Admin Center lets you manage how you authenticate users. You can use Zendesk's own user authentication (the standard sign-in process) or you can remotely authenticate users using single sign-on (SSO) and then seamlessly sign them in to Zendesk. You can also let users sign in using popular business or social authentication services such as Google, Microsoft, Facebook, or Twitter.
In Admin Center, an end user is any user receiving customer service. If you enable authentication for end users, they'll need to sign in to submit or track their tickets in the help center. See Understanding options for end-user access and sign-in in the Support help center.
The authentication options for end users apply to the help center only. To authenticate end users who use the Chat widget or Web Widget (Classic), see Enabling authenticated visitors in the Chat widget or Enabling authenticated visitors in the integrated Web Widget (Classic).
A team member in Admin Center is any user providing customer service, not a person receiving it. A team member is usually an admin, agent, or account owner. A team member may also be an employee who has been assigned a custom role.
Topics covered in this article:
- Accessing the security settings from Admin Center
- Enabling Zendesk authentication
- Disabling Zendesk authentication
- Enabling social and business single sign-on (SSO)
- Enabling enterprise single sign-on (SSO)
If you use Zendesk authentication, you can manage additional security settings. See the following topics:
- Restricting access by IP addresses
- Sending password-change notifications
- Requiring 2-factor authentication
- Setting an inactivity time-out period
An alternative to Zendesk authentication is single sign-on (SSO). SSO lets users sign in once to gain access to multiple systems and service providers, including Zendesk Chat. To learn more, see SSO (single sign-on) options in Zendesk in the Support help center.
To help Zendesk troubleshoot an issue in your account, you can let a Zendesk agent assume the role of agent in your account for a specified time. See Allowing Zendesk to assume the role of agent.
Accessing the security settings from Admin Center
To access the security settings from Admin Center
- In Admin Center, click the Account icon in the sidebar.
- In the Security section, select one of the security options.
Enabling Zendesk authentication
You can use Zendesk authentication (the standard sign-in process) for team members and end users. Zendesk authentication is enabled by default.
For end users, the following conditions must be met before they can use Zendesk authentication:
- Help center must be activated. Help center is the only publicly accessible side of Support and Chat for end users. See Getting started with Guide in the Support help center.
- End users must register. After registering, an end user is prompted to verify their email address and create a password, which the user can then use to sign in. See Requiring your users to register in the Support help center.
To enable Zendesk authentication
- Open the security settings for Team members or End users.
- In Admin Center, click Account in the sidebar, then select Security > Team member authentication.
- In Admin Center, click Account in the sidebar, then select Security > End user authentication.
You can set one sign-in option for team members and a different one for end users.
- Make sure Zendesk Authentication is selected.
The option is selected by default.
- Set the password security level.
See Setting the password security level in the Support help center.
- Click Save.
If you enable Zendesk authentication, you can manage the following additional settings:
Disabling Zendesk authentication
In some cases, you may choose to disable Zendesk authentication and use another authentication method, such as SSO, for team members and end users.
To disable Zendesk authentication
- Open the security settings for Team members or End users.
- In Admin Center, click Account in the sidebar, then select Security > Team member authentication.
- In Admin Center, click Account in the sidebar, then select Security > End user authentication.
- Deselect Zendesk Authentication.
- Click Save.
If you're disabling Zendesk authentication for end users, also do the following:
- In Admin Center, click People in the sidebar, then select Configuration > End users.
- Determine if you want to enable or disable the Anybody can submit tickets setting.
Typically, when Zendesk authentication is disabled for end users, you would also disable this setting to keep unauthenticated end users from submitting tickets. But if you want end users to send email to their support addresses without allowing them to log in anywhere, leave this setting enabled.
If you disable Zendesk authentication for end users, but you still have Anyone can submit tickets enabled, end users will not see a sign-up page when they submit a ticket. Instead, they are redirected back to the help center home page.
- Save your changes.
Enabling social and business single sign-on (SSO)
Users can sign in to Zendesk using their credentials for certain social and business accounts. The social accounts are Facebook and Twitter. The business accounts are Google and Microsoft.
End users can use all four: Twitter, Facebook, Google, and Microsoft. Team members can only use Google or Microsoft.
To learn more, see SSO (single sign-on) options in Zendesk in the Support help center.
To enable social and business single sign-on
- Open the security settings for Team members or End users.
- In Admin Center, click Account in the sidebar, then select Security > Team member authentication.
- In Admin Center, click Account in the sidebar, then select Security > End user authentication.
- Select the social or business SSO option you want to enable.
- If you want users to use only the SSO option, disable the Zendesk Authentication option. Warning: Disabling Zendesk authentication permanently deletes any Zendesk passwords on record within 24 hours. API requests using an email address and password combination will also fail for both agents and end users.
- Click Save.
Enabling enterprise single sign-on (SSO)
Zendesk supports two enterprise single sign-on solutions:
- Secure Assertion Markup Language (SAML): SAML is supported by many identity provider services, such as Okta, OneLogin, Active Directory, and LDAP. For information on configuring SAML single sign-on, see Enabling SAML single sign-on.
- JSON Web Token (JWT): Credentials and user information are sent in JSON format encrypted using a Zendesk shared secret. For information on configuring JWT single sign-on, see Enabling JWT (JSON Web Token) single sign-on.
To learn more, see Enterprise single sign-on in the Support help center.
You can enable SAML or JWT single sign-on only for team members, only for end users, or for both groups.
To enable SAML or JWT single sign-on
- In Admin Center, click Account in the sidebar, then select Security > Single sign-on.
- Click the Configure link of one of the SSO options and enter the configuration information. For details, see the following topics:
- After configuring your SSO option, click Team members or End users and select the External authentication option if not already selected.
- If you want all users to only use the single sign-on method, deselect the Zendesk authentication option.
Any Zendesk passwords will be permanently deleted from the account within 24 hours.
- Select the Single sign-on option in the External authentication section.
For end users, selecting the SSO option deselects the Zendesk Authentication option if enabled.
Warning: Disabling Zendesk authentication permanently deletes any Zendesk passwords on record within 24 hours.
- Click Save.
Restricting access by IP addresses
If Zendesk authentication is enabled, you can restrict access to your account to users connecting from specific IP addresses. For example, to restrict access to users in your company, specify the IP addresses of your company. You can also allow end users to bypass the restrictions. IP restrictions that you manage in Admin Center apply to sign-in for all products.
Enabling IP-based access restrictions can break third-party integrations that access your account. Make sure to create an allowlist for all external IPs that access your account through the Zendesk APIs. Some integrations use variable IP addresses that can't be included in an allowlist. If you want to use these integrations, you must disable IP restrictions.
You can specify ranges of IP addresses, separating each range with a space. Two methods are available to specify a range. The first is to use asterisk (*) wildcards. An IP address consists of four numbers separated by periods, such as 192.168.0.1. You can substitute a single asterisk character (*) for any number group to let Zendesk know that it should accept any value in that space. For example, 192.*.*.* allows any IP address whose first number is 192.
The second way to specify an IP range is to use IP subnet mask syntax. For example, 192.168.1.0/25 specifies all the IP addresses between 192.168.1.0 and 192.168.1.127.
You cannot specify IP ranges where the CIDR (Classless Inter-Domain Routing) value is 0. For example, if you specify 10.0.0.0/0, /0 is a valid format, but it's not accepted by Zendesk.
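As an added example (not Zendesk's code), the following Python script parses an allowlist written in the two range syntaxes described above and reports which source addresses, such as those of API integrations, it would lock out. The sample allowlist and addresses are constructed, and refusing an all-wildcard entry is this example's own choice.

```python
import ipaddress


def parse_entry(entry):
    """Turn one allowlist entry into a predicate over IPv4Address objects."""
    if "*" in entry:
        groups = entry.split(".")
        if len(groups) != 4:
            raise ValueError(f"{entry}: expected four number groups")
        for g in groups:
            if g != "*" and not (g.isdigit() and int(g) <= 255):
                raise ValueError(f"{entry}: bad number group {g!r}")
        if all(g == "*" for g in groups):
            # Choice made in this example: refuse allow-everything, like /0.
            raise ValueError(f"{entry}: matches every address")

        def match(addr):
            octets = str(addr).split(".")
            return all(g == "*" or int(g) == int(o) for g, o in zip(groups, octets))
        return match

    # Subnet mask syntax; a bare address parses as a /32.
    net = ipaddress.IPv4Network(entry, strict=False)
    if net.prefixlen == 0:
        raise ValueError(f"{entry}: a CIDR value of 0 is not accepted")
    return lambda addr: addr in net


def uncovered(spec, addresses):
    """Return the addresses that no entry in the space-separated spec allows."""
    matchers = [parse_entry(e) for e in spec.split()]
    return [
        a for a in addresses
        if not any(m(ipaddress.IPv4Address(a)) for m in matchers)
    ]


# Constructed sample data: an office subnet, a wildcard range, and the
# source addresses of hypothetical API integrations.
ALLOWLIST = "192.168.1.0/25 10.20.*.*"
INTEGRATION_IPS = ["192.168.1.127", "192.168.1.128", "10.20.30.40", "203.0.113.7"]

if __name__ == "__main__":
    print("Not covered by the allowlist:", uncovered(ALLOWLIST, INTEGRATION_IPS))
```

Running a check like this against the addresses your integrations actually use, before enabling the restriction, shows which ones need an allowlist entry.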
To set IP restrictions
- In Admin Center, click Account in the sidebar, then select Security > Advanced.
- On the IP Restrictions tab, select Enabled, then enter the Allowed IP Ranges you want to restrict.
- If you don't want the IP restrictions to apply to end users, make sure Allow customers to bypass IP restrictions is selected.
- Click Save.
For more information, see Restricting access to Zendesk Support using IP restrictions.
Sending password-change notifications
If Zendesk authentication is enabled, you can send email notifications to team members and end users when their passwords change.
To send password-change notifications
- In Admin Center, click Account in the sidebar, then select Security > Advanced.
- On the Passwords tab, select Email notifications.
- Click Save.
Requiring 2-factor authentication
If Zendesk authentication is enabled, you can require team members to use 2-factor authentication when they sign in. Once this setting is enabled, all team members will be required to set up 2-factor authentication the next time they sign in. For instructions for your team, see Using 2-factor authentication.
To require 2-factor authentication
- In Admin Center, click Account in the sidebar, then select Security > Advanced.
- On the Authentication tab, select Require two-factor authentication (2FA).
- Click Save.
For more information, see Managing 2-factor authentication.
Setting an inactivity time-out period
If Zendesk authentication is enabled, you can customize the session expiration period for team members and end users. If a user is inactive for the specified period, they are signed out.
Users remain signed in as long as they actively use the product. Active use includes typing and clicking links. See Understanding your Zendesk session time.
A session expires after 8 hours of inactivity for all users by default. If your security requirements differ for your team members and end users, you can set separate expiration periods for each.
To set an inactivity time-out period
- In Admin Center, click Account in the sidebar, then select Security > Advanced.
- On the Authentication tab, select a session expiration period for team members and end users under Session expiration.
- Click Save.
Allowing Zendesk to assume the role of agent
To troubleshoot an issue, you can let a Zendesk agent assume the role of agent in your account for a specified time. This setting is disabled by default.
This setting can be useful to help Zendesk solve the following issues with your account:
- Highly-technical issues
- Issues that Zendesk can't reproduce anywhere else
- Issues where Zendesk needs to visually analyze console information that's not obtainable with any other method
- IP configuration issues
- Issues where Zendesk needs to create test tickets to test or troubleshoot possible causes and solutions
To allow Zendesk to assume the role of agent in your account
- In Admin Center, click Account in the sidebar, then select Security > Advanced.
- On the Account Assumption tab, select Enable account assumption.
- Select a duration from the Duration menu.
- Click Save.
7 Comments
I too would like to suggest, as did Emily Graham 8 months ago it seems, that there be a couple more choices between 8 hours and 2 weeks. 1 day, 2 days, and perhaps 4 days for those with bank holidays type thing. 2 weeks seems too long and 8 hours too short as most clock off at 5pm and back on at 8 or 9 am, so the only option that works is 2 weeks.
Oddly, this auto session logout only seems to kick in when an agent uses another computer to login and that new computer is then affected. The old computer/browser doesn't seem to be affected. I noticed this due to Covid19 where we were banished from the office. RDP to office desktop still confirms that those sessions remain active overnight while a residential login is booted out nightly due to the 8 hour setting.
Hi Chris and those others of you who've requested additional session expiration timeframe choices: If you wouldn't mind, please add your requests and the reasons behind them to this thread in our Feedback on Support post, and upvote this post: session expiration longer than 8 hours but less than 2 weeks
The more information we have about the impact to your workflow, the better. Thanks!
Does IP restriction apply on JWT token integration?
IP restrictions apply to third party integration and JWT login, be sure to include all external IPs that need access to your account, more information in our documentation Restricting access to Zendesk Support and your Help Center using IP restrictions
Hope this helps,
Have a great day
Hi! I'm in the trial period and I'm trying to set up ZD for my company. I'm trying to get to the point where anyone can fully browse Guide and submit tickets/questions without needing to log in. When I disable any authentication for end-users it returns an error that basically says that "there is no authentication method". What am I doing wrong? Thanks!
Hi Federico Vitale,
Check out this article and see if it helps:
Enabling anyone to submit tickets
Let us know. And good luck!
Hi Jennifer Rowe, thank you for your reply! I want to get to the point where the account button on the top right of the HC would not appear, since I'm not going to use the login feature for now (logged users interact on a custom platform) and having it show would confuse users in the end. I'd also prefer not to edit the html code not to fiddle too much and keep things as standard as possible (also I'm not a developer and it would make my life easier) :) Do you think this is feasible?