Last updated: 2025-09-23

Source: https://support.freshservice.com/support/solutions/articles/50000002088-configuring-custom-sso-policies-under-org

Single Sign-On(SSO)

Single Sign-On (SSO) is a system that lets users securely authenticate multiple cloud applications by logging in only once in a managed authentication system. This managed authentication system is also referred to as Identity Provider (IdP) and the cloud applications that rely on the data provided by Identity Provider are called as Service Providers (SP). Some of the Identity Providers are ADFS, OneLogin, Okta, Auth0, and G-Suite.

For more information on SSO in Freshdesk, click here

Custom SSO policies

Orgv2 has a built-in UI to set up a custom login policy (with customized login URL) with different login mechanisms available under it.

  • An Org can set up about 1000 custom policies.
  • 1 custom policy apart from the default policy can be set up for agents per account.
  • 1 custom policy for contact per account can be configured.

    • You can configure a custom policy in Org even without this feature enabled in Freshdesk but those policies will not be synced to Freshdesk. In this scenario, we can enable the feature from the backend and you can change the custom policy name/URL to sync these policies to Freshdesk.

    To set up a custom SSO policy

    Custom agent SSO:

    If Org<>SSO sync feature is enabled, then there are 2 scenarios:

    A. Freshdesk account without Freshdesk SSO:

  • The default Freshdesk landing page is support/home.
  • Click on login → support/login
  • Support/login → On hovering the link 'Are you an agent Login here', the customized URL of Org custom policy will be there.
  • On clicking here, it will take the Org custom policy login mechanism.
  • login/normal → It will not show any custom URL. This page will always redirect to the default Org login page

    • B. Freshdesk account with Freshdesk SSO:

  • Support/login → will redirect to Freshdesk SSO IDP.
  • There is no way agents can log in to agent's custom policy. They can only use login/normal to log in through the Org default login page.
  • You have to disable Freshdesk SSO to use login through custom policy. But once Freshdesk SSO is disabled, it cannot be re-enabled.

    • Custom contact SSO:

    A. Freshdesk account without Freshdesk SSO:

  • Support/login page → On hovering over the link 'Are you a customer Login here', the customized URL of Org custom policy will be there. On clicking here it will take Org custom policy login mechanism.
  • login/normal → it is only for agents.

    • B. Freshdesk account with Freshdesk SSO:

  • Support/login → will redirect to Freshdesk SSO IDP.
  • You can check the behavior of contact custom policy by hitting

    • account\_domain\_url/customer/login in the browser. It will be redirected to the custom policy login URL, where you check the contact login functionality.

  • Once you have completely configured this, disable the Freshdesk SSO.

    • Once you have successfully set up SSO, the login page will look this :

    Contact attributes :

    The following default user attributes can be sent to Freshdesk from the identity provider when a user logs into the IDP via SSO:

    AttributeFormatNecessityDescription
    First Namegivenname or FirstName or usernameOptionalThe first name of the user/contact
    Last Namesurname or LastNameOptionalThe last name of the user
    PhonephoneOptionalWork phone number of the user
    Companycompany or organizationOptionalName of the Company of the user
    TitleTitle or job\_titleOptionalJob title of the user
    Unique external IDunique\_idOptionalUnique external id of the user
    Mobile phonemobileOptionalMobile phone number of the user
    Time zonetime\_zoneOptionalTime zone of the user
    LanguagelanguageOptionalLanguage of the user
    Aboutabout, descriptionOptionalDescription of the user

    Custom Contact attributes :

    We also support custom contact fields.

    Custom fieldcustom\_field\_<field\_name>Optional

    For example: If there is a custom user field (contact field) configured as 'Office Location', then the SAML assertion needs to send the attribute as 'custom\_field\_office\_location' to update the user information.

    _Note_ _: All the above attributes will be assigned to the contact during login. Any attribute changes would be synced as well. Email is mandatory for a user during login._

    You can refer to this article for the various language codes and timezones allowed.