Setting up single sign-on with JWT (JSON Web Token)

Comments

47 comments

  • Joan Fernbach

    Is it possible to authenticate users by UUID as well as email address?  If a user changes his email address on our website to match someone else's, he would then be logged into that user's account on Zendesk.

  • Moath Almallahi

    Hello,

    I have the following issue: after doing all that is required, there is only one user who gets redirected with the message "Please use one of the options below to sign in to Zendesk". This only happens for a single user, and there is nothing special in the data being sent to Zendesk through the JWT for this user. I also tried to look around the website for any description of the error I am receiving, but couldn't find any.

    Any help?

  • Jessie - Community Manager

    Hey Matthew!

    I saw that you posted this in another thread as well, and one of my colleagues was able to point you to some resources. Let us know if you need anything else!

  • Jim Tarber (Edited)

    I have a problem with our JWT SSO setup, which is working fine in my tests but not for one user who cannot login because:

    - Sign In keeps invoking our /support/logout URL (which is /support/logout in our case here).

    - This invocation is done without a return_to argument being passed to it, so it has nowhere to go after signout.

    I only added the Sign Out code last week, and as far as I know it was working fine then. However, at this point the two problems above are preventing this user from logging in. I've asked her to clear cache, try a different browser, etc. They all fail the same way.

    Is it ever normal for my Sign Out SSO URL to be invoked on a Sign In? If so, shouldn't it specify a return_to URL?

    - It's only enabled for end-users

    - It's set to SSO -> JWT and the Remote URLs are:

    Sign In: (domain)/support/login/

    Sign Out: (domain)/support/logout/

    Summary: We've set the two URL fields in the SSO JWT options to the values above and in most cases it's working fine (very smooth, no problems implementing SSO), but the second one is being invoked on a Sign In.  Clearing cache, changing browsers, etc, seems to have no effect.

  • Jessie - Community Manager

    Welcome to the Community, Anthony!

    Are you trying to restrict the agent interface, or your content in Help Center?

  • Nate Legakis (Edited)

    Thanks for the reply.  We're holding off on SSO for now.  We might implement it in the future, but not anytime soon.  Here's where I got the information about the Wordpress plugin and SSO. https://support.zendesk.com/hc/en-us/articles/203659896-Setting-up-and-using-the-Zendesk-for-WordPress-plugin

  • Joe McCarron

    Ryan,

    Absolutely makes sense, I was just trying to offer you a workaround. I'll make sure that our SSO Product Manager sees your request at least.

  • Dmitry Kirilyuk

    Question about "Error handling" section

    >> If you have a return URL configured for your JWT integration, it will redirect to that and pass a "message" and a "kind" parameter.

    What do you mean by "return URL"? Remote logout URL? If yes, change it in text

  • Jessie - Community Manager

    Hi Nate! I'm sorry that nobody has been able to weigh in on this for you.

    I'm going to run it by our Community Moderators to see if they have any ideas!

  • Taylor Horwood

    Is it possible to manually change the Shared Secret, or revert back to an old Shared Secret?

  • Joan Fernbach

    Thank you Jim - I know we can pass in the UUID, but my question is whether that will be validated for login along with the email address, or is just the email address used to authenticate the user?

  • Andrea Saez

    Hey Nate,

    Are you trying to use your WP login as your Zendesk login through SSO? Or are you trying to use another service that WP supports SSO for to login? (like LDAP, SAML, Google?) 

    If it's the second, then just use the service and set it up directly with Zendesk.

    I've never heard of WP having an oAuth service, but if it does you could just use the service to pass through the token info.

  • Anna Everson

    Hi Alexandre,

    As long as the email address that is used in the JWT login is the same one already associated with their Zendesk account, it will recognize them as the same user and no duplicate user will be created.

    It is possible to merge users however, should you need to do so:
    https://support.zendesk.com/hc/en-us/articles/203690896-Merging-a-user-s-duplicate-account

    Thanks!

  • Dara Garvan

    Hi Aleksey,

    There's no particular article for this, however we only redirect when a user selects either the "Sign In" button or directly clicks a ticket link from say, an email notification that requires sign in.

    You can of course, require that all users are signed into the Help Center, to ensure they get redirected if required.

    Cheers,
    Dara

  • Jessie - Community Manager

    Hey Nehal!

    Feel free to hop in and share the solution that you and Bonnie came up with in your ticket, if you have time! Others might find it helpful, too. :)

  • Jim Tarber (Edited)

    I can't check (I don't have admin access currently) but I believe there was a checkbox on the Admin->Auth->User tab that enabled or disabled use of the "external_id" field as the key for the user. I believe we've already done email address changes and had the Zendesk account retain the previous info associated with that account. It basically just works, as far as I can tell.

    However, there is a potential "gotcha" here.  If you already have existing user accounts showing up in Zendesk, I'm not sure how transitions to that setup would work. If you don't already have it enabled and filled in per-user, then enable it, new JWT fetches with an external_id may determine that to be a new Zendesk user (losing access to old support requests, etc).   It may just fall back to some attempt to match the email address, or at least until the next JWT is returned for that user.  But I haven't found it described in this level of detail anywhere.

  • Anthony Willis

    Hello,

    Is it possible to access the JWT inside the zendesk help desk? I.e. pass information inside the JWT about the specific user in question?

    We have several different companies who will use the help desk, content being restricted depending on the company the client is coming from.

    It would be helpful to store the company of the client inside the JWT, then access that inside the help desk to tailor their view accordingly.

    Thanks,

    Anthony

  • Anna

    @Mat & @Eldien - In an effort to assist you further, I've created individual tickets for you. I'll send you an update via your ticket shortly.

  • Anna Everson

    @Taylor - Due to security concerns, you cannot manually set the shared secret or revert it to an old one. Your only option is to generate another shared secret.

  • Justin Fitzgerald

    It would be helpful to add a table of contents to the top of this article with anchor links down to each section (similar to most ZD articles). I use this page all the time! Thanks.

  • Matthew Kisow

    We are trying to set up JWT with IIS on Windows 2016. Using the script classic_asp_jwt_with_ad.asp and its dependencies we are able to log into Zendesk without issue.

    We want to be able to pass the phone number and department with our end user logins in doing so we are trying to use the "user_fields" API.  I am woefully unqualified as a Classic ASP programmer, I understand most of the code and how the Scripting.Dictionaries are working.  However when I add the string "employee_department Information Technology" to the scripting object, it fails miserably.

    Can anyone point me in the right direction on how to pass these hashes so that it works? I can work with pseudo code if you are unfamiliar with ASP.

  • Daniel Kostinskiy (Edited)

    How do I implement the return_to stuff?

    Using the example JWT URL I tried this, and also tried putting return_to at the back, but both go to my Zendesk page (with my JWT URL). Do you need to encrypt everything?

    Edit: Encoding it gives me a "website not found".

    https://joeandco.zendesk.com/access/jwt?return_to=https://google.com&jwt=eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpYXQiOjEzNzIxMTMzMDUsImp0aSI6ODg4MzM2MjUzMTE5Ni4zMjYsIm5hbWUiOiJUZXN0IFVzZXIiLCJlbWFpbCI6InR1c2VyQGV4YW1wbGUub3JnIiwiZXh0ZXJuYWxfaWQiOiI1Njc4Iiwib3JnYW5pemF0aW9uIjoiQXBwbGUiLCJ0YWdzIjoidmlwX3VzZXIiLCJyZW1vdGVfcGhvdG9fdXJsIjoiaHR0cDovL21pdC56ZW5mcy5jb20vMjA2LzIwMTEvMDUvQmFybmFieV9NYXR0X2Nyb3BwZWQuanBnIiwibG9jYWxlX2lkIjoiOCJ9.Zv9P7PNIcgHfxZaMwQtMpty3TZnmVHRWcsmAMM-mNHg

  • Joan Fernbach

    thank you again for your help - the existing user issue was exactly what I was thinking about - we have a large number of users who already have accounts without external ids set, so it may not work to change things now.

  • Andrew J

    @nate - I've done it in the past - a while ago now.  But I think it went ok.  Just always pays to make a note of the 'normal' login URL before you start :)

    We're not doing it currently.

  • Mat N

    Hello,

    I am trying to set up JWT with IIS on win2008. The script classic_asp_jwt_with_ad.asp and its dependencies are located in C:\inetpub\wwwroot\zendesk on my server.

    However I have an issue when I try to connect.

    When I set my Remote login URL to http://mycompany.com/zendesk/ the login works with my AD users, but I just get the web page index of /zendesk/ and nothing happens (no redirection to Zendesk), as if the script was not executing.

    If I change my Remote login URL http://mycompany.com/zendesk/script classic_asp_jwt_with_ad.asp  the login works but I get an HTTP error 500...

    Could you please clarify what exactly I should set up for the "Remote login URL" in order for the script to execute and redirect me to Zendesk once I log in?

    Thanks

  • Aleksey

    Hi. Is there any article that clarifies the conditions under which Zendesk redirects the user to the JWT authentication endpoint? Everything works flawlessly and completely transparently when I manually click the "sign in" button in Help Center, but I don't see any redirections when I just visit the Help Center in a freshly opened browser incognito window.

  • Eldien Hasmanto

    Hi,

    I always get a 500 error page when I try to reach http://server/classic_asp_jwt_with_ad.asp on an IIS W2008 Server.

    Is anyone facing this error?

  • Anna Everson

    @Justin (again) - Done! Thanks again for your input!

  • Dan Zaner (Edited)

    Hi everyone,

    Can anyone confirm that SSO using JWT is possible on a "Starter" plan account? The "Plan Availability" header at the top of this article says that it is NOT available, but the main Pricing page (https://www.zendesk.com/product/pricing/) says it IS available. I've also read posts in this Forum that say that SSO via JWT is available on all plans, but maybe that person was just reading the Pricing page. Has anyone actually successfully done it?

    I ask because I've attempted an SSO integration that returns a 401 "unauthorized" status page every time with body content set to this sparse and rather unenlightening message:

    {"error":"Couldn't authenticate you"}

    Even more interesting is the fact that an end-user account is created even though I get the error. I'd sort of figure that this would be all-or-nothing; I'd assume I'd either get a new end-user created (if needed) and logged in or I'd get completely rejected and nothing would happen. The fact that the end-user account gets created makes me believe that the JWT got decoded and verified successfully, but then I can't explain the "Couldn't authenticate you" message.

    Has anyone gotten this before? Is there a "verbose" mode where you get a bit more feedback about why you can't be authenticated? Are there any other debugging tips anyone can pass along?

    Thanks in advance!

    -- Dan

    Edit: I figured out how to get around the error. Activate Help Center from your main Admin control panel. That allows you to determine if users must register and log in or not. Turn that on. Then make sure you supply a return_to param with the JWT call, and make sure the return_to URL is somewhere that a logged in user could go -- like the new request form. Don't leave it empty. Whatever the logic is, the JWT handler does not have a reasonable default value for return_to.
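A worked example for two of the questions in this thread (Matthew's "user_fields" hash and Dan's note that return_to must never be left empty), added here and not code from the article or from any commenter: it builds a Zendesk-style HS256 JWT with the claims the thread discusses, forms the /access/jwt redirect URL with a percent-encoded return_to, and shows the receiver-side checks. The subdomain, the shared secret and the 180-second freshness window are assumptions.

```python
import base64, hashlib, hmac, json, time, uuid
from urllib.parse import urlencode

# Hypothetical values constructed for this example: use your own subdomain and shared secret.
ZENDESK_SUBDOMAIN = "example"
SHARED_SECRET = b"constructed-shared-secret-not-a-real-one"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")  # unpadded, RFC 7515

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_sso_jwt(email, name, external_id=None, user_fields=None, secret=SHARED_SECRET, now=None):
    """HS256 JWT with the claims Zendesk JWT SSO reads: iat/jti for replay protection,
    external_id so the account follows an email change, user_fields as a nested object."""
    header = {"typ": "JWT", "alg": "HS256"}
    payload = {"iat": int(time.time() if now is None else now),
               "jti": str(uuid.uuid4()), "email": email, "name": name}
    if external_id is not None:
        payload["external_id"] = str(external_id)
    if user_fields:
        payload["user_fields"] = dict(user_fields)  # {"employee_department": "..."}, not a flat string
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def sso_redirect_url(token, return_to, subdomain=ZENDESK_SUBDOMAIN):
    """/access/jwt URL with return_to percent-encoded; refuses an empty return_to."""
    if not return_to:
        raise ValueError("return_to must be a URL a signed-in user can reach")
    return f"https://{subdomain}.zendesk.com/access/jwt?" + urlencode(
        {"jwt": token, "return_to": return_to})

def verify_sso_jwt(token, secret=SHARED_SECRET, now=None, max_age=180):
    """Receiver-side check: constant-time HS256 signature compare plus iat freshness
    (max_age is this example's assumption, not a documented Zendesk value)."""
    try:
        h, p, s = token.split(".")
        expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None  # wrong secret or tampered header/claims
        payload = json.loads(_b64url_decode(p))
        now = time.time() if now is None else now
        if not (now - max_age <= payload["iat"] <= now + 60):
            return None  # stale or future-dated token
        return payload
    except (ValueError, KeyError, TypeError):
        return None
```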
