One of the steps in setting up your Zendesk account is deciding how you want to configure end-user access. Based on the type of support you provide, you may allow anyone to submit support requests or limit it to a select group of users. You can configure Zendesk Support for either scenario.
You'll need to configure end-user access, registration, and sign-in options.
This article covers the following topics:
Options for end-user access
You have internal and external users. Your agents and other support staff are your internal users, also called team members. Your end users, also called customers, are the people to whom you provide support and whose tickets you manage in Zendesk Support. These are your external users. While your support staff must sign in to your Zendesk account, your end users may not have to, depending on how you set up access to Zendesk Support.
You can use the allowlist and blocklist to restrict the external users who can access your Zendesk Support instance. For example, you might want to allow only end users from a specific email domain and reject all others.
You can set up your Zendesk Support access to be completely open to all users, restrict it to a specific group or groups of users, or close your Zendesk Support instance and allow only the users you add to your Zendesk account.
- Open means that everyone can see your help center and submit support requests. For example, you'd choose this configuration if you sell products and provide support to the general public. This option allows anyone to submit support requests. A new user account is then created in Zendesk for users who haven't submitted support requests before.
- Closed means your help center is visible to everyone, but only the users you add to your Zendesk account can sign in and submit support requests. Each user's account must be created before they can submit support requests, and signing in is required. This is typically how an in-house IT help desk would configure their Zendesk Support instance.
- Restricted means that your help center is visible to everyone, but only users with email addresses in domains you approve can submit support requests successfully. All other users' requests are rejected. This configuration allows you to restrict access to Zendesk Support but also allows your users to request support without first being added to your Zendesk account, as is the case with a closed Zendesk Support instance.
Setting up your Zendesk Support instance for all three options is described in the following topics:
Options for end-user registration
You can require that your end users register before they can begin a conversation with your Zendesk instance. This means that users must first register (sign up) by providing their name and email address.
- Visits your help center and clicks Submit a request
- Visits your help center and clicks Sign in for the first time and then Sign up
- Sends an email support request to your support email address for the first time
After signing up, users receive a welcome email message that prompts them to verify their email address and create a password to sign in to Zendesk.
Requiring your end users to register helps you ensure that the support requests you receive are legitimate and not spam. Registration does not guarantee that spam won't get through to your Zendesk account, but other tools are provided to handle those that do manage to get through. See Understanding and managing suspended tickets and spam.
- Submit tickets in your help center without being prompted to provide their email address
- Track their tickets in your help center
- Comment on articles in your help center, participate in community discussions, and more. See Getting started with Guide for your help center: Setting up.
- Update their user profile and add additional contact information (email addresses and social media accounts) so that they can submit requests from any of these accounts, and Zendesk will pair them to their Zendesk user account
Allowing unregistered users to submit requests
You can still provide support to your end users without requiring them to register and sign in. They lose the benefits that registration provides, but the ticket workflow is the same for your agents. Many companies provide email-only support and never require their end users to register because they don't want or need their end users to visit and use their help center.
Even when you don't require your end users to register, a user account is created for each of them in your Zendesk account. This is required because Zendesk (and you) need to communicate with them via email. The user account contains their email address and other personal data. These users remain unverified in your Zendesk account, which is fine because you don't require registration.
When unregistered users submit a support request, they receive an email notification informing them that their request has been received. They don't receive the new user welcome email message. And, unlike when requiring registration, the ticket is immediately added to your Zendesk Support instance.
See Managing end user settings for more information about setting up your Zendesk Support instance to allow unregistered users.
End user accounts created by agents
In addition to self-registration, your agents can manually add end users. Administrators can bulk import a list of users using a CSV file or add users via the Zendesk API.
If you require registration, you can send a welcome message to the end users you've added. This is an admin setting called Also send a welcome email when a new user is created by an agent or administrator. Choosing this setting prompts end users to verify their email and choose a password just as if they had created the user account themselves. If you don't require registration, don't choose this option.
Options for end-user sign-in
If you've decided that your end users must sign in to access Zendesk Support, determine how you want to authenticate them so that you're assured that they are who they say they are. You can use Zendesk's user authentication (the standard sign-in process) or remotely authenticate your end users outside of Zendesk and then seamlessly sign them into your Zendesk Support instance. You can also allow your end users to sign in using popular social media such as Facebook, Google, and X (formerly Twitter).
When discussing users that are authenticated outside of your Zendesk account, you will see these terms: single sign-on (or SSO) and remote authentication. Single sign-on is often used interchangeably with remote authentication. For clarity, it's best to think of single sign-on as allowing your users to sign in to your Zendesk Support instance using a password from an outside system. That's made possible by remote authentication; users are authenticated outside of your Zendesk account and then seamlessly sign in.
You can set one authentication method for end users and another for team members (agents and admins). For example, you can specify stricter password requirements for agents who have access to more sensitive information. You can also provide different single sign-on options for each set of users.
Zendesk provides a lot of flexibility regarding configuring sign-in options for your users. You can offer multiple sign-in options and let users choose how to sign in or require users to sign in using SSO.
Standard Zendesk sign-in
This is the user authentication that Zendesk provides. You set your Zendesk account to require registration, and the end user signs up (registers), verifies their email address, and creates a password. They then sign in to your help center using their email address and password. All user data is contained and managed within your Zendesk account.
- Set the security level for passwords, password expiration rules, and so on. See Setting the password security level.
- Turn on two-factor authentication for agents and administrators individually. After entering their password as usual, they'll be asked to enter a 6-digit passcode. The passcodes can be received in text messages, or they can be generated by a two-factor authentication app installed on a mobile device. See Managing two-factor authentication (2FA).
Social and business SSO
In addition to the end user's Zendesk user account sign-in (email address and password), you can allow your end users to sign in to your Zendesk Support instance using their Facebook, X (formerly Twitter), Google, and Microsoft accounts.
These social and business sign-in options are convenient for your end users, so they don't need to remember another password to sign in to your Zendesk account.
The social media account, rather than Zendesk, is authorized to authenticate the end user. Zendesk trusts Facebook, for example, to make sure that the user is who they say they are.
For more information, see Enabling social and business single sign-on (SSO).
Single sign-on with JSON Web Token (JWT)
You can also create a locally hosted custom remote authentication script that connects to your external user management system. This is possible using JSON Web Token (JWT). Single sign-on is based on a shared secret between your local authenticating script and Zendesk. This secret is used to securely generate a hash (one-way encryption) that Zendesk uses to ensure that users who sign in to your account using remote authentication are who they claim to be and have been pre-approved to do so by implicitly knowing the shared secret.
For more information about JWT, see Enabling JWT single sign-on.
Single sign-on with SAML
If you prefer to manage your users and their sign-in to your Zendesk account yourself, you have the option of using identity provider services such as OneLogin, Okta, and PingIdentity. These use SAML (Secure Assertion Markup Language) to store all your user data or connect to your enterprise user management systems such as Active Directory and LDAP.
You might set up your Zendesk sign-in this way if you're using Zendesk Support as corporate IT help desk, for example. You have complete control over your users; they don't need a separate password to sign in to your Zendesk account. Instead, when users visit your Zendesk Support instance and attempt to sign in, they are seamlessly redirected to your SAML server for authentication. When authenticated, users are redirected back to your Zendesk Support instance and automatically signed in.
The only user data in your Zendesk account is the user's email address or an external ID you define.
For more information about setting up your Zendesk account to use a SAML identity provider, see Enabling SAML single sign-on.
27 Comments
I've been trying to set & reset a zendesk password for almost 6 weeks and need HELP! I freelance with a company that recently switched to zendesk. They assigned me a new email address (myname@theircompany.com) I'm supposed to be able to communicate with their clients and they with me on their website (via zendesk, I assume.) FYI, I first log in to their website with my username & password where I see what work is due, set my schedule, etc.
When not on their site I'm notified about new jobs via email. Work orders and communication are supposed to be forwarded to my gmail account. (THAT’s the address I used to register here to post.) The orders come to my gmail account just fine, but any communication (to be done ONLY from their website) from me to the clients or them to me is not being forwarded to my gmail address.
When I try to reset my password, I‘ve been told to put in myname@theircompany.com as the email address, and a reset link is supposed to be sent there. But since I have no access to that email account, (as it’s only on their site as a forwarding address) I don’t get those reset links. The company sends reset links as well, but my point to them is… since I have NO ACCESS and forwarding doesn’t seem to be working, I am not getting them!
They have my correct gmail address. I get things from them all the time. Nothing from zendesk is being blocked or moved to my spam folder. AND communication I receive from them THROUGH zendesk i.e. “support@theircompany.zendesk.com” comes through without a problem. The company says, “It’s simple!” It’s not. I’m no troglodyte, and actually computer savvy, but I’ll be damned if I can figure this out. Any help would be GREATLY appreciated!
Hey Charlie 👋 It seems like you need to get in touch with this company that you freelance for and either ask them to set a new password for your account and share that with you, or update your profile with the email address whose inbox you do actually have access to. Are you able to get in touch with them at all?
In an 'Open' instance of Support where Zendesk registration is not required to submit a ticket, can an organisation automatically create (or merge) an end user at the point where the customer registers with the organisations in their mobile app AND also automatically register the end user in Zendesk? If so, would a welcome email be sent to the end user to complete the registration/verification process? If all is possible, please explain how to set that up correctly.
Thanks!
I'm wondering if there is any way to not have CCed email addresses automatically added as end users? We want the requestor added, but not everyone who they CC.
I am trying to set up a second Help Center under a different brand for our employees. Is it possible to have two Help Centers; one that is Open for our customers and another that is Closed for our employees?
Yes, it's possible to have multiple Help Centers with different sign in options. The number of Help Centers you can create will depend on your plan. For more information, please refer to Creating a help center for one of your Support brands.
Hello,
Can I enable both Zendesk authentication (username/password) and SSO through (JWT)?
I hope all is well! Yes, that is possible! You can find a detailed description in the article: Enabling JWT single sign-on
I hope this helps!
Hi,
topic: Sign-in for end user with SSO
The users are led to the zendesk support page through our platform but are not logged-in.
The users still have to press the Sign-in button to be able to log in. After pressing the sign-in button, the login is automatic but we want the user to be already signed-in as soon as they arrive on zendesk. Is that possible ?
I'd be happy to check to further review your inquiry and send you an email! I look forward to your reply
From the point of view of Explore, where you can see if end users or staff members have viewed article, do light agents could as end users or staff?
Hello Steve,
Article views is an available metric in the Guide: Knowledge Base dataset.
Light agents would reflect as "Staff member" in this report.
The user registration email is valid for 24 hours.
Is it possible to extend the email validity period? If so, how?
Both account verification emails and password reset emails expire after 24 hours. The verification email can be resent to the user, and the user can also request a new password reset email after it expires. I'm afraid, it is not possible to extend the email validity period.
For reference, please see this article: How long are account verification emails and password reset emails valid?
I hope that answers your question. Thank you!
👍❤
Is there a way to allow users to register but have an approval step to where we review pending registrations and approve them? Otherwise it's left completely open to where the general public can find the login page, register, set password, and then get entry to the help center and see content/submit tickets.
Hi Team,
Are there any issues with SAML and emailed support tickets? We have some groups within Zendesk that still allow for emailed support tickets. My hope is that with a SAML Okta/Zendesk integration these tickets will still come through Zendesk and not get sent to the Suspended Tickets queue.
Any help would be appreciated! :)
Same question as Ali:
Sign-in for end user with SSO
The users are led to the zendesk support page through our platform but are not logged-in.We want the user to be already signed-in as soon as they arrive on zendesk. Is that possible ?
Hi Francisco,
This is possible using Enterprise SSO. Users can start the sign-on process from your corporate server or the third-party identity provider sign-in page. They will then be authenticated automatically when accessing Zendesk.
Hope this helps.
.
We are moving from a model where anyone could email support and have an account created on Zendesk to requiring authentication via Enterprise SSO. We want to disable the current open email model but trying to understand the impact to current customers who have previously emailed and have an active account. Will they be able to still email support based on their account? Once they authenticate via Enterprise SSO, will Zendesk know to bring them to their previous account created via email submission? Thanks!
I have enabled SSO but for some reason MFA is not working even though its enabled. what could be possible reason
Is there a way to search our End Users to see who is setup to View and Comment on Own Tickets vs View All Org Tickets?
Hi Luke Aleo
I'm afraid we can't use the access field to search for end-users based on the kind of access they have. As a workaround, you may add or assign a user tag to end-users who have access to the user's org tickets and another tag for who can only view and edit their own tickets moving forward. Then, you may use the tag as a search parameter. https://support.zendesk.com/hc/en-us/articles/4408835086106-Using-Zendesk-Support-advanced-search#topic_c2b_gwj_h2b
Hi Neil Senior
As long as the email authenticated via SSO is the same email they used previously to submit a request, the system will record tickets under the same user.
Hello, wondering where I can generate a list or report of End Users with verified email addresses/ have registered with my company's Zendesk support platform?
Thank you,
Hi Luis! Welcome to our Community!
You can utilize the Incremental Export API for Users and side load identities to find users with verified = true. More info here for Incremental User Export
The URL/Endpoint that you would want to use is: https://yoursubdomain.zendesk.com/api/v2/incremental/users.json?start_time=1&include=identities
You can also use our data export feature under Admin > Manage > Reports. This will include a JSON file with the same data from the incremental export and you can then filter users based on the `"verified" : true` parameter.
Please sign in to leave a comment.