Agents who login to Zendesk Support via single sign-on have their role demoted to end-user.
This problem occurs when you have set up an external authentication integration and one of the following is true:
- The integration was enabled only for your Staff members
- This integration was enabled for all users and user creation/updates are handled solely by the SSO tenant
- The integration was enabled for agents with custom roles
The role of staff members who use the SSO authentication method to login to my account changes upon authentication.
Ask your single sign-on server administrator to check the settings for the role attribute assigned to these users. Depending on the integration that you are using as your external authentication provider, access the user directory on your server side and make sure that the role attribute is set to a specific value.
If the role is not set, then users who should get created or updated as agents via the SSO might get their role demoted to the one of an end-user.
The role attribute can be set as in the example below:
role - The user's role. Can be set to user, agent, or admin. Default is user.
When the custom role of an agent changes to end user, you need to set the role as agent and configure:
custom_role_id - Applicable only if the value of the role attribute above
is agent. You can get the ids of your custom roles with the Custom Roles API.
One of the most common issues would be light agents who are demoted to end users when authenticating via SSO.
For more information about the support user attributes, see the articles below: