Admin Center lets you manage how you authenticate users. You can use Zendesk's own user authentication (the standard sign-in process) or you can remotely authenticate users using single sign-on (SSO) and then seamlessly sign them in to Zendesk. You can also let users sign in using popular business or social authentication services such as Google, Microsoft, Facebook, or Twitter.
In Admin Center, an end user is any user receiving customer service. If you enable authentication for end users, they'll need to sign in to submit or track their tickets in Help Center. See Configuring end-user access and sign-in in the Support Help Center.
The authentication options for end users apply to Help Center only. To authenticate end users who use the Chat or Web widgets, see Enabling authenticated visitors in the Chat widget or Enabling authenticated visitors in the integrated Web Widget.
A staff member in Admin Center is any user providing customer service, not a person receiving it. A staff member is usually an admin, agent, or account owner. A staff member may also be an employee who has been assigned a custom role.
Topics covered in this article:
- Accessing the security settings from Admin Center
- Enabling Zendesk authentication
- Disabling Zendesk authentication
- Enabling social and business single sign-on (SSO)
- Enabling enterprise single sign-on (SSO)
If you use Zendesk authentication, you can manage additional security settings. See the following topics:
- Restricting access by IP addresses
- Sending password-change notifications
- Requiring 2-factor authentication
- Setting an inactivity time-out period
An alternative to Zendesk authentication is single sign-on (SSO). SSO lets users sign in once to gain access to multiple systems and service providers, including Zendesk Chat. To learn more, see SSO (single sign-on) options in Zendesk in the Support Help Center.
To help Zendesk troubleshoot an issue in your account, you can let a Zendesk agent assume the role of agent in your account for a specified time. See Allowing Zendesk to assume the role of agent.
Accessing the security settings from Admin Center
To access the security settings from Admin Center
- In any product, click the Zendesk Products icon in the top bar, then select Admin Center.
- In Admin Center, click the Security icon in the left sidebar.
- Select one of the security options.
Enabling Zendesk authentication
You can use Zendesk authentication (the standard sign-in process) for staff members and end users. Zendesk authentication is enabled by default.
For end users, the following conditions must be met before they can use Zendesk authentication:
- Help Center must be activated. Help Center is the only publicly accessible side of Support and Chat for end users. See Getting started with Guide in the Support Help Center.
- End users must register. After registering, an end user is prompted to verify their email address and create a password, which the user can then use to sign in. See Requiring your users to register in the Support Help Center.
To enable Zendesk authentication
- In Admin Center, click the Security icon in the left sidebar.
- Click the Staff Members or End Users tab.
You can set one sign-in option for staff members and a different one for end users.
The End Users tab is not available until you activate the Help Center. See Getting started with Guide.
- Make sure Zendesk Authentication is selected.
The option is selected by default.
- Set the password security level.
See Setting the password security level in the Support Help Center.
- Click Save.
If you enable Zendesk authentication, you can manage the following additional settings:
Disabling Zendesk authentication
In some cases, you may choose to disable Zendesk authentication and use another authentication method, such as SSO, for staff members and end users.
To disable Zendesk authentication
- In Admin Center, click the Security icon in the left sidebar.
- Click the Staff Members or End Users tab.
- Deselect Zendesk Authentication.
- Click Save.
If you're disabling Zendesk authentication for end users, also do the following:
- In Support, click the Admin icon in the sidebar, then select Settings > Customers.
- Determine if you want to enable or disable the Anybody can submit tickets setting.
Typically, when Zendesk authentication is disabled for end users, you would also disable this setting to keep unauthenticated end users from submitting tickets. But if you want end users to send email to their support addresses without allowing them to log in anywhere, leave this setting enabled.
If you disable Zendesk authentication for end users, but you still have Anyone can submit tickets enabled, end users will not see a sign up page when they submit a ticket. Instead, they are redirected back to the Help Center home page.
- Save your changes.
Enabling social and business single sign-on (SSO)
Users can sign in to Zendesk using their credentials for certain social and business accounts. The social accounts are Facebook and Twitter. The business accounts are Google and Microsoft.
End users can use all four – Twitter, Facebook, Google, and Microsoft. Staff members can only use Google or Microsoft.
To learn more, see SSO (single sign-on) options in Zendesk in the Support Help Center.
To enable social and business single sign-on
- In Admin Center, click the Security icon in the sidebar.
- Click the Staff Members or End Users tab.
The End Users tab is not available until you activate the Help Center. See Getting started with Guide.
- Select the social or business SSO option you want to enable.
- If you want users to use only the SSO option, disable the Zendesk Authentication option.
Warning: Disabling Zendesk authentication permanently deletes any Zendesk passwords on record within 24 hours. API requests using an email address and password combination will also fail for both agents and end users.
- Click Save.
Enabling enterprise single sign-on (SSO)
Zendesk supports two enterprise single sign-on solutions:
- Security Assertion Markup Language (SAML): SAML is supported by many identity provider services, such as Okta, OneLogin, Active Directory, and LDAP. For information on configuring SAML single sign-on, see Enabling SAML single sign-on.
- JSON Web Token (JWT): Credentials and user information are sent in JSON format encrypted using a Zendesk shared secret. For information on configuring JWT single sign-on, see Enabling JWT (JSON Web Token) single sign-on.
To learn more, see Enterprise single sign-on in the Support Help Center.
You can enable SAML or JWT single sign-on only for staff members, only for end users, or for both groups.
To enable SAML or JWT single sign-on
- In Admin Center, click the Security icon in the sidebar.
- Click the SSO tab.
- Click the Configure link of one of the SSO options and enter the configuration information.
For details, see the following topics:
- After configuring your SSO option, click the Staff members or End users tab and select the External authentication option if not already selected.
- If you want all users to only use the single sign-on method, deselect the Zendesk authentication option.
Any Zendesk passwords will be permanently deleted from the account within 24 hours.
- Select the Single sign-on option in the External authentication section.
For end users, selecting the SSO option deselects the Zendesk Authentication option if enabled.
Warning: Disabling Zendesk authentication permanently deletes any Zendesk passwords on record within 24 hours.
- Click Save.
Restricting access by IP addresses
If Zendesk authentication is enabled, you can restrict access to your account to users from specific IP addresses. For example, to restrict access to users in your company, specify the IP addresses of your company. You can also allow end users to bypass the restrictions. IP restrictions that you manage in Admin Center apply to sign-in for all products.
Enabling IP-based access restrictions can break third-party integrations that access your account. Make sure to whitelist all external IPs that access your account through the Zendesk APIs. Some integrations use variable IP addresses that can't be whitelisted. If you want to use these integrations, you must disable IP restrictions.
You can specify ranges of IP addresses, separating each range with a space. Two methods are available to specify a range. The first is to use asterisk (*) wildcards. An IP address consists of four numbers separated by periods, such as 192.168.0.1. You can substitute a single asterisk character (*) for any number group to let Zendesk know that it should accept any value in that space. For example, 192.*.*.* allows any IP address whose first number is 192.
The second way to specify an IP range is to use IP subnet mask syntax. For example, 192.168.1.0/25 specifies all the IP addresses between 192.168.1.0 and 192.168.1.127.
You cannot specify IP ranges where the CIDR (Classless Inter-Domain Routing) value is 0. For example, if you specify 10.0.0.0/0, the /0 is a valid format, but it's not accepted by Zendesk.
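A pre-flight check for the range syntax described above, added here as an example (not Zendesk code): it parses a space-separated allowlist with asterisk wildcards and CIDR ranges, rejects /0, and reports which integration source IPs would be locked out. The function names, the sample allowlist, and the sample IPs are constructed for illustration, and IPv4-only input is an assumption.

```python
import ipaddress


def parse_entry(entry):
    """Turn one allowlist entry into a predicate over IPv4Address objects."""
    if "/" in entry:
        # strict=False: the page's own example (10.0.0.0/0) has host bits set,
        # so parse leniently and apply the /0 rule explicitly.
        net = ipaddress.IPv4Network(entry, strict=False)
        if net.prefixlen == 0:
            raise ValueError(f"{entry}: a /0 range is well-formed but not accepted")
        return lambda ip: ip in net
    groups = entry.split(".")
    if len(groups) != 4:
        raise ValueError(f"{entry}: expected four dot-separated groups")
    for g in groups:
        if g != "*" and not (g.isascii() and g.isdigit() and int(g) <= 255):
            raise ValueError(f"{entry}: bad group {g!r}")
    # ip.packed holds the four raw octets; "*" accepts any value in its position.
    return lambda ip: all(g == "*" or int(g) == o
                          for g, o in zip(groups, ip.packed))


def audit_allowlist(spec, source_ips):
    """Return (errors, blocked): rejected entries, and source IPs no range covers."""
    matchers, errors = [], []
    for entry in spec.split():  # ranges are separated by spaces
        try:
            matchers.append(parse_entry(entry))
        except ValueError as exc:
            errors.append(str(exc))
    blocked = [s for s in source_ips
               if not any(m(ipaddress.IPv4Address(s)) for m in matchers)]
    return errors, blocked


# Constructed sample data (not real Zendesk or vendor addresses).
SAMPLE_SPEC = "192.168.1.0/25 10.*.*.* 10.0.0.0/0"
SAMPLE_SOURCE_IPS = ["192.168.1.127", "192.168.1.128", "10.20.30.40", "203.0.113.7"]

if __name__ == "__main__":
    errors, blocked = audit_allowlist(SAMPLE_SPEC, SAMPLE_SOURCE_IPS)
    for e in errors:
        print("rejected entry:", e)
    for ip in blocked:
        print("would be locked out:", ip)
```

Run it against the egress IPs of each API integration before enabling restrictions; any address reported as locked out needs its own range in the allowlist.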
To set IP restrictions
- In Admin Center, click the Security icon in the sidebar.
- Click the Advanced tab.
- In the IP Restrictions section, select Enabled, then enter the Allowed IP Ranges you want to restrict.
- If you don't want the IP restrictions to apply to end users, make sure Customers can bypass restrictions is selected.
- Click Save.
For more information, see Restricting access to Zendesk Support using IP restrictions.
Sending password-change notifications
If Zendesk authentication is enabled, you can send email notifications to staff members and end users when their passwords change.
To send password-change notifications
- In Admin Center, click the Security icon in the sidebar.
- Click the Advanced tab.
- In the Passwords section, select Password Notifications.
- Click Save.
Requiring 2-factor authentication
If Zendesk authentication is enabled, you can require staff members to use 2-factor authentication when they sign in. Once this setting is enabled, all staff members will be required to set up 2-factor authentication the next time they sign in. For instructions for your staff, see Using 2-factor authentication.
To require 2-factor authentication
- In Admin Center, click the Security icon in the sidebar.
- Click the Advanced tab.
- In the Authentication section, select Require two-factor authentication.
- Click Save.
For more information, see Managing 2-factor authentication.
Setting an inactivity time-out period
If Zendesk authentication is enabled, you can set an inactivity time-out period. If a staff member is inactive for the specified period, the staff member is signed out. Staff members remain signed in as long as they actively use the product. Active use includes typing and clicking links. See Understanding your Zendesk session time.
To set an inactivity time-out period
- In Admin Center, click the Security icon in the sidebar.
- Click the Advanced tab.
- In the Authentication section, select a time-out period under Session expiration.
- Click Save.
19 Comments
So, can someone tell me how this part works for the inactivity time-out period? We've recently changed the timeout period and I'm not sure which product you're looking for the inactivity.
If an account has Support, Talk and Chat, does the timeout period apply if you're on a phone call but haven't touched a ticket in Support in a while?
Is there any way to set the timeout period differently for different products?
Thanks for your insights!
Hi Heather,
The session expiration is not tied to one product. We look at interactions with the browser such as moving your mouse, that's enough to count as activity. A phone call through the browser in Talk would also count as activity.
It's currently not possible to set a product specific session expiration.
Hope this helps! Caroline
For the purposes of configuring SSO, are Light Agents (Collaboration Add-on) considered Staff Member accounts? Or are staff accounts only licensed users?
Hey Kami,
Light-agents would fall under Staff Members since they would have access to the agent interface.
Let me know if you have additional questions for me.
Cheers!
We have recently activated Zendesk Light Agents on our system, therefore as the previous comment states Light-agents fall under Staff Members, is there a reason why users we have set up as Light Agents have the Two-Factor Authentication disabled?
As these users have access to potentially sensitive information, we do not feel we can use this role without being able to enable Two-Factor Authentication for them as we already do for existing Helpdesk Staff.
Any advice will be much appreciated.
Hi Rob,
We're creating a ticket for you to look into this further, please keep an eye out for an update via email.
Thanks!
Does this mean I have to log in 5 times a week now?
Regarding the note mentioned by Andreas Schuster, what will be the future session timeout?
Can admins still change it in the admin-center?
We didn't get any information about this change.
Is there a reason behind what options are available in the session expiration dropdown? It's fairly granular up to 8 hours then jumps straight to 2 weeks. It would be great if there were more options between 8 hours and 2 weeks (12, 24, 48 hours, for example).
The session timeout for inactive agents will be whatever the admin configures it to be in Admin Center, that functionality remains unchanged. The option we're removing is for agents to override that session expiration by selecting the Stay Signed In checkbox upon login.
This change is being communicated here in this article, and on the login form when the Stay Signed In checkbox is selected.
Why did my post get deleted?
Now I don't remember the question I asked... there's a difference between a "moderator" and a "deleter" in Forum roles... are post deletions ultimate and non-recoverable? I asked something about the non-agents and stuff but can't recall correctly what!
Hi Bryan Joshua Pedini,
I found your question in an email notification. I'm pasting it here for you, minus the first part of your comment, which was addressing another user. Here's your question:
"Anyway, will this enforcement mean that I have to login multiple times a day, and most importantly, check if I'm still logged in after writing an essay reply to a support ticket to the Plesk team, since the last time I tried doing such, I wasted more than one hour of writing skills and perfectioning every aspect of the ticket to make them understand what was going wrong but without seeming too angry or in a bad mood, to finally discover that ZenDesk had kicked me out and I had to redo the entire thing because the damn system was not even capable of Javascript-recognizing my typing and the fact I was still active and doing things right in the stupid platform I was kicked from? Is that what will be forced to happen?"
Hey Bryan,
The session expiration for inactive agents will be whatever your admin configures it to be in Admin Center. If you're active in the product and writing replies to a support ticket, you shouldn't be logged out.
Dear Caroline,
I agree with you, it shouldn't, however it happened and it wasn't pleasant. Plesk support replied a minute afterwards (something that never happens on a "non-enterprise" support ticket) with something around the "we know ZenDesk is having issues right now, please be patient with it" lines.
Removing the "stay logged in" function for everyone (instead of only agents) would mean that something like that, although the likelihood is very low, could happen again, and waste more time from poor people that are trying to receive support, and present their answers in the best possible manner; since nobody in the Plesk support team is either any of my colleagues nor related to me, hence I surely cannot two-lines reply without thanking for the previous answer and wishing a great day afterwards and not explaining the problem in details, you get the point, it takes time, which could lead to disconnections...
PS: thank you so much Jennifer!
Thanks in advance,
Bryan.
Bryan,
I absolutely agree with you that it's something that shouldn't happen and do apologise for what you experienced. I'll keep an eye out amongst our own Advocacy for any tickets about session expiry not behaving as it's intended to, and losing your work in the process, and see if we can find a pattern around what happened to you and possibly anyone else.
I know you understand that we're not deliberately trying to build unpleasant or disruptive experiences within our product, but I again apologise for the frustration you had to deal with.
Thanks for sharing your feedback, it's much appreciated.
Dear Caroline,
As you noted, I clearly understand that you're not trying to upset people or create unpleasant user experiences.
Anyway, it could have been a one-off case, and as the Plesk team also stated, it could have been a day full of issues for everybody using ZenDesk at that time and I have been just unlucky to need to reply that specific day.
Thanks for the insights and consideration too, that is also much appreciated from a mainly business-to-business oriented company, to see that they also read and care about single users' comments!
Have a nice day,
Bryan.
Does the removal of 'stay signed in' apply to customers as well?
It does, Erin. End-user inactivity time-out is 8 hours by default.
Yo this sucks.
I keep several tickets open in tabs depending on what's being worked on, and these tabs generally outlive a day (or weekend). My routine has now been extended because I have to click sign in on every single one of them, every single day. Sometimes, if I'm particularly organised, it's multiple times per day.
Why is my use of a product's feature so basic as _logging in_ being controlled by someone else? Should I expect an update next year that limits my WPM, or prevents me from maximising the window?