Enabling JWT (JSON Web Token) single sign-on

25 Comments

  • Rohan Negi

    Hi there,

    As per the docs, in JWT single sign-on the email and external_id parameters are automatically added to the remote logout URL.
    But for my application, an invalid email id is passed to the Remote Logout URL:
    email=invalid%40example.com, and external_id is also not passed.
    Could anyone please look into the above issue?

    1
  • Christophe Tiraboschi
    Zendesk Customer Care

    Hi Ursu Alexandr,

    Normally, any user can log in through SSO if your Zendesk instance is open. By open, we mean that anyone can submit a ticket. You can check this setting in Admin Center > People icon in the sidebar > Configuration > End users:

    You can find more details in this article:

    If the issue happens despite having this setting enabled, please let me know here and I'll create a ticket on your behalf to gather more details and work on a solution.

    1
  • itay mendelawy

    hi @... or anyone from the content team... there's missing information in this article that is very critical for my implementation.

    1. the JWT attributes mention the ability for setting up multi-org membership with the "organizations" attribute. However, this attribute is not documented.

    2. When I'm using the "organization" attribute, will Zendesk create the org if it is not created?

    0
  • Simran Khosla

    Hey Charlie thanks so much for your response!
    I actually deleted my comment because I realized we just hadn't hit the button for Team Members to check the box to use JWT. =\ Foolish mistake on my end and all seems to be working fine now!

    But thank you for your note! I can absolutely remove expiration time to clean this up as well!

    0
  • Justin H

    Hey Jimmy! 

    Sorry for the delayed response. To answer your questions, if the user's external_id is already in the Zendesk system,

    1. it will not recreate the user

    2. everything on the user's profile associated with that external_id and email address will be applicable in the Zendesk system, including their tags, so this should work as you anticipate it to.  

    Just make sure that the external_ids are paired with the email addresses these end users have. You can't have duplicates of email or external_id, so make sure to triple check that before implementing your SSO solution. 

    0
  • XIECHENG JIN

    We are trying to set up JWT and everything is meeting the Zendesk requirements.
    But we got the error "JWT signature invalid. The signature cannot be verified, check that your tokens match."
    We cannot do anything about this message now. Can someone help here?
    Thanks in advance!

    0
  • Eddie Sawyers

    Forgive me if I'm asking a silly question that's already been answered and I missed . . . but we are looking at end-users authenticating two different ways.  Is that possible?  One large group of end-users AND agents that log in with SAML SSO, and a smaller group of external end-users that would log in using JWT single-sign on.  Is this a possibility?  

    0
  • Brenda Cardinez

    Hi Julien,

    I'm sorry for any inconvenience. I've created a ticket for your question so we can look into your specifics with you. Thank you!

    0
  • Kumail Raza

    How do I increase the JWT token time from 3 minutes to some X time?

    0
  • Ursu Alexandr

    I get this error, could you please help figure out what could be wrong? Apparently only existing users can SSO.
    https://example.com/zendesk/logout?kind=error&message=Please%20use%20one%20of%20the%20options%20below%20to%20sign%20in%20to%20Zendesk. 

    0
  • Jimmy McDermott

    Hi! This is helpful, thanks. If the user's external_id is already in the Zendesk system as an end-user, two questions:

    1. Will it recreate the user? (I am guessing not) 

    2. Will this enable the user to receive articles that are scoped to the user's tags and therefore user segments? 

    We are planning on already having the user created in the Zendesk system long before they attempt to use the JWT SSO. 

    Thanks! 

    0
  • Simran Khosla

    One more question for you Charlie. 
    We'd like to pass both an organization and an organization_id as part of the JWT when we log in / create users. There are a few things I'm confused about -- i

    1. It says if we pass an organization_id claim on the token "If both organization and organization_id are supplied, organization is ignored." -- we're looking to see how we would get both pieces of information in there. Essentially our data is structured with Org#22: Organization Name. So we'd like to pass both pieces of information over here so we can store the ID and the Organization name. How would you suggest we do this? Should we just add it to a custom user field instead and use Organization. 

    2. We also have a case where users can have multiple organizations so we know we can pass strings as the organizations attribute but, is it possible to also supply a set of IDs there?

    Thanks in advance for your assistance!

    0
  • Charles Lloyd

    This is for Simran. For some reason I got notified of your comment but can't see it here.

    Remove the exp from your payload. Zendesk doesn't like it. Here is a snip from my C# code:

    // handler (a JwtSecurityTokenHandler) and descriptor (a SecurityTokenDescriptor carrying
    // the signing key) are set up earlier, outside this snip; payload holds the Zendesk claims.
    JwtSecurityToken token = handler.CreateJwtSecurityToken(descriptor);
    foreach (KeyValuePair<string, object> entry in payload)
    {
        token.Payload[entry.Key] = entry.Value;
    }

    // Zendesk is not expecting nbf
    token.Payload.Remove("nbf");

    // Zendesk doesn't support exp
    token.Payload.Remove("exp");

    0
  • Shayne Traqueña
    Zendesk Customer Care

    Hi there!

    Regarding the error you are receiving, please make sure to check out our article here:

    https://support.zendesk.com/hc/en-us/articles/360000795768-How-can-I-troubleshoot-CORS-

    I hope this helps!

    --

    Shayne

    0
  • Justin

    When my nodejs backend redirects to the `https://<mydomain>.zendesk.com?jwt=xxxx` url, I can see that the redirect was blocked because of CORS policy. 

    Access to XMLHttpRequest at 'https://xxxx.zendesk.com/access/jwt?jwt=xxxx' 
    (redirected from 'https://api.mydomain.com/v1/auth/login')
    from origin 'https://dashboard.mydomain.com' has been blocked by CORS policy:
    Response to preflight request doesn't pass access control check:
    No 'Access-Control-Allow-Origin' header is present on the requested resource.

    Is there any setting in the Zendesk Admin panel, that I should change so that zendesk's CORS policy allows redirect from my domain?

    0
  • Fredrik Johansson

    We're using SSO with the JWT endpoint and the external_id field. An issue that we're having is that ZD throws an error when a user changes his/her email at our system and then tries to SSO to an existing account (with the external_id remaining the same). An example:

    If our UserId 123 <user@email.com> visits ZD, we use SSO by passing something like this: { external_id: 123, email: "user@email.com", ... } to the endpoint https://nnn.zendesk.com/access/jwt?jwt=...&return_to=yyy. This works great, ZD creates the user.

    Now, if our user changes his/her e-mail to new@email.com in our system, then the next time we use SSO the following JWT is passed: { external_id: 123, email: "new@email.com", ... }. Which results in an error.

    I would like to see a setting in ZD where you may configure SSO to allow updating e-mail addresses if external_id is provided, via the SSO feature. Thanks!

    0
  • Charles Lloyd

    Hi Simran,

    It was a long time ago when I worked on it; I don't know if you can free-form name-value pairs in the payload.

    The way we do Zendesk is to create many "brands" that correspond to our products and beyond that we use Zendesk tags to create permission groups of who can see what within a brand. Tags are an array so you could encapsulate a lot of logic based on them if you desired.  

    // create payload to log the designated Epicor app user onto Zendesk with tags
    payload = new Dictionary<string, object>(StringComparer.OrdinalIgnoreCase) {
        { "iat", timestamp },                         // issued-at time, Unix seconds
        { "jti", System.Guid.NewGuid().ToString() },  // unique token id
        { "tags", aryTags },                          // array of Zendesk tags
        { "name", userName },
        { "email", userEmail }
    };

    0
  • Ursu Alexandr

    Thank you Christophe, actually what helped to get rid of that error (https://example.com/zendesk/logout?kind=error&message=Please%20use%20one%20of%20the%20options%20below%20to%20sign%20in%20to%20Zendesk. ) was: Enable external authentication

    0
  • Jason Schaeffer
    Zendesk Customer Care

    Hi Eddie,

    At this time it is not possible to authenticate End Users using more than one method. However it is possible with agents as you can use SSO, Social, or Basic Authentication. You can also use Split Authentication that differs for Agent and End Users. I have linked that below for you. 

    Split-authentication-methods-for-customers-and-agents

    Thanks!

    0
  • Shayne Traqueña
    Zendesk Customer Care

    Hi Xiecheng Jin,

    Thanks for reaching out, happy to help here! As for the error, a possible cause is that the shared secret used to generate the hashed portion of the payload does not match the shared secret listed under Security > SSO > JSON Web Token.

    Since only the first several characters of the shared secret are displayed in the Zendesk UI, generally users who receive this error must generate a new shared secret and update the JWT script with the new secret.

    Additional cause/s:
    - The supplied JWT headers do not contain the "typ" or "alg" parameter. Most JWT implementations should supply these headers automatically.
    However, if your team rolls your own implementation (or uses an out-of-date version of our Classic ASP implementation) this error may appear. In this case, Base64 decoding the first section (headers) of the request's JWT parameter can confirm this as the cause of the issue. If either the "typ" or the "alg" parameter is missing, the error can appear:

    {"alg":"HS256"}

    I hope this helps and points you in the correct direction.

    Thanks

    Shayne Traqueña

    0
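    The two things this thread keeps coming back to are the shape of the signed payload (Charles Lloyd's C# snippets above: iat, jti, name, email, tags, and no exp or nbf) and Shayne's diagnosis of "JWT signature invalid" (shared-secret mismatch, or a header missing "typ"/"alg"). The following Python is an added example written for this comment thread; it is not Zendesk's code and not any commenter's code. It builds an HS256 token with only the standard library, then runs the checks above against a token before it is sent: header fields present, exp/nbf absent, iat/jti present, and the HMAC verifying under the shared secret. The secret, user, subdomain and return_to values are constructed, and the diagnostic messages are this example's own wording, not Zendesk's error strings.

```python
"""Added example: build and sanity-check a Zendesk-style HS256 JWT for JWT SSO.
Not Zendesk's code. Shared secret, user and subdomain below are constructed."""
import base64
import hashlib
import hmac
import json
import time
import uuid
from urllib.parse import urlencode

# Constructed sample data: not a real secret, user or Zendesk subdomain.
SHARED_SECRET = "example-shared-secret-from-admin-center"
SAMPLE_USER = {
    "name": "Example User",
    "email": "user@example.com",
    "external_id": "123",
    "tags": ["product_a", "tier_gold"],
    "organization": "Example Org",
}


def _b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding JWS segments use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Inverse of _b64url: restore the padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_jwt(header: dict, payload: dict, shared_secret: str) -> str:
    """HS256-sign header.payload with the shared secret (HMAC-SHA256)."""
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    digest = hmac.new(shared_secret.encode("utf-8"),
                      signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(digest)


def build_zendesk_jwt(shared_secret: str, user: dict, now: int = None) -> str:
    """Claim set for a Zendesk JWT SSO login: iat and jti, name and email,
    plus the optional external_id / tags / organization claims the thread
    discusses. No exp or nbf is added, per the thread's advice."""
    payload = {
        "iat": int(time.time()) if now is None else now,
        "jti": str(uuid.uuid4()),  # unique per token
        "name": user["name"],
        "email": user["email"],
    }
    for claim in ("external_id", "tags", "organization"):
        if claim in user:
            payload[claim] = user[claim]
    return sign_jwt({"typ": "JWT", "alg": "HS256"}, payload, shared_secret)


def diagnose_zendesk_jwt(token: str, shared_secret: str) -> list:
    """Return the problems a login with this token would trip over (messages
    are this example's wording); an empty list means every check passed."""
    problems = []
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not three dot-separated segments"]
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    payload = json.loads(_b64url_decode(payload_b64))
    for field in ("typ", "alg"):  # the header case Shayne describes
        if field not in header:
            problems.append(f'header is missing "{field}"')
    if header.get("alg") != "HS256":
        problems.append("alg is not HS256")
    for claim in ("iat", "jti"):
        if claim not in payload:
            problems.append(f'payload is missing "{claim}"')
    for claim in ("exp", "nbf"):  # the claims the thread says to strip
        if claim in payload:
            problems.append(f'payload carries "{claim}"')
    expected = hmac.new(shared_secret.encode("utf-8"),
                        f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison so the check itself does not leak the MAC.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        problems.append("signature does not verify under this shared secret")
    return problems


def zendesk_login_url(subdomain: str, token: str, return_to: str) -> str:
    """The /access/jwt URL the thread redirects to, with return_to encoded."""
    query = urlencode({"jwt": token, "return_to": return_to})
    return f"https://{subdomain}.zendesk.com/access/jwt?{query}"


if __name__ == "__main__":
    tok = build_zendesk_jwt(SHARED_SECRET, SAMPLE_USER)
    print("problems:", diagnose_zendesk_jwt(tok, SHARED_SECRET))
    print(zendesk_login_url("example", tok, "https://app.example.com/"))
```

    Running diagnose_zendesk_jwt with the secret your application signs with, and again with the one shown in Admin Center, separates the two failure modes Shayne lists: a missing header field shows up regardless of the secret, while a secret mismatch only shows up as the signature check failing. The URL builder uses urlencode so that a return_to containing slashes or query strings survives the redirect intact.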
  • Julien Poirot

    Hi

    I'm trying to do the same thing that Raghav requested 2 posts above: once authenticated, redirect to Zendesk with the JWT payload and then back to the application.

    So I'm redirecting to abc.zendesk.com/access/jwt?jwt=token&return_to=https://my_app_url/

    It redirects to the return_to url but the Zendesk session is not opened. Is there another way?

    0
  • Christophe Tiraboschi
    Zendesk Customer Care

    Hi Fredrik,

    You should indeed have an error if another user in Zendesk uses the email address new@new.com. Otherwise, it should update the user with this email address, since one of the points of using external_id is when users' email addresses are subject to change. Please double check and let me know here if you are still encountering an error.

    0
  • Jason Schaeffer
    Zendesk Customer Care

    Hi Eddie,

    Right, it currently is only possible to split authentication methods between agents and end users, and not possible to have both SAML and JWT offered only to end users. I have an inquiry into one of our SSO specialists to verify and see if any workarounds to that are known, and if there is I will follow up with you and let you know what is possible. 

    Cheers!

    0
  • Mike-E

    Hey there... I am interested in using ZenDesk for my .NET6 application and would greatly appreciate any guidance you can provide.  I see the reference posted... from 10 years ago. 😁  It would be valuable to have something that is a little more current.

    Thank you for any assistance/consideration you can provide. 🙏

    0
  • Eddie Sawyers

    Just in case I'm not phrasing it correctly, taking the Agents out of the equation - are you saying that end-users can't have both forms of SSO?  One group of end-users that authenticates using SAML, and other end-users that use JWT?  

    In other words, I have one large group of end-users that currently authenticates using SAML.  I want to have a second group of end-users that would use JWT instead.  

    0