Multibrand allows you to control all your company brands in a single Zendesk Support instance. However, security settings will only allow you to set up one single URL for remote logins, which might be problematic if you have different user databases for each of your brands.
Fear no more! This approach will allow you to create an easy script between Zendesk Support and the SSO login script in your server that will allow you to route your customers to specific URLs based on which brand they are trying to log into.
This tip assumes that you have already configured JWT on your server. Otherwise, make sure that you follow the instructions listed on the article Setting up single sign-on with JWT (JSON Web Token) first.
I'm using php in this example, but you can adapt it to other languages if you need to.
This article contains the following sections:
- Two or more brands set up
- Two or more user authentication systems set up with JWT SSO
- The scripts
- Update security settings
- Troubleshooting
Two or more brands set up
For this tip to make sense, you will need at least two brands configured. For details, see Setting up multiple brands (Professional Add-on and Enterprise) .
After you set it up, save the brand URL and the host mapped brand URL. We will use them in our script later.
Two or more user authentication systems set up with JWT SSO
As mentioned previously, you will need to have set up and configured JWT SSO on your user authentication systems. You can do one for each brand already, but bear in mind that the shared secret that you obtain from security options will have to be the same in all your authentication systems.
Save the login URL and logout URL along with the information from the previous section.
The scripts
Now the fun part begins! Your list of saved URLs might look like this:
Brand 1
Non-Hostmapped URL: https://brand1.zendesk.com
Hostmapped URL: https://support1.example.com
Brand 2
Non-Hostmapped URL: https://brand2.zendesk.com
Hostmapped URL: https://support2.example.com
System 1
Login URL: https://page1.example.com/zdlogin.php
Logout URL: https://page1.example.com/zdlogout.php
System 2
Login URL: https://page2.example.com/zdlogin.php
Logout URL: https://page2.example.com/zdlogout.php
Now, let's create the script. Remove the https:// from each brand URL when you use it as an array key, but keep it on the login and logout script URLs.
Login Script
<?php
// Map each brand host (both the non-hostmapped and the hostmapped form) to the
// JWT login script of the authentication system that serves that brand.
$brand_URLs = array(
    "brand1.zendesk.com"   => "https://page1.example.com/yourcustomloginjwtscript.php",
    "support1.example.com" => "https://page1.example.com/yourcustomloginjwtscript.php",
    "brand2.zendesk.com"   => "https://page2.example.com/yourcustomloginjwtscript2.php",
    "support2.example.com" => "https://page2.example.com/yourcustomloginjwtscript2.php"
);

// Zendesk passes the page the user wanted in return_to; its host tells us the brand.
$return_to = isset($_GET['return_to']) ? $_GET['return_to'] : '';
$host = parse_url($return_to, PHP_URL_HOST);

foreach ($brand_URLs as $k => $v) {
    // Compare the whole host instead of a strpos() substring check: strpos()
    // returns 0 (falsy) for a match at position 0 and would also accept any
    // host that merely contains the brand host.
    if (is_string($host) && strcasecmp($host, $k) === 0) {
        // Forward return_to so the login script can send the user back to this brand.
        header("Location: " . $v . "?return_to=" . urlencode($return_to));
        exit();
    }
}

// No brand matched: refuse rather than guess a login system.
http_response_code(400);
echo "Unknown brand";
?>
Logout Script
<?php
// Same routing as the login script, but pointing at each system's JWT logout script.
$brand_URLs = array(
    "brand1.zendesk.com"   => "https://page1.example.com/yourcustomlogoutjwtscript.php",
    "support1.example.com" => "https://page1.example.com/yourcustomlogoutjwtscript.php",
    "brand2.zendesk.com"   => "https://page2.example.com/yourcustomlogoutjwtscript.php",
    "support2.example.com" => "https://page2.example.com/yourcustomlogoutjwtscript.php"
);

$return_to = isset($_GET['return_to']) ? $_GET['return_to'] : '';
$host = parse_url($return_to, PHP_URL_HOST);

foreach ($brand_URLs as $k => $v) {
    // Exact, case-insensitive host match (see the login script for why not strpos()).
    if (is_string($host) && strcasecmp($host, $k) === 0) {
        header("Location: " . $v . "?return_to=" . urlencode($return_to));
        exit();
    }
}

http_response_code(400);
echo "Unknown brand";
?>
Update security settings
- In Admin Center, click the Account icon in the sidebar, then select Security > Single sign-on.
- For JSON Web Token, click Enabled, then point to the scripts we created. See example below.
- Save your changes.
- Remote login URL - This has to be the URL to the Login Script.
- Remote logout - This has to be the URL to the Logout Script.
- Update of external IDs? - If some of your customers have an account in more than one user authentication system under the same email address, select "On" for this option to avoid conflicts when they log in.
Now your agents or customers will be able to authenticate using their specific authentication system, depending on which brand they are trying to access.
You can also find the scripts here:
Note 1: Security risk is low if you use the script as it is. If you modify it extensively other than the changes mentioned here, you may create a security vulnerability on your own server (not Zendesk’s).
Note 2: Since we only provide 1 JWT Token, all your SSO Scripts will use the same tokens in your authentication systems. If one of your systems is compromised, it may lead to all of your brands being compromised.
Note 3: If you get an "Invalid JWT Request" error when you try to SSO, refer to the Troubleshooting instructions below.
Troubleshooting
To prevent invalid JWT request errors, hardcode https://(defaultsubdomain).zendesk.com/access/jwt?jwt= as the JWT endpoint for both brands, where (defaultsubdomain) is your main brand subdomain (for example, mydomain.zendesk.com).
- Hardcode https://(defaultsubdomain).zendesk.com into the SSO script, so the JWT payload is always sent to https://(defaultsubdomain).zendesk.com/access/jwt.
- Add the snippet below to the script so that it carries 'return_to' through, and the end user is redirected back to the Help Center they came from. For both brands, send the payload to the fixed '(defaultsubdomain)' URL and append 'return_to'.
The snippet for your reference:
if(isset($_GET["return_to"])) {
$location .= "&return_to=" . urlencode($_GET["return_to"]);
}
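To show how the routing script, the fixed default subdomain and the return_to snippet fit together, here is an added example (not code from the article or from Zendesk) of the per-system JWT login script that the routing script redirects to. It assumes DEFAULT_SUBDOMAIN and SHARED_SECRET are placeholders you fill in, that current_user() is a hypothetical function returning your authenticated user, and that the brand host list matches the one in your routing script.

```php
<?php
// Added example: JWT login script for one authentication system (e.g. zdlogin.php).
// DEFAULT_SUBDOMAIN and SHARED_SECRET are placeholders; current_user() is hypothetical.
define('DEFAULT_SUBDOMAIN', 'mydomain');                        // your main brand subdomain
define('SHARED_SECRET', 'REPLACE_WITH_ZENDESK_SHARED_SECRET');  // same value in every system

function base64url(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

// Build an HS256 JWT by hand: header.payload.signature, each base64url-encoded.
function build_jwt(array $claims, string $secret): string {
    $header  = base64url(json_encode(['typ' => 'JWT', 'alg' => 'HS256']));
    $payload = base64url(json_encode($claims));
    $sig     = base64url(hash_hmac('sha256', "$header.$payload", $secret, true));
    return "$header.$payload.$sig";
}

// Only pass on a return_to that points at one of your own brand hosts, so the
// script cannot be used to bounce a logged-in user to an arbitrary site.
function allowed_return_to(string $url, array $hosts): bool {
    $host = parse_url($url, PHP_URL_HOST);
    return is_string($host) && in_array(strtolower($host), $hosts, true);
}

$user = current_user();  // hypothetical: ['id' => ..., 'name' => ..., 'email' => ...]
$jwt = build_jwt([
    'iat'         => time(),
    'jti'         => bin2hex(random_bytes(16)),  // unique per token, used to prevent replay
    'name'        => $user['name'],
    'email'       => $user['email'],
    'external_id' => (string) $user['id'],
], SHARED_SECRET);

// The payload always goes to the default subdomain, whichever brand the user came from.
$location = 'https://' . DEFAULT_SUBDOMAIN . '.zendesk.com/access/jwt?jwt=' . $jwt;

// Append return_to (the snippet from the troubleshooting section) so Zendesk sends
// the user back to the brand's Help Center after the token is accepted.
$brand_hosts = ['brand1.zendesk.com', 'support1.example.com',
                'brand2.zendesk.com', 'support2.example.com'];
if (isset($_GET['return_to']) && allowed_return_to($_GET['return_to'], $brand_hosts)) {
    $location .= '&return_to=' . urlencode($_GET['return_to']);
}
header('Location: ' . $location);
exit();
```

Because every system signs with the same shared secret (Note 2 above), keep SHARED_SECRET out of source control and rotate it in Zendesk and in all systems together if any one of them is compromised.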
10 Comments
How access can be restricted to particular brand for a user who is login via SSO (JWT based)? What parameter should JWT token contain to specify brands allowed for user ?
Hi Haseena! It is not possible to restrict end-users to a specific brand via SSO. When you have multiple Help Centers to support multiple brands, all of your Help Centers are accessible to all of your end-users. If you are using SSO, each Help Center will redirect users to the same single sign-in protocol and database. This is because users belong to the account, not to a specific brand.
To keep end-users from logging into brands that you do not wish them to have access to, you can create a script between Zendesk Support and the SSO login script on your server. This script will allow you to route your customers to specific URLs based on which brand they are trying to log into. You can follow the instructions in this Multibrand - Using multiple JWT single sign-on URLs article.
You will also want to set things up so that the list of your brands doesn't get sent out to your customers so, theoretically, unless your customers know the domain/subdomain from the brand you do not wish them to log into, they will never know that it's there.
Hi There
Just want to clarify if the below is possible when using SSO and multibrand.
SSO is configured (SAML) for end users.
For Brands 2, 3 and 4 these Help Centers don't require sign in so customers can access the Help Centers no problems (as anonymous users). But if they want to sign in and see their 'My Activities' etc, currently it goes to the SSO.
Not sure if this is possible.
Many thanks
Chad
Hi Chad,
Thanks for patiently waiting! Ideally, it is not possible to apply different SSO options to individual brands, unless using a custom script for JWT. Based on the scenario you provided, it appears that this article is the best suited for your workflow, as this approach will allow you to create an easy script between Zendesk Support and the SSO login script in your server that will allow you to route your customers to specific URLs based on which brand they are trying to log into.
I hope this clarifies it!
Many thanks Darenne.
This is clear :)
Cheers
Chad
Hi Darenne -
Are you saying that one could write a routing script that would send users to standard Zendesk auth for some brands but to an SSO page for others? I understand sending users to different SSO pages based on brand but with both returning JWT tokens. I wasn't aware you can use Zendesk native auth as an option.
Hello Kaela Chandrasekaran,
Thank you for your post, hope you are doing well today.
To answer this : Are you saying that one could write a routing script that would send users to standard Zendesk auth for some brands but to an SSO page for others?
Technically speaking, yes, if Zendesk passwords are still enabled, users with a Zendesk username and password can still access the account by browsing to a specific URL, type /access/normal.
For your Staff:
For your End-Users:
For example, you could entirely point your users' login (Staff and/or End-users) for:
Hope this clarifies it, have a great rest of your day.
Best regards,
Could somebody provide or direct me to get a custom script for JWT SSO setup? I am trying to set up SSO for Zendesk with AAD for the past month using SAML, and even after doing all the configuration on both ends, Zendesk requires authentication, and also when you go ahead and type the credentials, I am not able to log in as well since the external authentication is disabled in Zendesk. Any help would be much appreciated.
We don't have any custom script readily available for JWT SSO. However, Additional information about JWT is a good way to start.
We have a company website (not Zendesk) that requires a user to log in. I want to embed this page in our Zendesk customer community, and once the end customer is logged into the community they can click the link without logging in. Any help would be greatly appreciated.