Magdalena Luz

What is the state on this? If there has been some progress could you please share your plans and roadmap? If not, explain why you think a widely supported standard is not important to you...

Thanks for your answer, what I don't understand about it, all our users have access to the Help Center, that is why we want to use SSO, and that is the point of SSO... we authenticate them and Zendesk must trust us that we do it right in our App. There is no way for Zendesk to check that because none of our users is registered with Zendesk. We construct the Zendesk token and with this we say she is fine. So why exactly do you need the redirect?

I would like to enable SSO in Zendesk such that the users already authenticated in my application can access the Zendesk helpdesk without a login step. The users are  authenticated by different IDPs and there is an ever growing number of them (we use a multi tenant approach with one keycloak realm per tenant).

My understanding from the docs is that I have to do a custom implementation for the Zendes JWT SSO mechanism in my system since it does not follow any standard.

Since the users in my application are already authenticated in my application there is no need to redo the authentication step . Hence I  construct the Zendesk JWT token and send it directly to https://myapp.zendesk.com/access/jwt?jwt=&return_to=https://myapp.zendesk.com/hc without accessing the  https://myapp.zendesk.com/hc first and relying on the redirect by zendesk to the configured login url. Zendesk reads the token just fine and authenticates the user and redirects to the helpcenter at https://myapp.zendesk.com/hc. However this call then returns a 404 Page not found. Even though the help center exists. There is most probabely somthing in a cookie by Zendesk that triggers this strange error message. Since I can only access the help center again, if I delete all cookies.
Is there something I can do to make this work? Or is the redirect call mandatory, if so why?

We have a similar setup. Apparently its only working by redirecting to a custom script that das the subdomain resolution. Since you are using already the JWT SSO you must have implemented something custom on the IDP side, you would have to add the IDP resolution there.

check out this post

https://support.zendesk.com/hc/en-us/community/posts/4421947829914-Tip-Enabling-JWT-SSO-with-Multi-Host-Applications?input_string=jwt%20SSO