Steps to Set Up SAML with Zoho Accounts:
Before you configure SAML with Zoho Accounts, you need an Org account with Zoho Mail.
You do not need an Org Domain to configure SAML using the following steps.
1. Log in to your Org Admin account at https://accounts.zoho.com.
2. Click the Preferences tab and then go to SAML Authentication.
3. On the SAML Authentication screen shown below, click Setup Now.
4. Fill in the required details in the form:
Login URL: The Identity Provider's single sign-on endpoint. Once SAML is configured, users are redirected to this URL for authentication.
Logout URL: The Identity Provider's single logout endpoint. Users are redirected to this URL when they log out. Check the checkbox if you need a Logout Response from the Identity Provider.
Change Password URL: (optional)
Certificate: The X.509 signing certificate provided by the Identity Provider. Zoho uses it to validate the signature on the SAML Response, so it must be the IdP's signing certificate (not its TLS certificate), and it must be updated here whenever the IdP rotates that certificate, or logins will fail validation.
Service: The Zoho service to which users are redirected after SAML authentication for IdP-initiated SSO.
Note: Make sure you check the SAML Logout box if you need to enable SAML Logout.
5. Once the details are filled in correctly, click the Add button.
Once the SAML setup is done, the following screen is shown.
You can enable or disable SAML for your Org using the drop-down option shown in the above screen.
Click the Download link on this screen to get the Service Provider metadata file.
Configuring Zoho as Service Provider at the IDP:
Once the Service Provider metadata file is downloaded, you can either upload it at the IDP side or enter the same details from the metadata manually at the Identity Provider.
To configure the Service Provider details manually, enter the following details at the Identity Provider:
- Entity ID: The value of the entityID attribute on the <md:EntityDescriptor> tag. Here zoho.com is the Issuer of the SAML Requests sent by Zoho, and the IDP uses it to identify the Service Provider.
- Certificate: The value inside the <ds:X509Certificate> tag in the metadata file. The IDP uses this certificate to verify the signature on the Logout Request or Logout Response sent from Zoho.
- Logout URL: Find the <md:SingleLogoutService> tag in the metadata file. The URL in its Location attribute is the Logout endpoint to be configured at the IDP.
- Assertion Consumer Service URL: The URL in the Location attribute of the <md:AssertionConsumerService> tag. The IDP posts the SAML Response to this URL.
Zoho supports only the email address Name ID format, as specified in the metadata file, so the IDP must send the user's email address as the NameID in this format:
Standard Format - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
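The manual entry list above and the Name ID requirement are easy to get wrong when copying values out of a metadata file by hand (the certificate body is wrapped, and the URLs live in attributes rather than element text). The following script, an added example and not Zoho's own code, parses a Service Provider metadata file of the structure described above and prints the Entity ID, signing certificate, Logout URL, ACS URL and Name ID formats, then checks that the emailAddress format is declared. The embedded metadata is constructed for the example: its entityID, endpoint URLs under sp.example.com and certificate body are placeholders, not Zoho's real values.

```python
# Added example (not Zoho's own code): extract the IdP-side settings the page
# lists from an SP metadata file. The sample metadata below is constructed;
# entity ID, endpoint URLs and certificate body are placeholders.
import xml.etree.ElementTree as ET  # for metadata from untrusted sources prefer defusedxml

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample SP metadata with the same elements the page refers to.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="zoho.com">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          MIICplaceholderBase64CertificateBodyNotARealCertificateAQAB
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.com/samlresponse/logout"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/samlresponse" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Return the IdP-side settings as a dict; raise if this is not SP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no md:SPSSODescriptor: this is not Service Provider metadata")

    # Signing certificate: a KeyDescriptor without a use attribute covers both
    # signing and encryption, so treat a missing attribute as "signing".
    cert_text = None
    for kd in sp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":
            el = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if el is not None and el.text:
                cert_text = "".join(el.text.split())  # drop pretty-printing whitespace
                break
    if cert_text is None:
        raise ValueError("no signing ds:X509Certificate found")

    slo = sp.find("md:SingleLogoutService", NS)
    acs_list = sp.findall("md:AssertionConsumerService", NS)
    if not acs_list:
        raise ValueError("no md:AssertionConsumerService endpoint")
    # Prefer the default ACS, then the first HTTP-POST one, then the first listed.
    acs = next((a for a in acs_list if a.get("isDefault") == "true"), None) \
        or next((a for a in acs_list if a.get("Binding") == HTTP_POST), acs_list[0])

    return {
        "entity_id": root.get("entityID"),
        "certificate": cert_text,
        "logout_url": slo.get("Location") if slo is not None else None,
        "logout_binding": slo.get("Binding") if slo is not None else None,
        "acs_url": acs.get("Location"),
        "acs_binding": acs.get("Binding"),
        "nameid_formats": [e.text.strip() for e in sp.findall("md:NameIDFormat", NS) if e.text],
        "authn_requests_signed": sp.get("AuthnRequestsSigned", "false").lower() == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned", "false").lower() == "true",
    }


def supports_email_nameid(info):
    """True when the SP declares the emailAddress Name ID format the IdP must emit."""
    return EMAIL_NAMEID in info["nameid_formats"]


def to_pem(cert_b64):
    """Wrap the bare base64 body from ds:X509Certificate as PEM for IdP UIs that want it."""
    lines = [cert_b64[i:i + 64] for i in range(0, len(cert_b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    info = parse_sp_metadata(SAMPLE_METADATA)
    for key, value in info.items():
        print("%-22s %s" % (key, value))
    print(to_pem(info["certificate"]))
    print("IdP must emit emailAddress NameID:", supports_email_nameid(info))
```

To use it on the real file, replace SAMPLE_METADATA with the contents of the downloaded metadata (or read it from disk) and paste the printed values into the IdP; if `supports_email_nameid` returns False for a file you believe is Zoho's, the file is not the one described on this page.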