
Enabling JWT single sign-on




Charles Nadeau

Zendesk Documentation Team

Edited Oct 07, 2024



82 comments

Hi

I'm trying to do the same thing that Raghav requested 2 posts above: once authenticated, redirect to Zendesk with the JWT payload and then back to the application.

So I'm redirecting to abc.zendesk.com/access/jwt?jwt=token&return_to=https://my_app_url/

It redirects to the return_to url but the Zendesk session is not opened. Is there another way?

2


Hi Julien, 


I'm sorry for any inconvenience. I've created a ticket for your question so we can look into your specifics with you. Thank you! 

1


We are trying to setup JWT and everything is meeting Zendesk requirement.
But got the error "JWT signature invalid. The signature cannot be verified ,check that your tokens match."
We cannot do anything about this message now. Can someone help here?
Thanks in advance!

0



Shayne Traqueña

Zendesk Customer Care

Hi Xiengcheng Jin,

Thanks for reaching out, happy to help here! As for the error, a possible cause is that the shared secret used to generate the hashed portion of the payload does not match the shared secret listed under Security > SSO > JSON Web Token.

Since only the first several characters of the shared secret are displayed in the Zendesk UI, generally users who receive this error must generate a new shared secret and update the JWT script with the new secret.

Additional cause/s:
- The supplied JWT headers do not contain the "typ" or "alg" parameter. Most JWT implementations should supply these headers automatically.
However, if your team rolls your own implementation (or uses an out-of-date version of our Classic ASP implementation) this error may appear. Most JWT implementations should supply these headers automatically. In this case, Base64 decoding the first section (headers) of the request's JWT parameter can confirm this as the cause of the issue. If either the "typ" or the "alg" parameter is missing, the error can appear:

{"alg":"HS256"}

I hope this helps and points you in the correct direction.

Thanks

Shayne Traqueña

1
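To make the two causes Shayne lists concrete, here is an added example (not code from Zendesk or from anyone in this thread) that builds an HS256 token for the /access/jwt endpoint and then decodes the header and re-checks the signature the way a troubleshooter would. The required iat, jti, name and email claims come from Zendesk's JWT SSO documentation rather than this thread; the shared secret and user values are constructed.

```python
import base64, hashlib, hmac, json, time, uuid
from typing import Optional

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_sso_jwt(secret: str, email: str, name: str, external_id: Optional[str] = None,
                  extra: Optional[dict] = None, header: Optional[dict] = None,
                  now: Optional[int] = None) -> str:
    """Build an HS256-signed JWT for https://<subdomain>.zendesk.com/access/jwt.
    The header must carry both 'typ' and 'alg'; 'header' is overridable only so the
    diagnostic below can be shown on a deliberately incomplete header."""
    header = {"typ": "JWT", "alg": "HS256"} if header is None else header
    claims = {"iat": int(time.time()) if now is None else now,  # freshness: Zendesk rejects stale iat
              "jti": uuid.uuid4().hex,                          # replay protection: unique per token
              "name": name, "email": email}
    if external_id is not None:
        claims["external_id"] = external_id
    claims.update(extra or {})  # e.g. organization, role, custom_role_id from later in the thread
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def diagnose_sso_jwt(token: str, secret: str) -> list:
    """Return the problems a 'JWT signature invalid' report usually boils down to:
    a header missing 'typ'/'alg', a non-HS256 alg, or a shared-secret mismatch."""
    problems = []
    parts = token.split(".")
    if len(parts) != 3:
        return ["token does not have three dot-separated sections"]
    header = json.loads(_b64url_decode(parts[0]))  # Base64url-decode the first section
    if "typ" not in header:
        problems.append("header is missing 'typ'")
    if "alg" not in header:
        problems.append("header is missing 'alg'")
    elif header["alg"] != "HS256":
        problems.append("alg is %r, expected 'HS256'" % header["alg"])
    expected = hmac.new(secret.encode(), (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        problems.append("signature does not verify with this shared secret (secret mismatch?)")
    return problems
```

Run diagnose_sso_jwt against the token your application actually sends and the secret currently shown in Admin Center; an empty list means the failure lies elsewhere (for example a stale iat).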


When my nodejs backend redirects to the `https://<mydomain>.zendesk.com?jwt=xxxx` url, I can see that the redirect was blocked because of CORS policy. 

Access to XMLHttpRequest at 'https://xxxx.zendesk.com/access/jwt?jwt=xxxx' 
(redirected from 'https://api.mydomain.com/v1/auth/login')
from origin 'https://dashboard.mydomain.com' has been blocked by CORS policy:
Response to preflight request doesn't pass access control check:
No 'Access-Control-Allow-Origin' header is present on the requested resource.

Is there any setting in the Zendesk Admin panel, that I should change so that zendesk's CORS policy allows redirect from my domain?

2



Shayne Traqueña

Zendesk Customer Care

Hi there!

Regarding the error you are receiving, please make sure to check out our article here:

https://support.zendesk.com/hc/en-us/articles/360000795768-How-can-I-troubleshoot-CORS-

I hope this helps!

--

Shayne

1


Hey Charlie thanks so much for your response!
I actually deleted my comment because I realized we just hadn't hit the button for Team Members to check the box to use JWT. =\ Foolish mistake on my end and all seems to be working fine now!

But thank you for your note! I can absolutely remove expiration time to clean this up as well!

0


One more question for you Charlie. 
We'd like to pass both an organization and an organization_id as part of the JWT when we login / create users. There are a few things I'm confused about -- i

1. It says if we pass an organization_id claim on the token "If both organization and organization_id are supplied, organization is ignored." -- we're looking to see how we would get both pieces of information in there. Essentially our data is structured with Org#22: Organization Name. So we'd like to pass both pieces of information over here so we can store the ID and the Organization name. How would you suggest we do this? Should we just add it to a custom user field instead and use Organization. 

2. We also have a case where users can have multiple organizations so we know we can pass strings as the organizations attribute but, is it possible to also supply a set of IDs there?

Thanks in advance for your assistance!

0


hi @... or anyone from the content team... there's missing information in this article that is very critical for my implementation.

1. the JWT attributes mention the ability for setting up multi-org membership with the "organizations" attribute. However, this attribute is not documented.

2. when i'm using the "organization" attribute, will zendesk create the org if it is not created?

1


We're using SSO with the JWT endpoint and the external_id field. An issue that we're having is that ZD throws an error when a user changes his/her email at our system and then tries to SSO to an existing account (while the external_id remains the same). An example:

If our UserId 123 <user@email.com> visits ZD, we use SSO by passing something like this: { external_id: 123, email: "user@email.com", ... } to the endpoint https://nnn.zendesk.com/access/jwt?jwt=...&return_to=yyy. This works great, ZD creates the user.

Now, if our user changes his/her e-mail to new@email.com in our system, then the next time we use SSO the following JWT is passed: { external_id: 123, email: "new@email.com", ... }. Which results in an error.

I would like to see a setting in ZD where you may configure SSO to allow updating e-mail addresses if external_id is provided, via the SSO feature. Thanks!

0


I get this error, could you please help figure out what could be wrong? Apparently only existing users can SSO.
https://example.com/zendesk/logout?kind=error&message=Please%20use%20one%20of%20the%20options%20below%20to%20sign%20in%20to%20Zendesk. 

0



Christophe Tiraboschi

Zendesk Customer Care

Hi Ursu Alexandr,

Normally, any user can log in through SSO if your Zendesk instance is open. By open, we mean that anyone can submit a ticket. You can check this setting in Admin Center > People icon in the sidebar > Configuration > End users:

You can find more details in this article:

If the issue happens despite having this setting enabled, please let me know here and I'll create a ticket on your behalf to gather more details and work on a solution.

1



Christophe Tiraboschi

Zendesk Customer Care

Hi Frederik,
 
You should indeed have an error if another user in Zendesk uses the email address new@new.com. Otherwise, it should update the user with this email address, since one of the points of using external_id is when users' email addresses are subject to change. Please double check and let me know here if you are still encountering an error.

0


Thank you Christophe, actually what helped to get rid of that error (https://example.com/zendesk/logout?kind=error&message=Please%20use%20one%20of%20the%20options%20below%20to%20sign%20in%20to%20Zendesk. ) was: Enable external authentication

0


Hey there... I am interested in using ZenDesk for my .NET6 application and would greatly appreciate any guidance you can provide.  I see the reference posted... from 10 years ago. 😁  It would be valuable to have something that is a little more current.

Thank you for any assistance/consideration you can provide. 🙏

0


How to increase the jwt token time from 3 minutes to some X-time?

0


Hi there,

As per the docs, in JWT single sign-on the email and external_id parameters are automatically added to the remote logout URL.
But for my application, an invalid email id is passed to the Remote Logout URL:
email=invalid%40example.com, and external_id is also not passed.
Could anyone please look into the above issue?

1


Forgive me if I'm asking a silly question that's already been answered and I missed . . . but we are looking at end-users authenticating two different ways.  Is that possible?  One large group of end-users AND agents that log in with SAML SSO, and a smaller group of external end-users that would log in using JWT single-sign on.  Is this a possibility?  

0



Jason Schaeffer

Zendesk Customer Care

Hi Eddie, 

At this time it is not possible to authenticate End Users using more than one method. However, it is possible with agents, as you can use SSO, Social, or Basic Authentication. You can also use Split Authentication that differs for Agent and End Users. I have linked that below for you.

Split-authentication-methods-for-customers-and-agents


Thanks!

0


Just in case I'm not phrasing it correctly, taking the Agents out of the equation - are you saying that end-users can't have both forms of SSO?  One group of end-users that authenticates using SAML, and other end-users that use JWT?  

In other words, I have one large group of end-users that currently authenticates using SAML.  I want to have a second group of end-users that would use JWT instead.  

0



Jason Schaeffer

Zendesk Customer Care

Hi Eddie, 

Right, it currently is only possible to split authentication methods between agents and end users, and not possible to have both SAML and JWT offered only to end users. I have an inquiry into one of our SSO specialists to verify and see if any workarounds to that are known, and if there is I will follow up with you and let you know what is possible. 

Cheers!

0


Hi! This is helpful, thanks. If the user's external_id is already in the Zendesk system as an end-user, two questions:

1. Will it recreate the user? (I am guessing not) 

2. Will this enable the user to receive articles that are scoped to the user's tags and therefore user segments? 

We are planning on already having the user created in the Zendesk system long before they attempt to use the JWT SSO. 

Thanks! 

0



Justin H

Zendesk Customer Care

Hey Jimmy! 

Sorry for the delayed response. To answer your questions, if the user's external_id is already in the Zendesk system,

1. it will not recreate the user

2. everything on the user's profile associated with that external_id and email address will be applicable in the Zendesk system, including their tags, so this should work as you anticipate it to.  

Just make sure that the external_ids are paired with the email addresses these end users have. You can't have duplicates of email or external_id, so make sure to triple check that before implementing your SSO solution. 

0


Is it possible to go directly to the https://yoursubdomain.zendesk.com/access/jwt link from our SaaS, as our users will already be signed in, to save them having to sign in again to access the knowledge base we have in Zendesk?

0



Eric Nelson

Zendesk Developer Advocacy

Hey Gary,

Unfortunately not as the JWT handshake wouldn't have been completed so the payload wouldn't be included in the request. 

Sorry for the inconvenience

0


Eric Nelson Sorry, what I meant was: during the redirect from our app to https://yoursubdomain.zendesk.com/access/jwt, generate a JWT and include that in the payload. The issue we have is that each of our clients has a unique URL for sign-in, so redirecting them to a generic login (https://mycompany.com/zendesk/sso) won't work.

0


Hi, our SSO setup is currently not working; the login attempt does not redirect to our Zendesk instance, and instead the return URL is as follows:

https://*remoteURLdomainName*/en/?email=&external_id=&kind=error&logout=1&message=Please+use+one+of+the+options+below+to+sign+in+to+Zendesk.

JWT has been configured in the Admin Center with the correct remote login URL. Any hints as to what this error above could indicate? Our hosting team does not identify that error as coming from them.

thanks,
Diego

1


Hi Zendesk community,

There's no info about how to create a light agent.

Is it possible to get the info please?

Thank you,

1



Nara

Zendesk Customer Care

Hi Raphael, if you're looking for general information on creating light agents within an account, you can find that information within the Setting Roles and Access in Zendesk article here. Otherwise, if you are looking to pass a light agent role via JWT, note that you can do so by passing the role parameter as agent while also passing the custom_role_id parameter to the id of your light agent role in the Admin Center. Cheers!

0


Hi Team,

I'm working on replacing the https://myoldcompany.zendesk.com/api/v2/ API with https://mynewcompany.zendesk.com/api/v2/

The old API works with a specific Zendesk login id and password being passed with basic authentication in an encrypted format. To work with the new https://mynewcompany.zendesk.com/api/v2/,

the same old login and password do not work for me. Do I need to change something here?

0

