In addition to the user authentication provided by Zendesk, you can also use single sign-on to authenticate your users outside of Zendesk. There are three types of SSO: social account, business account, and enterprise.
Essential facts for SSO
Below are some essential facts for you about the available single sign-on options. These are explained in greater detail throughout the rest of this article.
- Admins and agents can sign in with either their Google, Microsoft, or Zendesk accounts, or can sign in directly by going to their Zendesk URL and entering their username and password. End users can sign in with all social and business accounts, in addition to their Zendesk accounts.
- If your Zendesk is closed or restricted, and a user tries to sign in with a different email address than the one in Zendesk Support, the request is rejected (see Enabling social and business single sign-on).
- If you use both JWT and SAML, you must set one as the primary authentication (see Using different SAML and JWT SSO (single sign-on) for agents and end users). Also, be sure you understand that the authentication method is not segregated. Agents and end users can authenticate by either method, because they are both configured to use SSO.
- No matter what authentication method you choose, Zendesk stores all users in the same database.
- If you're using a third party identity provider to authenticate, you must configure the Zendesk app with the identity provider.
- It is not possible to apply different SSO options to individual brands, unless you use a custom script for JWT. See Multi-brand - Using multiple JWT Single Sign-on URLs.
- If you place a wildcard (*) in the blacklist, users will no longer be able to authenticate or create an account with SSO. For more information, see Using the whitelist and blacklist to control access to your Zendesk.
Social and business account single sign-on
Social and business account single sign-on are additional sign-in options you can provide for your users' convenience. You can make these logins available on your Help Center sign-in page, so users can either authenticate with their Zendesk Support account or a social or business account.
Social accounts include Facebook and Twitter and business accounts include Google and Microsoft. Agents and admins can only use business accounts to authenticate, but end users can authenticate with both.
Microsoft sign-in is not supported in the iPad version of the Zendesk Support for Mobile app. Google sign-in supports both Gmail and Google Apps accounts. The Federated Login Service is disabled by default for Google Apps Business and Education accounts; the domain admin can enable it from the Control Panel at http://www.google.com/a/cpanel/yourdomain/SetupIdp. If two-factor authentication (Google Authenticator) is enabled by the user or for the Google Apps domain, it is supported by this sign-in process.
For instructions on adding social and business account single sign-on to your login page, see Enabling social and business account single sign-on.
Enterprise single sign-on
Enterprise single sign-on is different from social and business account single sign-on. Instead of being an optional addition to the Zendesk account sign-in, enterprise single sign-on replaces all other sign-in options.
About enterprise single sign-on
When you enable enterprise single sign-on, you're bypassing Zendesk and authenticating your users externally. When users navigate to your Zendesk sign-in page or click a link to your Zendesk, they can authenticate by signing into a corporate server or a third party identity provider, such as OneLogin or Okta. Enabling enterprise single sign-on also affects the iOS and Android versions of the Zendesk mobile app.
- Users navigate to a Zendesk page or subdomain.
- If not already authenticated, users are redirected to your corporate server or third party identity provider login page, depending on the enterprise SSO option you selected.
- Users enter their sign-in credentials.
- If valid, users are redirected back to the original Zendesk page.
Both your end users and your agents can sign in to your Zendesk using enterprise single sign-on. You can configure enterprise SSO for end users only, for agents only, or for both.
The advantage of using enterprise single sign-on is that you have complete control over your users, behind your firewall. You authenticate your users once, against your own user authentication system, and then grant them access to many other resources both inside and outside of your firewall. This also means that your user management is performed outside of your Zendesk, while your corporate user authentication system stays synced with Zendesk. So if you add a user account for a new employee, they have immediate access to your Zendesk, and if you delete a user account, that employee no longer has access to your Zendesk.
By default, the only data that Zendesk stores for each user is their name and email address, but it's possible to sync more user data to Zendesk, like the user's organization.
You have the option of keeping Zendesk authentication with your enterprise SSO authentication. However, whenever SSO is active, users must log in with their SSO authentication. If you decide to disable Zendesk authentication, all Zendesk user passwords will be permanently deleted within 24 hours.
If your SSO service is temporarily unavailable, you can still access your Zendesk account. See Accessing your Zendesk account when your SSO service is down.
Enterprise single sign-on options
- JSON Web Token (JWT): Credentials and user information are sent in JSON format encrypted using a Zendesk Shared Secret. For information on configuring JWT single sign-on, see Enabling JWT (JSON Web Token) single sign-on.
- Security Assertion Markup Language (SAML): SAML is supported by many identity provider services, such as Okta, OneLogin, Active Directory, and LDAP. For information on configuring SAML single sign-on, see Enabling SAML single sign-on.
You can use the same option for both groups (agents and end users) or a different option for each group. This is ideal if you have two separate sets of users, stored in different locations, that you do not want to merge. If you use both JWT and SAML, you need to select one as the primary authentication method. When signing in to Zendesk, users are redirected to the login page of your primary method. Users can sign in with the secondary method by going to that method's login page first. For more information, see Using different SAML and JWT SSO (single sign-on) for agents and end users.
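The JWT option above is easiest to understand from the token itself. The following is an added example, not Zendesk's own code or the code from the article: it builds the token Zendesk's JWT SSO endpoint accepts (a JWT with the claims iat, jti, name and email, signed with HS256 under the shared secret from the SSO settings page) and the redirect to https://<subdomain>.zendesk.com/access/jwt, then shows the checks the consuming side must perform before trusting the claims. The shared secret acts as the HMAC-SHA256 signing key; the claims are only base64url-encoded, so nothing in the payload should be treated as confidential. The subdomain, secret, the 180-second freshness window and the in-memory jti set are this example's own assumptions, not values from the article.

```python
import base64
import hashlib
import hmac
import json
import time
import urllib.parse
import uuid

# Assumed values for this example (not from the article): a Zendesk subdomain
# and the shared secret shown on the JWT single sign-on settings page.
SUBDOMAIN = "example"
SHARED_SECRET = "replace-with-your-zendesk-shared-secret"


def _b64url(data: bytes) -> str:
    # JWS uses unpadded base64url (RFC 7515, section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_sso_jwt(name, email, secret, iat=None, jti=None, **extra):
    """Build the HS256-signed token that Zendesk's JWT SSO endpoint expects.

    Required claims: iat (issue time in seconds), jti (unique id, used to
    reject replays), name and email. Optional claims such as external_id
    or organization are passed through unchanged via **extra.
    """
    header = {"typ": "JWT", "alg": "HS256"}
    payload = {
        "iat": int(time.time()) if iat is None else iat,
        "jti": uuid.uuid4().hex if jti is None else jti,
        "name": name,
        "email": email,
        **extra,
    }
    compact = {"separators": (",", ":")}
    signing_input = (_b64url(json.dumps(header, **compact).encode()) + "."
                     + _b64url(json.dumps(payload, **compact).encode()))
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def build_redirect_url(token, subdomain, return_to=None):
    """Location the browser is sent to; return_to brings the user back to the
    Zendesk page they started from. Posting the token as a form parameter
    instead keeps it out of referrer headers and access logs."""
    params = {"jwt": token}
    if return_to:
        params["return_to"] = return_to
    return f"https://{subdomain}.zendesk.com/access/jwt?" + urllib.parse.urlencode(params)


def verify_sso_jwt(token, secret, now=None, max_age=180, seen_jti=None):
    """Consumer-side checks: constant-time signature comparison, a pinned
    algorithm, required claims, an iat freshness window and one-time use of
    jti. Returns the claims dict, or None when the token must be rejected.
    The 180 s window and the seen_jti set are this example's own choices."""
    try:
        h, p, s = token.split(".")
        expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # bad structure, bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256":  # never let the token pick the algorithm
        return None
    if any(k not in claims for k in ("iat", "jti", "name", "email")):
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(claims["iat"], int) or not (now - max_age <= claims["iat"] <= now + 60):
        return None  # stale, or issued too far in the future
    if seen_jti is not None:
        if claims["jti"] in seen_jti:
            return None  # replayed token
        seen_jti.add(claims["jti"])
    return claims


if __name__ == "__main__":
    tok = build_sso_jwt("Jane Doe", "jane@example.com", SHARED_SECRET,
                        external_id="emp-1234")  # constructed sample user
    print(build_redirect_url(tok, SUBDOMAIN, return_to=f"https://{SUBDOMAIN}.zendesk.com/hc"))
    print(verify_sso_jwt(tok, SHARED_SECRET, seen_jti=set()))
```

The consumer-side function is included because the article describes the flow from the identity-provider side only; it makes concrete why the iat and jti claims are required (a signed token that never expires or can be replayed would turn a single sign-in into a permanent credential) and why the algorithm must be fixed by the verifier rather than read from the token header.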
42 Comments
>> your corporate user authentication system is synced with your Zendesk. ... if you delete a user account because an employee has left the company, that employee no longer has access to your Zendesk.
It's not really true. If a user visits the help center by direct link after his/her deletion and the Zendesk session cookie has not expired yet, then the help center will authenticate the user. Is there any way to invalidate the user session?
@Dmitry - The only way to kill another user's session is with the API:
https://developer.zendesk.com/rest_api/docs/core/sessions
It may also be possible to do this using tools from your identity provider, but you would have to check with them to explore that possibility.
I need a way for users to signup without validating them via email. Just typing in name, username/email and password when registering and after this be granted access immediately to check their ticket status in the HC.
Would this be possible if using SAML?
Hi Michael,
You can disable the email verification email for new users submitting tickets by:
Please give that a try and let me know if you're still experiencing issues - I'm happy to help!
Hi Garrick.
Thank you. So far so good but how do users log in to check status in the ticket they have submitted?
Hi Michael,
In order to check the status of a ticket they've submitted, users would return to your Help Center and click the 'Sign In' button in the upper-right of your Help Center.
They can then generate an email to set a password using either the 'Forgot my Password' or 'Get a Password' links in the resultant login pop-up:
After setting a password, they'll be logged into your Help Center and can access their My Activities view from the Profile drop-down in the upper-right corner to interact with their existing tickets.
Hi Garrick.
Thank you for clarifying, but with this method the users will need to verify via email, which I do not want, as mentioned in my last question. So this ends up in a catch 22 :)
That is why I am asking these questions in the SSO thread, as I want users to check ticket status without email validation.
I am thinking of a user signup where they choose their own password when registering, with no email validation.
Would this be possible using some kind of SSO?
Hey Michael!
As long as you have your Help Center active, they'll be given the option to log in from the upper right corner of the window.
Hi Jessie.
But that would require a password that they do not have because they cannot set it via email, or is there some other way of setting a password besides getting a link via email?
I am beginning to think that Zendesk cannot meet this requirement. All I want to do is have the users log in to check ticket status without an email being involved at any!!! point.
Hi Michael,
It sounds like you have a specific workflow in mind - I'm reaching out to you via a ticket where we can continue this discussion.
Hi Garrick,
I have a similar workflow to Michael's. At the moment, is there some other way of setting a password besides getting a link via email?
Hey there!
The only way your end-users can change their passwords is via email link. However, Administrators in your Zendesk can reset or change passwords on behalf of your end-users. You can find more information about that here: Resetting user passwords.
I'm trying to get a demo of a successful SAML single sign on integration as a proof of concept for my Product and Engineering teams. Can you recommend a partner who could show me this in action?
Hello, I'm trying to accomplish JWT single sign on via my application into Zendesk. I was able to do SSO for "Agents", but same snippet of code is not working for "End-users". Is there a known issue or configuration to fix this?
I can share my code for those who are interested.
Thanks in advance.
@Mayank M,
There are no known issues with end-user or agent JWT sign-in that I am aware of. I will be creating a ticket for you so we can look into this further.
My app uses the user's email address and secure password to authenticate users logging in. Is there a way to use that same login to authenticate them for my Zendesk KB/help center/community center?
It's kinda gross to make them create another login for getting support in my app.
Is this article saying it's possible if I use "Login with Facebook/Google/etc."?
What's confusing is that the CORE API documentation lists OAuth 2.0: https://developer.zendesk.com/rest_api/docs/core/oauth_clients
Here, it only lists JWT and SAML. Please elaborate on whether OAuth 2.0 is supported.
Hi there Michael-
Thanks for writing in. We support both OAuth as well as JWT/SAML, but these are different mechanisms (and often a cause for confusion). OAuth is an authorization protocol that allows a user to selectively decide which services can do what with their associated data.
SSO is an authentication / authorization flow through which a user can log into multiple services using the same credentials, e.g. for users logging into multiple domains.
Hi, we're evaluating Zendesk and I have a question relating to single sign on.
We support multiple brands which require separate, private help centres.
Will it be possible to use single sign on to authenticate users so they can view content in the help centre for their particular brand? Or does that user need to separately set up an account in Zendesk so they can view content.
If you could give me some guidance in this area I would very much appreciate it.
Many thanks,
Aaron.
Welcome to the Community, Aaron!
I'm going to find someone who can answer this for you. Stand by!
Hi, I have a similar one. We have two brands with different end users and are considering the multi-brand option within Zendesk. We would like to use SSO but redirect users to two different login URLs depending on the brand's helpdesk page they are looking at. Can it be configured this way?
Hey, Aaron!
I've received the ticket created from your comment, and I will continue with you in the ticket to go over what options you will have for your specific case :)
Hi Marcin,
Thanks for your question. We do not have a native tool that will allow for two different SSO login URLs, but there is a workaround that is explained in this article: Multibrand - Using multiple JWT Single Sign-On URLs
Currently that is the only workaround we have. I hope that helps and thanks again for your question.
Hi there:
With SSO enabled can we still have users open tickets directly from the "deep link" - take them directly to the issue? Will that work with SSO enabled?
Hi there,
we have a web portal that uses a user's email address and secure password to authenticate them when logging in. Is there a way to use that same login to authenticate them to our Help Center Guide automatically?
My goal is a seamless experience for our users (no manual Zendesk Account registration, no typing of passwords later, etc.)
However, I require that only our users have access to the Help Center Guide (only an authenticated user of our web portal should ever be able to access an article).
Thank you in advance!
Hi Max,
All of your scenarios are possible with the help of SAML (Secure Assertion Markup Language). Instructions are too big to paste them here.
This article outlines the basic steps needed to set up the whole chain: Configuring how end-users access and sign in to Zendesk Support
And this one guides you through the steps of SAML setup: Using SAML for single sign-on (Professional and Enterprise)
After setup is done, your users should be able to access your Help Center with no issues, assuming they have passed your authentication.
Hi Sergei,
In the continuity of Max's question, how would you concretely set up the SAML to make sure that users can have access to the Help Center Guide using the same credentials as for our application?
To put this another way:
- As user A, I have an account with the application X that has an SSO integration with Zendesk
- As user A, I want to login to the Zendesk help center using the same credentials as for application X from https://applicationX.zendesk.com/access/normal (the URL that bypasses the SSO).
Thank you
Hi,
Is it possible to support sending the JWT in a header as opposed to the URL? I know that the token is submitted over HTTPS and is short-lived, but taking it out of the query string will ensure it is never picked up via a referrer header, screenshots, recording software, etc.
Thanks
Steve
Hi Steve,
We don't support supplying the JWT via header for SSO, but you can submit it as a POST payload to prevent that data from being picked up from the query string.
Hi Garrick,
Thanks for the quick reply. Is there documentation on how this is sent? Form data? JSON?
Thanks
Steve