为多个品牌使用多个 JWT 单点登录 URL

Hi Sarah. 
 
Apologies for the wait regarding your question.
 
User passwords are not brand restrictive within Zendesk. You would need to implement custom routing based to the brand URL that you created. You can also toggle the SSO setting for end users to "Let them choose" which would give them the option for a Zendesk Login or SSO. You can customize the SSO button's text to signal they users to sign in using the correct method. 
 
https://support.zendesk.com/hc/en-us/articles/5380943678106-Giving-users-different-ways-to-sign-into-Zendesk
 
I'll set this to Solved for now, but if you have an further questions, please raise a ticket and we will be happy to help troubleshoot for you. 
 

Have this set up but have run into issues with the password reset loop. Brand 1 is SSO redirecting to /access/normal for those attempting to access Brand 2. We're able to get through admin managed password resets through the /password end point but anything going through the /verification endpoint like welcome emails or users resetting their own passwords for Brand 2 gets bounced to SSO. Any advice here so that we aren't relying solely on admins to manage end user credentials for an entire brand?

@ Chris

I think the answer is YES to both questions one and two. The big issue with Zendesk is that you have one single User Registry and one single Authentication status for the whole account. So, if you log into Zendesk via the Brand 2, you are automatically logged in Brand 1 as well.   It doesn't matter if you're logged in via SSO or not, you are just authenticated, stop!

The only work-around I see is to restrict access to HelpCenters based on Users/Organizations tags (Users segmentation).

Let's hope to get some better official answer from Zendesk...

I have some questions regarding this scenario.

• Brand 1 uses JWT login script. Authenticating users via 3rd party SSO.
• Brand 2 uses Zendesk helpcenter login URL

1. If a user is created through the SSO option via Brand 1, and then later goes to Brand 2 to log in, would they be presented with the option to reset their Zendesk password?

2. If yes, does that mean they would be able to log into Zendesk via the Brand 2 help center by using their Zendesk credentials rather than their 3rd party SSO credentials?

Hello, I have been watching this thread for some time, and through various web searches have been unable to clearly define the steps needed.  I am looking for an A-B-C checklist, I have most of it together but then it drops entirely at implementing the JWT login scripts.

For example:

1. Configure Okta SSO JWT authentication within Zendesk (COMPLETE)

2. Configure Multiple Brands within Zendesk (COMPLETE)

3. Configure Multiple Help Centers > 1 or 2 per brand (COMPLETE)

4.  FACT - we are using Okta as the SSO solution passing the JWT to Zendesk (confirmed working) -- NEEDED is dependent upon the users email domain (@domain111.com, @domain222.com) this would direct the user to the necessary Help Center

5. QUESTION - where should the proposed login scripts reside, Zendesk or Okta or?  This step is very vague and does not seem to describe "how" the JWT identifies the logged in user to direct them to the appropriate help center.  For example, a user with email @domain111.com would be directed to support-domain111.zendesk.com , similarly if the user email domain is @domain222.com then they would be directed to support-domain222.zendesk.com .

When setting up a JWT for end users to login vs. agents with SSO. the login page is missing the forgot password link.  Any way to add that back?  Our customers are unable to request a password reset.