Multibrand allows you to control all your company brands in a single Zendesk Support instance. However, security settings will only allow you to set up one single URL for remote logins, which might be problematic if you have different user databases for each of your brands.
Fear no more! With this approach you create a small routing script that sits between Zendesk Support and the SSO login scripts on your server and sends your customers to the login URL of the brand they are trying to sign in to.
This tip assumes that you have already configured JWT on your server. Otherwise, make sure that you follow the instructions listed on the article Setting up single sign-on with JWT (JSON Web Token) first.
I'm using PHP in this example, but you can adapt it to other languages if you need to.
This article contains the following sections:
- Two or more brands set up
- Two or more user authentication systems with JWT configured
- The scripts
- Update security settings
- Troubleshooting
Two or more brands set up
In order for this tip to make sense, you will need at least two brands configured. You can create them under Admin > Manage > Brands. For details, see Setting up multiple brands (Professional Add-on and Enterprise).
After you set it up, save the brand URL and the host mapped brand URL. We will use them in our script later.
Two or more user authentication systems set up with JWT SSO
As mentioned previously, you will need to have set up and configured JWT SSO on your user authentication systems. You can set up one for each brand, but bear in mind that the shared secret you obtain from the security options will have to be the same in all your authentication systems.
Save the login URL and logout URL along with the information from the previous section.
The scripts
Now the fun part begins! Your list of saved URLs might look like this:
Brand 1
Non-Hostmapped URL: https://brand1.zendesk.com
Hostmapped URL: https://support1.example.com
Brand 2
Non-Hostmapped URL: https://brand2.zendesk.com
Hostmapped URL: https://support2.example.com
System 1
Login URL: https://page1.example.com/zdlogin.php
Logout URL: https://page1.example.com/zdlogout.php
System 2
Login URL: https://page2.example.com/zdlogin.php
Logout URL: https://page2.example.com/zdlogout.php
Now, let's create the script. Remove the https:// from each brand URL (these become the array keys); keep it on the login and logout script URLs (the array values).
Login Script
<?php
// Map each brand host (with and without host mapping) to the JWT login
// script of the user database that serves that brand.
$brand_URLs = array(
    "brand1.zendesk.com"   => "https://page1.example.com/yourcustomloginjwtscript.php",
    "support1.example.com" => "https://page1.example.com/yourcustomloginjwtscript.php",
    "brand2.zendesk.com"   => "https://page2.example.com/yourcustomloginjwtscript2.php",
    "support2.example.com" => "https://page2.example.com/yourcustomloginjwtscript2.php"
);

// Zendesk appends return_to (the brand URL the user came from). Compare its
// host exactly rather than substring-matching the whole URL: strpos() returns
// a falsy 0 for a match at offset 0, and a foreign URL that merely contains a
// brand name must not be routed.
$return_to = isset($_GET['return_to']) ? $_GET['return_to'] : '';
$host = parse_url($return_to, PHP_URL_HOST);

foreach ($brand_URLs as $k => $v) {
    if (is_string($host) && strcasecmp($host, $k) === 0) {
        // Forward return_to so the brand's JWT script can send the user back
        // to the Help Center they started on.
        header("Location: " . $v . "?return_to=" . urlencode($return_to));
        die();
    }
}
// No brand matched: the script falls through and sends no redirect.
?>
Logout Script
<?php
// Same routing as the login script, but pointing at each system's JWT logout
// script; the brand host is the only thing we look at.
$brand_URLs = array(
    "brand1.zendesk.com"   => "https://page1.example.com/yourcustomlogoutjwtscript.php",
    "support1.example.com" => "https://page1.example.com/yourcustomlogoutjwtscript.php",
    "brand2.zendesk.com"   => "https://page2.example.com/yourcustomlogoutjwtscript.php",
    "support2.example.com" => "https://page2.example.com/yourcustomlogoutjwtscript.php"
);

$return_to = isset($_GET['return_to']) ? $_GET['return_to'] : '';
$host = parse_url($return_to, PHP_URL_HOST);

foreach ($brand_URLs as $k => $v) {
    // Exact host comparison (see the login script for why strpos() is avoided).
    if (is_string($host) && strcasecmp($host, $k) === 0) {
        header("Location: " . $v . "?return_to=" . urlencode($return_to));
        die();
    }
}
// No brand matched: the script falls through and sends no redirect.
?>
Update security settings
- In any product, click the Zendesk Products icon in the top bar, then select Admin Center.
- Click the Security icon in the left sidebar, then click the Single sign-on tab.
- For JSON Web Token, click Enabled, then point to the scripts we created. See example below.
- Save your changes.
- Remote login URL - This has to be the URL to the Login Script.
- Remote logout - This has to be the URL to the Logout Script.
- Update of external IDs? - If some of your customers have an account with the same email address in more than one user authentication system, you must select “On” for this option to avoid conflicts when they log in.
Now your agents or customers will be able to authenticate using their specific authentication system, depending on which brand they are trying to access.
You can also find the scripts here:
Note 1: Security risk is low if you use the script as it is. If you modify it extensively other than the changes mentioned here, you may create a security vulnerability on your own server (not Zendesk’s).
Note 2: Since we only provide one JWT shared secret, all your SSO scripts will use the same secret in your authentication systems. If one of your systems is compromised, it may lead to all of your brands being compromised.
Note 3: If you get an "Invalid JWT Request" error when you try to SSO, refer to the Troubleshooting instructions below.
Troubleshooting
To prevent "Invalid JWT Request" errors, hardcode https://(defaultsubdomain).zendesk.com/access/jwt?jwt= as the JWT endpoint for both brands, where (defaultsubdomain) is your main brand subdomain (for example, mydomain.zendesk.com):
- Hardcode https://(defaultsubdomain).zendesk.com into the SSO script, so the JWT payload is always sent to https://(defaultsubdomain).zendesk.com/access/jwt
- Add the snippet below to the script so that 'return_to' is used and the end user is redirected back to the Help Center they started from. Make sure that for both brands the payload is sent to the fixed '(defaultsubdomain)' URL and that 'return_to' is appended.
The snippet for your reference:
// $location already holds https://(defaultsubdomain).zendesk.com/access/jwt?jwt=<token>;
// append return_to so Zendesk sends the user back to the brand they came from.
if (isset($_GET["return_to"])) {
    $location .= "&return_to=" . urlencode($_GET["return_to"]);
}
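The following is an added example, not code from the original article or from Zendesk: a complete per-brand JWT login script (the role played by yourcustomloginjwtscript.php above) that applies the troubleshooting advice, always posting the token to the fixed (defaultsubdomain) endpoint and appending return_to. It assumes the user was already authenticated by this brand's own user database (represented by the constructed $user array), that the shared secret is stored in the environment variable ZENDESK_JWT_SECRET, and that the allowed return hosts are the brand hosts listed earlier in the article.

```php
<?php
// Added example: per-brand JWT login script for the troubleshooting section.
// Assumptions: the brand's own user database has already authenticated the
// user ($user below is a constructed sample), the shared secret lives in
// ZENDESK_JWT_SECRET, and (defaultsubdomain) is a placeholder for your main brand.

const ZENDESK_DEFAULT_SUBDOMAIN = 'defaultsubdomain'; // placeholder: your main brand subdomain

// Hosts that return_to may point at; anything else is dropped so the
// post-login redirect only ever lands on one of our own brands.
$allowed_return_hosts = array(
    'brand1.zendesk.com', 'support1.example.com',
    'brand2.zendesk.com', 'support2.example.com',
);

// JWT uses base64url without padding (RFC 7515).
function base64url_encode($data) {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

// Build an HS256 JWT (header.payload.signature) by hand so the example runs
// without Composer; a vetted library such as firebase/php-jwt produces the
// same token and is the better choice in production.
function build_zendesk_jwt(array $user, $secret) {
    $header  = array('typ' => 'JWT', 'alg' => 'HS256');
    $payload = array(
        'iat'   => time(),                    // issued-at; Zendesk rejects stale tokens
        'jti'   => bin2hex(random_bytes(16)), // unique token id, blocks replay
        'name'  => $user['name'],
        'email' => $user['email'],
    );
    $signing_input = base64url_encode(json_encode($header)) . '.'
                   . base64url_encode(json_encode($payload));
    $signature = hash_hmac('sha256', $signing_input, $secret, true);
    return $signing_input . '.' . base64url_encode($signature);
}

// The token always goes to the default subdomain's /access/jwt endpoint;
// return_to brings the user back to the brand they started on, but only when
// it points at one of our allowed hosts.
function zendesk_login_location($jwt, $return_to, array $allowed_hosts) {
    $location = 'https://' . ZENDESK_DEFAULT_SUBDOMAIN . '.zendesk.com/access/jwt?jwt=' . $jwt;
    $host = parse_url($return_to, PHP_URL_HOST);
    if (is_string($host) && in_array(strtolower($host), $allowed_hosts, true)) {
        $location .= '&return_to=' . urlencode($return_to);
    }
    return $location;
}

// Constructed sample user; in reality this comes from the brand's user database.
$user = array('name' => 'Jane Doe', 'email' => 'jane@example.com');

$secret = getenv('ZENDESK_JWT_SECRET');
if ($secret === false || $secret === '') {
    http_response_code(500);
    die('ZENDESK_JWT_SECRET is not configured');
}

$jwt = build_zendesk_jwt($user, $secret);
$return_to = isset($_GET['return_to']) ? $_GET['return_to'] : '';
header('Location: ' . zendesk_login_location($jwt, $return_to, $allowed_return_hosts));
exit;
```

The second brand's script is identical apart from the user database it authenticates against and the secret it reads, which must be the same shared secret, since Zendesk only issues one. Restricting return_to to the known brand hosts keeps the script from being used to bounce a logged-in user to an arbitrary site.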
33 Comments
Unfortunately, I have been waiting weeks and weeks for replies from your customer care on this (and all other requests). A great irony considering you are the support company... not to mention that we spend thousands a month on your services and have been a customer for many years. Really disappointed.
Hi Alex,
I've bumped priority on your ticket and alerted the support team to your comments here.
How can access be restricted to a particular brand for a user who logs in via SSO (JWT based)? What parameter should the JWT token contain to specify the brands allowed for a user?