In addition to the user authentication provided by Zendesk, you can also use single sign-on, which authenticates your users outside of your Zendesk. There are two types:
Social and business account single sign-on
Social and business account single sign-on adds sign-in options that you can provide for your customers' convenience. For example, you can make the Facebook, Google, Microsoft, and Twitter logins available on your Help Center sign-in page. Your customers can then sign in with either their Zendesk account or one of their social or business accounts.
Both your end-users and agents can sign in to your Zendesk using social and business account single sign-on.
The steps for adding social and business account single sign-on to your login page are described in Enabling social and business account single sign-on.
Enterprise single sign-on
Enterprise single sign-on is different from social and business account single sign-on. Instead of being an optional addition to the Zendesk account sign-in, enterprise single sign-on replaces all other sign-in options. After it's been enabled, your customers do not see or use your Help Center sign-in page. Instead, they typically sign in to a corporate network and then access Zendesk by simply clicking a link (to Zendesk Support, for example) and are automatically signed in. All user management and authentication happens outside of your Zendesk.
Both your end-users and your agents can sign in to your Zendesk using enterprise single sign-on. You can configure it only for end-users, only for agents, or for both. You'll still be able to sign in to your Zendesk using the Zendesk sign-in page, bypassing single sign-on. As an admin you'll need to do this to configure some aspects of your Zendesk.
Enabling enterprise single sign-on also affects the iOS and Android versions of the Zendesk mobile app. Once enabled, just as with the web version of your Zendesk, agents and administrators have to enter their SSO credentials on the mobile device.
- Security Assertion Markup Language (SAML) is available only to Professional and Enterprise accounts. SAML is supported by many identity services, such as Okta, OneLogin, and PingIdentity, that integrate readily with your corporate user authentication system (for example, Active Directory and LDAP).
- JSON Web Token (JWT) is available only to Team, Professional, and Enterprise accounts. Like SAML, JWT authenticates your users remotely to allow them to access Zendesk. However, JWT can be considered more of a custom implementation.
If you decide to use enterprise single sign-on for both end-users and agents, you can use the same option for both groups or a different option for each group. For example, you can choose SAML for both groups, JWT for both groups, or SAML for one group and JWT for the other. To use both JWT and SAML for one group, you need to set up a primary SSO method for users who go to Zendesk to sign in, and a non-primary method for users who use the identity-provider-initiated sign-in.
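To make the "custom implementation" side of JWT single sign-on concrete, here is an added example that is not Zendesk's code or documented contract: the corporate side mints a short-lived, HMAC-signed token carrying the user's name, email, and organization after the user has authenticated against the corporate directory, and the service side validates it before granting access. The claim names, the shared-secret (HS256) model, and the 180-second acceptance window are assumptions chosen for illustration; the validation half shows the checks (algorithm pinning, signature, freshness, replay) that a custom token scheme has to get right.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_sso_token(secret, name, email, organization=None, now=None):
    """Corporate side: issue an HS256 JWT for an already-authenticated user (claim names are illustrative assumptions)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iat": int(time.time()) if now is None else now,  # issue time, checked for freshness
        "jti": str(uuid.uuid4()),                          # unique id, checked for replay
        "name": name,
        "email": email,
    }
    if organization is not None:
        claims["organization"] = organization              # optional extra attribute to sync
    segments = [_b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(segments)
    tag = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(tag)


def verify_sso_token(token, secret, seen_jtis, now=None, max_age=180):
    """Service side: accept only if alg, signature, required claims, freshness and replay checks pass."""
    h64, c64, s64 = token.split(".")  # raises ValueError on a malformed token
    if json.loads(_b64url_decode(h64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(secret, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c64))
    missing = [k for k in ("iat", "jti", "name", "email") if k not in claims]
    if missing:
        raise ValueError("missing claims: " + ", ".join(missing))
    now = int(time.time()) if now is None else now
    if not (now - max_age <= claims["iat"] <= now + 60):  # 60 s tolerance for clock skew
        raise ValueError("outside acceptance window")
    if claims["jti"] in seen_jtis:
        raise ValueError("replayed token")
    seen_jtis.add(claims["jti"])  # remember the id for as long as the window is open
    return claims
```

The `seen_jtis` set stands in for whatever store the service uses to remember recently accepted token ids; entries only need to live as long as the acceptance window.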
Enabling enterprise single sign-on means that you're bypassing Zendesk and authenticating your users externally. The advantage to using enterprise single sign-on is that you have complete control over your users, behind your firewall. You authenticate your users once, against your own secure user authentication system, and then grant them access to many other resources both inside and outside of your firewall. Imagine signing into your corporate network and then having quick access to the many other cloud-based services you use each day (Salesforce, JIRA, your wiki, Google Apps, and of course your Zendesk) without having to sign in to each one separately.
Although user management is done outside of your Zendesk (for example, adding and deleting users), your corporate user authentication system is synced with your Zendesk. So, for example, if you add a user account for a new employee, that employee has immediate access to your Zendesk. Conversely, if you delete a user account because an employee has left the company, that employee no longer has access to your Zendesk.
By default, the only data that Zendesk stores for each user is their name and email address. These are necessary because your agents communicate with your end-users through Zendesk, and that communication happens via email. It's also possible to sync more user data to Zendesk, for example the user's organization.