Enabling JWT (JSON Web Token) single sign-on


82 Comments

  • Joan Fernbach

    Is it possible to authenticate users by UUID as well as email address?  If a user changes his email address on our website to match someone else's, he would then be logged into that user's account on Zendesk.

    2
  • Moath Almallahi

    Hello,

    I have the following issue: after doing everything that is required, there is only one user who gets redirected with the message "Please use one of the options below to sign in to Zendesk". This only happens for a single user, and there is nothing special in the data being sent to Zendesk through the JWT for this user. I also tried to look around the website for any description of the error I am receiving, but couldn't find any.

    Any help?

    1
  • Jessie Schutz

    Hey Matthew!

    I saw that you posted this in another thread as well, and one of my colleagues was able to point you to some resources. Let us know if you need anything else!

    1
  • Aleksey

    Hi. Is there any article that clarifies the conditions when Zendesk redirects user to JWT authentication endpoint? Everything works flawlessly and completely transparently when I manually click the "sign in" button in Help Center, but I don't see any redirections when I just visit the Help Center in a freshly opened browser's incognito mode window.

    1
  • Jason Miller

    Hello!

    The authentication system on my end requires a bit of information about the user to present them the proper login page. Is there a way that I could tokenize the login url in Zendesk to send this information along with the login request?

    Something like...

    I send a link to a user like:
    mycompany.zendesk.com/tickets/123?userinfo=something

    They aren't already authenticated so they get redirected to

    myloginpage.com?return_to=mycompany.zendesk.com/tickets/123&userinfo=something

    Is anything like this possible, or would you have any examples of how other users have navigated around this issue?

    1
  • Nicole - Community Manager

    Thanks for sharing, Anthony!


    1
  • Anthony Willis

    Yes, I have got this to work. You can use the same jwt token by adding the following code after the webwidget code:

    window.zESettings = {
      authenticate: { jwt: '{{ token }}' }
    };

    Hope this helps,

    Anthony

    1
  • Andrew Soderberg

    When using JWT SSO where we are adding and managing users external from Zendesk, is it possible when a new user is added via our web application, that we can suppress the email that Zendesk sends out to the user asking them to click a link to set a password (and authenticates their email)? Our own web application does this already.


    0
  • Devan - Community Manager

    Hello Shaodong,

    I would recommend navigating to subdomain.zendesk.com/agent; if you can get in through this link then you are running into an SSO issue. If this is the case then I would recommend reaching out to your developers to resolve this. Also, be sure to replace subdomain with your subdomain.


    0
  • Solomon

    I have tried multiple ways to get JWT to work with SSO, and I just don't see how it's possible.  Every attempt is a failure and the languages you folks are providing examples on are just not practical.  I am using wordpress with php and I can't get this to work.  It just logs me in and out.  I have the Team Plan with SSO and JWT enabled and have the following PHP code to generate a url and redirect to it (which does nothing in zendesk):

    // Encode as base64url without padding (RFC 7515); plain base64_encode() emits '+', '/' and '='
    // which are not valid inside a JWT segment.
    function base64url_encode($data) {
        return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
    }

    $secret = 'MY SECRET KEY FROM ZENDESK SSO with JWT';
    $user = wp_get_current_user(); // WordPress: the logged-in user whose identity is asserted to Zendesk
    $jwt_header = array(
        'typ' => 'JWT',   // the registered header name is 'typ', not 'type'
        'alg' => 'HS256'
    );

    $user_name = $user->user_firstname . ' ' . $user->user_lastname;

    $jwt_payload = array(
        'iat' => time(),  // issued-at from the server clock, not from the request; Zendesk rejects an iat more than 3 minutes off
        'jti' => uniqid($user->ID, true),
        'name' => trim($user_name),
        'email' => $user->user_email
    );

    if (!empty($_GET['locale_id']))
        $jwt_payload['locale_id'] = (int) $_GET['locale_id'];

    $header_string = base64url_encode(json_encode($jwt_header));
    $payload_string = base64url_encode(json_encode($jwt_payload));

    // The signing input is "header.payload" (with the dot). hash_hmac() must return the raw digest
    // (fourth argument true) which is then base64url-encoded; its default hex output is not a valid JWS signature.
    $signing_input = $header_string . '.' . $payload_string;
    $signature = base64url_encode(hash_hmac('sha256', $signing_input, $secret, true));

    // Token segments are joined by dots: header.payload.signature
    $redirect = 'https://heavyocity.zendesk.com/access/jwt?jwt=' . $signing_input . '.' . $signature;


    If I redirect to the $redirect url it does not log me into zendesk.  This is bogus!  Why doesn't this work?

    0
  • Jim Tarber

    I have a problem with our JWT SSO setup, which is working fine in my tests but not for one user who cannot login because:

    - Sign In keeps invoking our /support/logout URL (which is /support/logout in our case here).

    - This invocation is done without a return_to argument being passed to it, so it has nowhere to go after signout.

    I only added the Sign Out code last week, and as far as I know it was working fine then. However, at this point the two problems above are preventing this user from logging in. I've asked her to clear cache, try a different browser, etc. They all fail the same way.

    Is it ever normal for my Sign Out SSO URL to be invoked on a Sign In? If so, shouldn't it specify a return_to URL?

    - It's only enabled for end-users

    - It's set to SSO -> JWT and the Remote URLs are:

    Sign In: (domain)/support/login/

    Sign Out: (domain)/support/logout/

    Summary: We've set the two URL fields in the SSO JWT options to the values above and in most cases it's working fine (very smooth, no problems implementing SSO), but the second one is being invoked on a Sign In.  Clearing cache, changing browsers, etc, seems to have no effect.

    0
  • Dipesh Dave

    Hey Yael,

    You should be able to get your end-users directly behind the login content by utilizing the Web Widget. If you take a look at your documentation here: Using Restricted Help Center Content on Web Widget.

    You will see that you can use the web widget to share private articles from your help center for signed in end-users. They also have the ability to use the web widget to ask questions and search for articles that match the keywords or phrases.

    Hope this helps!

    0
  • Jessie Schutz

    Welcome to the Community, Anthony!

    Are you trying to restrict the agent interface, or your content in Help Center?

    0
  • Brett - Community Manager

    Happy to help Pedro :)

    0
  • Nate Legakis

    Thanks for the reply.  We're holding off on SSO for now.  We might implement it in the future, but not anytime soon.  Here's where I got the information about the Wordpress plugin and SSO. https://support.zendesk.com/hc/en-us/articles/203659896-Setting-up-and-using-the-Zendesk-for-WordPress-plugin

    0
  • Longathrow

    I seem to be having a problem with the JWT Active Directory integration that Zendesk has provided, you can see the article here https://support.zendesk.com/hc/en-us/articles/203663856-Configure-Zendesk-for-your-Active-Directory-Microsoft-environment

    I am currently getting the following error

    The supplied iat value is more than 3 minutes off, check your server clock.

    When I set the JWT plugin to debug mode I am presented with the IAT attribute that is being sent; placing that in an Epoch time converter shows that the time being sent to the Zendesk servers is identical to what the NTP time servers are presenting as the current time.

    Has anyone experienced and solved this issue?

    0
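    The token construction the PHP post above was attempting, and the checks behind the "iat value is more than 3 minutes off" error in this post, as an added example. This is my own illustration, not Zendesk's code or any poster's: it builds an HS256 token with base64url segments, dot separators and a raw HMAC digest, assembles the /access/jwt redirect with return_to, and then runs the checks a receiving side performs (signature, a 180-second iat window taken from the error message above, and jti replay). The subdomain, shared secret and user values are constructed placeholders; external_id is Zendesk's claim for the UUID Joan asks about earlier in the thread.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid
from urllib.parse import urlencode

SHARED_SECRET = "replace-with-your-zendesk-shared-secret"  # constructed placeholder, not a real secret
SUBDOMAIN = "example"                                       # constructed placeholder subdomain
IAT_WINDOW_SECONDS = 180                                    # the "3 minutes" in Zendesk's iat error


def b64url(data: bytes) -> str:
    """base64url without padding (RFC 7515); plain base64 characters break the token."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_jwt(claims: dict, secret: str) -> str:
    """HS256 token: base64url(header).base64url(payload).base64url(raw HMAC digest)."""
    header = {"typ": "JWT", "alg": "HS256"}
    segments = [
        b64url(json.dumps(header, separators=(",", ":")).encode()),
        b64url(json.dumps(claims, separators=(",", ":")).encode()),
    ]
    signing_input = ".".join(segments).encode("ascii")   # the dot is part of what is signed
    digest = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()  # raw bytes, not hex
    segments.append(b64url(digest))
    return ".".join(segments)


def zendesk_sso_redirect(name, email, external_id, return_to, secret=SHARED_SECRET, now=None):
    """URL the remote login page redirects the browser to after authenticating the user."""
    now = int(time.time()) if now is None else now          # server clock, never a request parameter
    claims = {
        "iat": now,
        "jti": str(uuid.uuid4()),                           # unique per token so it cannot be replayed
        "name": name,
        "email": email,
        "external_id": external_id,
    }
    query = {"jwt": build_jwt(claims, secret)}
    if return_to:
        query["return_to"] = return_to                      # send the user back where they started
    return f"https://{SUBDOMAIN}.zendesk.com/access/jwt?" + urlencode(query)


def verify_jwt(token, secret, now=None, seen_jti=None):
    """Model of the receiving side's checks; returns (True, claims) or (False, reason)."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(s), expected):
        return False, "bad signature"
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        return False, "unexpected alg"
    claims = json.loads(b64url_decode(p))
    if abs(now - int(claims.get("iat", 0))) > IAT_WINDOW_SECONDS:
        return False, "iat more than 3 minutes off"
    if seen_jti is not None:
        jti = claims.get("jti")
        if jti is None or jti in seen_jti:
            return False, "jti missing or already used"
        seen_jti.add(jti)
    return True, claims


if __name__ == "__main__":
    url = zendesk_sso_redirect("Jane Doe", "jane@example.com", "user-0001",
                               "https://example.zendesk.com/hc/en-us")
    print(url)
    token = url.split("jwt=")[1].split("&")[0]
    print(verify_jwt(token, SHARED_SECRET, seen_jti=set()))
```

    The iat check compares the token against the verifier's clock, so a token whose iat matches NTP can still fail if the issuing host's and verifying host's clocks disagree by more than the window; the check is symmetric, so a clock that is ahead fails the same way as one that is behind.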
  • Q LIU

    We want to log out from my webpage while also logging out of Zendesk, but I couldn't find a demo. Please tell me how to achieve it.

    0
  • Joseph McCarron

    Ryan,

    Absolutely makes sense, I was just trying to offer you a workaround. I'll make sure that our SSO Product Manager sees your request at least.

    0
  • Dmitry Kirilyuk

    Question about "Error handling" section

    >> If you have a return URL configured for your JWT integration, it will redirect to that and pass a "message" and a "kind" parameter.

    What do you mean by "return URL"? Remote logout URL? If yes, change it in the text.

    0
  • Jessie Schutz

    Hi Yael! I'm going to see if I can find someone who can answer this for you. Stand by!

    0
  • Jessie Schutz

    Hi Nate! I'm sorry that nobody has been able to weigh in on this for you.

    I'm going to run it by our Community Moderators to see if they have any ideas!

    0
  • Brett - Community Manager

    Hi Pedro,

    When the unauthenticated user attempts to access Zendesk resources requiring login (e.g. tickets, restricted HC content etc.) they'll be redirected to your system. Your system will be responsible for evaluating the user's legitimacy via a login/active session and sending the user back to Zendesk with a JWT payload. If that payload is successful, it will then create a user in ZD for the user if one hasn't already been created.

    Let me know if you have additional questions for me.

    Thanks!

    0
  • Taylor Horwood

    Is it possible to manually change the Shared Secret, or revert back to an old Shared Secret?

    0
  • Joan Fernbach

    Thank you Jim - I know we can pass in the UUID, but my question is whether that will be validated for login along with the email address, or is just the email address used to authenticate the user?

    0
  • Nitya Subramani

    Thanks, Anthony! We'll try it out. We are also trying to set up a service page of sorts which will be the Remote Login URL for an unauthenticated user. As long as we can get the user email (and other user parameters) in the redirect to the service page, we can attempt to send a new auth token. 

    0
  • Andrea Saez

    Hey Nate,

    Are you trying to use your WP login as your Zendesk login through SSO? Or are you trying to use another service that WP supports SSO for to login? (like LDAP, SAML, Google?) 

    If it's the second, then just use the service and set it up directly with Zendesk.

    I've never heard of WP having an oAuth service, but if it does you could just use the service to pass through the token info.

    0
  • Anna Everson

    Hi Alexandre,

    As long as the email address that is used in the JWT login is the same one already associated with their Zendesk account, it will recognize them as the same user and no duplicate user will be created.

    It is possible to merge users however, should you need to do so:
    https://support.zendesk.com/hc/en-us/articles/203690896-Merging-a-user-s-duplicate-account

    Thanks!

    0
  • Dara Garvan

    Hi Aleksey,

    There's no particular article for this, however we only redirect when a user selects either the "Sign In" button or directly clicks a ticket link from say, an email notification that requires sign in.

    You can of course, require that all users are signed into the Help Center, to ensure they get redirected if required.

    Cheers,
    Dara

    0
  • Pedro Reis

    We want to enable JWT SSO for end-users. Does this mean that the user will be automatically registered in Zendesk when he creates an account in our system, or just that the user will be recognized as already verified (by our system) when logging in to Zendesk?


    0
  • Terry

    Hi Jonas and Q, 

    With a custom script you could detect the user ID and delete the active session.

    https://developer.zendesk.com/rest_api/docs/support/sessions#delete-session

    Alternatively, visiting {subdomain}.zendesk.com/access/logout does the same thing. You could add this as part of your users logout flow to accomplish the same result.

    0
