You can configure different SSO methods for agents and end users, for example SAML for one group and JSON Web Token (JWT) for the other. Each group gets its own remote login page; however, the authentication methods are not segregated by role. Because both groups are configured to use SSO, an agent or an end user can authenticate through either method. Also, Zendesk can redirect unauthenticated users to only one of the two remote login pages.
Zendesk redirects unauthenticated users when they click the Sign in link in Help Center or navigate directly to the sign-in page in Zendesk.
The redirect URL that Zendesk uses is the remote login URL of the SSO method you configured last in Admin Center. For example, if you configure JWT SSO for end users first and SAML SSO for staff members (agents, admins) second, Zendesk uses the SAML remote login URL to redirect users. For the best customer experience, configure the SSO method for end users last so that end users get the benefit of the redirect.
Although Zendesk implements both methods, when you view the Security page in Admin Center > Security, the last configured method appears for both agents and end users. This is because Zendesk redirects both groups to that method's remote login page.
Users in the group that must use the other remote login page have to navigate to it themselves, so make sure to give them the URL. Alternatively, ask your web team to add a link on the login page that users are redirected to, so this group can reach their own login page from there.
Example setup
In Admin Center, you set up SAML SSO for your agents first and JWT SSO for your end users second. The JWT remote login page for end users is your company's customer login page. The SAML remote login page for agents is your corporate employee login page.
Although SAML SSO is enabled for Zendesk agents, when you review the authentication settings in Admin Center > Security, JWT appears as the authentication method for both end users and agents. Zendesk redirects both groups to the same JWT remote login page.
End users who try to sign in through your Help Center are redirected to the JWT login page -- your company's customer login page. After signing in, they're redirected back to your Help Center.
Agents who try to sign in through your Help Center are also redirected to the customer login page. From there, they can click an I am an agent link directing them to the corporate employee login page. Your web team is responsible for adding the I am an agent link to the customer login page.
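To make the setup above concrete, here is an added example (written for this article, not Zendesk's own code or any customer's) of the server-side pieces the customer login page needs in this scenario: signing the JWT that the page hands to Zendesk's /access/jwt endpoint, allow-listing the return_to value that Zendesk appends when it redirects a user to the remote login page, and building the I am an agent link so that return_to survives the hop to the SAML login page. The subdomain, shared secret and corporate login URL are placeholders, and the return_to allow-list policy is this example's own, not a Zendesk requirement.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical values for this example. In a real deployment the subdomain is
# your Zendesk subdomain and the secret is the shared secret shown on the JWT
# SSO configuration page in Admin Center.
ZENDESK_SUBDOMAIN = "example"
ZENDESK_HOST = f"{ZENDESK_SUBDOMAIN}.zendesk.com"
JWT_SHARED_SECRET = b"change-me-shared-secret"

# Hypothetical URL of the SAML remote login page used by agents. The customer
# login page only links to it; it never signs anything for it.
AGENT_LOGIN_URL = "https://login.corp.example/saml/start"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sign_zendesk_jwt(email, name, secret=JWT_SHARED_SECRET, now=None, jti=None):
    """Build the HS256 JWT that the customer login page passes to Zendesk.

    iat and jti are required by Zendesk JWT SSO (jti lets Zendesk reject a
    replayed token); email and name identify the end user.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iat": int(now if now is not None else time.time()),
        "jti": jti or uuid.uuid4().hex,
        "email": email,
        "name": name,
    }
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_zendesk_jwt(token, secret=JWT_SHARED_SECRET):
    """Check the HMAC and return the payload, or None if the token is bad.

    This mirrors what the receiving side does; it is here so the example can
    check its own output.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    signing_input = parts[0] + "." + parts[1]
    expected = _b64url(hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest())
    if not hmac.compare_digest(expected.encode("ascii"), parts[2].encode("utf-8")):
        return None
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def safe_return_to(return_to):
    """Allow-list the return_to value before it is sent anywhere.

    Zendesk appends return_to to the remote login URL so the user can be sent
    back to the page they started on. Only pass it through if it points at
    your own Zendesk host or is a plain relative path; anything else is
    dropped so the login page cannot be used as an open redirector.
    """
    if not return_to:
        return None
    parsed = urlparse(return_to)
    if parsed.scheme == "" and parsed.netloc == "":
        # Relative path such as /hc/en-us; protocol-relative //host is rejected
        # because urlparse puts the host in netloc, not here.
        return return_to if return_to.startswith("/") else None
    if parsed.scheme == "https" and parsed.netloc == ZENDESK_HOST:
        return return_to
    return None


def build_zendesk_login_url(token, return_to=None):
    """URL the customer login page redirects to after authenticating the user."""
    params = {"jwt": token}
    rt = safe_return_to(return_to)
    if rt:
        params["return_to"] = rt
    return f"https://{ZENDESK_HOST}/access/jwt?" + urlencode(params)


def agent_login_link(query_string):
    """Build the 'I am an agent' link for the customer login page.

    query_string is the query Zendesk sent when it redirected the user here
    (for example 'return_to=...&brand_id=...'). return_to is preserved so the
    agent still lands on the page they asked for after SAML sign-in.
    """
    rt = safe_return_to(parse_qs(query_string).get("return_to", [None])[0])
    return AGENT_LOGIN_URL + ("?" + urlencode({"return_to": rt}) if rt else "")
```

The allow-list is the part worth copying even if you use a JWT library: the login page receives return_to from the query string, so without the check an attacker could craft a link to your customer login page that bounces a freshly signed-in user to a phishing site.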
6 Comments
What would those URLs be for SAML or JWT respectively?
You can also update the article to note that you have now implemented a link to switch which method is "Primary".
Hi Niclas Kårlin! In this case, the URL in question would be the remote login for the "non-primary" method. I'll flag this article to be updated with the new functionality, thanks for mentioning this!
This functionality seems broken. Whatever is the primary SSO method is the only one that works. If JWT is primary, then it's the only one that seems to work. I can't even do IDP-initiated SSO without Zendesk redirecting to whatever is primary.
I'm trying to use Azure AD for agents and JWT for customers. But when I make JWT the primary, there's no way for my agents to log in with Azure. The same is true vice versa. Any suggestions?
Hey Frank,
It looks like you have a ticket open with our Customer Care team related to this issue and they're currently investigating to find a solution. Once they have more information they will follow-up with you in the ticket.
Thanks for taking the time to share this with us!
Cheers!
We're having similar problems setting this up, as the advice listed here doesn't seem to work for us either.
It seems that whatever method is set as primary takes precedence; even if you try to navigate to the login URL that isn't the primary, it still redirects you to whichever happens to be set as primary at the time. Is this actually working for anyone?