In addition to the user authentication provided by Zendesk, you can also use single sign-on to authenticate your users outside of Zendesk. There are three types of SSO: social account, business account, and enterprise.
Essential facts for SSO
Below are some essential facts for you about the available single sign-on options. These are explained in greater detail throughout the rest of this article.
- Admins and agents can sign in with either their Google, Microsoft, or Zendesk accounts, or can sign in directly by going to their Zendesk URL and entering their username and password. End users can sign in with all social and business accounts, in addition to their Zendesk accounts.
- If your Zendesk is closed or restricted, and a user tries to sign in with a different email than the one in Zendesk Support, their request will be rejected (see Enabling social and business account single sign-on).
- If you use both JWT and SAML, you must set one as the primary authentication (see Using different SAML and JWT SSO (single sign-on) for agents and end users). Also, be sure you understand that the authentication method is not segregated. Agents and end users can authenticate by either method, because they are both configured to use SSO.
- No matter what authentication method you choose, Zendesk stores all users in the same database.
- If you're using a third party identity provider to authenticate, you must configure the Zendesk app with the identity provider.
- It is not possible to apply different SSO options to individual brands, unless using a custom script for JWT. See Multi-brand- Using multiple JWT Single Sign-on URL's.
- If you place a wildcard (*) in the blacklist, users will no longer be able to authenticate or create an account with SSO. For more information, see Using the whitelist and blacklist to control access to your Zendesk.
Social and business account single sign-on
Social and business account single sign-on are additional sign-in options you can provide for your users' convenience. You can make these logins available on your Help Center sign-in page, so users can either authenticate with their Zendesk Support account or a social or business account.
Social accounts include Facebook and Twitter, and business accounts include Google and Microsoft. Agents and admins can only use business accounts to authenticate, but end users can authenticate with both.
Microsoft sign-in is not supported in the iPad version of the Zendesk Support for Mobile app. Google sign-in supports both Gmail and Google Apps accounts. The Federated Login Service is disabled by default for Google Apps Business and Education accounts; the domain admin can enable it from the Control Panel at http://www.google.com/a/cpanel/yourdomain/SetupIdp. Two-factor authentication (Google Authenticator), whether enabled by the user or for the whole Google Apps domain, is supported by this authentication process.
For instructions on adding social and business account single sign-on to your login page, see Enabling social and business account single sign-on.
Enterprise single sign-on
Enterprise single sign-on is different from social media and business account single sign-on. Instead of being an optional addition to the Zendesk account sign-in, enterprise single sign-on replaces all other sign-in options.
About enterprise single sign-on
When you enable enterprise single sign-on, you bypass Zendesk authentication and authenticate your users externally. When users navigate to your Zendesk sign-in page or click a link to your Zendesk, they authenticate by signing in to a corporate server or a third-party identity provider, such as OneLogin or Okta. Enabling enterprise single sign-on also affects the iOS and Android versions of the Zendesk mobile app. The sign-in flow is:
- Users navigate to a Zendesk page or subdomain.
- If not already authenticated, users are redirected to your corporate server or third party identity provider login page, depending on the enterprise SSO option you selected.
- Users enter their sign-in credentials.
- If valid, users are redirected back to the original Zendesk page.
Both your end users and your agents can sign in to your Zendesk using enterprise single sign-on. You can configure enterprise SSO for end users only, for agents only, or for both.
The advantage of enterprise single sign-on is that you keep complete control over your users, behind your firewall. You authenticate your users once, against your own user authentication system, and then grant them access to many other resources both inside and outside your firewall. User management is therefore performed outside of your Zendesk, while your corporate user authentication system stays in sync with Zendesk: if you add a user account for a new employee, they have immediate access to your Zendesk, and if you delete a user account, that employee no longer has access to your Zendesk.
By default, the only data that Zendesk stores for each user is their name and email address, but it's possible to sync more user data to Zendesk, like the user's organization.
You have the option of keeping Zendesk authentication with your enterprise SSO authentication. However, whenever SSO is active, users must log in with their SSO authentication. If you decide to disable Zendesk authentication, all Zendesk user passwords will be permanently deleted within 24 hours.
If your SSO service is temporarily unavailable, you can still access your Zendesk account. See Accessing your Zendesk account when your SSO service is down.
Enterprise single sign-on options
- JSON Web Token (JWT): Credentials and user information are sent in JSON format encrypted using a Zendesk Shared Secret. For information on configuring JWT single sign-on, see Enabling JWT (JSON Web Token) single sign-on.
- Security Assertion Markup Language (SAML): SAML is supported by many identity provider services, such as Okta, OneLogin, Active Directory, and LDAP. For information on configuring SAML single sign-on, see Enabling SAML single sign-on.
You can use the same option for both agents and end users, or a different option for each group. This is ideal if you have two separate sets of users, existing in different locations, that you do not want to merge. If you use both JWT and SAML, you will need to select one as the primary authentication method. When signing in to Zendesk, users will be redirected to your primary method's login page. Users can sign in with the secondary method by going to the secondary method's login page first. For more information, see Using different SAML and JWT SSO (single sign-on) for agents and end users.
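As an added example that is not Zendesk's code and not part of the original article, the Python below walks through the JWT option above as it fits the redirect flow described under "About enterprise single sign-on": a corporate server that has just authenticated a user builds a token carrying the claims Zendesk's JWT endpoint reads (iat, jti, name, email) and redirects the browser to https://SUBDOMAIN.zendesk.com/access/jwt with the jwt and optional return_to parameters. In practice the token is signed with HMAC-SHA256 (HS256) using the shared secret rather than made unreadable, so the secret proves who issued the token while the claims themselves remain visible to anyone holding it. The second function models the checks a receiving side performs on such a token (signature with a constant-time compare, required claims, freshness, one-time jti); the subdomain and secret are constructed placeholders, and the 180-second freshness window and the in-memory replay cache are assumptions made for this example, not Zendesk's documented behaviour.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid
from urllib.parse import urlencode

# Constructed placeholders for this example. A real shared secret comes from
# the JWT SSO settings of your own Zendesk and must never be published.
SUBDOMAIN = "example"
SHARED_SECRET = "constructed-shared-secret-not-a-real-one"
MAX_TOKEN_AGE = 180  # seconds; assumption for this example, not a Zendesk figure


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_zendesk_jwt(name, email, secret=SHARED_SECRET, now=None, jti=None):
    """Issue an HS256 token with the claims Zendesk JWT SSO expects.
    iat: issue time; jti: unique id so the token is accepted only once."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iat": int(now if now is not None else time.time()),
        "jti": jti or uuid.uuid4().hex,
        "name": name,
        "email": email,
    }
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = _b64url(compact(header)) + "." + _b64url(compact(payload))
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def sso_redirect_url(token, subdomain=SUBDOMAIN, return_to=None):
    """The redirect back to Zendesk after a successful corporate login."""
    params = {"jwt": token}
    if return_to:
        params["return_to"] = return_to
    return f"https://{subdomain}.zendesk.com/access/jwt?{urlencode(params)}"


def verify_zendesk_jwt(token, secret=SHARED_SECRET, now=None,
                       max_age=MAX_TOKEN_AGE, seen_jti=None):
    """Model of the receiving side's checks. Returns the claims or raises
    ValueError; seen_jti (a set) stands in for a replay cache."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never trust 'none' or a key switch
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    for key in ("iat", "jti", "name", "email"):
        if key not in claims:
            raise ValueError(f"missing claim {key}")
    now = int(now if now is not None else time.time())
    if not (now - max_age <= int(claims["iat"]) <= now + max_age):
        raise ValueError("token too old or issued in the future")
    if seen_jti is not None:
        if claims["jti"] in seen_jti:
            raise ValueError("replayed jti")
        seen_jti.add(claims["jti"])
    return claims


if __name__ == "__main__":
    tok = build_zendesk_jwt("Jane Agent", "jane@example.com")
    print(sso_redirect_url(tok, return_to=f"https://{SUBDOMAIN}.zendesk.com/hc/en-us"))
    print(verify_zendesk_jwt(tok, seen_jti=set()))
```

The verifier rejects three things the article's flow depends on being caught: a token whose claims were altered after signing, a token presented long after it was issued, and the same token presented twice. Whatever the real endpoint's exact windows are, a corporate issuer should set a fresh iat and a fresh jti on every redirect rather than reusing a token.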
39 Comments
We have Zendesk Enterprise Support and Enterprise Guide. We are adding a new second Brand. The first Brand is for our existing products and uses Zendesk's built-in login (no SSO). Our Agents login via SSO with MS Azure. The new second Brand will be used for our SaaS services that will require the use of a SSO (SAML or JSON web token compatible).
Can we setup Zendesk so that the second Brand uses SSO for that customer base (completely separate audience than the users of our first brand), and our customers in the first Brand continue to authenticate with their existing built-in Zendesk credentials? If so, how do we set this up?
Thanks,
Andy
Hi Andrew,
I'm afraid this is a current limitation of our Single Sign-On (SSO) feature as mentioned in Multibrand known issues. Currently, you may only choose one authentication option for each user type (agent or end-user) and thus, you can't implement SSO for brand-X and brand-Y and Zendesk authentication for brand-Z.
The only alternative I can think of is if you set up SSO for all your end-users, but for your first brand you customize the sign-in link to direct those users to subdomain.zendesk.com/access/normal. This will allow them to log in using the native Zendesk login, whereas users from your second brand should be directed to your SSO page by clicking the default sign-in button.
Hope this helps!
Hi,
When trying to enable SSO for end users it takes me to a 404 Page not found. This is the url https://investminthelp.zendesk.com/admin/security/sso
Hey Riaan!
Thank you for contacting us! I have already updated your ticket with Support so we'll be updating you from there! :)
Link to 'Enabling social and business account single sign-on' is broken
Just out of interest, what are some implications of letting users sign in with their social media accounts?
Hey Patrick,
Good catch! I updated the article and fixed the link you referenced :)
Enabling this can provide your users with more options for signing in which may be a bit more appealing than having to create a separate login for your Help Center.
Happy to answer any additional questions if you have any!
Hi,
When JWT authentication is enabled for End Users, it is possible to let them Sign In with user/password by sending them to X.zendesk.com/access/normal, but there is no Sign Up link on this page so they cannot register. Is there a way to allow (some) users to Sign In with JWT (those users who have access to our application) while letting others Sign Up and Sign In with Zendesk authentication?
Thanks,
Adrien
Hey Adrien,
There wouldn't be a way to remove the sign up option unless you disabled the Anybody can submit tickets option under Admin>Settings>Customers. Disabling this option would then require you to manually add any users to your account for them to have access and the ability to submit tickets to you.
The pop-up you're referencing that contains the sign-up option cannot be edited in any way at this time.
Let me know if you have any other questions!