You can provide your users with more options for signing in to Zendesk Support by allowing them to sign in using their existing social and business accounts. Social sign-ins include Facebook and Twitter and business sign-ins include Google and Microsoft. Agents and admins can only use business single sign-on. For information on other types of single sign-on options, see Single sign-on (SSO) options in Zendesk.
How social and business SSO works
Social and business single sign-on allows end users to access Zendesk using their Facebook, Twitter, Google, or Microsoft accounts. When you enable the SSO methods, a sign-in button is added to your Help Center page.
Agents and admins only have access to either Google or Microsoft SSO methods. If Google or Microsoft is also enabled for end users, agents and admins can use the sign-in button on the Help Center page. If the method is not enabled for end users, agents and admins will need to click the I am an Agent link to use SSO.
Your users' social and business account sign-in credentials (username and password) are never shared with Zendesk. Only the primary email address contained in the social and business account is shared.
- Users select one of the social or business sign-on options on your Zendesk account sign-in page.
- Users will be redirected to their social or business sign-in page and required to enter their credentials.
Note: If users are signing in with Microsoft, they can also use their Office365 credentials.
- If the credentials are valid, users will be redirected back to your Zendesk Support account.
- Zendesk will prompt the user to add an email to use as a contact.
- If the email address matches a user's email address in Zendesk, Zendesk will ask the user to enter their Zendesk password. After the password is validated, the contact information is added to the user's profile.
- If the email address does not match a user in Zendesk, a new user will be created, and Zendesk will send a verification email. If the user is a duplicate of a pre-existing Zendesk user, you can merge the users (see Merging a user's duplicate account).
If your Zendesk account is closed or restricted, and a user tries to sign in with a business or social account email that does not exist in Zendesk, their request to authenticate will be rejected. To enable a user to sign in with a social or business account that uses a different email, you will need to add the account email as a contact in Add contact on their user profile.
For more information on modifying a user's profile, see Updating your user profile and password.
After the one-time authorization is completed, the user is seamlessly signed in to Zendesk. On subsequent visits, if the user is already signed in to the account, they will be immediately signed in to Zendesk after they click the associated social or business sign-on button. If they aren't already signed in with the social or business account, they will be prompted to.
Enabling social and business SSO
You can enable social and business SSO without any custom configuration. End users can use Twitter, Facebook, Google, and Microsoft. Agents and admins can only use either Google or Microsoft.
To enable social and business SSO
- In any product, click the Zendesk Products icon in the top bar, then select Admin Center.
- Click the Security icon in the left sidebar, then click Staff members or End users. You can set different SSO permissions for both groups.
The End Users tab is not available until you activate the Help Center. See Getting started with Guide.
- Select each of the SSO options you want to enable.
- If you want all users to only use the single sign-on method, disable the Zendesk authentication option.
Warning: Disabling Zendesk authentication permanently deletes any Zendesk passwords on record within 24 hours.
- Click Save.
The sign-in links appear on your Help Center sign-in page.
19 Comments
Is there a way to see the users who specifically have signed up/in using social?
Hey Pedro! There is a way to see which users have social media contacts listed in their profile. Though this doesn't tell you how they logged in last, it would at least give you an idea of which users may have signed in via social media auth. You can see these contact methods as an example in step 6 under "How social and business SSO works in Zendesk Support" above.
The one wrinkle to this is that if your user submitted a request via Twitter, for example, you will see a user profile for that individual that has a Twitter handle listed as a contact method. In this particular case, this user never actually signed in, but the way they submitted a request allowed for the creation of a profile using their twitter handle. This is necessary to ensure when you respond to their ticket, the followup is sent appropriately.
Long story short, there really is no way to see exactly which users have ever signed in via a social media authentication method. If you don't have any social media channels enabled for ticket submission, however, then you can safely assume that any social media contact information for users is the direct result of them using this sign-in method to access your Help Center.
Thanks a lot for the clarification, Dennis. Another question, please: is there a way to see who specifically used social auth in the Chat pre-form? I'd like to see if offering those options is useful or not.
If a user is signing in with Microsoft and their Office365 account password changes or their account is disabled by the organization's IT, will they be automatically logged out and unable to log back into Help Center?
Hi Justin,
If the SSO authentication fails, then the users will be unable to log in to Zendesk using it. I wouldn't describe it as automatic, but if they were logged in at the time that the information changed, then the next time their session refreshed they would be prompted to reauthenticate.
They might still be able to log in if they have a separate password set up within Zendesk, and are using the youraccountname.zendesk.com/access/normal path to try and log in as a backup (though they would need to be aware of that path as an option first).
Is it possible to allow end-users only the option to sign in with Social and business single sign-on (and not Zendesk sign-in)?
Hey Justin,
There's no way to toggle off the native Zendesk login and only use the social media single sign-on at this time. The only way to remove the native Zendesk login as an option is by setting up SSO for your end-users. More information on the different SSO options is available in our SSO (single sign-on) options in Zendesk article.
Hope this helps!
Hello
I try to use business SSO. The backend does the job...
But I need to get the JWT token sent back in my private app. How can I get this token?
Hi Fabien!
Thanks for your question today! It looks like you have an open ticket about this one already, so I will let the advocate know! If you have any further questions, it will be a good idea to respond to his email.
Hope that helps.
Hi there.
Is there a way to access Zendesk using vk.com profile? Are you considering adding such an option? Thanks
Hello Yulia,
The best way to accomplish this would be through the vk.com Zendesk app, which you can find in the Zendesk Marketplace, which I've linked below. As for future updates to make this more native, we currently have nothing on the roadmap, but I would recommend posting your suggestion in our product feedback forums so our developers can consider your ask for future updates.
Zendesk vk.com
Best regards.
Thank you Devan. I know about this app, but unfortunately this one doesn't allow users to log in to Zendesk using their vk profiles. This is a topic about SSO and my question was about SSO, I wonder if Zendesk's going to allow users to log in using their vk account.
Hey Yulia,
Nothing on the roadmap currently that would allow vk as a social/business SSO. You'd most likely need to set up JWT or SAML SSO to allow your users to sign in using their vk.com credentials. More information on the available SSO options here: SSO (single sign-on) options in Zendesk.
Let me know if you have any other questions.
Cheers!
Hi there,
I have a question on the SSO. My organization's Zendesk application is actually linked to our organization's SSO policy stringed via Microsoft and therefore for every Zendesk application used, i.e. Zendesk Support, Zendesk Guide and Zendesk Talk, an SSO is required to log into any of these Zendesk applications.
For my Zendesk Guide however, we are building our knowledge base guides that are intended for internal use as well as for external use (i.e. to our external clients). Given that the restriction of organization SSO that we have integrated for our Zendesk applications these guides that we have built would not be accessible to these external parties due to our SSO policy.
Hence my question for your team would be is it possible that we can actually customize or pick and choose which of the Zendesk applications that can be enabled with the SSO i.e. enable SSO for Zendesk Support and disable SSO for Zendesk Guide or will the SSO enablement be effective for the entire Zendesk applications within the subscribed suite? We would still like to enable SSO for Zendesk Support but just not for Zendesk Guide, can this be done?
Hoping to hear from you guys soon.
Thanks a bunch!
Jee
Hello Jee Han,
No, this would not be possible. Although Zendesk allows you to set up different authentication methods for agents and end-users and you can set up Guide to be accessible to everyone then set the article permissions based on the organization the user is in. I've shared some articles below that go into further detail on this topic.
SSO (single sign-on) options in Zendesk
Creating user segments for Guide user permissions
Best regards.
If I set End users to login using External with SAML, and Admins using External with Microsoft, what would be the link to provide to the Agents?
I know about these:
https://your_subdomain.zendesk.com/access/sso_bypass
https://your_subdomain.zendesk.com/access/normal
https://your_subdomain.zendesk.com/access/saml (seems to be just for the setup... doesn't work to click on.)
is there a
https://your_subdomain.zendesk.com/access/microsoft
https://your_subdomain.zendesk.com/access/agent
or something like that?
Hi Niclas,
There isn't a https://your_subdomain.zendesk.com/access/microsoft address, or a https://your_subdomain.zendesk.com/access/agent address.
What the SSO login urls look like can vary depending on which SSO service is being used. If your company uses Microsoft's Active Directory and wants to set up that using SAML you'd most likely end up with a login url similar to examples in this article.
Gail L the last link was incorrect I assume.
Argh, yes, I was trying to link to Setting up single sign-on using Active Directory with ADFS and SAML