Admin Center lets you manage how you authenticate users. You can use Zendesk's own user authentication (the standard sign-in process) or you can remotely authenticate users using single sign-on (SSO) and then seamlessly sign them in to Zendesk. You can also let users sign in using popular business or social authentication services such as Google, Microsoft, Facebook, or Twitter.
In Admin Center, an end user is any user receiving customer service. If you enable authentication for end users, they'll need to sign in to submit or track their tickets in the help center. See Understanding options for end-user access and sign-in in the Support help center.
The authentication options for end users apply to the help center only. To authenticate end users who use the Chat widget or Web Widget (Classic), see Enabling authenticated visitors in the Chat widget or Enabling authenticated visitors in the integrated Web Widget (Classic).
A team member in Admin Center is any user providing customer service, not a person receiving it. A team member is usually an admin, agent, or account owner. A team member may also be an employee who has been assigned a custom role.
Topics covered in this article:
- Accessing the security settings from Admin Center
- Enabling Zendesk authentication
- Disabling Zendesk authentication
- Enabling social and business single sign-on (SSO)
- Enabling enterprise single sign-on (SSO)
If you use Zendesk authentication, you can manage additional security settings. See the following topics:
- Restricting access by IP addresses
- Sending password-change notifications
- Requiring 2-factor authentication
- Setting an inactivity time-out period
An alternative to Zendesk authentication is single sign-on (SSO). SSO lets users sign in once to gain access to multiple systems and service providers, including Zendesk Chat. To learn more, see SSO (single sign-on) options in Zendesk in the Support help center.
To help Zendesk troubleshoot an issue in your account, you can let a Zendesk agent assume the role of agent in your account for a specified time. See Allowing Zendesk to assume the role of agent.
Accessing the security settings from Admin Center
To access the security settings from Admin Center
- In Admin Center, click the Account icon in the sidebar.
- In the Security section, select one of the security options.
Enabling Zendesk authentication
You can use Zendesk authentication (the standard sign-in process) for team members and end users. Zendesk authentication is enabled by default.
For end users, the following conditions must be met before they can use Zendesk authentication:
- Help center must be activated. Help center is the only publicly accessible side of Support and Chat for end users. See Getting started with Guide in the Support help center.
- End users must register. After registering, an end user is prompted to verify their email address and create a password, which the user can then use to sign in. See Requiring your users to register in the Support help center.
To enable Zendesk authentication
- Open the security settings for Team members or End users.
  - In Admin Center, click Account in the sidebar, then select Security > Team member authentication.
  - In Admin Center, click Account in the sidebar, then select Security > End user authentication.
  You can set one sign-in option for team members and a different one for end users.
- Make sure Zendesk Authentication is selected.
The option is selected by default.
- Set the password security level.
See Setting the password security level in the Support help center.
- Click Save.
If you enable Zendesk authentication, you can manage the following additional settings:
Disabling Zendesk authentication
In some cases, you may choose to disable Zendesk authentication and use another authentication method, such as SSO, for team members and end users.
To disable Zendesk authentication
- Open the security settings for Team members or End users.
  - In Admin Center, click Account in the sidebar, then select Security > Team member authentication.
  - In Admin Center, click Account in the sidebar, then select Security > End user authentication.
- Deselect Zendesk Authentication.
- Click Save.
If you're disabling Zendesk authentication for end users, also do the following:
- In Admin Center, click People in the sidebar, then select Configuration > End users.
- Determine if you want to enable or disable the Anybody can submit tickets setting.
Typically, when Zendesk authentication is disabled for end users, you would also disable this setting to keep unauthenticated end users from submitting tickets. But if you want end users to send email to their support addresses without allowing them to log in anywhere, leave this setting enabled.
If you disable Zendesk authentication for end users, but you still have Anyone can submit tickets enabled, end users will not see a sign up page when they submit a ticket. Instead, they are redirected back to the help center home page.
- Save your changes.
Enabling social and business single sign-on (SSO)
Users can sign in to Zendesk using their credentials for certain social and business accounts. The social accounts are Facebook and Twitter. The business accounts are Google and Microsoft.
End users can use all four – Twitter, Facebook, Google, and Microsoft. Team members can only use Google or Microsoft.
To learn more, see SSO (single sign-on) options in Zendesk in the Support help center.
To enable social and business single sign-on
- Open the security settings for Team members or End users.
  - In Admin Center, click Account in the sidebar, then select Security > Team member authentication.
  - In Admin Center, click Account in the sidebar, then select Security > End user authentication.
- Select the social or business SSO option you want to enable.
- If you want users to use only the SSO option, disable the Zendesk Authentication option.
Warning: Disabling Zendesk authentication permanently deletes any Zendesk passwords on record within 24 hours. API requests using an email address and password combination will also fail for both agents and end users.
- Click Save.
Enabling enterprise single sign-on (SSO)
Zendesk supports two enterprise single sign-on solutions:
- Secure Assertion Markup Language (SAML): SAML is supported by many identity provider services, such as Okta, OneLogin, Active Directory, and LDAP. For information on configuring SAML single sign-on, see Enabling SAML single sign-on.
- JSON Web Token (JWT): Credentials and user information are sent in JSON format encrypted using a Zendesk shared secret. For information on configuring JWT single sign-on, see Enabling JWT (JSON Web Token) single sign-on.
To learn more, see Enterprise single sign-on in the Support help center.
You can enable SAML or JWT single sign-on only for team members, only for end users, or for both groups.
To enable SAML or JWT single sign-on
- In Admin Center, click Account in the sidebar, then select Security > Single sign-on.
- Click the Configure link of one of the SSO options and enter the configuration information.
For details, see the following topics:
- After configuring your SSO option, click Team members or End users and select the External authentication option if not already selected.
- If you want all users to only use the single sign-on method, deselect the Zendesk authentication option.
Any Zendesk passwords will be permanently deleted from the account within 24 hours.
- Select the Single sign-on option in the External authentication section.
For end users, selecting the SSO option deselects the Zendesk Authentication option if enabled.
Warning: Disabling Zendesk authentication permanently deletes any Zendesk passwords on record within 24 hours.
- Click Save.
Restricting access by IP addresses
If Zendesk authentication is enabled, you can restrict access to your account so that only users from specific IP addresses can reach it. For example, to restrict access to users in your company, specify the IP addresses of your company. You can also allow end users to bypass the restrictions. IP restrictions that you manage in Admin Center apply to sign-in for all products.
Enabling IP-based access restrictions can break third-party integrations that access your account. Make sure to create an allowlist for all external IPs that access your account through the Zendesk APIs. Some integrations use variable IP addresses that can't be included in an allowlist. If you want to use these integrations, you must disable IP restrictions.
You can specify ranges of IP addresses, separating each range with a space. Two methods are available to specify a range. The first is to use asterisk (*) wildcards. An IP address consists of four numbers separated by periods, such as 192.168.0.1. You can substitute a single asterisk character (*) for any number group to let Zendesk know that it should accept any value in that space. For example, 192.*.*.* allows any IP address whose first number is 192.
The second way to specify an IP range is to use IP subnet mask syntax. For example, 192.168.1.0/25 specifies all the IP addresses between 192.168.1.0 and 192.168.1.127.
You cannot specify IP ranges where the CIDR (Classless Inter-Domain Routing) value is 0. For example, if you specify 10.0.0.0/0, the /0 is a valid format, but it's not accepted by Zendesk.
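The two range syntaxes described above can be checked offline before IP restrictions are enabled, for example to confirm that every address an integration uses is covered by the allowlist. This is an added example, not Zendesk code: the function names, the sample allowlist and the sample addresses are constructed, and the matching logic is an assumption based on the syntax described in this section.

```python
import ipaddress

def parse_range(entry):
    """Parse one allowlist entry into a predicate over IPv4Address objects."""
    if "/" in entry:
        # Subnet mask syntax, e.g. 192.168.1.0/25
        net = ipaddress.IPv4Network(entry, strict=False)
        if net.prefixlen == 0:
            # Valid CIDR format, but the article says a value of 0 is rejected
            raise ValueError(f"{entry}: a CIDR value of 0 is not accepted")
        return lambda ip: ip in net
    # Wildcard syntax: four groups, each a number 0-255 or a single '*'
    groups = entry.split(".")
    if len(groups) != 4:
        raise ValueError(f"{entry}: expected four groups separated by periods")
    pattern = []
    for g in groups:
        if g == "*":
            pattern.append(None)              # any value in this position
        elif g.isascii() and g.isdigit() and int(g) <= 255:
            pattern.append(int(g))
        else:
            raise ValueError(f"{entry}: bad group {g!r}")
    # ip.packed is the 4-byte form of the address; compare group by group
    return lambda ip: all(p is None or p == o for p, o in zip(pattern, ip.packed))

def parse_allowlist(text):
    """Ranges are separated by spaces, as in the Allowed IP Ranges field."""
    return [parse_range(e) for e in text.split()]

def uncovered(allowlist_text, addresses):
    """Return the addresses that no range in the allowlist covers."""
    ranges = parse_allowlist(allowlist_text)
    return [a for a in addresses
            if not any(r(ipaddress.IPv4Address(a)) for r in ranges)]

# Constructed sample values (not from a real account)
ALLOWLIST = "192.168.1.0/25 10.20.*.* 203.0.113.7"
INTEGRATION_IPS = ["192.168.1.127", "192.168.1.128", "10.20.33.4", "203.0.113.8"]

if __name__ == "__main__":
    # Addresses listed here would be locked out once restrictions are enabled
    print(uncovered(ALLOWLIST, INTEGRATION_IPS))
```

Any address the function returns needs its own allowlist entry before IP restrictions are turned on.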
To set IP restrictions
- In Admin Center, click Account in the sidebar, then select Security > Advanced.
- On the IP Restrictions tab, select Enabled, then enter the Allowed IP Ranges you want to restrict.
- If you don't want the IP restrictions to apply to end users, make sure Allow customers to bypass IP restrictions is selected.
- Click Save.
For more information, see Restricting access to Zendesk Support using IP restrictions.
Sending password-change notifications
If Zendesk authentication is enabled, you can send email notifications to team members and end users when their passwords change.
To send password-change notifications
- In Admin Center, click Account in the sidebar, then select Security > Advanced.
- On the Passwords tab, select Email notifications.
- Click Save.
Requiring 2-factor authentication
If Zendesk authentication is enabled, you can require team members to use 2-factor authentication when they sign in. Once this setting is enabled, all team members will be required to set up 2-factor authentication the next time they sign in. For instructions for your team, see Using 2-factor authentication.
To require 2-factor authentication
- In Admin Center, click Account in the sidebar, then select Security > Advanced.
- On the Authentication tab, select Require two-factor authentication (2FA).
- Click Save.
For more information, see Managing 2-factor authentication.
Setting an inactivity time-out period
If Zendesk authentication is enabled, you can customize the session expiration period for team members and end users. If a user is inactive for the specified period, they are signed out.
Users remain signed in as long as they actively use the product. Active use includes typing and clicking links. See Understanding your Zendesk session time.
A session expires after 8 hours of inactivity for all users by default. If your security requirements differ for your team members and end users, you can set separate expiration periods for each.
To set an inactivity time-out period
- In Admin Center, click Account in the sidebar, then select Security > Advanced.
- On the Authentication tab, select a session expiration period for team members and end users under Session expiration.
- Click Save.
Allowing Zendesk to assume the role of agent
To troubleshoot an issue, you can let a Zendesk agent assume the role of agent in your account for a specified time. This setting is disabled by default.
This setting can be useful to help Zendesk solve the following issues with your account:
- Highly technical issues
- Issues that Zendesk can't reproduce anywhere else
- Issues where Zendesk needs to visually analyze console information that's not obtainable with any other method
- IP configuration issues
- Issues where Zendesk needs to create test tickets to test or troubleshoot possible causes and solutions
To allow Zendesk to assume the role of agent in your account
- In Admin Center, click Account in the sidebar, then select Security > Advanced.
- On the Account Assumption tab, select Enable account assumption.
- Select a duration from the Duration menu.
- Click Save.
7 Comments
I too would like to suggest, as did Emily Graham 8 months ago it seems, that there be a couple more choices between 8 hours and 2 weeks. 1 day, 2 days, and perhaps 4 days for those with bank holidays type thing. 2 weeks seems too long and 8 hours too short as most clock off at 5pm and back on at 8 or 9 am, so the only option that works is 2 weeks.
Oddly, this auto session logout only seems to kick in when an agent uses another computer to login and that new computer is then affected. The old computer/browser doesn't seem to be affected. I noticed this due to Covid19 where we were banished from the office. RDP to office desktop still confirms that those sessions remain active overnight while a residential login is booted out nightly due to the 8 hour setting.
Hi Chris and those others of you who've requested additional session expiration timeframe choices: If you wouldn't mind, please add your requests and the reasons behind them to this thread in our Feedback on Support post, and upvote this post: session expiration longer than 8 hours but less than 2 weeks
The more information we have about the impact to your workflow, the better. Thanks!
Does IP restriction apply to JWT token integration?
IP restrictions apply to third party integration and JWT login, be sure to include all external IPs that need access to your account, more information in our documentation Restricting access to Zendesk Support and your Help Center using IP restrictions
Hope this helps,
Have a great day
Hi! I'm in the trial period and I'm trying to set up ZD for my company. I'm trying to get to the point where anyone can fully browse Guide and submit tickets/questions without needing to log in. When I disable any authentication for end-users it returns an error that basically says that "there is no authentication method". What am I doing wrong? Thanks!
Hi Federico Vitale,
Check out this article and see if it helps:
Enabling anyone to submit tickets
Let us know. And good luck!
Hi Jennifer Rowe, thanks for your reply! I'm trying to get to the point where the account button on the top right of the HC would not appear, since I'm not going to use the login feature for now (logged users interact on a custom platform) and having it show would confuse users in the end. I'd also prefer not to edit the HTML code, so as not to fiddle too much and keep things as standard as possible (also I'm not a developer and it would make my life easier) :) Do you think this is feasible?