The default Zendesk authentication method allows the creation of two SSO options, but only directs users to one (primary) SSO method for log in (e.g. clicking the "Sign in" link in the Help Center or navigating directly to the Sign in page). This is the main reason why we recommend to enable SAML or JWT for both agents and end-users.
However, there is a workaround. The caveat is that you need to set a primary SSO method which will be what is used when a user goes to Zendesk and clicks log in from the Help Center or navigates directly to the sign in link.
The non primary SSO method will need to have users logging in using an IDP initiated login rather than an SP. This means they would need to start at the SSO provider, something like the OKTA start page, that can be used to get to Zendesk and other sites.
As long as they are IDP initiated logins and have the proper shared secret for JWT or certificate for SAML, we would let them in. If you would like to know more about how a customer can host a script that would allow multiple IDPs and not require IDP initiated logs, see the following Support Tip: Multibrand - Using multiple JWT Single Sign-on URL's (Professional Add-on and Enterprise)
These diagrams will help explain IDP and SP a bit more (examples are for SAML but it works the same way as JWT essentially:
SP initiated login:
IDP initiated login:
You could also have both SAML and JWT enabled, keep the JWT as the default one and create an “agent tab" on your custom landing page for JWT.