Zendesk provides the ability to create multiple SSO authentication configurations for different collections of users. This could be as simple as one authentication policy for end users and another for team members, or as complex as different authentication policies for specific groups and organizations of users.
After you've created your SSO configurations, you can view and manage them on the Single sign-on page in Admin Center.
Viewing your SSO configurations
Your SSO configurations display on the Single sign-on page in Admin Center in a list sorted from newest to oldest. The list includes the configuration's name, the type of configuration (SAML, OIDC, or JWT), which types of users it's assigned to, and whether it's active or inactive.
- In Admin Center, click Account in the sidebar, then select Security > Single sign-on.
Editing SSO configurations
You may need to edit your SSO configurations after you create them. For example, you may need to create a new shared secret for a JWT configuration or update the remote login page URL.
To edit an SSO configuration
- In Admin Center, click Account in the sidebar, then select Security > Single sign-on.
- Click the option menu icon and select Edit for the SSO configuration you want to edit.
Activating or deactivating SSO configurations
SSO configurations are active when they are assigned to either team members or end users. To deactivate an SSO configuration, you must unassign it from both team members and end users, if applicable.
To activate or deactivate an SSO configuration
- Open the Security settings for team members or end users:
  - In Admin Center, click Account in the sidebar, then select Security > Team member authentication.
  - In Admin Center, click Account in the sidebar, then select Security > End user authentication.
- Under External authentication > Single sign-on (SSO), select the configuration you want to activate. To deactivate a configuration, clear the check box.
- Click Save.
Setting the primary SSO configuration
- Let them choose: Display all active authentication options on the sign-in page and allow users to choose how they sign in, or
- Redirect to SSO: Require users to sign in using the primary SSO method.
To set a primary SSO method
- Open the Security settings for team members or end users:
  - In Admin Center, click Account in the sidebar, then select Security > Team member authentication.
  - In Admin Center, click Account in the sidebar, then select Security > End user authentication.
- For Primary SSO, select the name of the SSO configuration you want to send users to by default.
  The Primary SSO field is visible if you have multiple SSO configurations active and you've selected Redirect to SSO.
- Click Save.
Adding "Continue with SSO" buttons to the Zendesk sign-in page
If you let users choose how to sign in, you can show a Continue with SSO button on the Zendesk sign-in page for each active SSO configuration. Customize the button labels so they are meaningful to your users. If you offer multiple SSO sign-in methods, create unique labels so users know which option to choose.
You might not authenticate users this way. For example, if your users only sign in using an identity provider (IdP-initiated SSO), you don't have to add SSO buttons because your users don't use the Zendesk sign-in page.
To add an SSO button to the Zendesk sign-in page
- In Admin Center, click Account in the sidebar, then select Security > Single sign-on.
- Click the option menu icon and select Edit for the SSO configuration you want to add to the sign-in page.
- Scroll to the bottom of the page and select Show button when users sign in.
- In the Button name field, enter the text that should follow "Continue with."
  For example, typing team member SSO creates a button labeled Continue with team member SSO.
- Click Save.
- If the SSO configuration is inactive, activate it by assigning it to team members or end users.
Deleting SSO configurations
You can delete inactive SSO configurations.
To delete an SSO configuration
- In Admin Center, click Account in the sidebar, then select Security > Single sign-on.
- If the configuration you want to delete is active, deactivate it first. See Activating or deactivating SSO configurations.
- Click the option menu icon and select Delete for the SSO configuration you want to delete.