Single sign-on is a mechanism that allows you to authenticate users in your systems and subsequently tell Zendesk that the user has been authenticated. If you use single sign-on with JSON Web Token (JWT), a user is automatically verified with the identity provider when they sign in. The user is then allowed to access Zendesk without being prompted to enter separate sign-in credentials.
As a Zendesk admin, your role consists of enabling the SSO options. This article describes how to enable multiple JWT single sign-on configurations that can be used to authenticate team members (admins and agents, including light agents and contributors), end users, or both.
At the core of single sign-on is a security mechanism that allows Zendesk to trust the sign-in requests it gets from your systems. Zendesk only grants access to the users who have been authenticated by you. Zendesk SSO relies on JWT to secure the exchange of user authentication data.
The IT team in a company is usually responsible for setting up and managing the company's JWT authentication system. Their role is to implement SSO for Zendesk on the system. Refer the team to the following topic in this article:
Related articles:
How JWT SSO for Zendesk works
Once you enable SSO, sign-in requests are routed to a sign-in page external to Zendesk Support.
Steps of the JWT SSO authentication process:
- An unauthenticated user navigates to your Zendesk Support URL. Example: https://yoursubdomain.zendesk.com/.
- The Zendesk SSO mechanism recognizes that SSO is enabled and that the user is not authenticated.
- Zendesk tries to determine whether the unauthenticated user is an end user or team member and redirects the user to your organization's appropriate remote sign-in page. Example: https://mycompany.com/zendesk/sso.
- A script on the remote server authenticates the user using your organization's proprietary sign-in process.
- The authentication system builds a JWT request that contains the relevant user data.
- The authentication system redirects the user to the following Zendesk endpoint with the JWT payload:
https://yoursubdomain.zendesk.com/access/jwt
- Zendesk parses the user details from the JWT payload and then grants the user a session.
As you can see, this process relies on browser redirects and passing signed messages using JWT. The redirects happen entirely in the browser and there is no direct connection between Zendesk and your systems, so you can keep your authentication scripts safely behind your corporate firewall.
Requirements for enabling JWT SSO
Meet with the team in your company responsible for the JWT authentication system (usually the IT team) to make sure that Zendesk-bound traffic is over HTTPS, not HTTP.
- The remote login URL where Zendesk users should be redirected when they attempt to access Zendesk
- (Optional) The remote logout URL where Zendesk can redirect users after they sign out of Zendesk
- (Optional) A list of IP ranges to redirect users to the appropriate sign-in option. Users making requests from the specified IP ranges are routed to the remote JWT authentication sign-in form. Users making requests from IP addresses outside the ranges are routed to the normal Zendesk sign-in form. If you don't specify a range, all users are redirected to the remote authentication sign-in form.
The IT team may require additional information from Zendesk to configure the JWT implementation. Refer them to the Technical implementation worksheet in this article.
After you've confirmed that you meet the requirements and have all of the necessary information, you're ready to enable JWT SSO.
Enabling JWT SSO
Admins can enable JWT single sign-on only for end users, only for team members (including light agents and contributors), or for both groups. You can create multiple JWT SSO configurations. Before you start, obtain the required information from your company's IT team. See Requirements for enabling JWT SSO.
To enable JWT single sign-on
- In Admin Center, click
Account in the sidebar, then select Security > Single sign-on. - Click Create SSO configuration then select JSON Web Token.
- Enter a unique Configuration name.
- For Remote Login URL, enter the URL where your users should be redirected when they attempt to access your Zendesk URL.
Zendesk automatically adds a brand_id parameter to the URL. This is the Zendesk Support brand the user was on when they attempted to sign in.
- (Optional) For Remote Logout URL, a logout URL where users should be redirected after they sign out of Zendesk.
Zendesk automatically adds email, external_id, and brand_id parameters to the logout URL. If you prefer not having email and external id information in the URL, specify blank parameters in the logout URL. Example:
https://www.xyz.com/user/signout/?email=&external_id=
Note: If you're using an Ember.js application, you need to amend the logout URL to use blank parameters before the hash. For example,https://somedomain.com/?brand_id=&return_to=&email=#/zendesk-login/. - (Optional) For IP ranges, enter a list of IP ranges if you want to redirect users to the appropriate sign-in option.
Users making requests from the specified IP ranges are routed to the JWT authentication sign-in form. Users making requests from IP addresses outside the ranges are routed to the normal Zendesk sign-in form. Don't specify a range if you want all users to be redirected to the JWT authentication sign-in form.
- If you use external IDs for your users, you can update these in Zendesk Support by selecting On for Update of external ids?.
- Provide the Shared secret to your IT team. They'll need it for their JWT implementation.
Important: Keep the shared secret safe. If it's compromised, all the data in your Support account is at risk.
- Once your JWT SSO configuration is set, click Enabled so you can assign this option to users.
- Click Save.
Assigning JWT SSO to users
After creating your JWT SSO configuration, you must activate it by assigning it to end users, team members, or both.
To assign an SSO configuration to team members or end users
- Open the Security settings for team members or end users.
- In Admin Center, click Account in the sidebar, then select Security > Team member authentication.
- In Admin Center, click Account in the sidebar, then select Security > End user authentication.
- In Admin Center, click
- If you're assigning an SSO configuration to team members, select External authentication to show the authentication options.
These options are already displayed for end users.
- Click Single sign-on (SSO) option in the External authentication section, then select the name(s) of the SSO configuration(s) you want to use.
Single sign-on might not cover all use cases, so Zendesk authentication remains active by default. To require users to sign on using the primary SSO method, see To only allow sign-on using SSO authentication.
- Click Save.
To only allow sign-on using SSO authentication
- Open the Security settings for team members or end users.
- In Admin Center, click Account in the sidebar, then select Security > Team member authentication.
- In Admin Center, click Account in the sidebar, then select Security > End user authentication.
- In Admin Center, click
- For How end users/team members sign in, select Redirect to SSO click Save.
- In Admin Center, click Account in the sidebar, then select Security > Advanced.
- Click the Authentication tab and then select an SSO bypass option.
You can choose whether only the Account owner or all Admins (including the account owner) can be granted access to the account in case the external sign-in provider goes down.
To gain access, the account owner or an admin requests to receive an email containing a one-time access link. Clicking the link grants the person access to the account. No password is required. See Accessing the account if passwords are disabled.
- Click Save.
Managing users in Zendesk after enabling JWT SSO
After enabling JWT single sign-on in Zendesk, changes made to users outside Zendesk sync to your Zendesk account. For example, if a user is added to your internal system, the user is automatically added to your Zendesk account. If a user is deleted in your internal system, the user will no longer be able to sign in to Zendesk However, their account will still exist in Zendesk.
By default, the only user data stored in Zendesk when single sign-on is enabled is the user's name and email address. Zendesk does not store passwords. As a result, you should disable any automated email notifications from Zendesk about passwords. See Disabling password notification emails from Zendesk.
To provide a better customer experience, you might want to store more than just the user's name and email address in Zendesk. You can do this using additional JWT attributes.
Disabling password notification emails from Zendesk
When a user is added to a Zendesk account, an automatic email notification may be sent to the user asking them to verify their email address and to create a username and password.
A Zendesk user profile is created for any new user who accesses your Zendesk account through SAML or JWT. Because they're authenticated with a non-Zendesk password, the profile is created without a password because they don't need to sign in to Zendesk. However, by default every new user gets an email notifying them to verify their email address and create a username and password.
- In Admin Center, click
People in the sidebar, then select Configuration > End users. - In the Account emails section, deselect Also send a welcome e-mail when a new user is created by an agent or admin
- In Allow users to change their passwords, deselect this option.
Generating a new shared secret
In some cases, like if your secret is compromised, you may need to issue a new JWT shared secret and provide it to your IT team or external identity provider. You can generate a new JWT shared secret from Zendesk Admin Center. This action will create a new secret and invalidate the old one. You'll need to inform your IT team or external identify provider of your new shared secret to keep Zendesk SSO account authentication working.
To generate a new shared secret
- In Admin Center, click Account in the sidebar, then select Security > Single sign-on.
- Hover over the JWT configuration you want to create a new shared secret for, then click the option menu icon (
) and select Edit. - Scroll to Shared secret at the bottom of the configuration page and click Reset secret.
A confirmation message appears.
- Click Reset secret to confirm the reset.
You should see a new Shared secret in plain text.
- Click Copy to make a copy of the new shared secret and give it to your IT team or your external identity provider.
- Save your changes.
Switching authentication methods
It's important to note that if you use a third-party SSO method to create and authenticate users in Zendesk, then switch to Zendesk authentication, these users will not have a password available for login. Instruct users to reset their passwords from the Zendesk sign-in page to gain access.
Additional information about JWT
JWT is an open standard that is being driven by the international standards body IETF and has top-level backers from the technology sector (for example, Microsoft, Facebook, and Google).
The fundamental building blocks of JWT are very well understood components and the result of this is a fairly simple spec, which is available here http://tools.ietf.org/html/draft-jones-json-web-token-10. There are a lot of open source implementations of the JWT spec that cover most modern technologies. This means that you can get JWT single sign-on set up without much difficulty.
One thing to be aware of is that the JWT payload is merely encoded and signed, not encrypted, so don't put any sensitive data in the hash table. JWT works by serializing the JSON that is being transmitted to a string. The string is Base64 encoded and then JWT makes an HMAC of the Base64 string which depends on the shared secret. This produces a signature that the recipient side can use to validate the user.
Technical implementation worksheet
This section is for the team in the company responsible for the company's JWT authentication system. It provides details about the Zendesk JWT SSO implementation.
Topics covered:
JWT algorithm
Specify HS256 as the JWT algorithm in the header of your JWT payload:
{
"typ":"JWT",
"alg":"HS256"
}HS256 stands for HMAC SHA 256, a 256-bit encryption algorithm designed by the U.S. National Security Agency.
Zendesk JWT endpoint
After successfully authenticating the user, redirect the user along with the JWT payload to the following Zendesk endpoint:
https://yoursubdomain.zendesk.com/access/jwt
The payload should be base64-encoded and appended to the URL as a query string.
The JWT payload must be sent to your Zendesk Support subdomain using the https protocol. Example:
https://yoursubdmain.zendesk.com/access/jwt?jwt={payload} Host-mapped subdomains are not supported.
JWT attributes
Send attributes to Zendesk as a base64-encoded hash (Ruby) or dictionary (Python). Example using Ruby:
payload = JWT.encode({
:email => "bob@example.com", :name => "Bob", :iat => Time.now.to_i, :jti => rand(2<<64).to_s
}, "Our shared secret")Zendesk requires an email address to uniquely identify the user. Beyond the required attributes listed in the table below, you may optionally send additional user profile data. This data is synced between your user management system and Zendesk Support.
| Attribute | Description |
|---|---|
| iat | Issued At. The time the token was generated, this is used to help ensure that a given token gets used shortly after it's generated. The value must be the number of seconds since UNIX epoch. Zendesk allows up to three minutes clock skew, so make sure to configure NTP or similar on your servers. |
| jti | JSON Web Token ID. A unique id for the token, used by Zendesk to prevent token replay attacks. |
| Email of the user being signed in, used to uniquely identify the user record in Zendesk Support. | |
| name | The name of this user. The user in Zendesk Support will be created or updated in accordance with this. |
| Attribute | Description |
|---|---|
| external_id | If your users are uniquely identified by something other than an email address, and their email addresses are subject to change, send the unique id from your system. Specify the id as a string. |
| locale (for end-users)
locale_id (for agents) |
The locale in Zendesk Support, specified as a number. |
| organization | The name of an organization to add the user to.
If the option Allow users to belong to multiple organizations is enabled, additional organizations append the original organization, and are considered secondary organizations. This does not delete the existing memberships. If you'd like to pass multiple organization names at the same time, use the organizations attribute instead. The organization names must be passed in a string, separated by commas. |
| organization_id | The organization's external ID in the Zendesk API. If both organization and organization_id are supplied, organization is ignored.
If the option Allow users to belong to multiple organizations is enabled, additional organizations append the original organization, and are considered secondary organizations. This does not delete the existing memberships. If you'd like to pass multiple organization IDs at the same time, use the organization_ids attribute instead. The organization IDs must be passed in a string, separated by commas. |
| phone | A phone number, specified as a string. |
| tags | This is a JSON array of tags to set on the user. These tags will replace any other tags that may exist in the user's profile. |
| remote_photo_url | URL for a photo to set on the user profile. |
| role | The user's role. This value can be set to end_user, agent, or admin. The default is end_user. If the user's role is different than it is in Zendesk Support, the role is changed in Zendesk Support. |
| custom_role_id | Applicable only if the role of the user is agent. |
| user_fields |
A JSON hash of custom user field key and values to set on the user. The custom user field must exist in order to set the field value. Each custom user field is identified by its field key found in the user fields admin settings. The format of date values is yyyy-mm-dd. If a custom user field key or value is invalid, updating the field will fail silently and the user will still log in successfully. For more information about custom user fields, see Adding custom fields to users.
Note: Sending null values in the the user_fields attribute will remove any existing values in the corresponding fields.
|
Remote login URL parameter (return_to)
Whether you pass in the return_to parameter or not is optional, but we recommend it for the best user experience. When Zendesk redirects a user to your remote login page, it can pass a return_to URL parameter. The parameter contains the page that Zendesk will return the user after your system has authenticated the user. Append the parameter name and value to the Zendesk JWT endpoint.
For example, suppose an agent who is signed out clicks the following link to open a ticket in Support: https://mycompany.zendesk.com/tickets/1232. The flow is as follows:
- On click, Zendesk redirects the user to your remote login URL and appends the following
return_toparameter to the URL:https://mycompany.com/zendesk/sso?return_to=https://mycompany.zendesk.com/tickets/123 - Your authentication system takes the
return_toparameter from the URL and, after successfully authenticating the user, appends it to the Zendesk JWT endpoint. Example:https://mycompany.zendesk.com/access/jwt?jwt=payload&return_to=https://mycompany.zendesk.com/tickets/123 - Zendesk uses the parameter to open the ticket page for the agent.
The return_to parameter is an absolute URL for the agent interface, and a relative URL for Help Center.
return_to address contains its own URL parameters, make sure that your script URI-encodes the entire return_to value when submitting the JWT token.Error handling
If Zendesk encounters an error while processing a JWT login request, it sends a message that explains the issue. If you specified a remote logout URL when you configured the JWT integration, it redirects to that URL and passes a message and a kind parameter. In case of error, the kind parameter always has the value "error". Zendesk recommends specifying a remote logout URL, as well as logging messages from Zendesk alongside the type. Most of the errors that can happen are ones that you'll want to fix. Examples include clock drifts, rate limits being hit, and invalid tokens.
JWT implementation code examples
The actual JWT implementation is straightforward and most modern languages have libraries that support it. Zendesk provides a series of examples for various stacks in the following JWT SSO GitHub repository:
If you implement JWT in any other stack, we would love to feature an example of that there as well. Add a comment to this article to share what you've implemented.
In case you run IIS/AD and don't want to build your own .NET solution, we provide a full implementation in classic ASP, which requires you to adjust only a couple of variables. Download the ASP authentication script from Github.
42 Comments
Hi
I'm trying to do the same thing that Raghav requested 2 posts above: once authenticated, redirect to Zendesk with the JWT payload and then back to the application.
So I'm redirecting to abc.zendesk.com/access/jwt?jwt=token&return_to=https://my_app_url/
It redirects to the return_to url but the Zendesk session is not opened. Is there another way?
Hi Julien,
I'm sorry for any inconvenience. I've created a ticket for your question so we can look into your specifics with you. Thank you!
We are trying to setup JWT and everything is meeting Zendesk requirement.
But got the error "JWT signature invalid. The signature cannot be verified ,check that your tokens match."
We cannot do anything to this message now.Can someone help here?
Thanks in advance!
Hi Xiengcheng Jin,
Thanks for reaching out, happy to help here! As for the error, possible cause is that the shared secret used to generate the hashed portion of the payload does not match the shared secret listed under Security > SSO > JSON Web Token.
Since only the first several characters of the shared secret are displayed in the Zendesk UI, generally users who receive this error must generate a new shared secret and update the JWT script with the new secret.
Additional cause/s:
- The supplied JWT headers do not contain the "typ" or "alg" parameter. Most JWT implementations should supply these headers automatically.
However, if your team rolls your own implementation (or uses an out-of-date version of our Classic ASP implementation) this error may appear. Most JWT implementations should supply these headers automatically. In this case, Base64 decoding the first section (headers) of the request's JWT parameter can confirm this as the cause of the issue. If either the "typ" or the "alg" parameter is missing, the error can appear:
{"alg":"HS256"}
I hope this helps and points you in the correct direction.
Thanks
Shayne Traqueña
When my nodejs backend redirects to the `https://<mydomain>.zendesk.com?jwt=xxxx` url, I can see that the redirect was blocked because of CORS policy.
Is there any setting in the Zendesk Admin panel, that I should change so that zendesk's CORS policy allows redirect from my domain?
Hi there!
Regarding the error you are receiving, please make sure to check out our article here:
https://support.zendesk.com/hc/en-us/articles/360000795768-How-can-I-troubleshoot-CORS-
I hope this helps!
--
Shayne
This for Simran. For some reason I got notified of your comment but can't see it here.
Remove the exp from your payload. Zendesk doesn't like it. Here is a snip from my C# code:
JwtSecurityToken token = handler.CreateJwtSecurityToken(descriptor);
foreach (KeyValuePair<string, object> entry in payload)
{
token.Payload[entry.Key] = entry.Value;
}
//Zendesk not expecting nbf
token.Payload.Remove("nbf");
//Zendesk doesn't support exp
token.Payload.Remove("exp");
Hey Charlie thanks so much for your response!
I actually deleted my comment because I realized we just hadn't hit the button for Team Members to check the box to use JWT. =\ Foolish mistake on my end and all seems to be working fine now!
But thank you for your note! I can absolutely remove expiration time to clean this up as well !
One more question for you Charlie.
We'd like to pass both an organization and an organization_id as part of the JWT when we login / create users. There's a few things I'm confused about -- i
1. It says if we pass an organization_id claim on the token "If both organization and organization_id are supplied, organization is ignored." -- we're looking to see how we would get both pieces of information in there. Essentially our data is structured with Org#22: Organization Name. So we'd like to pass both pieces of information over here so we can store the ID and the Organization name. How would you suggest we do this? Should we just add it to a custom user field instead and use Organization.
2. We also have a case where users can have multiple organizations so we know we can pass strings as the organizations attribute but, is it possible to also supply a set of IDs there?
Thanks in advance for your assistance!
Hi Simran,
It was a long time ago when I worked on it, I don't know if you can free form name - value pairs in the payload.
The way we do Zendesk is to create many "brands" that correspond to our products and beyond that we use Zendesk tags to create permission groups of who can see what within a brand. Tags are an array so you could encapsulate a lot of logic based on them if you desired.
// // create payload to log designated Epicor app user onto Zendesk wtih tags
payload = new Dictionary<string, object>(StringComparer.OrdinalIgnoreCase) {
{ "iat", timestamp },
{ "jti", System.Guid.NewGuid().ToString() },
{"tags", aryTags },
{ "name", userName },
{ "email", userEmail }
};
hi @... or anyone from the content team... there's missing information in this article that is very critical for my implementation.
1. the JWT attributes mention the ability for setting up multi-org membership with the "organizations" attribute. However, this attribute is not documented.
2. when i'm using the "organization" attribute, will zendesk create the org if it is not created?
We're using SSO with the JWT endpoint and the external_id field. An issue that we're having is that ZD throws an error when a user changes his/her email at our system and then tries to SSO to an existing account (with the external_id remains the same). An example:
If our UserId 123 <user@email.com> visit ZD, we use SSO by passing something like this: { external_id: 123, email: "user@email.com", ... } to the endpoint https://nnn.zendesk.com/access/jwt?jwt=...&return_to=yyy. This works great, ZD creates the user.
Now, if our user changes his/her e-mail to new@email.com in our system, then the next time we use SSO the following JWT is passed: { external_id: 123, email: "new@email.com", ... }. Which results in an error.
I would like to see a setting in ZD where you may configure SSO to allow updating e-mailaddresses if external_id is provided, via the SSO feature. Thanks!
I get this error, could you please help figure out what could be wrong? Apparently only existing users can SSO.
https://example.com/zendesk/logout?kind=error&message=Please%20use%20one%20of%20the%20options%20below%20to%20sign%20in%20to%20Zendesk.
Hi Ursu Alexandr,
Normally, any user can log in through SSO if your Zendesk instance is open. By open, we mean that anyone can submit a ticket. You can check this setting in In Admin Center > People icon in the sidebar > Configuration > End users:
You can find more details in this article:
If the issue happens despite having this setting enabled, please let me know here and I'll create a ticket on your behalf to gather more details and work on a solution.
You should indeed have an error if another user in Zendesk uses the email address new@new.com. Otherwise, it should update the user with this email address since one of the points of using external_id is when users email addresses are subject to change. Please double check and let me know here if you are still encountering an error.
Thank you Christophe, actually what helped to get rid of that error (https://example.com/zendesk/logout?kind=error&message=Please%20use%20one%20of%20the%20options%20below%20to%20sign%20in%20to%20Zendesk. ) was: Enable external authentication
Hey there... I am interested in using ZenDesk for my .NET6 application and would greatly appreciate any guidance you can provide. I see the reference posted... from 10 years ago. 😁 It would be valuable to have something that is a little more current.
Thank you for any assistance/consideration you can provide. 🙏
How to increase the jwt token time from 3minutes to some X-time?
Hi there,
As per docs, In JWT single sign-on , email and external_id parameters are automatically added to the remote logout url.
But for my application, invalid email id is passed to the Remote Logout url.
email=invalid%40example.com and external_id is also not passed.
Could anyone please looked into above issue?
Forgive me if I'm asking a silly question that's already been answered and I missed . . . but we are looking at end-users authenticating two different ways. Is that possible? One large group of end-users AND agents that log in with SAML SSO, and a smaller group of external end-users that would log in using JWT single-sign on. Is this a possibility?
At this time it is not possible to authenticate End Users using more than one method. However it is possible with agents as you can use SSO, Social, or Basic Authentication. You can also use Split Authentication that differs for Agent and End Users. I have linked that below for you.
Split-authentication-methods-for-customers-and-agents
Thanks!
Just in case I'm not phrasing it correctly, taking the Agents out of the equation - are you saying that end-users can't have both forms of SSO? One group of end-users that authenticates using SAML, and other end-users that use JWT?
In other words, I have one large group of end-users that currently authenticates using SAML. I want to have a second group of end-users that would use JWT instead.
Right, it currently is only possible to split authentication methods between agents and end users, and not possible to have both SAML and JWT offered only to end users. I have an inquiry into one of our SSO specialists to verify and see if any workarounds to that are known, and if there is I will follow up with you and let you know what is possible.
Cheers!
Hi! This is helpful, thanks. If the user's external_id is already in the Zendesk system as an end-user, two questions:
1. Will it recreate the user? (I am guessing not)
2. Will this enable the user to receive articles that are scoped to the user's tags and therefore user segments?
We are planning on already having the user created in the Zendesk system long before they attempt to use the JWT SSO.
Thanks!
Hey Jimmy!
Sorry for the delayed response. To answer your questions, if the user's external_id is already in the Zendesk system,
1. it will not recreate the user
2. everything on the user's profile associated with that external_id and email address will be applicable in the Zendesk system, including their tags, so this should work as you anticipate it to.
Just make sure that the external_ids are paired with the email addresses these end users have. You can't have duplicates of email or external_id, so make sure to triple check that before implementing your SSO solution.
Is is possible to go directly to the https://yoursubdomain.zendesk.com/access/jwt link from our SAAS as our user's will already been signed in, save them having to sign in again to access the knowledge base we have in Zendesk
Unfortunately not as the JWT handshake wouldn't have been completed so the payload wouldn't be included in the request.
Sorry for the inconvenience
Eric Nelson Sorry what I meant was during the redirect from our app to https://yoursubdomain.zendesk.com/access/jwt generate a JWT and include that in the payload. The issue we have is that each our clients has a unique url for sign-in so redirecting them to a generic login (https://mycompany.com/zendesk/sso) won't work
Hi, our SSO setup is currently not working, the login attempt does not redirect to our zendesk instance , instead the return url is as follows:
https://*remoteURLdomainName*/en/?email=&external_id=&kind=error&logout=1&message=Please+use+one+of+the+options+below+to+sign+in+to+Zendesk.
JWT has been configured in the Admin center with the correct remote login URL . Any hints as to what this error above could indicate? Our hosting team does not identify that error as coming from them.
thanks,
Diego
Hi Zendesk community,
There's no info about how to create a light agent.
Is it possible to get the info please?
Thank you,
Please sign in to leave a comment.