Single sign-on (SSO) options in Zendesk

all plans

In addition to the user authentication provided by Zendesk, you can also use single sign-on, which authenticates your users outside of your Zendesk. There are two types: social media single sign-on and enterprise single sign-on.

Note: If you place a wildcard (*) in the Blacklist, users will no longer be able to authenticate or create an account in SSO. For more information see Using the whitelist and blacklist to control access to your Zendesk.

Social media single sign-on

Social media single sign-on provides additional sign-in options that you can offer for your customers' convenience. For example, you can make the Facebook, Google, and Twitter logins available on your Help Center sign-in page. Your customers can then sign in with either their Zendesk account or one of their social media accounts.

Both your end-users and agents can sign in to your Zendesk using social media single sign-on.

The steps for adding social media single sign-on to your login page are described in Enabling social media single sign-on.

Enterprise single sign-on

Enterprise single sign-on is different than social media single sign-on. Instead of being optional and in addition to the Zendesk account sign-in, enterprise single sign-on replaces all other sign-in options. After it's been enabled, your customers do not see or use your Help Center sign in page. Instead, they typically sign in to a corporate network and then access Zendesk options by simply clicking a link (to Zendesk Support, for example) and are automatically signed in. All user management and authentication happens outside of your Zendesk.

Both your end-users and your agents can sign in to your Zendesk using enterprise single sign-on. You can configure it only for end-users, only for agents, or for both. You'll still be able to sign in to your Zendesk using the Zendesk sign-in page, bypassing single sign-on. As an admin, you'll need to do this to configure some aspects of your Zendesk.

Note: It's a good idea to modify your SSO sign-in page to add a link for your agents to sign in directly to the agent interface, subdomain.zendesk.com/agent.

Enabling enterprise single sign-on also affects the iOS and Android versions of the Zendesk mobile app. Once enabled, just as with the web version of your Zendesk, agents and administrators have to enter their SSO credentials on the mobile device.

 

 

For enterprise-level single sign-on, Zendesk supports the following options:
  • Security Assertion Markup Language (SAML) is available only to Professional and Enterprise accounts. SAML is supported by many services that you can more easily integrate with your corporate user authentication system (for example, Active Directory and LDAP). These services include Okta, OneLogin, and PingIdentity.
  • JSON Web Token (JWT) is available only to Team, Professional, and Enterprise accounts. Just like SAML, this remotely authenticates your users to allow them to access Zendesk. However, JWT can be considered more of a custom implementation.

If you decide to use enterprise single sign-on for both end-users and agents, you can use the same option for both groups or a different option for each group. For example, you can choose SAML for both groups, JWT for both groups, or SAML for one group and JWT for the other. To use both JWT and SAML for one group, you need to set up a primary SSO method for users who go to Zendesk to sign in, and a non-primary method for users who use the identity-provider-initiated sign-in.

Enabling enterprise single sign-on means that you're bypassing Zendesk and authenticating your users externally. The advantage to using enterprise single sign-on is that you have complete control over your users, behind your firewall. You authenticate your users once, against your own secure user authentication system, and then grant them access to many other resources both inside and outside of your firewall. Imagine signing into your corporate network and then having quick access to the many other cloud-based services you use each day (Salesforce, JIRA, your wiki, Google Apps, and of course your Zendesk) without having to sign in to each one separately.

Although user management is done outside of your Zendesk (for example, adding and deleting users), your corporate user authentication system is synced with your Zendesk. So, for example, if you add a user account for a new employee, that employee has immediate access to your Zendesk. Conversely, if you delete a user account because an employee has left the company, that employee no longer has access to your Zendesk.

By default, the only data that Zendesk stores for each user is their name and email address. These are necessary of course because your agents communicate with your end-users through Zendesk and the user's name and email address are needed since that communication is via email. It's also possible to sync more user data to Zendesk, for example the user's organization.

For information about setting up enterprise single sign-on, see the following:

Comments

  • 0

    >> your corporate user authentication system is synced with your Zendesk. ... if you delete a user account because an employee has left the company, that employee no longer has access to your Zendesk.

    It's not really true. If a user visits the Help Center by direct link after his/her deletion and the Zendesk session cookie has not expired yet, then the Help Center will authenticate the user. Is there any way to invalidate a user session?

  • 0

    @Dmitry - The only way to kill another user's session is with the API:

    https://developer.zendesk.com/rest_api/docs/core/sessions

    It may also be possible to do this using tools from your identity provider, but you would have to check with them to explore that possibility.
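
The cleanup the two comments above discuss, as an added example that is not part of the original article or comments: it compares the identity provider's active accounts with the Zendesk user list and builds one session-deletion request per departed user, skipping accounts that sign in directly. The subdomain, token and sample users are constructed placeholders, and the endpoint path is an assumption to confirm against the Sessions API documentation linked above.

```python
import base64
import urllib.request

def basic_auth(email, api_token):
    # Zendesk API-token authentication: "<email>/token:<token>" as the Basic credential.
    raw = f"{email}/token:{api_token}".encode()
    return "Basic " + base64.b64encode(raw).decode()

def stale_users(idp_active_emails, zendesk_users, keep=()):
    """Zendesk users with no active IdP account, minus exempt direct-login accounts."""
    known = {e.strip().lower() for e in idp_active_emails}
    known |= {e.strip().lower() for e in keep}
    return [u for u in zendesk_users if u["email"].strip().lower() not in known]

def revoke_request(subdomain, user_id, auth):
    # Assumed path for "delete all sessions of one user"; check the Sessions API docs.
    url = f"https://{subdomain}.zendesk.com/api/v2/users/{int(user_id)}/sessions.json"
    return urllib.request.Request(url, method="DELETE",
                                  headers={"Authorization": auth})

def plan(subdomain, auth, idp_active_emails, zendesk_users, keep=()):
    """One DELETE request per user whose sessions should be ended."""
    return [revoke_request(subdomain, u["id"], auth)
            for u in stale_users(idp_active_emails, zendesk_users, keep)]

# Constructed sample data (not real accounts).
IDP_ACTIVE = ["alice@example.com", "Bob@Example.com"]
ZENDESK_USERS = [
    {"id": 101, "email": "alice@example.com"},
    {"id": 102, "email": "bob@example.com"},
    {"id": 103, "email": "carol@example.com"},  # deleted in the IdP
    {"id": 104, "email": "admin@example.com"},  # signs in directly, bypassing SSO
]

if __name__ == "__main__":
    auth = basic_auth("admin@example.com", "API_TOKEN_PLACEHOLDER")
    for req in plan("subdomain", auth, IDP_ACTIVE, ZENDESK_USERS,
                    keep=["admin@example.com"]):
        print(req.get_method(), req.full_url)      # dry run only
        # urllib.request.urlopen(req, timeout=10)  # uncomment to send
```

Running this from the same job that deprovisions accounts in the identity provider closes the window in which an unexpired session cookie still grants Help Center access.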

  • 0

    I need a way for users to sign up without validating them via email. Just typing in name, username/email and password when registering and after this be granted access immediately to check their ticket status in the HC.

    Would this be possible if using SAML?

  • 0

    Hi Michael,  

    You can disable the email verification email for new users submitting tickets by:

    • Navigating to Settings > Customers in your Admin menu
    • Checking the 'Anybody Can Submit Tickets' checkbox

    • Unchecking the 'Ask Users to Register' checkbox

    Please give that a try and let me know if you're still experiencing issues - I'm happy to help!

  • 0

    Hi Garrick.

    Thank you. So far so good but how do users log in to check status in the ticket they have submitted?

  • 0

    Hi Michael,

    In order to check the status of a ticket they've submitted, users would return to your Help Center and click the 'Sign In' button in the upper-right of your Help Center.

    They can then generate an email to set a password using either the 'Forgot my Password' or 'Get a Password' links in the resultant login pop-up:

    After setting a password, they'll be logged into your Help Center and can access their My Activities view from the Profile drop-down in the upper-right corner to interact with their existing tickets.

  • 0

    Hi Garrick.

    Thank you for clarifying, but with this method the users will need to verify via email, which I do not want, as mentioned in my last question. So this ends up in a catch 22 :)

    That is why I am asking these questions in the SSO thread, as I want users to check ticket status without email validation.

    I am thinking of a user signup where they choose their own password when registering with no email validation

    Would this be possible using some kind of SSO?

  • 0

    Hey Michael!

    As long as you have your Help Center active, they'll be given the option to log in from the upper right corner of the window.

  • 0

    Hi Jessie.

    But that would require a password that they do not have because they cannot set it via email, or is there some other way of setting a password besides getting a link via email?

    I am beginning to think that Zendesk cannot meet this requirement. All I want to do is have the users log in to check ticket status without an email being involved at any!!! point.

  • 0

    Hi Michael,

    It sounds like you have a specific workflow in mind - I'm reaching out to you via a ticket where we can continue this discussion.

     

  • 0

    Hi,

    I have a similar workflow to Michael's. At the moment, is there some other way of setting a password besides getting a link via email?

  • 0

    Hey there!

    The only way your end-users can change their passwords is via email link. However, Administrators in your Zendesk can reset or change passwords on behalf of your end-users. You can find more information about that here: Resetting user passwords.

  • 0

    I'm trying to get a demo of a successful SAML single sign on integration as a proof of concept for my Product and Engineering teams. Can you recommend a partner who could show me this in action?

  • 0

    Hello, I'm trying to accomplish JWT single sign-on via my application into Zendesk. I was able to do SSO for "Agents", but the same snippet of code is not working for "End-users". Is there a known issue or configuration to fix this?

    I can share my code for those who are interested.

    Thanks in advance.

  • 0

    @Mayank M,

    There are no known issues with end-user or agent JWT sign-in that I am aware of. I will be creating a ticket for you so we can look into this further.
