settings or seeking assistance from the support team, agents can prevent this issue from occurring in the future.

Yes, if you have configured SAML based SSO then we would have to have a SSL certificate for your vanity URL.

SSO facilitates the use of having a common password across different applications and services that you are using in your organisation.

It is possible to set up multiple SSO configurations for your accounts in Freshservice. By defining a default security policy, you can ensure that all users logging into any account in your organization adhere to a consistent authentication protocol. Moreover, you can create custom policies that configure login methods for either all users or specific company portals while in MSP. This level of flexibility allows you to tailor your SSO setup to your organization's unique needs.

To learn more, Freshservice offers a variety of configuration options for SSO as below,

• Configure SSO with SAML 2.0
• Configure SAML 2.0 for Freshworks using Okta 
• Configure SAML 2.0 for Freshworks using Azure AD 
• Configure SAML 2.0 for Freshworks using ADFS 
• Configure SAML 2.0 for Freshworks using OneLogin  
• Configure SSO with OpenID Connect
• Configure SSO with OAuth 2.0 
• Configure SSO with JWT

If you need help setting up SSO in Freshservice or need further assistance, you can contact the Freshservice support team. You can raise a request to support@freshworks.com, and the team will get back to you as soon as possible.

IIS should be hosted publicly in order to access your service desk from any network else your service desk would be accessible only from your network where the IIS is hosted.

Global port(8080/80) or any other open ports could be allocated for the IIS server.

To enable users from multiple domains to use SSO in Freshservice, you can create an SSO configuration for each tenant in the Neo admin center. When users log in, they can choose the relevant login option. 
If you need further assistance setting up SSO for multiple domains, don't hesitate to reach out to the Freshservice support team at support@freshservice.com. Our team will be happy to help you with any queries or concerns you may have.

The AD script can be downloaded from the below solution article: https://support.freshservice.com/support/solutions/articles/236062-active-directory-integration

There can be multiple scenarios that may cause you trouble logging into your Freshservice instance. Here are some recommendations to troubleshoot the issue.

1. Check for deactivated user
2. Try logging in after password reset.
3. Check for primary email for SSO login.
4. Check for common browser issues.

Check for deactivated user

When your account is either deactivated or unused for a long time, contact your Admin to reactivate your account. As an Administrator of your servicedesk, follow the steps below to check and reactivate users.

1. Navigate to Admin. Under the User Management section, select Agent or Requester.

2. Click on the Deactivated tab and check for the user profile facing the login issue.

3. Select the deactivated user profile and click on the Reactivate button.

4. This will take you to the Edit agent/requester page where you can update the roles and permissions of the user.

5. Once done, click on Update to reactivate the user.
   
   
   

Try logging in after password reset.

If you're having trouble logging in using the Freshworks login, 

1. Click on the 'Forgot your password' to reset your password from your login page. 

2. Select the ‘Request reset link’ option.

3. Reset the password using the link from the password reset email.

4. Try to log in again with the new password and check if the issue persists.

   
   

   

Check for primary email for SSO login.

Check if you're using the secondary email address to log in through SSO. Please note that you can only use the primary email address for SSO login.

As an Administrator of your Freshservice account, you can check if a requester is using their secondary email to login by following the steps below.

1. Navigate to Admin. Under the User Management section, select the Requester option.

2. Click on the requester profile facing login issues, and choose the Edit Requester option under the More dropdown. 

3. Scroll down and check for the email addresses provided under the Secondary emails section.

4. Emails mentioned under secondary emails should not be used to login through SSO.
   
   
   
   

You can also access your Freshservice instance when your SSO server is down.

Check for common browser issues.

Clear cache and cookies on your web browser and try to sign in again. You can also open an incognito window to access your Freshservice instance to eliminate any extensions that limit your access.

If you still need help logging in after working through all of the above recommendations, please reach out to support@freshservice.com.