Multibrand - Using multiple JWT Single Sign-on URLs (Professional Add-on and Enterprise)

Comments

13 comments

  • James Coates

    Thanks, this is definitely a useful feature for those of us using MultiBrand with tenanted clients with different implementations of SSO.

  • Charlotte Parrish

    This is exactly what I need, but I'm struggling to follow a little bit here. You have two systems listed with login script URLs. Which do you put inside the Zendesk settings? Do you host a login and logout script at each domain, then just one set inside Zendesk?

    In your example (below) which information would go inside Zendesk? I am using Wordpress too for both sites if that has any effect. Thanks!

    System 1

    Login URL: https://page1.example.com/zdlogin.php
    Logout URL: https://page1.example.com/zdlogout.php

    System 2

    Login URL: https://page2.example.com/zdlogin.php
    Logout URL: https://page2.example.com/zdlogout.php

  • Anna Everson

    Hi Kevin,

    The premise here is that you create a new login script and a new logout script that essentially "funnels" both of your existing login/logout scripts into one. You can download Abel's example scripts using the links in the article, and you would replace the links to reflect your Wordpress login script locations. It would probably look something like this:

    "brand1.zendesk.com" => "https://www.mywordpresssite1.com/wp-login.php",
    "support1.example.com" => "https://www.mywordpresssite1.com/wp-login.php",
    "brand2.zendesk.com" => "https://www.mywordpresssite2.com/wp-login.php",
    "support2.example.com" => "https://www.mywordpresssite2.com/wp-login.php"

    This may be slightly different depending on your Wordpress setup. Save this new script and host that somewhere on your site, then reference the new script in your Zendesk security settings.

    I will reach out to you in a ticket to make sure you have all the info you need.

  • Dmitry Kirilyuk

    Does Zendesk plan to allow using of different SSO settings for brands?

  • Rebecca

    Hi Dmitry -

    At this time, our multi brand feature should be thought of as "ticket management" as opposed to "user management"; in other words, brands follow tickets, not users. We do however realize this is a major limitation and are actively working to make multibrand better equipped for user management, including users by brand and SSO by brand for user authentication.

    There is more on this here, where SSO per brand is listed as a limitation we are planning to address: Multibranding - Known Limitations

  • Petr Pavlov

    Hi all, we ran into a problem which prevents us from using the multibrand feature of Zendesk together with SSO at all. If anyone knows a way out, please share your experience. Assume a user has two different registrations on two Brand sites and tickets in two Brands too. E.g. he uses q@q.q in Brand#1 and k@k.k in Brand#2. What will happen with his tickets if he changes his k@k.k e-mail in Brand#2 to q@q.q? Ok, in this case the user merge feature of Zendesk seems a logical step. But if after that he changes his e-mail in Brand#2 back to q@q.q, how to deal with it? As far as I can see, separating tickets between two authors is not possible, because Zendesk doesn't have an API to change the author of replies/comments.

  • Anna Everson

    Hi Petr - All of your users for all of your brands are managed in the same place and are not associated with a particular brand. You might be interested in some other known issues/limitations with multi-brand which can be found here:

    https://support.zendesk.com/hc/en-us/articles/206339578

    So to address your particular questions:

    What will happen with his tickets if he changes his k@k.k e-mail in Brand#2 to q@q.q?

    I'm assuming you mean changing his email address within Zendesk (and not your external auth system). He will not be allowed to do so, as user q@q.q already exists and no two users can have the same email address. Similarly, user q@q.q will not be able to change their email address to k@k.k.

    Ok, in this case user merge feature of Zendesk seems a logical step.

    I would be cautious of this. When you merge k@k.k into q@q.q, k@k.k is added as a secondary email address to user q@q.q. A secondary email address will make sure that tickets sent via email from both email addresses are attributed to the same user, but secondary email addresses cannot be used for authentication, so the user will no longer be able to use k@k.k to log in.

    The simplest way to address this would be to ensure that one user is using one email address to login. The only other way to get this to work would be to ensure that both external authentication systems have the same external ID for both user profiles. If k@k.k and q@q.q both log in using the same external ID, they will both be logged into the same user profile, and each time they log in their info will be overwritten with whichever email address they used to log in. There are limitations to this approach as well, so if you need more details or need any more help with this, I would recommend submitting a ticket to support@zendesk.com.

    Thanks!

  • Conor Devlin

    Is this possible to set up with different systems using the same brand?

    Say if page1.example.com and page2.example.com both use brand1.zendesk.com, and page3.example.com and page4.example.com both use brand2.zendesk.com. Is this something that can be achieved?

  • Anna Everson

    Hi Conor - theoretically this should work fine.

  • Andrew Akeroyd

    This isn't clear in the documentation, but if you are logging out of Zendesk via the /access/logout URL you will need to pass the return_to parameter yourself in order to work with this script.

    e.g.
    1. User is in support1.example.com and clicks logout
    2. Redirect user to brand1.zendesk.com/access/logout?return_to=http://support1.example.com
    3. Zendesk logs the user out and redirects to auth.example.com/zdlogout.php?&brand_id=1234&return_to=http://support1.example.com

    If you don't add return_to in step 2, you won't get it in step 3 and the script provided above will probably show a blank screen.

    Note: If the user clicks logout from inside Zendesk, it will send this parameter for you. This is only required if you are redirecting your logouts through Zendesk.
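
To make the "funnel" script from Anna's reply and the logout flow Andrew describes concrete, here is an added example that is not part of the original article or Abel's scripts. It models the single login/logout router as a pure function: the brand is chosen from the host of `return_to` (the hostname-keyed map Anna shows) or, failing that, from the `brand_id` parameter seen in Andrew's step 3; the request is forwarded to that brand's own script; and when `return_to` is missing on logout, the router substitutes the brand's home page instead of leaving the user on a blank screen. All hostnames, the `brand_id` to host table, and the `home` entries are constructed assumptions; a request whose brand cannot be determined is refused (returns None) rather than redirected anywhere.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed routing table (hypothetical hosts): each Zendesk brand host, and the
# host-mapped support domain, points at that site's own login/logout scripts.
# "home" is where a logout lands when Zendesk did not pass return_to.
BRAND_ROUTES = {
    "brand1.zendesk.com": {
        "login": "https://page1.example.com/zdlogin.php",
        "logout": "https://page1.example.com/zdlogout.php",
        "home": "https://support1.example.com/",
    },
    "support1.example.com": {
        "login": "https://page1.example.com/zdlogin.php",
        "logout": "https://page1.example.com/zdlogout.php",
        "home": "https://support1.example.com/",
    },
    "brand2.zendesk.com": {
        "login": "https://page2.example.com/zdlogin.php",
        "logout": "https://page2.example.com/zdlogout.php",
        "home": "https://support2.example.com/",
    },
    "support2.example.com": {
        "login": "https://page2.example.com/zdlogin.php",
        "logout": "https://page2.example.com/zdlogout.php",
        "home": "https://support2.example.com/",
    },
}

# Constructed fallback: brand_id values (as in Andrew's step 3) to a brand host.
BRAND_ID_TO_HOST = {
    "1234": "brand1.zendesk.com",
    "5678": "brand2.zendesk.com",
}


def parse_query(query_string: str) -> dict:
    """Flatten a query string into single values; a leading '?' and empty
    fields (e.g. '?&brand_id=...') are tolerated."""
    raw = parse_qs(query_string.lstrip("?"))
    return {key: values[0] for key, values in raw.items()}


def pick_brand(params: dict):
    """Resolve which brand this request belongs to, or None if unknown.
    The host of return_to is tried first because it is what the
    hostname-keyed map is built on; brand_id is the fallback."""
    return_to = params.get("return_to")
    if return_to:
        host = urlsplit(return_to).hostname
        if host in BRAND_ROUTES:
            return host
    return BRAND_ID_TO_HOST.get(params.get("brand_id", ""))


def build_redirect(action: str, query_string: str):
    """Return the URL the funnel script should redirect to for a 'login' or
    'logout' request carrying query_string, or None when the brand cannot
    be determined (the router then refuses to redirect)."""
    if action not in ("login", "logout"):
        raise ValueError("action must be 'login' or 'logout'")
    params = parse_query(query_string)
    brand = pick_brand(params)
    if brand is None:
        return None
    route = BRAND_ROUTES[brand]
    forward = {}
    # Always forward a return_to: the per-site script needs it to send the
    # user somewhere after logout, otherwise they see a blank page.
    forward["return_to"] = params.get("return_to") or route["home"]
    if "brand_id" in params:
        forward["brand_id"] = params["brand_id"]
    return route[action] + "?" + urlencode(forward)


if __name__ == "__main__":
    # Andrew's step 3, as received by the single logout script.
    print(build_redirect("logout", "?&brand_id=1234&return_to=http://support1.example.com"))
    # Same logout without return_to: falls back to the brand's home page.
    print(build_redirect("logout", "brand_id=1234"))
    # Login request from brand 2 routed to site 2's login script.
    print(build_redirect("login", "return_to=https://brand2.zendesk.com/hc/en-us"))
```

In a real deployment the two functions would sit behind the single login and logout URLs configured in Zendesk, and each per-site script would keep its existing JWT handling; the router only decides where to forward and guarantees that `return_to` is always present on the way out.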

  • Jessie Schutz

    Thanks for sharing this, Andrew!

  • Mike Hammond

    Hi there,

    Will you also be implementing multibranding into SAML, to make it possible to use a different IDP for the different brands? If so, do you have an expected release date?

    We're an IDP and currently provide a whitelabeled product, for which we also provide support, so SAML is currently not an option, as we cannot have the whitelabeled customers logging in via an IDP with our own branding and vice versa.

    We currently do not support JWT, and with the mentioned security risks in this article, as well as in the JWT implementation article (info is encoded and not encrypted), we would not be able to implement JWT as a solution.

    Another question is whether you are going to implement any other SSO methods, such as OAuth2?

  • Anna Everson

    Hello Mike - We do plan on supporting multibrand SSO in the future, but there is no ETA that I can give you. You can comment in this product feedback thread to contribute your thoughts on this:

    https://support.zendesk.com/hc/en-us/community/posts/203403437-Multi-Brand-Feature-Requests