In addition to the user authentication provided by Zendesk, you can also use single sign-on, which authenticates your users outside of Zendesk. There are two types: social and business single sign-on, and enterprise single sign-on.
Social and business single sign-on
Social and business single sign-on are additional sign-in options that you can provide for your customers' convenience. For example, you can make the Facebook, Google, and Twitter logins available on your Help Center sign-in page. Your customers can then sign in with their Zendesk account or with one of their social or business accounts.
Both your end users and agents can sign in using their Google or Microsoft account credentials. End users also have the option of using their Twitter or Facebook accounts.
The steps for adding social and business single sign-on to your login page are described in Enabling social and business single sign-on.
Enterprise single sign-on
Enterprise single sign-on is different from social and business single sign-on. Instead of being optional and in addition to the Zendesk account sign-in, enterprise single sign-on replaces all other sign-in options. After it's been enabled, your customers do not see or use your Help Center sign-in page. Instead, they typically sign in to a corporate network and then access Zendesk by simply clicking a link (to Zendesk Support, for example) and are automatically signed in. All user management and authentication happens outside of your Zendesk.
Both your end-users and your agents can sign in to your Zendesk using enterprise single sign-on. You can configure it only for end-users, only for agents, or for both. You'll still be able to sign in to your Zendesk using the Zendesk sign-in page, bypassing single sign-on. As an admin, you'll need to do this to configure some aspects of your Zendesk.
Enabling enterprise single sign-on also affects the iOS and Android versions of the Zendesk mobile app. Once enabled, just as with the web version of your Zendesk, agents and administrators have to enter their SSO credentials on the mobile device.
For enterprise-level single sign-on, Zendesk supports JWT (JSON Web Token) and SAML (Security Assertion Markup Language). JWT is only available to Team, Professional, and Enterprise accounts. SAML is only available to Professional and Enterprise accounts. Both options accomplish the same thing: remotely authenticating your users and allowing them access to your Zendesk. However, JWT can be considered more of a custom implementation, whereas SAML is supported by many services that you can more easily integrate with your corporate user authentication system (for example, Active Directory and LDAP). These services include Okta, OneLogin, and PingIdentity.
If you decide to use enterprise single sign-on for both end-users and agents, you can use the same option for both groups or a different option for each group. For example, you can choose SAML for both groups, JWT for both groups, or SAML for one group and JWT for the other. To use a different option for each group, you need to set up a primary SSO method for users who go to Zendesk to sign in, and a non-primary method for users who use the identity-provider-initiated sign-in. For more details, please submit a request on our website or send an email to firstname.lastname@example.org.
Enabling enterprise single sign-on means that you're bypassing Zendesk and authenticating your users externally. The advantage to using enterprise single sign-on is that you have complete control over your users, behind your firewall. You authenticate your users once, against your own secure user authentication system, and then grant them access to many other resources both inside and outside of your firewall. Imagine signing into your corporate network and then having quick access to the many other cloud-based services you use each day (Salesforce, JIRA, your wiki, Google Apps, and of course your Zendesk) without having to sign in to each one separately.
Although user management is done outside of your Zendesk (for example, adding and deleting users), your corporate user authentication system is synced with your Zendesk. So, for example, if you add a user account for a new employee, that employee has immediate access to your Zendesk. Conversely, if you delete a user account because an employee has left the company, that employee no longer has access to your Zendesk.
By default, the only data that Zendesk stores for each user is their name and email address. These are necessary because your agents communicate with your end-users through Zendesk, and that communication is by email. It's also possible to sync more user data to Zendesk, for example the user's organization.
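To make the "custom implementation" nature of JWT single sign-on concrete, here is an added example (not Zendesk's own code) of what the two sides of a JWT SSO exchange do: the corporate side mints an HS256-signed token carrying the user's name and email (plus the optional organization mentioned above), and the relying side validates the signature, freshness and single use before trusting it. The claim names follow Zendesk's documented JWT SSO format (iat, jti, name, email, organization); the shared secret, the maximum token age and the clock-skew allowance are assumptions for the example.

```python
# Added example using only the standard library. SHARED_SECRET is a placeholder
# for the secret configured in Zendesk admin; MAX_AGE_SECONDS and CLOCK_SKEW are
# assumed values chosen to keep the replay window short.
import base64, hashlib, hmac, json, time, uuid

SHARED_SECRET = b"replace-with-the-shared-secret-from-zendesk-admin"  # placeholder
MAX_AGE_SECONDS = 120  # assumption: tokens older than this are rejected
CLOCK_SKEW = 30        # assumption: tolerated clock drift between the two sides

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_sso_token(name, email, organization=None, now=None, secret=SHARED_SECRET):
    """Corporate side: build the token handed to Zendesk after the local login."""
    payload = {"iat": int(now if now is not None else time.time()),
               "jti": uuid.uuid4().hex,  # unique per token so replays can be detected
               "name": name, "email": email}
    if organization:
        payload["organization"] = organization  # extra synced user data
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_sso_token(token, seen_jtis, now=None, secret=SHARED_SECRET):
    """Relying side: signature, algorithm, required claims, freshness, single use."""
    try:
        header, body, sig = token.split(".")
        alg = json.loads(_b64url_decode(header)).get("alg")
        claims = json.loads(_b64url_decode(body))
        provided_sig = _b64url_decode(sig)
    except ValueError:  # covers base64, JSON and unpacking failures
        return None, "malformed"
    if alg != "HS256":  # never let the token pick the algorithm
        return None, "unexpected alg"
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided_sig):  # constant-time compare
        return None, "bad signature"
    if not all(k in claims for k in ("iat", "jti", "name", "email")):
        return None, "missing required claim"
    now = now if now is not None else time.time()
    if claims["iat"] > now + CLOCK_SKEW or now - claims["iat"] > MAX_AGE_SECONDS:
        return None, "stale or future-dated"
    if claims["jti"] in seen_jtis:
        return None, "replayed jti"
    seen_jtis.add(claims["jti"])  # remember the id for at least MAX_AGE_SECONDS
    return claims, "ok"
```

In production the seen-jti store must be shared across all verifying instances, or a replayed token could be accepted by a node that never saw the original.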