Recent searches


No recent searches

Using multiple JWT single sign-on URLs for multiple brands



Edited Jan 16, 2025


9

28

28 comments

How access can be restricted to particular brand for a user who is login via SSO (JWT based)? What parameter should JWT token contain to specify brands allowed for user ?

0


image avatar

Bonnie

Zendesk Customer Care

Hi Haseena! It is not possible to restrict end-users to a specific brand via SSO. When you have multiple Help Centers to support multiple brands, all of your Help Centers are accessible to all of your end-users. If you are using SSO, each Help Center will redirect users to the same single sign-in protocol and database. This is because users belong to the account, not to a specific brand.

To keep end-users from logging into brands that you do not wish them to have access to, you can create a script between Zendesk Support and the SSO login script on your server. This script will allow you to route your customers to specific URLs based on which brand they are trying to log into. You can follow the instructions in this Multibrand - Using multiple JWT single sign-on URLs article.

You will also want to set things up so that the list of your brands doesn't get sent out to your customers so, theoretically, unless your customers know the domain/subdomain from the brand you do not wish them to log into, they will never know that it's there.

0


Hi There

Just want to clarify if the below is possible when using SSO and mutlibrand.

SSO is configured (SAML) for end users.

  • Brand 1 (Internal Help Desk, hostmapped) - I want end-users to login via SSO
  • Brand 2 (Customer Facing Retail Brand, hostmapped) - I want end users to login with their Zendesk Credentials
  • Brand 3 (Customer Facing Retail Brand, hostmapped) - I want end users to login with their Zendesk Credentials
  • Brand 4 (Customer Facing Retail Brand, hostmapped) - I want end users to login with their Zendesk Credentials

For Brands 2, 3 and 4 these Help Centers don't require sign in so customers can access the Help Centers no problems (as anonymous users). But if they want to sign in and see their 'My Activities' etc, currently it goes to the SSO.

Not sure if this is possible.

Many thanks
Chad

0


image avatar

Darenne

Zendesk Customer Care

Hi Chad, 

Thanks for patiently waiting! Ideally, it is not possible to apply different SSO options to individual brands, unless using a custom script for JWT. Based on the scenario you provided, it appears that this article is the best suite for your workflow as this approach will allow you to create an easy script between Zendesk Support and the SSO login script in your server that will allow you to route your customers to specific URLs based on which brand they are trying to log into.

I hope this clarifies it! 

0


Many thanks Darenne.

This is clear :)

Cheers

Chad

0


Hi Darenne -

Are you saying that one could write a routing script that would send users to standard Zendesk auth for some brands but to an SSO page for others? I understand sending users to different SSO pages based on brand but with both returning JWT tokens. I wasn't aware you can use Zendesk native auth as an option.  

0


image avatar

Remi

Zendesk Customer Care

Hello Kaela Chandrasekaran,

Thank you for your post, hope you are doing well today.

To answer this : Are you saying that one could write a routing script that would send users to standard Zendesk auth for some brands but to an SSO page for others? 

Technically speaking, yes, if Zendesk passwords are still enabled, users with a Zendesk username and password can still access the account by browsing to a specific URL, type /access/normal.

For your Staff :

For your End-Users : 

 

For example, you could entirely point your users' login (Staff and/or End-users) for :

  • Brand 1 toward your JWT login script page (see login script code in this article), thus using your JWT SSO method.
  • Brand 2 toward our Zendesk login portal URL, ex : https://yourbranddomain.zendesk.com/access/normal, and therefore, using Zendesk credentials and our "portal"

Hope this clarifies it, have a great rest of your day.

Best regards,

1


Could somebody provide or direct me to get a custom script for JWT SSO setup ? I am trying to setup SSO for zendesk with AAD from the past one month using SAML and even after doing all the configuration on both ends, zendesk requires authentication and also when you go ahead and type the credentials , I am not able to log in as well since the external authentication is disabled in Zendesk.Any help would be much appreciated

0


image avatar

Dane

Zendesk Engineering

@Sam,
 
We don't have any custom script readily available for JWT SSO. However, Additional information about JWT is a good way to start.

 

0


We have a company website (not Zendesk) that requires a user to login.  I want to embed this page in our Zendesk customer community and once the end customer is logged into the community they can click the link without logging in.   Any help would be greatly appreciated

0


Is there a setting to force redirection to the login URL if a non-authenticated user hits a brand's help center URL?  We are using multi-brand SSO but all our brand URLs are allowing non-authenticated access - ideally, if you hit a brand URL, we want it to redirect to the login URL (which will be a script similar to what is laid out above) so we can pass them to the proper site to get authenticated.

0


image avatar

Dion

Zendesk Customer Care

Hey Andrew,

To force authentication, all you need to do is to turn on the "require sign-in" in your Guide setting. If this is enabled, this will force anyone who will try to access a Help Center page over to the authentication URL setup in the SSO settings for the account (if you have SSO) or it will prompt with a Zendesk sign-in window if you are only using the Zendesk auth.

Regards,

Dion
 

1


Great information, thank you

I have a question, where should I put this code:

1) customize my theme layout in brand1/script

2) customize my theme layout in brand2/script

3) on my own server and where. I am using IONOS or 1and1

Sorry for the silly question, but I have no programming education.

Kind regards,

Jose

0


Mr. Anton de Young

Excuse me, another question besides where to put that code (brand1 or brand2 themes design at script or in IONO's server (in my case) and where). Both brands must require a login or at least one can have public articles to read without login?

Regards,

Jose

0


image avatar

Brett Bowser

Zendesk Community Manager

Hey AAHHOO,
 
I'd recommend taking a look at our documentation here: Customizing your help center theme
 
If you don't have any developer experience I would recommend reaching out to your account manager as they may be able to get you in touch with our professional services team.
 
Let me know if you have any other questions for me in the meantime.
 

0


Hi, 

I wondering if it's possible to have different JWT methods but both point to the same brand effectively ?

We were making use of multibrands in Zendesk but recently started moving our support over to a single brand in Zendesk . However the applications we use for JWT use different credentials.

Thank you,

Ross

 

0


image avatar

Dainne Kiara Lucena-Laxamana

Zendesk Customer Care

Hi rossp

You can define up to two active JWT and two active SAML authentication configurations. More information can be found here: Single sign-on (SSO) options in Zendesk

0


Will this method also work for two SAML SSOs? Our technical teams supports two organizations (done as two brands in a single ZD instance) and we wanted to allow the second organizations to be able to login via their own SSO.

0


Could you clarify how the `return_to` query parameter, which the example PHP script depends on and uses to redirect users, ends up on the request? If I attempt to log in, I see no such query parameter on the redirect to our auth system.

0


image avatar

Julio H

Zendesk Customer Care

Hi Nick,
 
Currently, you can allow the end user to choose among several SSO options (Google, Microsoft, custom SSO...) or Zendesk default authentication (username and password). 

For more information, please visit: Providing multiple sign-in options for team members and end users. 

Unfortunately, there is not a simple way to achieve this. However, this could be possible to achieve, but using JWT and your own custom authentication. They customer A and B must login to your custom authentication system, and then via JWT, allow them to access Zendesk. 

Or redirect all the login request to the SSO landing page, where you can have an option for them to select their type of account and show the login option for that type of account. 

If you're this link: subdomain.zendesk.com/access/normal you will be able to only allow the user to login with username and password. 

In any case, currently, this is not possible within Zendesk settings. 

I've marked this conversation as product feedback for review, which means that your input will be aggregated as a part of our Voice of the Customer program that provides customer feedback to our product development teams.
 
In addition, I encourage you to create a new post in the General Product Feedback topic in our community to engage with other users who have similar needs and discuss possible workarounds. Conversations with a high level of engagement ultimately get flagged for product managers to review when they go through roadmap planning.
 
Specific examples, details about impact, and how you currently handle things are helpful for our product teams to understand the full scope of the need when working on solutions. You may also want to review the Product feedback guidelines and how to write an effective feedback post [https://support.zendesk.com/hc/en-us/articles/4413820079386-Giving-Product-Feedback-at-Zendesk-].
 
We truly value customer feedback and your voice and votes in the forums help influence future Zendesk functionality.

Greetings. 

0


When setting up a JWT for end users to login vs. agents with SSO. the login page is missing the forgot password link.  Any way to add that back?  Our customers are unable to request a password reset.

 

0


image avatar

Joyce

Zendesk Customer Care

Hi Jason,
 
I can see that you open a messaging request for this concern and were advised to create Product Feedback for your use case.

0


Hello, I have been watching this thread for some time, and through various web searches have been unable to clearly define the steps needed.  I am looking for an A-B-C checklist, I have most of it together but then it drops entirely at implementing the JWT login scripts.

For example:

1. Configure Okta SSO JWT authentication within Zendesk (COMPLETE)

2. Configure Multiple Brands within Zendesk (COMPLETE)

3. Configure Multiple Help Centers > 1 or 2 per brand (COMPLETE)

4.  FACT - we are using Okta as the SSO solution passing the JWT to Zendesk (confirmed working) -- NEEDED is dependent upon the users email domain (@domain111.com, @domain222.com) this would direct the user to the necessary Help Center

5. QUESTION - where should the proposed login scripts reside, Zendesk or Okta or?  This step is very vague and does not seem to describe "how" the JWT identifies the logged in user to direct them to the appropriate help center.  For example, a user with email @domain111.com would be directed to support-domain111.zendesk.com , similarly if the user email domain is @domain222.com then they would be directed to support-domain222.zendesk.com .

0


I have some questions regarding this scenario.

  • Brand 1 uses JWT login script. Authenticating users via 3rd party SSO.
  • Brand 2 uses Zendesk helpcenter login URL

1. If a user is created through the SSO option via Brand 1, and then later goes to Brand 2 to log in, would they be presented with the option to reset their Zendesk password?

2. If yes, does that mean they would be able to log into Zendesk via the Brand 2 help center by using their Zendesk credentials rather than their 3rd party SSO credentials?

1


@ Chris

I think the answer is YES to both questions one and two. The big issue with Zendesk is that you have one single User Registry and one single Authentication status for the whole account. So, if you log into Zendesk via the Brand 2, you are automatically logged in Brand 1 as well.   It doesn't matter if you're logged in via SSO or not, you are just authenticated, stop!

The only work-around I see is to restrict access to HelpCenters based on Users/Organizations tags (Users segmentation).

Let's hope to get some better official answer from Zendesk...

0


Have this set up but have run into issues with the password reset loop. Brand 1 is SSO redirecting to /access/normal for those attempting to access Brand 2. We're able to get through admin managed password resets through the /password end point but anything going through the /verification endpoint like welcome emails or users resetting their own passwords for Brand 2 gets bounced to SSO. Any advice here so that we aren't relying solely on admins to manage end user credentials for an entire brand?

0


Hi Sarah,
 
Thank you for contacting the Zendesk Support Advocacy team. My name is Gerald and I'll be assisting you today.
 
I understand that you want to setup a method to allow agents and admins to reset their passwords by brand. I'm looking into options for you now. 

0


Hi Sarah. 
 
Apologies for the wait regarding your question.
 
User passwords are not brand restrictive within Zendesk. You would need to implement custom routing based to the brand URL that you created. You can also toggle the SSO setting for end users to "Let them choose" which would give them the option for a Zendesk Login or SSO. You can customize the SSO button's text to signal they users to sign in using the correct method. 
 
https://support.zendesk.com/hc/en-us/articles/5380943678106-Giving-users-different-ways-to-sign-into-Zendesk
 
I'll set this to Solved for now, but if you have an further questions, please raise a ticket and we will be happy to help troubleshoot for you. 
 

0


Please sign in to leave a comment.