As described in Configuring end-user access and sign-in, Zendesk offers multiple ways to authenticate team members and end users.
Because users may have different security requirements, Zendesk gives you the flexibility to allow multiple authentication methods for each type of user. For example, if you configured SAML SSO for team member sign-in, you can provide another authentication mechanism (such as email and password) if you have a subset of users who can’t sign in through SSO.
Understanding the sign-in options
When multiple authentication methods are active, you can configure the sign-in experience for each user type by selecting Let them choose or Redirect to SSO.
Redirect to SSO only allows users to authenticate using the primary SSO configuration. Users don’t see additional sign-in options, even if those authentication options are active.
Let them choose allows the user to sign in using any active authentication method.
Providing multiple sign-in options for team members
You can configure the sign-in experience so team members can choose how to sign in. For example, if you have both SAML SSO and Zendesk authentication active for team members, they would see a sign-in screen similar to the one below if you select Let them choose.
To provide multiple sign-in options for team members
- To provide SSO as a sign-in option to team members, you must first add the SSO configuration to the Single sign-on page in Admin Center. See Enabling JWT SSO and Enabling SAML SSO.
- In Admin Center, click Account in the sidebar, then select Security > Team member authentication.
- To provide email address and password as a sign-in option to team members, select Zendesk authentication, then set the password security level.
- To provide SSO as a sign-in option to team members:
  - Select External authentication.
  - Select Single sign-on (SSO).
  - Select the SSO configurations (that you set up in step 1).
  - If you selected more than one SSO configuration, select the Primary SSO.
- For How team members sign in, select Let them choose.
  Selecting Redirect to SSO displays the primary SSO as the only available sign-in method.
- Click Save.
Providing multiple sign-in options for end users
You can configure the sign-in experience so end users can choose how to sign in. For example, if you activated SAML SSO, Zendesk authentication, and social sign-ins for end users, they would see a sign-in screen similar to the one below if you select Let them choose.
To provide multiple sign-in options for end users
- To provide JWT or SAML SSO as a sign-in option for end users, you must first add the SSO configuration to the Single sign-on page in Admin Center. See Enabling JWT SSO and Enabling SAML SSO.
- In Admin Center, click Account in the sidebar, then select Security > End user authentication.
- To provide email address and password as a sign-in option to end users, select Zendesk authentication and set the password security level.
- Select the social logins you'd like to make available to end users.
- To provide SAML or JWT SSO as a sign-in option to end users:
  - Select External authentication.
  - Select the SSO configurations (that you set up in step 1).
  - If you selected more than one SSO configuration, select the Primary SSO.
- For How end users sign in, select Let them choose.
  Selecting Redirect to SSO displays the primary SSO as the only available sign-in method.
- Click Save.
18 Comments
Hi,
I need help finding the option of How <end users/team users> sign in. Is there anything I missed?
Best
Hi Chengyu Yang! The option is labeled "How end users sign in" or "How team members sign in," depending on what user type you are setting up. I updated the wording to clarify. Thank you!
Hi Kristie Sweeney! Thanks for the swift response. Under the "End user authentication" panel, I still do not see the section titled `How end users sign in`. I cannot upload the image in the comment because the browser refuses it. Here is the link to the screenshot: https://ibb.co/6N5MttY
I can check the boxes of the Zendesk authentication and the SSO that I set up, but after saving, it would force the user to go through SSO. Is what you described in the doc a premium feature that certain customer tiers can use or is this feature gradually being rolled out?
Chengyu Yang This feature is being rolled out gradually until March 2nd, so you might not see it yet in your account. See the Announcement for details. When the rollout is complete, you'll see the How end users sign in field at the bottom of the End user authentication screen, under the SSO fields. I added a note at the top of the article with the rollout date - hopefully, that will help others as well!
Hi team, this seems to be a great option for our company's HR service desk tool (mainly for those floor employees without network/email access). Will ZD require that the user enter the same personal email address that is already in their profile if they select "Email/Password" login option? How does this "verification" work?
Hi Mariano Lanza
When you say "floor employees without network/email access" - I am assuming that they are end-users in terms of Zendesk user personas.
If so, the end users can sign up for Zendesk using their email/password (if they have not already done that) and then use that to log in.
Hi,
I am still facing the same situation reported by Chengyu Yang.
This is what I see in the team member configurations. Screenshot of this morning.
Hi everyone, came here to report the same issue as everyone else -- got a nice feature alert about it this morning but it's not visible anywhere in the interface. What's up?
I created a ticket on your behalf so that our Advocacy Team can further help you troubleshoot the issue!
Hi Manuele Bastianelli - Easy Market and Jason Barresi
Thanks for your engagement through the community. In order to use this capability, you can set up any SSO provider of your choice, e.g. Google, Microsoft, Okta, OneLogin, etc. You can first create a SAML configuration here
After that, go to the team member authentication page and click Single Sign-on - you will notice the configuration you have created and also the "Let them Choose" button. If you enable the "Let them Choose" button, the users will see a side-by-side option to "Continue using SSO" or "username/password".
For additional security, it is recommended that you also enable 2FA for agents along with username/password. Please feel free to email me for any more questions.
Hi Team,
What is the best way to enable both options: Google and Single sign-on (SSO) for Agents? As of now I can see you can choose one of them, but not both simultaneously.
Thanks.
Hi Vladimir Shkuratov
You can set up Google and other SSOs using SAML configuration first. Then go to the team members page, and you will be able to multi-select SSOs. You can also choose the Primary SSO method.
For end user SAML SSO, if we have a single organization that requires this, and only users from that Org should use SSO, is there a way to lock it down so only IPs within the specified range in the SAML setup can see the option for SSO?
Hi Rolf
When you set up SAML SSO for end-users, you can specify IP ranges. Please check the below screenshot. For any specific questions about your setup, please feel free to create a customer support ticket and someone will help you.
For SSO logins, there would only be 2 options for all end users, either via SSO or the default Zendesk log in. I do understand you want to have specific users be routed to your SSO if they for a higher tier of support but based on this article: Configuring end user access and sign-in (Sign-in). It would only be either SSO or the default Zendesk login.
So if I make it to where Team/Agents are required to use SSO option. How does an admin get back into Zendesk admin to change this setting to allow direct logins again, should something be wrong with the IdP? Just wondering what the options are in this case?
Thanks
John
Hello John,
Should there be issues with your SSO, you can still access your Zendesk thru the methods provided on this article: Accessing your Zendesk account when your SSO service is down
Hi Barkha Bhatia,
Following my question above, I have created two SSO options for Agents 1) JSON Web Token and 2) Google SAML
I still can see only 1 available button "Continue with SSO", which obviously uses Primary IDP. But how can I enable the possibility for agent to select SSO option?
If you look at the End-user login page - you can allow them to select from different options: Google, MS, own SSO IDP etc, but not for the Agent. Is that possible at all?
Thanks.