Freshdesk Login Guide & Troubleshooting: SSO, Password Reset, Can't Log In
Freshdesk has two front doors that look almost identical but behave very differently, and most login trouble comes from standing at the wrong one. Agents sign in through Freshworks; customers sign in through your support portal. Layer single sign-on on top and a third path appears — one that can quietly lock agents out of the credentials they used yesterday. This guide walks through both login flows, how to reset a forgotten password, how to break the SSO redirect loop with a URL most people never learn about, and what to do when an account is locked. It sticks to the behaviour Freshworks actually documents, and it flags the spots where a setting on one plan or role changes the whole experience.
Agent login vs customer portal login
The single most common Freshdesk login mistake is an agent trying to sign in on the customer portal page, or vice versa. They are separate systems of authentication.
Agents don't log in on the portal at all. Per Freshworks' password reset article, you go to your Freshdesk URL, click Login, then choose "Are you an Agent? Login here" — which redirects you to the Freshworks sign-in page. That redirect is the tell: agent identity lives in Freshworks (the account layer above Freshdesk), not in the help desk itself. On that page you enter your email and password, or use a configured social/SSO button.
Customers log in on your branded support portal — yourcompany.freshdesk.com (or your vanity domain) — where they see a "Log in to support portal" screen with email/password and any social sign-in you've enabled. This is a completely different credential store from your agents'. A customer password reset never touches an agent account, and vice versa.
If your customers are the ones stuck at the door — bounced back to login, "invalid credentials," or an activation email that never arrived — that's a portal-side problem with its own fixes, which we cover in Freshdesk portal login issues.
How to reset a forgotten password
The reset flow is the same shape for both roles; only the starting page differs.
- On the correct sign-in page (Freshworks for agents, your portal for customers), click Forgot Password.
- Enter the primary email address on the account. This matters for SSO users especially — Freshworks only recognises the primary email, not a secondary or alias.
- Freshworks emails a password reset link. Open it and set a new password.
- Log back in with the new password.
If the reset email never arrives, check spam, confirm you used the primary email, and make sure the account actually exists as an agent or contact (a common cause is typing an email that was never invited). Only an admin can resend an agent invite or re-trigger activation for a contact.
One caveat that surprises people: if SSO is enabled on your account, the password-reset path may be irrelevant for agents, because their password lives with your identity provider (Okta, Azure AD, etc.), not with Freshworks. Resetting the Freshworks password won't help — you reset it in your IdP.
Fixing the SSO redirect loop (the /login/normal URL)
Here's the failure mode that generates the most support tickets. You turn on SSO. From then on, the standard agent login redirects everyone to your identity provider — which is the point. But it also means that if your IdP misfires, or an agent isn't provisioned there, or you're an admin who needs in before SSO is fully working, the normal login simply won't accept native Freshdesk credentials. You get stuck in a loop.
The escape hatch is a URL Freshworks doesn't advertise but does support in its community and support threads: append /login/normal to your subdomain.
https://yourcompany.freshdesk.com/login/normal
This bypasses the SSO redirect and presents the classic email-and-password form, letting an agent (or admin) sign in with their native Freshdesk credentials even while SSO is active. It's the go-to move when:
- SSO was just enabled and an admin is locked out mid-configuration.
- The IdP is down or misconfigured and the whole team can't get in.
- One agent isn't in the IdP yet but needs access now.
Keep this URL somewhere your admins can find it. It has saved more than one team from a total lockout during an SSO cutover. Note that whether native login still works alongside SSO depends on how your org's login methods are set — some configurations disable password login entirely, in which case the IdP is the only way in.
Where SSO is actually configured (and who can touch it)
If you're setting SSO up rather than escaping it, know that the controls moved. SSO is no longer configured inside Freshdesk — it lives in the Freshworks Neo Admin Center. Per Freshworks' Single Sign-On in Freshdesk documentation, you navigate to Organization Dashboard → Security → Default Login Methods, and this area is available only to Org Admins. A regular Freshdesk admin can't change it.
Freshworks supports four protocols there — SAML 2.0, OAuth 2.0, OpenID Connect (OIDC), and JWT — so you can wire up Okta, Azure AD, ADFS, OneLogin, Google, and similar providers. SSO itself spans essentially every tier: Free, Growth, Pro, and Enterprise on current Freshdesk plans (plus the legacy Sprout/Blossom/Garden/Estate/Forest tiers and Freshdesk Omni's Growth/Pro/Enterprise). If you had SSO configured the old way inside Freshdesk, Freshworks asks you to reconfigure it in the Neo Admin Center and then disable the legacy setup. For a full walkthrough, see how to set up SSO in Freshdesk and the deeper conceptual piece, Freshdesk SSO explained.
Locked accounts, password policy, and lockouts
Beyond forgotten passwords, two policy-driven states can leave someone unable to log in.
A password-policy change locked me out. Admins can tighten the password policy — minimum length, expiry, no-repeat history, and alphanumeric / mixed-case / special-character requirements (the default floor is 8 characters, and the password may not contain the username). When a policy changes, currently logged-in agents get a prompt to change their password for about an hour, then are logged out; customers are forced to reset on their next login. Freshworks notes that policy changes can take 4–8 hours to fully propagate, so a "wrong password" right after a change may just be timing.
Password policy and SSO don't coexist. A subtle but important limit: you cannot set up a password policy while SSO is enabled. That's by design — when SSO is on, your identity provider owns the credential rules, so Freshworks steps out of the way. If you need Freshworks-enforced password policies, they apply to native login only.
Here's a quick decision guide for the most common "can't log in" situations:
| Symptom | Most likely cause | Fix |
|---|---|---|
| Agent redirected away from login | SSO is enabled | Use /login/normal or sign in via your IdP |
| Reset email never arrives | Wrong/secondary email, or no account | Use the primary email; ask an admin to re-invite |
| "Wrong password" right after a policy change | Policy still propagating (4–8 hrs) | Wait, or have an admin confirm the new rule |
| Agent can't reset password at all | SSO owns the credential | Reset in your identity provider, not Freshworks |
| Customer stuck at portal, not agent | Portal-side auth issue | See the portal login troubleshooting guide |
The honest limits — and where an AI layer fits
Freshdesk's login and SSO story is solid and standards-based. SAML, OAuth, OIDC, and JWT are the right protocols; the Neo Admin Center centralises identity across Freshworks products; and the /login/normal bypass is a genuinely thoughtful safety valve. Credit where it's due — this is not a system that needs replacing.
But notice what login is: a gate, not a workforce. Getting your agents authenticated is table stakes; it does nothing about the queue waiting on the other side. Once your team is in, the real work — reading each ticket, understanding intent, drafting an accurate first reply, looking up an order status — is still entirely manual. Authentication solves who is working, never how much gets done.
That's the seam where an AI agent layer belongs, and it's worth understanding the broader category of AI agents for customer service before reaching for one. Macha is one such layer: it runs on top of the Freshdesk you already use as a native connector — it does not replace your help desk, your login, or your SSO. You connect Macha to Freshdesk with your subdomain and API key (a service-level connection, separate from how your human agents authenticate), and from there it reads and writes the same tickets your team does: drafting or posting grounded first replies, triaging by intent, and looking up order or account status through a custom tool that turns a REST API into something an agent can call. If you want to see that end to end, how to automate Freshdesk with AI walks through it.
Two honest boundaries worth stating plainly: Macha's connector is for Freshdesk specifically — not Freshchat, Freshservice, or Freshcaller — and credits are consumed per AI action, not per resolution (the pricing page breaks that down). Keep Freshdesk as the source of truth for identity and access; layer an agent on top for the work that starts the moment login ends.
FAQ
How do agents log in to Freshdesk? Go to your Freshdesk URL, click Login, then choose "Are you an Agent? Login here." This redirects you to the Freshworks sign-in page, where agent identity lives — enter your email and password, or use your configured SSO/social button. Customers, by contrast, log in on your branded support portal, which is a separate credential system.
How do I reset my Freshdesk password? Click Forgot Password on the correct sign-in page, enter your primary email address (secondary emails won't work), and open the reset link Freshworks emails you. If SSO is enabled for agents, your password lives in your identity provider instead — reset it there, not in Freshworks.
Why does Freshdesk keep redirecting me to SSO and rejecting my password? Because SSO is enabled, and the standard login forwards everyone to your identity provider. To sign in with native Freshdesk credentials — for example, an admin locked out during setup or an agent not yet in the IdP — go to https://yourcompany.freshdesk.com/login/normal, which bypasses the SSO redirect (as long as password login isn't fully disabled for your org).
Where do I configure SSO for Freshdesk? In the Freshworks Neo Admin Center, under Organization Dashboard → Security → Default Login Methods — and only an Org Admin can access it. Freshworks supports SAML 2.0, OAuth 2.0, OpenID Connect, and JWT across Free, Growth, Pro, and Enterprise plans.
Can I add AI to Freshdesk without changing how my agents log in? Yes. An AI agent layer like Macha connects to Freshdesk as a native connector using a subdomain and API key — a service-level connection that's entirely separate from how your human agents authenticate. It runs on top of your existing Freshdesk, login, and SSO rather than replacing any of them.
Ready to put your logged-in team to work faster? Start a free trial of Macha and connect it to your Freshdesk in minutes.
Add AI agents to your Freshdesk
Macha resolves tickets end to end on Freshdesk — no migration, no code.
Zendesk
Freshdesk
Gorgias
Front
Shopify
Stripe
Slack
Notion
Google Workspace
Confluence

