Single Sign-On in Zoho
What is SSO?
Before looking at what Single Sign-On is, we should first go through how traditional authentication works.
- A service presents the user with a login page where the user must submit a set of login credentials, i.e. a username and password. Some services might ask for additional authentication information, such as a one-time password.
- The credentials submitted by the user are validated against the ones stored in the service's database.
Traditional authentication is quite intuitive; everything is managed within the service, providing a simple way for users to authenticate. However, if a user needs to access multiple applications, each with a different set of login credentials, it quickly becomes cumbersome for the user. The user must remember multiple credentials and comply with different password policies.
Single Sign-On is a feature that lets you access Zoho as well as third-party applications with a single submission of user credentials. Users aren't required to remember a separate username and password for each application they need access to. Zoho uses SAML to achieve SSO with third-party applications.
What is SAML?
SAML stands for Security Assertion Markup Language. It is an industry standard specification for federated authorization. Federated authorization lets users gain access to applications without transferring or storing user credentials.
SSO User flow
- Identity Provider (IdP)
  - An Identity Provider maintains a directory of user credentials.
  - An IdP authenticates a user and sends authorization information about the user to the service provider.
- Service Provider (SP)
  - A website that hosts services or applications for users.
  - A service provider relies on the IdP to authenticate a user.
IdP initiated flow
- The user wants to access a Zoho service.
- The user logs in to their IdP and chooses the Zoho application.
- The IdP creates a signed SAML assertion response, which is sent to the ACS (Assertion Consumer Service) URL endpoint at Zoho.
- Zoho validates the SAML assertion response. Upon successful validation, the user is granted access to any Zoho services they are authorized for.
Note: ACS URL - This is the Zoho destination URL to which the IdP should send the SAML response.
Note: Entity ID - The identifier of the issuer of the SAML request; for Zoho this is Zoho.com.
SP initiated flow
- The user wants to sign in to a Zoho service.
- Zoho generates a SAML authentication request and sends it to the IdP via the HTTP-Redirect binding.
- The IdP authenticates the user and forms a signed SAML assertion response, which is sent to the ACS URL endpoint at Zoho.
- Zoho validates the SAML assertion response. If the user is authorized to use the Zoho service, they are granted access.
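To make the validation step in both flows concrete, the following is an added example (not Zoho's code) of the checks a service provider performs on a SAML response posted to its ACS URL before granting access: Destination against the ACS URL, Issuer against the IdP entity ID, InResponseTo for the SP-initiated case, the assertion's validity window, and the audience. The ACS URL, entity IDs and the sample response are constructed placeholders, and XML signature verification against the IdP certificate is assumed to be done separately.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Hypothetical SP settings; in a real deployment the ACS URL and entity ID come from the SP metadata file.
ACS_URL, SP_ENTITY_ID = "https://sp.example.invalid/samlresponse", "sp.example.invalid"
IDP_ENTITY_ID = "https://idp.example.invalid/saml"

def saml_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text, now, expected_request_id=None):
    # Returns (ok, reason_or_nameid). Non-cryptographic checks only: signature verification of the
    # assertion against the IdP certificate (e.g. with python-xmlsec) is still required before trusting it.
    root = ET.fromstring(xml_text)
    if root.get("Destination") != ACS_URL:
        return False, "Destination is not our ACS URL"
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        return False, "status is not Success"
    # SP-initiated flow: the response must answer the AuthnRequest we actually sent
    if expected_request_id and root.get("InResponseTo") != expected_request_id:
        return False, "InResponseTo does not match our AuthnRequest"
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return False, "expected exactly one Assertion"
    a = assertions[0]
    if a.findtext("saml:Issuer", default="", namespaces=NS) != IDP_ENTITY_ID:
        return False, "Issuer is not the configured IdP"
    cond = a.find("saml:Conditions", NS)
    try:
        in_window = saml_time(cond.get("NotBefore")) <= now < saml_time(cond.get("NotOnOrAfter"))
    except (AttributeError, TypeError, ValueError):
        in_window = False
    if not in_window:
        return False, "assertion is outside its validity window"
    if SP_ENTITY_ID not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        return False, "assertion is not addressed to this SP"
    return True, a.findtext("saml:Subject/saml:NameID", namespaces=NS)

# Constructed sample response, as an IdP would post it to the ACS URL (signature omitted)
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="{ACS_URL}" InResponseTo="_req1">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID>alice@sp.example.invalid</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```

Calling `validate_response(SAMPLE, now, "_req1")` with `now` inside the validity window returns the NameID; a tampered Destination, a foreign audience, or an expired window each yields a rejection reason instead.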
SSO via SAML involves Zoho trusting the assertions provided by your IdP to grant access to your users. This trust must be established by configuring SAML at your IdP and at Zoho.
- Log in as an administrator at your IdP and obtain the login URL, logout URL, and the base64-encoded certificate.
- Log in to Zoho as an administrator and submit these details in the SAML Authentication tab, under Preferences.
- Once you save the configuration, you will be able to download a metadata file from Zoho. The metadata file will contain the ACS URL, Service provider logout URL, entity ID, and the Zoho certificate (if logout response is enabled).
- Upload this metadata file to your IdP to finish configuration.