You can provide your users with more options for signing in to Zendesk Support by allowing them to use their existing social and business accounts.
- Agents and admins can use Google and Microsoft (Microsoft Entra ID and Office 365) SSO methods to sign into their business accounts.
- End users can use Facebook, Google, and Microsoft SSO methods using their social/personal accounts.
How social and business SSO works
Social and business single sign-on allows team members to access Zendesk using their Google and Microsoft business accounts, and end users to access Zendesk using their personal Facebook, Google, or Microsoft accounts.
When you turn on these SSO methods and select Let them choose on the team member or end user authentication page, sign-in buttons for each active SSO method are added to your help center page. In the example below, the end user can log in using any of their personal Facebook, Google, or Microsoft accounts.
If you select Redirect to SSO, users will be automatically redirected to the primary SSO.
Your users' social and business account sign-in credentials (username and password) are never shared with Zendesk. Only the primary email address contained in the social and business account is shared.
Enabling social and business SSO
You can enable social SSO (for end users) and business SSO (for team members) without any custom configuration. To learn more about how the authentication process works after you enable, see First authentication process.
To enable business SSO for team members
- In Admin Center, click
Account in the sidebar, then select Security > Team member authentication.
- Select External authentication to display options for third-party sign-in services.
- Select the business accounts you'd like to allow the team member to sign in with: Google or Microsoft. You can select one or both options.
- If you selected Microsoft, you must provide the tenant IDs for the Microsoft Entra ID tenants that are permitted to access your Zendesk account (also required for Office 365). In the Allowed tenant IDs field, type the tenant IDs, separated with spaces.
- Select an option for How team members sign in:
- Let them choose allows the team member to sign in using any active authentication method. See Giving users different ways to sign into Zendesk for more information about this sign-in experience.
- Redirect to SSO only allows team members to authenticate using the primary SSO configuration. If you select this option, you must select the primary SSO configuration in the Primary SSO drop-down field that appears.
- Click Save.
-
In Admin Center, click
Account in the sidebar, then select Security > End user authentication.
End user options are not available until you activate your help center. See Getting started with Guide.
- Select External authentication to display options for third-party sign-in services.
- Select each of the SSO options you want to enable.
If you select Microsoft, your end users can sign in with Microsoft identities managed through a personal Microsoft account (for instance, services like Xbox, Teams for Life, or Outlook).
- Select an option for How end users sign in:
- Let them choose allows the end user to sign in using any active authentication method. See Giving users different ways to sign into Zendesk for more information about this sign-in experience.
- Redirect to SSO only allows end users to authenticate using the primary SSO configuration. If you select this option, you must select the primary SSO configuration in the Primary SSO drop-down field that appears.
- Click Save.
If you selected Let them choose, the sign-in links appear for each option on your help center sign-in page.
First authentication process
- Users select one of the social or business sign-on options on your Zendesk account sign-in page.
- Users will be redirected to their social or business sign-in page and must enter their credentials.
- If the credentials are valid, users will be redirected back to your Zendesk Support account.
If the email address matches a user's email address in Zendesk, they are signed in.
If the email address does not match a user in Zendesk, a new user will be created, and Zendesk will send a verification email. If the user is a duplicate of a pre-existing Zendesk user, you can merge the users.
If your Zendesk account is closed or restricted and a user tries to sign in with a business or social account email that does not exist in Zendesk, their request to authenticate is rejected. To allow a user to sign in with a social or business account that uses a different email, you must add the account email to their user profile.
After authenticating, the user is seamlessly signed in to Zendesk. On subsequent visits, if the user is already signed in to their social or business account, they are immediately signed in to Zendesk when they click the associated social or business sign-on button. Otherwise, they are prompted to sign in to their social or business account.
5 comments
The Original DKNY
Is there a method to restrict different brand access when using SSO, eg: Staff with an SSO login get X, Y, & Z brand access, but end-users with SSO only gain access to Brands X & Z.
0
Cheeny Aban
Hi Dave,
As of the moment, SSO will apply to the entire account. There is no native way to restrict the implementation to different brands. However, I understand your need for this functionality and I am marking this comment as product feedback. We truly value customer feedback and your voice and votes in the community help influence future Zendesk functionality.
All the best
0
Mike Englebrecht
Looking for some direction prior to touching base with my internal IT team on how what we need to consider to move forward in our set-up with access/Help Center:
Our situation is we have end users that fall into the following segments:
1. Organization A has end users that they wish to manage via OneLogin
2. Organization B has end users that they wish to manage via Azure Active Directory
3. All other organizations have end users that will login using Zendesk authentication
...specifically so that any one of these end users can submit a ticket, track tickets and even access certain content in the HC (based on their identity/organization).
Is this "mix" possible?
And is it possible to do so in a way where the end users never see/feel a thing - their accounts in Zendesk have the accurate info and however they login, it works?
Any/all input is appreciated.
0
James
Please could someone at Zendesk confirm whether it is on the roadmap to restore business SSO for end users?
In the past, this was possible but was removed on 18 May 2023 for security reasons. I was wondering if a workaround has been found and if we can expect to see this restored.
0
Caroline Kello
Hey James, I'm Caroline from the Product team 👋 I'm assuming you're referencing Microsoft SSO for end users in particular here? We currently don't have any plans to address this in 2025, but I've added your feedback to our internal tool to make sure that it's captured and tracked accordingly.
0