Enabling JWT (JSON Web Token) single sign-on


82 Comments

  • Jessie Schutz

    Hey Nehal!

    Feel free to hop in and share the solution that you and Bonnie came up with in your ticket, if you have time! Others might find it helpful, too. :)

    0
  • Ryan Vogel

    Is it possible to flip the roles of the servers around in this scenario? In other words, I have users of web app A authenticated via Zendesk and then redirected back to web app A with the authentication result?

    0
  • Mathieu Nicolaizeau

    Hi Ryan,

    Our SSO with JWT is only used for signing in seamlessly your users into Zendesk and not meant for redirection to an external app. You would probably want to reach out to support@zendesk.com for further clarification/advice on your use case.

     

    0
  • Nicole - Community Manager

    Hey Ryan - If you want to share more details about your use case here as well, there might be some members of the community who can provide some insight. 

    0
  • Joseph McCarron

    Hey Ryan,

    It's not perfectly flipped, but it sounds like you're looking for OAuth: https://support.zendesk.com/hc/en-us/articles/203663836-Using-OAuth-authentication-with-your-application 

    That will allow you to direct your users to Zendesk from web app A, have them authenticate with Zendesk, and get sent back to web app A with credentials to access the Zendesk API as that user (or an error if they couldn't log in).

    0
  • Ryan Vogel

    @Joe McCarron

    OAuth isn't meant for pure authentication, which is what I need. The problem with OAuth is the token you receive after a user authorizes your application to communicate with Zendesk. The token can be used whether or not the user is actively signed into Zendesk.

    Also, the workflow is a bit deceptive and awkward. When web app A asks the user to give it permission to communicate with Zendesk, there is an intermediary screen that more or less asks that same thing. I want Zendesk to take over the authentication portion of my application. I don't need access to any user info (right now anyway).

    I hope that makes sense.

     

    @Nicole Relyea

    I simply want to have Zendesk authenticate a Zendesk user and return an authentication result to my web app. I want my Zendesk users to have access to my web app. I believe OpenID is the standard that makes the most sense for my situation. I submitted a support ticket and got a response that more or less said, "You used to be able to use Zendesk in this way, but you can't any longer."

    0
  • Joseph McCarron

    Ryan,

    Absolutely makes sense, I was just trying to offer you a workaround. I'll make sure that our SSO Product Manager sees your request at least.

    0
  • Nate Legakis

    Is there an easy way to do this with WordPress? It looks like there's a plugin, but it seems to restrict you a little. If anyone has implemented SSO with a WordPress site, I'd love to hear about your experience and what you learned.

    0
  • Jessie Schutz

    Hi Nate! I'm sorry that nobody has been able to weigh in on this for you.

    I'm going to run it by our Community Moderators to see if they have any ideas!

    0
  • Andrea Saez

    Hey Nate,

    Are you trying to use your WP login as your Zendesk login through SSO? Or are you trying to use another service that WP supports SSO for to login? (like LDAP, SAML, Google?) 

    If it's the second, then just use the service and set it up directly with Zendesk.

    I've never heard of WP having an OAuth service, but if it does you could just use the service to pass through the token info.

    0
  • Nate Legakis

    Thanks for the reply. We're holding off on SSO for now. We might implement it in the future, but not anytime soon. Here's where I got the information about the WordPress plugin and SSO: https://support.zendesk.com/hc/en-us/articles/203659896-Setting-up-and-using-the-Zendesk-for-WordPress-plugin

    0
  • Andrew J

    @nate - I've done it in the past - a while ago now.  But I think it went ok.  Just always pays to make a note of the 'normal' login URL before you start :)

    We're not doing it currently.

    0
  • Daniel Kostinskiy

    How do I implement the return_to stuff?

    Using the example JWT URL I tried this and tried to do return_to in the back, but both go to my Zendesk page (with my JWT URL). Do you need to encrypt everything?

    Edit: Encoding it makes it give me a website not found.

    https://joeandco.zendesk.com/access/jwt?return_to=https://google.com&jwt=eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpYXQiOjEzNzIxMTMzMDUsImp0aSI6ODg4MzM2MjUzMTE5Ni4zMjYsIm5hbWUiOiJUZXN0IFVzZXIiLCJlbWFpbCI6InR1c2VyQGV4YW1wbGUub3JnIiwiZXh0ZXJuYWxfaWQiOiI1Njc4Iiwib3JnYW5pemF0aW9uIjoiQXBwbGUiLCJ0YWdzIjoidmlwX3VzZXIiLCJyZW1vdGVfcGhvdG9fdXJsIjoiaHR0cDovL21pdC56ZW5mcy5jb20vMjA2LzIwMTEvMDUvQmFybmFieV9NYXR0X2Nyb3BwZWQuanBnIiwibG9jYWxlX2lkIjoiOCJ9.Zv9P7PNIcgHfxZaMwQtMpty3TZnmVHRWcsmAMM-mNHg

    0
  • Anthony Willis

    Hello,

    Is it possible to access the JWT inside the Zendesk help desk? I.e. pass information inside the JWT about the specific user in question?

    We have several different companies who will use the help desk, content being restricted depending on the company the client is coming from.

    It would be helpful to store the company of the client inside the JWT then access that inside the help desk to tailor their view accordingly.

    Thanks,

    Anthony

     

    0
  • Jessie Schutz

    Welcome to the Community, Anthony!

    Are you trying to restrict the agent interface, or your content in Help Center?

    0
  • Anthony Willis

    Jessie,

    I am trying to tailor the display of certain company icons according to which company a specific visitor belongs.

    I have now found a way to do this by using the JSON code snippet I found in your article https://support.zendesk.com/hc/en-us/articles/115008781728

    I just have to ensure that an organisation is included in the JWT payload on our website before it is sent to Zendesk. Then I can just use JavaScript to access the user object to get the organization_id.

    Thanks,

    Anthony

     

     

    0
  • Jessie Schutz

    Hey Anthony! I'm glad you were able to get it figured out. :)

    0
  • Robert Aronovici

    Hello!

    So, this article is intended if I'd like SSO from my WebApp to authenticate via Zendesk JWT token, correct? Smooth, seamless authentication from my site/app?

    0
  • Solomon

    I have tried multiple ways to get JWT to work with SSO, and I just don't see how it's possible. Every attempt is a failure and the languages you folks are providing examples on are just not practical. I am using WordPress with PHP and I can't get this to work. It just logs me in and out. I have the Team Plan with SSO and JWT enabled and have the following PHP code to generate a URL and redirect to it (which does nothing in Zendesk):

    $secret = 'MY SECRET KEY FROM ZENDESK SSO with JWT';
    $jwt_header = array(
    'type' => 'JWT',
    'alg' => 'HS256'
    );

    $user_name = $user->user_firstname . ' ' . $user->user_lastname;

    $jwt_payload = array(
    'iat' => $_GET['timestamp'],
    'jti' => uniqid($user->ID, true),
    'name' => trim($user_name),
    'email' => $user->user_email
    );

    if (!empty($_GET['locale_id']))
    $jwt_payload['locale_id'] = $_GET['locale_id'];

    $header_string = base64_encode(json_encode($jwt_header));
    $payload_string = base64_encode(json_encode($jwt_payload));
    $signature = hash_hmac('sha256', $header_string . $payload_string, $secret);

    $redirect = 'https://heavyocity.zendesk.com/access/jwt?jwt=' . $header_string . $payload_string . '.' . $signature;

     

    If I redirect to the $redirect url it does not log me into zendesk.  This is bogus!  Why doesn't this work?

    0
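Added example, not part of the thread and not Zendesk's code: an HS256 token built by hand in PHP, showing what the JWT format requires (a `typ` header key, unpadded base64url segments joined by dots, and a raw HMAC computed over `header.payload`), with the `return_to` value from the earlier question percent-encoded as a query parameter. The secret, subdomain, user values and function names are placeholders chosen for this example.

```php
<?php
// Added example: HS256 JWT built by hand, then checked locally before use.
// Secret, subdomain and user values below are placeholders (constructed).

function base64url(string $bytes): string
{
    // JWT segments are unpadded base64url (RFC 7515), not standard base64.
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

function build_jwt(array $claims, string $secret): string
{
    $header = ['typ' => 'JWT', 'alg' => 'HS256'];   // header key is "typ"
    $signing_input = base64url(json_encode($header)) . '.' . base64url(json_encode($claims));
    // Sign "header.payload" (dot included); true = raw bytes, not a hex string.
    $mac = hash_hmac('sha256', $signing_input, $secret, true);
    return $signing_input . '.' . base64url($mac);
}

function verify_jwt(string $jwt, string $secret): bool
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) return false;          // must be header.payload.signature
    $expected = base64url(hash_hmac('sha256', $parts[0] . '.' . $parts[1], $secret, true));
    return hash_equals($expected, $parts[2]);       // constant-time comparison
}

function sso_url(string $subdomain, string $jwt, ?string $return_to = null): string
{
    $url = 'https://' . $subdomain . '.zendesk.com/access/jwt?jwt=' . $jwt;
    if ($return_to !== null) $url .= '&return_to=' . rawurlencode($return_to);
    return $url;
}

$secret = 'PLACEHOLDER_SHARED_SECRET';
$claims = [
    'iat'   => time(),                    // integer from the server clock, not from the request
    'jti'   => bin2hex(random_bytes(16)), // unpredictable one-time token id
    'name'  => 'Test User',
    'email' => 'tuser@example.org',
];
$jwt = build_jwt($claims, $secret);
var_dump(verify_jwt($jwt, $secret));
echo sso_url('example', $jwt, 'https://example.zendesk.com/hc/en-us'), "\n";
```

Running `verify_jwt()` on your own output before redirecting separates encoding and signing mistakes from account configuration problems.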
  • Rebecca

    Hi Robert - 

    This article discusses implementing Zendesk as a service provider for JWT single sign on for end user or agent authentication into Zendesk. If you are building a web app you'd like to authenticate, I'd recommend OAuth -  Using OAuth authentication with your application & Using OAuth to authenticate Zendesk API requests in a web app

    0
  • Yael Lapid

    Hi, 

    We have implemented Single sign-on with JSON Web Token (JWT) for our Help Center content which is behind a login. However, when end-users click the "support" from our web app to redirect to the HC, they get only to the public content and are required to click the sign-in, in order to see the full HC. (they are then immediately logged in, without being prompted to log in - thanks to SSO - which is fine).

    Is there a way for them to get directly into the behind-login content with JSON SSO configuration?

     

    Thanks

    Yael.

    0
  • Jessie Schutz

    Hi Yael! I'm going to see if I can find someone who can answer this for you. Stand by!

    0
  • Dipesh Dave

    Hey Yael,

    You should be able to get your end-users directly behind the login content by utilizing the Web Widget. If you take a look at your documentation here: Using Restricted Help Center Content on Web Widget.

    You will see that you can use the web widget to share private articles from your help center for signed in end-users. They also have the ability to use the web widget to ask questions and search for articles that match the keywords or phrases.

    Hope this helps!

    0
  • Nitya Subramani

    Hi Zendesk team,

    We have used JWT SSO to authenticate our platform to the Help Center. Anytime a customer clicks on a link to 'Help' in our platform, we send a JWT to Zendesk that authenticates the user and pulls up contextual results within our Help Center. The JWT SSO has been working fine for the authentication to the Help Center, but we are struggling to authenticate the Help links within the Web Widget. We understand that the default Widget authentication only pulls the Help content within the Widget and that we need to set up a separate JWT payload to make the Help links within the Widget valid. I had a couple specific questions for you/the community:

     

    1. Has anyone used JWT SSO and successfully set up a separate JWT payload to authenticate the Help links within the Widget? Any best practices or recommendations on this piece would be much appreciated.

    2. In the SSO auth process below, when Zendesk redirects an unauthenticated user to the remote URL configured for the SSO setting, does Zendesk pass along any user-specific info (i.e. email, shared key, IP address, etc.)? Could you pass along any additional info to address this point as well? 

    Thanks,

    Nitya

    0
  • Anthony Willis

    Yes, I have got this to work. You can use the same jwt token by adding the following code after the webwidget code:

    window.zESettings = {
      authenticate: { jwt: '{{ token }}' }
     };

    Hope this helps,

    Anthony

    1
  • Nicole - Community Manager

    Thanks for sharing, Anthony!

     

    1
  • Nitya Subramani

    Thanks, Anthony! We'll try it out. We are also trying to set up a service page of sorts which will be the Remote Login URL for an unauthenticated user. As long as we can get the user email (and other user parameters) in the redirect to the service page, we can attempt to send a new auth token. 

    0
  • J.Michael Wagner

    Hey Sedat,

    I am going to pull this into a ticket to discuss since I believe we will need to look into your implementation of JWT SSO. Look out for my email that will include the Ticket ID!

    0
  • Filippo

    Hi, anyone had success authenticating against Microsoft ADFS 4.0 and getting a JWT token? Thanks so much!!!

    0
  • Gab

    Hi Filippo,

    You can refer to this article –  Configure Zendesk for your Active Directory/Microsoft environment – for the steps on how to set up JWT SSO for ADFS. That guide references an older version, but that should work for you, too. We usually recommend setting up SSO with Active Directory as described here: Setting up single sign-on using Active Directory with ADFS and SAML (Professional and Enterprise); we currently don't have an article specific for ADFS 4.0. You may also contact Microsoft to ask if there are other requirements from their side.

    Hope this helps, Filippo.

    0
