Using different SAML and JWT SSO (single sign-on) for agents and end users

Return to top
Have more questions? Submit a request


  • Niclas Kårlin
    Make sure to provide them with the URL. 

    What would those URL be for SAML or JWT respectively?

  • Niclas Kårlin

    You can also update the article with that you have now implemented a link to switch which method is "Primary".

  • Greg - Community Manager
    Zendesk Developer Support Team

    Hi Niclas Kårlin! In this case, the URL in question would be the remote login for the "non-primary" method. I'll flag this article to be updated with the new functionality, thanks for mentioning this!

  • Frank Rivers

    This functionality seems broken. Whatever is the primary SSO method is the only one that works. If JWT is primary, then it's the only one that seems to work. I can't even do IDP-initiated SSO without Zendesk redirecting to whatever is primary.

    I'm trying to use Azrure AD for agents and JWT for customers. But when I make JWT the primary, there's no way for my agents to log in with Azure. The same is true vice versa. Any suggestions?

  • Brett Bowser
    Zendesk Community Team

    Hey Frank,

    It looks like you have a ticket open with our Customer Care team related to this issue and they're currently investigating to find a solution. Once they have more information they will follow-up with you in the ticket.

    Thanks for taking the time to share this with us!


  • Milton

    We're having similar problems setting this up as the the advice listed here doesn't seem to work for us either.

    It seems that whatever method is set as primary takes precedent, even if you try and navigate to the login url that isn't the primary, it still redirects you to whichever happens to set as primary at the time. Is this actually working for anyone?

  • Raghav Mishra

    Hey Brett Bowser,

    We have a case where we're using JWT for customers and SAML for agent. What we're expecting is, when we register a new end-user, the user gets a verification link. when this verification url is accessed, It does not take the user to be verified, but asks the user to login to my SAML configured SSO page. (Also, my SAML is the primary SSO ) .


    How do I avoid this get my user to verify normally and create a new password to access zendesk? 

  • Grzegorz
    Zendesk Customer Advocate

    Hi Milton,

    I will create a ticket from your comment so that our team can take a closer look at your issue.

    Hi Raghav,

    When a user is added to a Zendesk account, an automatic email notification will be sent to the user. Because they're authenticated with a non-Zendesk password, the profile is created without a password because they don't need to sign in to Zendesk. Since you've set up external authentication and the users don't use Zendesk credentials to sign in, to avoid any confusion, we recommend to:
    - In the Account emails section, deselect Also send a welcome e-mail when a new user is created by an agent or admin
    - In Allow users to change their passwords, deselect this option.

  • Ymeiner

    Its been half a year since this was updated, so what is the URL to get a valid saml SAMLRequest token when JWT is primary?


Please sign in to leave a comment.

Powered by Zendesk