Does Zendesk Support OpenID Connect?

Hi Ryan-

At one time we supported the OpenID protocol, but that has since been deprecated from what I have seen after some research. We do not currently support OpenID Connect, and using Zendesk to authenticate users in this fashion is not possible at this time.

I will be moving this over to Product Feedback for other community members as well as our own Product team can continue to engage/upvote.

Thanks for the reply Joseph.

Not sure if it helps the Product team with use cases, but my ideal scenario would be as follows. The separate web app is a developer portal with API documentation and the like. External users who have access to my Zendesk site should also have access to the developer portal, preferably without another login (e.g. Zendesk as an OpenID provider).

I will find a different solution, but I look forward to the outcome of this product request.

I'd have also a use case here for OpenID connect. I'd like to use Azure B2C as the OpenID connect provider and use Accounts configured in B2C to sign in to Zendesk. This would allow us to provide our customers SSO across several applications amongst one is Zendesk.

Would be great to have OpenID connect or OAuth 2.0 protocol support in Zendesk for user authentication. (I know OAuth is supported for API calls, but I can't see a way using it for delegating user authentication)

As far as I can tell, I literally just signed into this site with OAuth to Google, so are we sure this isn't supported? I'd like to enable our AWS Cognito-based applications to pass user IDs over to Zendesk for support submissions.

I am in a similar case. We would like to have our users to all be AWS user pool across Zendesk and an other website we manage. Is that possible?

HI Denis - 

I don't believe anything has changed since Joseph's comment from last May. 

Curious, is this still unsupported? 

I'm curious why Zendesk continues to support and maintain a homegrown one-off JWT SSO protocol whereas a standard JWT-based protocol like OpenID Connect has not been prioritized?

Is ZenDesk any closer to (re-)implementing OpenID Connect?

It seems rather silly to support "JWT" and call your SSO "JWT SSO" without supporting OpenID Connect, or even just OAuth 2.0 with a JWT payload.

OpenID Connect isn't as widely adopted, but why not support OAuth 2.0 as a RP with a possible JWT payload?

Your customers that have IdPs with other solutions want to be able to sign in to ZenDesk with those IdP's, and by having a custom solution instead of an industry standard (RFC) protocol supported, it makes it difficult to make those integrations happen.

+1 for supporting OIDC. We need this to integrate with the rest of our enterprise auth system.

Hey hey,

I'm Caroline from the Product team and I currently own our Authentication Service, which includes our different auth methods. Brian is correct that we've not committed it to our roadmap to add OpenID to the list of auth methods but I appreciate the feedback. I'll loop back on this thread if our roadmap changes and let you know. 

Please continue to add your use cases to the thread! Cheers

Hello. We're also trying to make an Azure B2C for our customers to login to Zendesk, Aha and Litmos, together with our normal Azure B2B that is our company's domain (maybe it's not called that, I'm not a IT pro).

Microsoft struggle with how we should do this. Is this what we are missing? Is it developed yet? 

Hello @...,

Zendesk Support itself is not an identify provider (like Google or Facebook), but there are a number of ways to authenticate into it for API requests. See How can I authenticate API requests?

There are also a number of ways to integrate with identify providers. See SSO (single sign-on) options in Zendesk

Since you're talking about logging in across multiple systems, it sounds like it's the SSO functionality that you're looking for (versus using Zendesk as an "identify provider"/iDP solution, which is what this thread is about). Hope this helps!

Hey Bryan,

Maybe that's the confusion here - because that is what this thread is about. You have it backwards.

People want ZenDesk to act like the RP (Relying Party) in an OpenID scenario where they are bringing their own IdP's such as an Azure AD, Google, or other custom IdP tenant. We aren't asking that Zendesk be an IdP - though I could see scenarios where that may be useful, that should be a separate discussion.

Take a look at the original request: Can I use Zendesk to authenticate Zendesk users on behalf of another application? (like Google Sign In)

In that question, Google is the IdP (which holds the user account), and Ryan wants to be able to authenticate (or, more accurately, authorize) into Zendesk using a Google account (via OpenID Connect).

Zendesk already supports a proprietary mechanism that utilizes JWT tokens - so all you would need to do is enhance that custom implementation to adhere to the OIDC 1.0 standard (which is really just OAuth 2.0 with some extra bits).

Is there an ETA on Zendesk adding support for the OAuth 2.0 or OpenID Connect protocols as a Relying Party (RP)?

Would the missing feature make this work? Can we then do Azure B2C login to Zendesk and not use Auth0?

https://medium.com/the-new-control-plane/connecting-azure-ad-b2c-to-azure-ad-via-the-b2c-custom-identity-provider-42fbc2832e32

and

https://medium.com/the-new-control-plane/connecting-azure-ad-b2c-to-auth0-via-the-b2c-custom-identity-provider-73b931f9348f

I'm so confused...

Hi @... -- you're right and apologies for creating confusion here. Thank you, too, for providing those additional details to make clear what's being discussed in this post.

This issue was surfaced again last year with product management, which is when @... replied. There haven't been any announcements since then for supporting this, so the expectation should be to find or continue with alternatives.

As you've pointed out before, it is definitely a valid use case and painful not to have for those who are using an OpenID Connect based IdP. I'll go back and highlight to product management the continuing discussion here.

@...,

"Would the missing feature make this work?"

It sounds like it might -- but as mentioned, OpenID Connect is not supported. You also mentioned ADFS -- this article may help there: Setting up single sign-on using Active Directory with ADFS and SAML. Also see SSO (single sign-on) options in Zendesk.

The same problem here. We were trying to make integration between Azure B2C and  Zendesk and basically failed. Standard Azure AD accounts work as expected but not B2C local accounts.

When ca we see this gets implemented? 

+1 for supporting OIDC. We need this to integrate with the rest of our enterprise auth system.

+1 for this also.

We will have customer profiles sat in Cognito user pool, B2C should have been easy to do but we will need to implement the custom JWT (remote authentication) route I assume based on these comments.

Our business / agent users will be in AzureAD, therefore B2B is fine.

Looking for a B2C Azure AD support also.

Hey folks,

Thanks for dropping your feedback in here over the last couple of years - it's very much appreciated.

We agree that this is a standard that we need to adopt and have OpenID Connect on our 9-month roadmap. We'll continue to work with the Community team to keep you updated as development starts and the project progresses.

Thanks again for adding your voice to the chorus. 

Ooh, progress, fabulous!

This would be a big solve for us.

+1 for OIDC, we have application teams wondering why we chose this platform without basic federated sign-in for business. Looking forward to seeing this implemented so we can move away from the JWT sign-in.

Also looking for Cognito support for customer (not agent) logins.

The last thing I know is that in August 2021 there were plans to include OpenID Connect support in the 9 months roadmap.

I'm also looking to delegate authentication to our own OpenID Connect provider. Is there any beta version or any place to check the status?