English (US)
  1. Zendesk help
  2. Admin Center
  3. Advice and troubleshooting
  4. Authentication and user access

How can I set up two Zendesk SSO integrations?

Alexander Popa
  • Edited
Zendesk Engineering

Suite Growth, Professional, Enterprise, and Enterprise Plusprofessional enterprise plans

Question

How can I set up two Zendesk SSO integrations?

Answer

The default Zendesk authentication method allows the creation of two SSO options, but only directs users to one (primary) SSO method for login (for example clicking the Sign-in link in the Help Center or navigating directly to the Sign-in page). This is the main reason why we recommend enabling SAML or JWT for both agents and end-users.

However, there is a workaround. The caveat is that you need to set a primary SSO method which will be what is used when a user goes to Zendesk and clicks log in from the Help Center or navigates directly to the sign-in link.

The non-primary SSO method needs to have users logging in using an IDP-initiated login rather than an SP. This means they would need to start at the SSO provider, something like the OKTA start page, that can be used to get to Zendesk and other sites. 

As long as they are IDP-initiated logins and have the proper shared secret for JWT or certificate for SAML, we would let them in. If you would like to know more about how a customer can host a script that would allow multiple IDPs and not require IDP initiated logs, see the article: Multibrand - Using multiple JWT Single Sign-on URL's (Professional Add-on and Enterprise)

The diagrams below help explain IDP and SP. The examples are for SAML but it works the same way as JWT essentially.

SP initiated login:
SP_Initiated_login_workflow_flow_chart.png
IDP initiated login:
IDB_Initiated_Login_flow_chart.png
You could also have both SAML and JWT enabled, keep the JWT as the default one and create an “agent tab" on your custom landing page for JWT.

Return to top

4 Comments

  • Tkachev Oleg

    > keep the JWT as the default one and create an “agent tab" on your custom landing page for JWT.

    How to organize this tab? Is it just an URL like an */access/normal/ ?

    0
  • Cheeny Aban
    Zendesk Customer Care

    Hi Tkachev Oleg,

    Thank you for creating a post on our community.

    You may need to create a custom login button on your page that will log in agents through JWT. That is because JWT is linked based on user credentials.

    I hope that helps!

     

    0
  • Ben Adelmann

    In testing this I've found that there is another requirement for SAML auth to work aside from just passing the expected certificate. The entity id passed in a saml idp-initiated login must match the primary sso method's entity id.

    0
  • Tomer Ben-Arye

    Ben Adelmann,

    Mind sharing more data and information, any base instructions of how you implemented it?
    We're looking for a guide for adding the second SAML implementation, and this article is too shallow and we need more details on the implementation.

    0

Please sign in to leave a comment.

Related articles

Powered by Zendesk