Configure SAML in Zoho Accounts
You'll need an org account with Zoho before you configure SAML with Zoho Accounts. You can create an org account by signing up for business applications: Zoho One, Zoho Mail, Zoho Docs, and Zoho Vault.
- Log in to your Org Admin account.
- Under the Preferences tab click SAML Authentication.
- Click Setup Now.
- Enter the required details
- Login URL: The IdP URL where the user gets redirected to for authentication at IdP.
- Logout URL: The IdP URL where the user gets redirected to after logging out of Zoho.
Note: Tick the checkbox if you need a logout request/response sent to your IdP.
- Change Password URL: The IdP URL that the user will be redirected to in case they want to change their account's password.
- PublicKey: The certificate with which Zoho can check the digital signature on the SAML assertion response.
Note: Make sure the key is a base-64 encoded .cer , .crt, .cert, or .pem file. We don't accept any other format for the certificate.
- Algorithm: The algorithm with which the PublicKey is generated.
- Just In Time Provisioning: Check this tick-box if you want a user from your IdP to be added to Zoho impromptu. We will add them to Zoho after validating the SAML Response and their domain.
- Zoho Service: The Zoho service page that the user will land on after their login is verified.
- Click Add.
Note: If you chose to send a logout request/response to your IdP, you must upload the logout certificate at your IdP.
- You can enable or disable SAML for your organization by using the status dropdown menu.
- Click Download to download the metadata file. The metadata file contains information you need to provide to your IdP.
- Entity ID: Zoho.com is the entity which issues the SAML Request.
- Certificate: You can find this in the ‹ds:X509Certificate› tag in the metadata file. This certificate is used to verify the Logout Request or Logout Response sent from Zoho.
Note: You will receive this only if you have ticked the Logout response checkbox.
- Logout URL: Find the tag ‹md:SingleLogoutService› in the metadata file. This is your required Logout Endpoint to be configured at the IDP.
- Assertion Consumer Service URL: This URL can be found in the Location element under the tag ‹md:AssertionConsumerService›.This is the URL endpoint where the IdP must send the SAML response to.
Note: Zoho only supports email address Name ID format, as specified in the metadata file.