Issue symptoms

Agents in the Zendesk Support interface see inline images as broken links.

Conditions

An account has these settings:

• The help center is host-mapped
• Attachments require authentication to download
• Agents authenticate through single sign-on (SSO)

Resolution steps

This issue happens because of how these settings interact. When the help center is host-mapped, end users view the help center on a custom-branded domain, while agents access their workspace on the standard Zendesk domain. Attachments open on the host-mapped domain, so end users can see them.

With SSO, agents can authenticate directly into the agent interface without a help center sign-in. SSO authenticates agents on the Zendesk domain, but not on the host-mapped domain. When this happens, agents don't have permission to see attachments at first because attachments live on the host-mapped domain. As a result, inline images appear broken for agents until their session authenticates on that domain.

Agents can fix this issue at any time by opening Knowledge. To switch from Support to Knowledge, use the product tray.

SSO admins can fix this for all agents. Include the host-mapped domain in the SSO setup.

Change the agent's return_to URL, the destination after successful authentication in an SSO flow, to the host-mapped domain with /agent at the end. This ensures the agent signs in on the same domain where attachments are stored.

For example, if mycompany.zendesk.com is host-mapped to support.mycompany.com, set the return_to URL to support.mycompany.com/agent. This sends agents directly to the agent interface with the host-mapped credentials applied. Use this for agents only. It causes an authentication error for end users.