Configuring Zendesk user provisioning from G Suite

I end up doing a lot of the more complicated G Suite admin stuff at work, especially the SSO integration with SaaSs we use. This past week I spent a fair amount of time getting Zendesk setup. The SAML SSO integration was the easy part. The annoying part was getting the user provisioning right. I'm going to document it here so others might not have to go through the same pain.

First off, Zendesk is apparently expensive. Like $200/month/agent expensive. Your company is going to want to properly manage who gets provisioned as an agent. Zendesk also has a closely guarded free "Light Agent" role that you apparently have to arm twist them to enable on your account. The Light Agents can post private messages to tickets to help provide info to the full agents. What we wanted to do was have people default to being Light Agents and then be bumped up to full agent if they were in the support orgs.

G Suite is using Zendesk's user API to provision users. G Suite doesn't tell you this, but it becomes apparent when you're looking at the fields that you can configure for provisioning users. You're going to need to add some custom attributes to your G Suite directory to pass to Zendesk. At a minimum, you're going to want to pass in role and custom_role_id to Zendesk. We have an G Suite directory attribute schema called AppSpecific where we put things like this. I called the directory attributes zdRole and zdCustomRoleIdentifier for clarity. They get mapped in G Suite as shown below.

What's not clear when you first go to do this is that you might think you could use the role names that you see in the Zendesk role definitions. On no. There are three possible values for role and they are "end-user", "agent", and "admin". You'll want to set this to "agent" for most of your users. Then you need to haul out Postman or another API tool and query the Custom Agent Role API to get the values for your various agent roles to populate the zdCustomRoleIdentifier field in your directory. I set it to the Light Agent role for most everyone and then to the regular agent role for our support folks.

Now you should be able to turn auto-provisioning on and have it work. I hope this saves some people the hours of frustration that I went through.