In addition to the user authentication provided by Zendesk, you can also use single sign-on (SSO) to authenticate your users outside of Zendesk. There are three types of SSO: social account, business account, and enterprise.
Essential facts for SSO
Below are some essential facts about the available SSO options. These are explained in greater detail in this article.
- Admins and agents can sign in with their Google, Microsoft, and Zendesk accounts, or can sign in directly by going to their Zendesk URL and entering their username and password. End users can sign in with social accounts and their Zendesk accounts.
- If your Zendesk account is closed or restricted, and a user tries to sign in with a different email than the one registered in Zendesk Support, their request will be rejected.
- You can have multiple active SAML, JWT, and OpenID Connect (OIDC) SSO configurations, each assigned to a different collection of users. Each configuration has its own remote sign-in page.
- No matter what authentication method you choose, Zendesk stores all users in the same database.
- If you're using a third-party identity provider to authenticate, you must configure the Zendesk app with the identity provider.
- It is not possible to apply different SSO options to individual brands, unless you use a custom script for JWT.
- If you place a wildcard (*) in the blocklist, users will no longer be able to authenticate or create an account with SSO. See Using the allowlist and blocklist to control access to your Zendesk.
Social and business account SSO
- Agents and admins can use Google and Microsoft (Microsoft Entra ID and Office 365) SSO methods to log into their business accounts.
- End users can use Facebook, Google, and Microsoft SSO methods using their social/personal accounts.
When using business account SSO, it's important to note that the Google sign-in supports both Gmail and Google Workspace.
To add social and business account SSO to your sign-in page, see Enabling social and business account single sign-on.
Enterprise SSO
You can require users to sign in using enterprise SSO, or you can activate multiple sign-in options (for example, enterprise SSO and Zendesk authentication) and let users decide how they want to sign in. (The word "enterprise" in this context doesn't refer to Zendesk Enterprise plans.) See Giving users different ways to sign into Zendesk.
About enterprise SSO
When you direct users to enterprise SSO, you're bypassing Zendesk and authenticating your users externally. When users navigate to your Zendesk sign-in page or click a link to access your Zendesk account, they authenticate by signing into a corporate server or a third-party identity provider, such as OneLogin or Okta. Enabling enterprise SSO also affects the iOS and Android versions of the Zendesk mobile app. The sign-in flow works as follows:
- Users navigate to a Zendesk page or subdomain.
- If not already authenticated, users are redirected to your corporate server or third-party identity provider sign-in page, depending on the enterprise SSO option you selected.
- Users enter their sign-in credentials.
- If valid, users are redirected back to the original Zendesk page.
Both your end users and team members can sign in to your Zendesk using enterprise SSO. You can configure enterprise SSO for end users only, for team members only, or for both.
The advantage of using enterprise SSO is that you keep complete control over your users behind your own firewall. You authenticate users once, against your own user authentication system, and then grant them access to many other resources both inside and outside your firewall. User management is performed outside of Zendesk, but your corporate user authentication system stays in sync with Zendesk: when you add an account for a new employee, they have immediate access to Zendesk, and when you delete an account, that employee no longer has access to Zendesk.
By default, the only data that Zendesk stores for each user is their name and email address, but it's possible to sync more user data to Zendesk, like the user's organization.
You can keep Zendesk authentication enabled alongside your enterprise SSO authentication. If you decide to turn off Zendesk authentication, all Zendesk user passwords are permanently deleted within 24 hours.
If your SSO service is temporarily unavailable, you can still access your Zendesk account. See Accessing your Zendesk account when your SSO service is down.
Enterprise SSO options
- Security Assertion Markup Language (SAML): SAML is supported by many identity provider services, such as Okta, OneLogin, Active Directory, and LDAP. For information on configuring SAML SSO, see Enabling SAML single sign-on.
- OpenID Connect (OIDC): Built on the OAuth 2.0 framework, OIDC uses ID tokens to verify the identity of users based on the authentication performed by an authorization server. See Setting up single sign-on with OpenID Connect (OIDC).
- JSON Web Token (JWT): Credentials and user information are sent in JSON format, signed (HMAC) using a Zendesk shared secret. For information on configuring JWT SSO, see Enabling JWT single sign-on.
You can use the same option for all users or different options for different collections of users. This is ideal if you have separate sets of users in different locations that you don't want to merge. If you use more than one enterprise SSO configuration, you can present users with multiple SSO sign-in options on the Zendesk sign-in page or redirect users to the primary SSO. See Giving users different ways to sign into Zendesk.
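The JWT option above, as an added example that is not Zendesk's own code: minting the HS256-signed token with the claims Zendesk's JWT SSO requires (iat, jti, name, email), and the checks a receiving side should apply before trusting it (signature before claims, a pinned algorithm, a freshness window, and a jti replay cache). The shared secret is a placeholder and the 180-second freshness window is an assumption, not Zendesk's documented limit.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# Placeholder: the real value is the shared secret from the Zendesk JWT SSO
# configuration; keep it out of source control and rotate it like a password.
SHARED_SECRET = b"example-shared-secret-placeholder"


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_sso_token(name, email, secret=SHARED_SECRET, now=None):
    """Mint the HS256-signed JWT your login handler passes to Zendesk's /access/jwt endpoint."""
    header = {"typ": "JWT", "alg": "HS256"}
    payload = {
        "iat": int(time.time()) if now is None else now,  # issued-at; the verifier checks freshness
        "jti": str(uuid.uuid4()),  # unique per token so a captured token cannot be replayed
        "name": name,
        "email": email,  # the claim Zendesk matches against its user records
    }
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(payload).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_sso_token(token, seen_jti, secret=SHARED_SECRET, now=None, max_age=180):
    """Checks a verifier must apply: signature, required claims, freshness, single use."""
    h64, p64, s64 = token.split(".")  # ValueError unless exactly three segments
    if json.loads(b64url_decode(h64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose its own algorithm
    expected = hmac.new(secret, (h64 + "." + p64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")  # constant-time compare, done before any claim is trusted
    payload = json.loads(b64url_decode(p64))
    missing = [c for c in ("iat", "jti", "name", "email") if c not in payload]
    if missing:
        raise ValueError("missing claims: %s" % missing)
    now = int(time.time()) if now is None else now
    if not (now - max_age <= payload["iat"] <= now + 60):  # max_age is an assumed window, not Zendesk's
        raise ValueError("token too old or issued in the future")
    if payload["jti"] in seen_jti:
        raise ValueError("replayed jti")
    seen_jti.add(payload["jti"])  # keep ids for at least max_age so a replayed token is caught
    return payload
```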
46 comments
Rakesh Singh
Hello,
I have a site that is hosted on an AWS server with authentication. I want to know if, when users log in to Zendesk and click on the site link within Zendesk, they are able to access the site without having to log in again on that site. Any help would be really appreciated.
James Skene
Hi
Our platform has multiple customers. Some log in via username and password and some log in via their own internal SSO. Once they have logged into our application, I would like them to be able to click a link and be redirected to our help centre without having to log in again, albeit to a different site. Is this possible? If so, what is the best way to achieve this?
Thanks
James
Barkha Bhatia
Hi James Skene, the way you are describing your use case, it looks possible. Do you mind creating a support ticket for this, where someone from Zendesk can help you and also have the opportunity to ask questions specific to your setup?
Barkha Bhatia
Hi Rakesh Singh
Could you please create a support ticket and provide additional details of your use case, screenshots, or anything else that can help a support agent understand your setup? Thanks.
Akshay Kolipakula
Does this SSO feature of Zendesk allow the end-user to sign in to other applications from Zendesk?
Example: If I add an external link in the user's data in the details field and then on clicking it the corresponding URL will load and the authentication needs to be handled by Zendesk SSO. Is it possible?
Mike DR
That would depend on how you set up your SSO; following the steps here will integrate your own SSO to be used in Zendesk. If you send a Zendesk link to them and they are required to sign in using SSO, they will be redirected to that login.
Luciano Rocha
Hi. I'd like to have two different SSO options, one for team members and another for end users. However, when I enabled the different settings, a team member was presented with and able to use the end-user SSO to log in to their team member account, granting admin privileges and bypassing our 2FA requirement, which we want to avoid.
Is it possible to require a specific SSO for team members? And if using the other SSO, that the user would be logged in only as an end-user?
Thanks.
Cheeny Aban
I created a ticket on your behalf so that one of our Engineers will be able to help you with your desired SSO configuration.
I hope that helps!
James Skene
Hi
When sending a link to an article to resolve a customer issue, is it possible to validate that user as a Zendesk user and allow them to view the article without logging in?
Thanks
James
Ivan Miquiabas
Thanks for reaching out!
This will actually depend on the settings of your Help Center. If required sign-in is enabled, then most probably users will still need to log in. But if it's not, then it will not prompt them to log in. Hope that helps!
Cheers!
Tom Matthews
Hi there,
We're on the Professional plan and want to know if it's possible to allow some articles to be seen publicly, without the need to sign into our platform? We've got the articles set to ‘Everyone’ but this is everyone who is logged in. We've got some technical articles we want visible publicly to non-platform users, i.e. developers implementing our tool.
Thanks!
Tony
According to this article, by setting the access to Open or Closed, and by setting the proper visibility to the article, I think that should be possible. It also depends on which settings you currently have in your instance, but generally speaking these two articles should respond to your question.
Feel free to reach out to our support if you want to investigate your settings.
Best,
Kevin Dsouza
Hello, I'm trying to set up SSO via SAML using AWS Cognito but keep getting this error when I try to create a SAML identity provider and upload the metadata file with my subdomain. Any ideas?
requestId: c11a3874-619a-49b3-96d8-92df08fb985c time: Thu Sep 05 2024 18:45:17 GMT+1000 (Australian Eastern Standard Time) code: InvalidParameterException message: Unable to find IDPSSODescriptor in provided idp metadata object
Eoin Gill
Hi there,
I just want to clarify that we can implement Enterprise SSO on JWT/SAML for our end users using their login information from our website we currently use.
Enabling JWT (JSON Web Token) single sign-on.
Enabling SAML single sign-on
I feel like a lot of the language in the docs is vague enough I'm worried it actually might not be possible.
Thanks,
Eoin
Irfan Zahoor
Hi all,
Some advice would be highly appreciated. We have deployed the Zendesk app through Intune on Android devices, but when users try to log in to the app using Google SSO it fails, as Intune uses one common (corporate) Google account to deploy the app, and when a user tries to log in, the app picks up the default account and throws the error "login failed". Is there any way to change the Google login options to allow users to log in to the app as individuals?
Thanks so much, Malik
James Casserly
Does Zendesk SAML support Azure Entra B2C?