You can only use one authentication method for agents and admins
When our agents went to log in today we were met with a new login screen. Looking into this further, the security page now forces you to choose one authentication method for login:
Administrator and agent sign-in authentication
By default, your administrators and agents are authenticated and signed in using Zendesk’s user authentication. You can however bypass this and require your administrators and agents to sign in using Google or a single sign-on solution using JWT or SAML (available in Plus and Enterprise).
You can only use one authentication method for agents and admins. This is a recent change to improve the security of your Zendesk.
You currently have the following authentication options enabled:
- Twitter
- Facebook
- Google
- Zendesk
Social media sign-in is no longer supported for agents and admins. You must choose just one of the remaining authentication options below.
As a simple example of why this is annoying: I use Zendesk authentication and some of our agents use Gmail authentication.
A few questions:
* How does changing from Zendesk to Gmail authentication affect API access?
* Why aren't we allowed to choose "all" or "some" anymore?
* Why wasn't there an announcement of this change?
Understanding how this might affect API access is the most important as we have an outside process that queries Zendesk to help in reporting and analytics and I don't want that to break.
-
Hello Nick,
It's still possible to use the native Zendesk authentication, as well as Google authentication. When turning on Google authentication, the URL to log in would be yoursubdomain.zendesk.com/agent/
The URL yoursubdomain.zendesk.com/access/normal/ will allow you to log into the Zendesk Agent interface with your native Zendesk username and password.
How does changing from Zendesk to Gmail authentication affect API access?
With the API, the authentication uses the email addresses of an Administrator or Agent and their Zendesk password. However, the recommended method which I suggest is to use API Tokens:
https://developer.zendesk.com/rest_api/docs/core/introduction#security-and-authentication
This way, no matter what the password or authentication method is used, you can use the API token, which will remain the same. Here's an example of the API token in use:
jdoe@example.com/token:6wiIBWbGkBMo1mRDMuVwkw1EPsNkeUj95PIz2akv
Why aren't we allowed to choose "all" or "some" anymore and why wasn't there an announcement of this change?
This was an internal decision which was mainly based around the security of the authentication offered for Admins and Agents. It wasn't publicly announced, but the notice you saw was how we informed our customers.
I hope this answers your questions.
Regards,
Saajan.
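An added example, not part of the reply above and not Zendesk's own code: it builds the Basic auth value for the `email/token:api_token` form shown in the reply and classifies existing Authorization values, so integrations that still depend on an agent's Zendesk password can be found before the sign-in method is changed. The environment variable names, integration names and sample credentials are assumptions constructed for the illustration.

```python
import base64
import binascii
import os


def token_auth_header(email: str, api_token: str) -> str:
    """Basic auth value for the '<email>/token:<api_token>' form shown above."""
    if not email or not api_token:
        raise ValueError("email and api_token are both required")
    raw = f"{email}/token:{api_token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def classify_auth_header(value: str) -> str:
    """Return 'api_token', 'password' or 'not_basic' for an Authorization value."""
    scheme, _, encoded = value.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return "not_basic"
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return "not_basic"
    user, sep, _secret = decoded.partition(":")
    if not sep:
        return "not_basic"
    # Token credentials carry the '/token' suffix on the user part.
    return "api_token" if user.endswith("/token") else "password"


def audit(headers: dict) -> list:
    """Names of integrations whose credentials depend on an agent password."""
    return sorted(n for n, h in headers.items() if classify_auth_header(h) == "password")


def header_from_env() -> str:
    # ZENDESK_EMAIL / ZENDESK_API_TOKEN are assumed names; keep tokens out of source.
    return token_auth_header(os.environ["ZENDESK_EMAIL"], os.environ["ZENDESK_API_TOKEN"])


# Constructed sample values, not real credentials.
SAMPLE = {
    "reporting-job": token_auth_header("jdoe@example.com", "CONSTRUCTED_TOKEN"),
    "legacy-export": "Basic " + base64.b64encode(b"jdoe@example.com:hunter2").decode(),
    "oauth-app": "Bearer CONSTRUCTED",
}

if __name__ == "__main__":
    for name, header in SAMPLE.items():
        print(name, classify_auth_header(header))
    print("password-dependent:", audit(SAMPLE))
```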
-
Saajan,
That's helpful. It does leave the question of: Why can't an agent just choose both Google and normal (Zendesk) from the same page if I'm able to access them from two different pages?
-
Hi Nick,
The /access/normal URL is intended as a back-up for when your SSO implementation breaks. It's not intended as a second option for logging in. For security purposes it's best if your agents stick to one login method.
Thanks for your questions!
-
Hi there,
I'm facing a similar issue to the one Nick raised.
My agent tried signing in via Google, as well as the /access/normal URL method but upon doing so, both led up to a page which says 'Access Denied'.
However, when I tried logging into the agent's account via both methods, it worked fine for me.
So I'm not too sure what could possibly be the error.
Hopefully I'll be able to resolve it soon. Thanks!
-
Hey Hui,
This sounds like it is outside of expected behavior, so I am going to create a ticket to look into this a bit further - keep an eye out for an email from me!