Enabling JWT (JSON Web Token) single sign-on

82 Comments

  • Daras Johnson

    Hello, 

    I want to be able to display an account number passed through our JWT to our Help Center on Zendesk. Is it possible to extract that information some way in the JS file, so that I can bind it to the homepage?

    Regards, 
    Daras

    0
  • Molly

    Hi Daras - Welcome to The Community!

    You can definitely pass information about your users to Zendesk using JWT. I would recommend a custom user field to store it.

    I'd like to get a bit more information about your use case though, so I'm going to follow up with you in a ticket. Stay tuned!

    0
  • Charles Lloyd

    Feature request: use expiration value when present in token ('exp'), so that token expiration can be extended. 

    As far as I can tell, there is only a 3 minute window as it is currently implemented. 

    0
  • Brett - Community Manager

    Hi Charles,

    Thanks for sharing your feedback!

    I also recommend cross-posting in our Developer Feature Request forum to help gauge interest from other users as well as provide visibility to the appropriate team :)

    Your feedback is greatly appreciated :)

    0
  • Pedro Reis

    We want to enable JWT SSO for end-users. Does this mean that the user will be automatically registered in Zendesk when he creates an account in our system, or just that the user will be recognized as already verified (by our system) when logging in to Zendesk?

     

    0
  • Brett - Community Manager

    Hi Pedro,

    When the unauthenticated user attempts to access Zendesk resources requiring login (e.g. tickets, restricted HC content, etc.), they’ll be redirected to your system. Your system will be responsible for evaluating the user’s legitimacy via a login/active session and sending the user back to Zendesk with a JWT payload. If that payload is successful, it will then create a user in ZD for the user if one hasn’t already been created.

    Let me know if you have additional questions for me.

    Thanks!

    0
  • Pedro Reis

    Thanks Brett!

    0
  • Brett - Community Manager

    Happy to help Pedro :)

    0
  • Q LIU

    We want logging out on my webpage to also log the user out of Zendesk, but I couldn't find a demo. Please tell me how to achieve it.

    0
  • Jonas Eriksson

    Same thing here as Q LIU - can we remotely log out the active session in Zendesk when users log out from our web page? How?

    https://support.zendesk.com/hc/en-us/community/posts/203432866-SSO-force-logout-previous-session

    Same problem is described here too, without any answers.

    0
  • Terry

    Hi Jonas and Q, 

    With a custom script you could detect the user ID and delete the active session.

    https://developer.zendesk.com/rest_api/docs/support/sessions#delete-session

    Alternatively, visiting {subdomain}.zendesk.com/access/logout does the same thing. You could add this as part of your users' logout flow to accomplish the same result.

    0
  • Jason Miller

    Hello!

    The authentication system on my end requires a bit of information about the user to present them the proper login page. Is there a way that I could tokenize the login url in Zendesk to send this information along with the login request?

    Something like...

    I send a link to a user like:
    mycompany.zendesk.com/tickets/123?userinfo=something

    They aren't already authenticated so they get redirected to

    myloginpage.com?return_to=mycompany.zendesk.com/tickets/123&userinfo=something

    Is anything like this possible, or would you have any examples of how other users have navigated around this issue?

    1
  • Andrew Soderberg

    When using JWT SSO where we are adding and managing users external from Zendesk, is it possible when a new user is added via our web application, that we can suppress the email that Zendesk sends out to the user asking them to click a link to set a password (and authenticates their email)? Our own web application does this already.

     

    0
  • Brett - Community Manager

    Hey Andrew,

    If you disable both checkboxes and remove the text under User welcome email text and Email verification email text does that suppress the emails being sent out to your end-users? I've attached a screenshot below:

    If the emails continue being delivered let me know and we can dig into this a bit further.

    Cheers!

    0
  • Andrew Soderberg

    @Brett

    Thanks for the response, but I forgot to give a couple pieces of key info that will likely change your recommended solution.

    1. We are multibrand in Zendesk. We want to suppress these emails for only one brand.

    2. We are using SSO, but only on one brand (at this time). The SSO script that Zendesk points to will check the referrer and direct our first brand customers to the 'backdoor' login of /access/normal while the new second brand customers are logging in via our SSO. It is the second brand with the SSO that we want to suppress the emails for.

    0
  • Brett - Community Manager

    Hey Andrew,

    I'm afraid these settings are account-wide, so you wouldn't be able to toggle off for one brand while leaving another brand activated. One of the limitations of multibranding is that only login configuration can be set up for each account. This will include the welcome emails that are sent out when an account is created.

    More information on multibrand limitations can be found here: Multibrand known issues

    I wish I was able to provide another alternative for you but I'm afraid one does not exist at this time :-/

    0
  • shaodong cai

    After configuring the JWT of SSO, I can't go to the homepage of the management desk to process the work order. Why? How do I get to the admin desk homepage?

    0
  • Devan La Spisa

    Hello Shaodong,

    I would recommend navigating to subdomain.zendesk.com/agent. If you can get in through this link, then you are running into an SSO issue. If this is the case, then I would recommend reaching out to your developers to resolve this. Also, be sure to replace subdomain with your subdomain.

     

    0
  • Annie B

    Hello!

     

    I'm curious what takes precedence with regards to Organizations: if we send an Organization ID as part of the SSO JWT when creating a user, but have also enabled the email domain automation (adding specific domains to organizations with the expectation that users having those domains will automatically be added to that organization), which determines the Organization of that user? 

     

     

    0
  • Kyle Jones

    Hey there Annie,

    This is a very good question. However, it's a question that has a few different answers depending on how you're setting this up. If your end users are verified upon creation, and you have multiple orgs off for end users, email mapping should take precedence. 

    We'd recommend using one over the other if possible so you don't run into any issues. However, there are certain factors we cannot account for since JWT is a pretty customized aspect. If you're wanting further clarity I would recommend sending in a support ticket to support@zendesk.com with your JWT payload information.

    I hope this helps!

    0
  • Longathrow

    I seem to be having a problem with the JWT Active Directory integration that Zendesk has provided; you can see the article here: https://support.zendesk.com/hc/en-us/articles/203663856-Configure-Zendesk-for-your-Active-Directory-Microsoft-environment

    I am currently getting the following error:

    The supplied iat value is more than 3 minutes off, check your server clock.

    When I set the JWT plugin to debug mode, I am presented with the IAT attribute that is being sent. Placing that in an Epoch time converter shows that the time being sent to the Zendesk servers is identical to what the NTP time servers are presenting as the current time.

    Has anyone experienced and solved this issue?

    0
  • Charles Lloyd

    C# example-

    // JWT uses Unix epoch in seconds
    TimeSpan t = (DateTime.UtcNow - new DateTime(1970, 1, 1));
    int timestamp = (int)t.TotalSeconds;

    // aryTags, username and useremail are supplied by the calling code
    var payload = new Dictionary<string, object>() {
        { "iat", timestamp },                         // issued-at, UTC epoch seconds
        { "jti", System.Guid.NewGuid().ToString() },  // unique ID for each token
        { "tags", aryTags },
        { "name", username },
        { "email", useremail }
    };

    0
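
Added example (not part of any comment above, and not Zendesk's code): a Python sketch that signs a token with the same iat/jti/name/email claims as the C# payload and then applies receiver-side checks, including the 3-minute iat window from the error quoted in the thread, reporting the measured skew in seconds. HS256 signing, the secret, the sample user and the function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time, uuid

MAX_IAT_SKEW = 180  # seconds: the 3-minute window from the error quoted above

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_token(secret: bytes, name: str, email: str, now=None) -> str:
    """Sign a JWT (HS256 assumed) with the claims used in the C# payload."""
    claims = {
        "iat": int(time.time() if now is None else now),  # epoch seconds, UTC
        "jti": str(uuid.uuid4()),                          # fresh for every token
        "name": name,
        "email": email,
    }
    parts = [{"typ": "JWT", "alg": "HS256"}, claims]
    signing_input = ".".join(b64url(json.dumps(p).encode()) for p in parts)
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(mac)}"

def check_token(token: str, secret: bytes, now=None) -> dict:
    """Receiver-side checks: pinned algorithm, signature, then iat window."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        sig = b64url_decode(sig_b64)
    except ValueError as exc:  # wrong segment count, bad base64 or bad JSON
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the header pick the check
    signed = f"{head_b64}.{body_b64}".encode()
    expected = hmac.new(secret, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    iat = claims.get("iat")
    if isinstance(iat, bool) or not isinstance(iat, int):
        raise ValueError("iat must be an integer number of seconds")
    skew = iat - int(time.time() if now is None else now)
    if abs(skew) > MAX_IAT_SKEW:
        raise ValueError(f"iat is {skew:+d}s off (limit {MAX_IAT_SKEW}s)")
    return claims
```

Running check_token on the issuing host against a token captured from debug output shows the signed skew directly, which is quicker than pasting iat into an epoch converter.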
