Multibrand - Using multiple JWT Single Sign-on URLs (Professional Add-on and Enterprise)

Multibrand allows you to manage all your company brands in a single Zendesk Support instance. However, the security settings only allow a single remote login URL, which is a problem if each brand has its own user database.

Fear no more! With this approach you place a small routing script between Zendesk Support and the JWT login scripts on your servers, so that customers are sent to the login URL of the right authentication system based on which brand they are trying to log into.

This tip assumes that you have already configured JWT on your server. Otherwise, make sure that you follow the instructions listed on the article Setting up single sign-on with JWT (JSON Web Token) first.

I'm using PHP in this example, but you can adapt it to other languages if you need to.

This article contains the following sections:

  • Two or more brands set up
  • Two or more user authentication systems set up with JWT SSO
  • The script
  • Update security settings

Two or more brands set up

In order for this tip to make sense, you will need at least two brands configured. You can create them under Admin > Manage > Brands. For details, see Setting up multiple brands (Professional Add-on and Enterprise).

After you set it up, save the brand URL and the host mapped brand URL. We will use them in our script later.

Two or more user authentication systems set up with JWT SSO

As mentioned previously, you will need to have set up and configured JWT SSO on each of your user authentication systems (one per brand is fine). Bear in mind that Zendesk issues one shared secret per account, so the shared secret you obtain from the security options has to be the same in all your authentication systems.

Save the login URL and logout URL along with the information from the previous section.

The script

Now the fun part begins! Your list of saved URLs might look like this:

Brand 1

Non-Hostmapped URL: https://brand1.zendesk.com

Hostmapped URL: https://support1.example.com

Brand 2

Non-Hostmapped URL: https://brand2.zendesk.com

Hostmapped URL: https://support2.example.com

System 1

Login URL: https://page1.example.com/zdlogin.php

Logout URL: https://page1.example.com/zdlogout.php

System 2

Login URL: https://page2.example.com/zdlogin.php

Logout URL: https://page2.example.com/zdlogout.php

Now, let's create the script. In the $brand_URLs array, the keys are the brand hostnames with the https:// (and any path) removed; the values are the full URLs of each system's JWT login or logout script, scheme included.

Login Script

<?php
// Map each brand hostname (scheme and path removed) to the JWT login script of the
// user authentication system that owns that brand.
$brand_URLs = array(
	"brand1.zendesk.com"   => "https://page1.example.com/yourcustomloginjwtscript.php",
	"support1.example.com" => "https://page1.example.com/yourcustomloginjwtscript.php",
	"brand2.zendesk.com"   => "https://page2.example.com/yourcustomloginjwtscript2.php",
	"support2.example.com" => "https://page2.example.com/yourcustomloginjwtscript2.php"
);

// Zendesk appends return_to (the brand page the user asked for) to the remote login URL.
// Route on the exact hostname of return_to, not on a substring match, so that a value such
// as https://evil.example/?brand1.zendesk.com cannot pick the wrong login script.
$return_to = isset($_GET['return_to']) ? $_GET['return_to'] : '';
$host = strtolower((string) parse_url($return_to, PHP_URL_HOST));

if ($host !== '' && isset($brand_URLs[$host])) {
	// Forward the original query string so the brand's own script still receives
	// return_to (and brand_id) and can send the user back to the right brand page.
	$query  = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '';
	$target = $brand_URLs[$host] . ($query !== '' ? '?' . $query : '');
	header("Location: " . $target, true, 302);
	exit;
}

// Missing or unknown return_to: fail closed instead of showing a blank page.
http_response_code(400);
echo "Could not determine which brand you are logging in to.";
?>

Logout Script

<?php
// Same routing as the login script, but pointing at each system's JWT logout script.
$brand_URLs = array(
	"brand1.zendesk.com"   => "https://page1.example.com/yourcustomlogoutjwtscript.php",
	"support1.example.com" => "https://page1.example.com/yourcustomlogoutjwtscript.php",
	"brand2.zendesk.com"   => "https://page2.example.com/yourcustomlogoutjwtscript.php",
	"support2.example.com" => "https://page2.example.com/yourcustomlogoutjwtscript.php"
);

// Zendesk appends return_to and brand_id when it redirects to the remote logout URL.
// Match the exact hostname of return_to rather than a substring.
$return_to = isset($_GET['return_to']) ? $_GET['return_to'] : '';
$host = strtolower((string) parse_url($return_to, PHP_URL_HOST));

if ($host !== '' && isset($brand_URLs[$host])) {
	// Forward the original query string so the brand's logout script keeps return_to.
	$query  = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '';
	$target = $brand_URLs[$host] . ($query !== '' ? '?' . $query : '');
	header("Location: " . $target, true, 302);
	exit;
}

// No return_to (for example a direct visit to /access/logout without it): Zendesk has
// already ended the session, so say so rather than showing a blank page.
http_response_code(400);
echo "You have been signed out of Zendesk, but no return_to was supplied to choose a brand.";
?>

Update Security Settings

Go to Admin > Settings > Security and update the settings for your JWT configuration so they point at the scripts we created, not at any individual authentication system:

  1. Remote login URL: the URL where you host the Login Script above.
  2. Remote logout URL: the URL where you host the Logout Script above.
  3. If some of your customers have an account in more than one user authentication system under the same email address, select "On" for the third option to avoid conflicts when they log in.

Now your agents or customers will be able to authenticate using their specific authentication system, depending on which brand they are trying to access.


Note 1: The security risk is low if you use the scripts as they are: they only redirect to the fixed list of URLs in $brand_URLs, never to a URL taken from the request. If you modify them beyond the changes described here (for example, by redirecting to a value derived from return_to), you may create an open redirect or another vulnerability on your own server (not Zendesk's).

Note 2: Zendesk Support issues a single JWT shared secret per account, so every one of your authentication systems signs tokens with the same secret. If one of those systems is compromised, the attacker can mint valid tokens for any user of any brand. Protect the secret equally in every system, and if any copy leaks, rotate it in Zendesk and in all your scripts at the same time.
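Added example, not code from the original article or from Zendesk: the per-brand JWT login script that the routing script forwards to (System 1's https://page1.example.com/yourcustomloginjwtscript.php in the table above). It assumes the router passes Zendesk's return_to query parameter through, that this system's authenticated user is available (a constructed record stands in for your own session lookup), and that tokens are sent to the /access/jwt endpoint on the brand's Zendesk subdomain (ZENDESK_JWT_ENDPOINT, an assumption to check against the Setting up single sign-on with JWT article). SHARED_SECRET, BRAND_HOSTS, DEFAULT_RETURN_TO and the function names are placeholders. It illustrates the two points in the notes: every system signs with the same shared secret, and return_to is only honoured when it points at this brand's own hosts, so the script cannot be turned into an open redirect.

```php
<?php
// System 1's JWT login script (example only). System 2's copy is identical apart from
// BRAND_HOSTS, DEFAULT_RETURN_TO and ZENDESK_JWT_ENDPOINT, but MUST use the same secret.

// Shared secret from Admin > Settings > Security > JWT. Placeholder value; Zendesk issues
// one per account, so it is the same in every brand's script (see Note 2).
const SHARED_SECRET = 'replace-with-the-shared-secret-from-zendesk';

// Hostnames that belong to this brand. return_to must point at one of them; anything
// else is replaced by the brand's home page so the script is not an open redirect.
const BRAND_HOSTS       = array('brand1.zendesk.com', 'support1.example.com');
const DEFAULT_RETURN_TO = 'https://support1.example.com/hc/';

// Assumed endpoint: /access/jwt on the brand's Zendesk subdomain.
const ZENDESK_JWT_ENDPOINT = 'https://brand1.zendesk.com/access/jwt';

function base64url_encode($data) {
	return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

// Accept return_to only if it is an https URL whose host is one of this brand's hosts;
// otherwise fall back to the brand's default page.
function safe_return_to($return_to, array $allowed_hosts, $fallback) {
	$parts = parse_url((string) $return_to);
	if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
		return $fallback;
	}
	if (strtolower($parts['scheme']) !== 'https'
		|| !in_array(strtolower($parts['host']), $allowed_hosts, true)) {
		return $fallback;
	}
	return $return_to;
}

// Mint the HS256 token Zendesk's JWT SSO expects: iat and a unique jti (Zendesk rejects
// stale or replayed tokens), plus name and email; external_id ties the Zendesk profile
// to this system's own user ID so an email change does not create a second profile.
function make_zendesk_jwt(array $user, $secret, $now = null) {
	$now     = $now === null ? time() : $now;
	$header  = array('typ' => 'JWT', 'alg' => 'HS256');
	$payload = array(
		'iat'         => $now,
		'jti'         => bin2hex(random_bytes(16)),
		'name'        => $user['name'],
		'email'       => $user['email'],
		'external_id' => $user['external_id'],
	);
	$signing_input = base64url_encode(json_encode($header)) . '.'
	               . base64url_encode(json_encode($payload));
	$signature = hash_hmac('sha256', $signing_input, $secret, true);
	return $signing_input . '.' . base64url_encode($signature);
}

// Constructed user record standing in for the account found in System 1's session.
// In production, require a valid local session here and load the user from it.
$user = array(
	'external_id' => 'sys1-user-42',
	'name'        => 'Ada Lovelace',
	'email'       => 'ada@example.com',
);

$return_to = safe_return_to(
	isset($_GET['return_to']) ? $_GET['return_to'] : '',
	BRAND_HOSTS,
	DEFAULT_RETURN_TO
);
$jwt = make_zendesk_jwt($user, SHARED_SECRET);

// Hand the signed token to Zendesk; return_to steers where the user lands afterwards.
header('Location: ' . ZENDESK_JWT_ENDPOINT
	. '?jwt=' . rawurlencode($jwt)
	. '&return_to=' . rawurlencode($return_to), true, 302);
exit;
```

Because the secret is account-wide, rotating it in Zendesk means updating SHARED_SECRET in every system's copy of this script at once; a system left on the old value will produce tokens Zendesk rejects, and a system whose copy leaks can impersonate users of every brand.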


Comments

  • 0

    Thanks, this is definitely a useful feature for those of us using MultiBrand with tenanted clients with different implementations of SSO.

  • 0

    This is exactly what I need, but I'm struggling following a little bit here. You have two systems listed with login script URLs. Which do you put inside the Zendesk settings? Do you host a login and logout script at each domain, then just one set inside Zendesk?

    In your example (below) which information would go inside Zendesk? I am using Wordpress too for both sites if that has any effect. Thanks!

    System 1

    Login URL: https://page1.example.com/zdlogin.php
    Logout URL: https://page1.example.com/zdlogout.php

    System 2

    Login URL: https://page2.example.com/zdlogin.php
    Logout URL: https://page2.example.com/zdlogout.php



    Edited by Kevin Miller
  • 0

    Hi Kevin,

    The premise here is that you create a new login script and a new logout script that essentially "funnels" both of your existing login/logout scripts into one. You can download Abel's example scripts using the links in the article, and you would replace the links to reflect your Wordpress login script locations. It would probably look something like this:

    "brand1.zendesk.com" => "https://www.mywordpresssite1.com/wp-login.php",
    "support1.example.com" => "https://www.mywordpresssite1.com/wp-login.php",
    "brand2.zendesk.com" => "https://www.mywordpresssite2.com/wp-login.php",
    "support2.example.com" => "https://www.mywordpresssite2.com/wp-login.php"

    This may be slightly different depending on your Wordpress setup. Save this new script and host that somewhere on your site, then reference the new script in your Zendesk security settings.

    I will reach out to you in a ticket to make sure you have all the info you need.

  • 0

    Does Zendesk plan to allow using of different SSO settings for brands?

  • 0

    Hi Dmitry- 

    At this time, our multibrand feature should be thought of as "ticket management" as opposed to "user management"; in other words, brands follow tickets, not users. We do, however, realize this is a major limitation and are actively working to make multibrand better equipped for user management, including users by brand and SSO by brand for user authentication.

    There is more on this here, where SSO per brand is listed as a limitation we are planning to address: Multibranding - Known Limitations

    Edited by Rebecca
  • 0

    Hi all, we ran into a problem which prevents us from using the multibrand feature of Zendesk together with SSO at all. If anyone knows a way out, please share your experience. Assume a user has two different registrations on two brand sites and tickets in two brands too. E.g. he uses q@q.q in Brand#1 and k@k.k in Brand#2. What will happen with his tickets if he changes his k@k.k e-mail in Brand#2 to q@q.q? OK, in this case the user merge feature of Zendesk seems a logical step. But if after that he changes his e-mail in Brand#2 back to q@q.q, how to deal with it? As far as I can see, separating tickets between two authors is not possible, because Zendesk doesn't have an API to change the author of replies/comments.

  • 0

    Hi Petr - All of your users for all of your brands are managed in the same place and are not associated to a particular brand. You might be interested in some other known issues/limitations with multi-brand which can be found here:

    https://support.zendesk.com/hc/en-us/articles/206339578

    So to address your particular questions:

    What will happen with his tickets if he changes his k@k.k e-mail in Brand#2 to q@q.q?

    I'm assuming you mean changing his email address within Zendesk (and not your external auth system.) He will not be allowed to do so, as user q@q.q already exists and no two users can have the same email address. Similarly, user q@q.q will not be able to change their email address to k@k.k.

    Ok, in this case user merge feature of Zendesk seems a logical step.

    I would be cautious of this. When you merge k@k.k into q@q.q,  k@k.k is added as a secondary email address to user q@q.q. A secondary email address will make sure that tickets sent via email from both email addresses are attributed to the same user, but secondary email addresses cannot be used for authentication, so the user will no longer be able to use k@k.k to login.

    The simplest way to address this would be to ensure that one user is using one email address to login. The only other way to get this to work would be to ensure that both external authentication systems have the same external ID for both user profiles. If k@k.k and q@q.q both log in using the same external ID, they will both be logged into the same user profile, and each time they log in their info will be overwritten with whichever email address they used to log in. There are limitations to this approach as well, so if you need more details or need any more help with this, I would recommend submitting a ticket to support@zendesk.com.

    Thanks!

  • 0

    Is this possible to set up with different systems using the same brand?

    Say if page1.example.com and page2.example.com both use brand1.zendesk.com and page3.example.com and page4.example.com both use brand2.zendesk.com.  Is this something that can be achieved? 

  • 0

    Hi Conor - theoretically this should work fine.

  • 0

    This isn't clear in the documentation, but if you are logging out of Zendesk via the /access/logout URL you will need to pass the return_to parameter yourself in order to work with this script.


    e.g.
    1. User is in support1.example.com and clicks logout
    2. Redirect user to brand1.zendesk.com/access/logout?return_to=http://support1.example.com
    3. Zendesk logs the user out and redirects to auth.example.com/zdlogout.php?&brand_id=1234&return_to=http://support1.example.com

    If you don't add return_to in step 2, you won't get it in step 3 and the script provided above will probably show a blank screen.


    Note: If the user clicks logout from inside Zendesk, it will send this parameter for you, this is only required if you are redirecting your logouts through Zendesk.

  • 0

    Thanks for sharing this, Andrew!

