We use SSO internally for our Freshservice platform. I've noticed that its extremely easy to log into someone else's account if you have the hash but putting it at the end of the URL, for example "&hash=8c4ceaa5ba06561b2cf5ac66f88d7d49" (this is not a legitimate hash).
There are no controls on how this hash can be used so I can litterally walk up to another machine and use that hash to log in as an agent. Surely this hash should be stored and processed more securely?
This issue is addressed with the HMAC-MD5 hash which is more secure.
With the help of this solution article(https://support.freshservice.com/support/solutions/articles/218278-single-sign-on-remote-authentication-in-freshservice) please re-configure the SSO and let us know if you still face any difficulties.
I will also create a Support Ticket to help you over with the transition to HMAC-MD5.