Integrating with Active Directory requires running an application, called the Provisioning App, on a Windows system in your network. The app syncs your company's existing users with Zoho Connect: it adds new users and deletes users that no longer exist in your directory.
Requirements for AD integration:
- A Zoho Connect account.
- A verified domain name for your company. To verify your domain:
- Go to Setup > Active Directory > Domain management
- Add your domain and click Verify
There are two ways to verify:
- CNAME method
- HTML method
CNAME method
- Log in to your domain provider and access your account
- Click the Launch button next to your domain name
- In the Domain details page, click the domain name you added in Zoho Connect
- Find the DNS manager and click the launch link
- Under CNAME (Alias), click Quick Add to create a CNAME record
- Paste the unique verification code shown by Zoho Connect into the new CNAME record
- Click Save Zone File
- Click OK in the confirmation dialog box, then return to Zoho Connect and click Verify
HTML method
- Use this option only if you have permission to upload files to your website
- Download the HTML verification file
- Create a folder named 'zohoverify' under the web root of your site
- Upload the file so that it is reachable at ad.com/zohoverify/verifyforzoho.html (ad.com stands for your own domain)
- Confirm the upload and click Verify
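Verification fails silently if DNS has not propagated or the file is not where Zoho expects it, so it is worth checking from outside before clicking Verify. The following PowerShell function is an added example, not Zoho's code. It assumes that the CNAME method produces a record at a host name you know (CnameHost) pointing at a target Zoho told you (CnameTarget); the exact host/target split is an assumption, so use whatever values the Domain management page shows. The HTML check assumes the site is served over HTTPS (change Scheme if not).

```powershell
# Added example (not part of Zoho's documentation). Pre-checks the CNAME or HTML
# verification before you click Verify in Zoho Connect.
function Test-ZohoDomainVerification {
    param(
        [Parameter(Mandatory)] [string] $Domain,   # e.g. example.com
        [string] $CnameHost,                        # assumed: record name Zoho asked you to create
        [string] $CnameTarget,                      # assumed: value Zoho asked you to point it at
        [switch] $Html,                             # check the HTML method instead of CNAME
        [string] $Scheme = 'https'                  # assumed scheme for the HTML check
    )

    if ($Html) {
        # The page documents the path ad.com/zohoverify/verifyforzoho.html; only the host changes.
        $url = "${Scheme}://$Domain/zohoverify/verifyforzoho.html"
        try {
            $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop
        } catch {
            Write-Warning "FAIL: $url is not reachable: $($_.Exception.Message)"
            return $false
        }
        Write-Host "OK: $url returned HTTP $($resp.StatusCode) ($($resp.Content.Length) bytes)"
        return $true
    }

    if (-not $CnameHost -or -not $CnameTarget) {
        throw 'CnameHost and CnameTarget are required for the CNAME check'
    }
    try {
        # -DnsOnly skips LLMNR/NetBIOS so the answer reflects what Zoho's resolver will see.
        $rec = Resolve-DnsName -Name $CnameHost -Type CNAME -DnsOnly -ErrorAction Stop |
               Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    } catch {
        Write-Warning "FAIL: no CNAME record for ${CnameHost}: $($_.Exception.Message)"
        return $false
    }
    if (-not $rec) {
        Write-Warning "FAIL: $CnameHost resolved, but not to a CNAME record"
        return $false
    }
    # Trailing dots differ between providers; compare the names without them, case-insensitively.
    if ($rec.NameHost.TrimEnd('.') -ieq $CnameTarget.TrimEnd('.')) {
        Write-Host "OK: $CnameHost -> $($rec.NameHost)"
        return $true
    }
    Write-Warning "FAIL: $CnameHost points at '$($rec.NameHost)', expected '$CnameTarget'"
    return $false
}

# Usage (placeholder values; substitute what the Domain management page shows you):
# Test-ZohoDomainVerification -Domain example.com -CnameHost code.example.com -CnameTarget 'target-given-by-zoho'
# Test-ZohoDomainVerification -Domain example.com -Html
```

A fresh CNAME can take a while to reach public resolvers; if the DNS check fails right after saving the zone file, wait and rerun it rather than repeatedly clicking Verify.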
Once domain verification is done, download the Provisioning App to import users from your Active Directory.
The app runs only on Windows systems with .NET Framework 4.0 installed, so you will need a Windows system. You should also be familiar with LDAP queries. (The Lightweight Directory Access Protocol (LDAP) is an open application protocol for accessing and maintaining directory information services over an IP network.)
The Provisioning App utility imports the users present in your Active Directory into Zoho Connect.
Steps to import using Provisioning App
- Enter the user email and password of your Zoho Connect account. Note that this account should be an admin of Zoho Connect.
- Provide the LDAP Connection details.
- Choose the operation and provide LDAP Queries and Exclusions as needed.
- Provide the necessary attributes.
- Review the LDAP Query Results and click 'Finish'.
- The list of users imported is displayed.
The Provisioning App can also be configured to run as a scheduled task in Windows to automatically synchronize users between your AD and Zoho Connect on a periodic basis.
Note: Because the Provisioning App adds and deletes users in your Zoho Connect account, it is important to configure the LDAP queries and exclusion rules in the app correctly. Accounts that an over-narrow query or exclusion rule leaves out of the LDAP result are treated as missing from your directory and will be deleted or disabled in Zoho Connect on the next sync.
The Provisioning App gets the list of users from LDAP and compares it with the users in Zoho Connect. The following cases are handled:
Users present in LDAP but not in Zoho:
These users are added to Zoho and then added as Requesters in Zoho Connect.
Users present in Zoho but not in LDAP:
These users are deleted or disabled in Zoho Connect, depending on your sync preference.
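Because a mistyped filter or search base turns into deletions, the LDAP query is best previewed outside the app before the first sync. The script below is an added example written for this page, not code from the Provisioning App, and it covers the import steps above as well as the two cases just listed: it runs the same LDAP filter you intend to enter in the app with Get-ADUser, applies exclusion rules, compares the result with the users currently in Zoho Connect, and refuses to go further if the removal set is suspiciously large. Assumptions: the ActiveDirectory PowerShell module is installed, the current Zoho Connect user list has been exported to a CSV file with an Email column (the app only displays the list, so how you obtain it is up to you), the user's mail attribute is what maps to the Zoho login, and the domain is the page's example zillum.com.

```powershell
# Added example (not Zoho's code). Dry run of the Provisioning App's add/remove decision.
param(
    # Assumed filter: enabled user objects only (bit 2 of userAccountControl = ACCOUNTDISABLE).
    [string] $LdapFilter = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
    [string] $SearchBase = 'OU=Staff,DC=zillum,DC=com',                   # assumed
    [string[]] $ExcludeOUs = @('OU=ServiceAccounts,DC=zillum,DC=com'),    # assumed exclusion rule
    [string[]] $ExcludeSam = @('Guest', 'krbtgt'),                        # assumed exclusion rule
    [string] $ZohoCsv = '.\zoho-users.csv',                               # assumed export with an Email column
    [double] $MaxRemovalRatio = 0.10       # abort if more than 10% of Zoho users would be removed
)

Import-Module ActiveDirectory -ErrorAction Stop

# An account is excluded if it is in the SAM exclusion list or lives under an excluded OU.
function Test-Excluded {
    param($User, [string[]] $ExcludeOUs, [string[]] $ExcludeSam)
    if ($ExcludeSam -contains $User.SamAccountName) { return $true }
    foreach ($ou in $ExcludeOUs) {
        if ($User.DistinguishedName -like "*,$ou") { return $true }
    }
    return $false
}

# 1. LDAP side: exactly the filter and base the app will use, minus exclusions and accounts without mail.
$ldapUsers = Get-ADUser -LDAPFilter $LdapFilter -SearchBase $SearchBase -Properties mail |
    Where-Object { $_.mail -and -not (Test-Excluded $_ $ExcludeOUs $ExcludeSam) }
$ldapMails = @($ldapUsers | ForEach-Object { $_.mail.ToLowerInvariant() })

# 2. Zoho side: the exported user list.
$zohoMails = @(Import-Csv $ZohoCsv | ForEach-Object { $_.Email.ToLowerInvariant() })

# 3. The two cases the app handles.
$toAdd    = @($ldapMails | Where-Object { $zohoMails -notcontains $_ })   # in LDAP, not in Zoho
$toRemove = @($zohoMails | Where-Object { $ldapMails -notcontains $_ })   # in Zoho, not in LDAP

Write-Host ("LDAP filter matched {0} accounts after exclusions; Zoho Connect has {1} users." -f $ldapMails.Count, $zohoMails.Count)
Write-Host "Would ADD ($($toAdd.Count)):"
$toAdd | ForEach-Object { "  + $_" }
Write-Host "Would DELETE/DISABLE ($($toRemove.Count)):"
$toRemove | ForEach-Object { "  - $_" }

# 4. Safety check: a wrong search base or filter shows up as a large removal set.
if ($zohoMails.Count -gt 0) {
    $ratio = $toRemove.Count / $zohoMails.Count
    if ($ratio -gt $MaxRemovalRatio) {
        Write-Warning ("{0:P0} of Zoho Connect users would be removed; review the LDAP query and exclusions before running the Provisioning App." -f $ratio)
        exit 1
    }
}
```

Run it with the filter and base you plan to type into the app; if the removal list contains anyone still employed, widen the query or add an exclusion before the real sync.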
Types of synchronisation:
Synchronisation can happen in two ways.
- By Manual Sync
- By Schedule Sync
By Manual Sync
- Run the Provisioning App and fill in the details described above
- Select your sync option: whether users that have been deleted in LDAP should be deleted or disabled in Zoho Connect
- Verify the list of users to be added or deleted
- Click Finish to start the sync
- Click "Save settings for sync" and save the file "provisioning.conf". This file holds all your configuration settings for future syncs
By Schedule Sync
To fully automate the process of syncing users, configure the command below in the Windows Task Scheduler to periodically sync users from your LDAP directory to Zoho Connect:
provisioningapp.exe --action=sync --conf=<path to provisioning.conf> --mailto=<email address to send the sync result to>
An email is sent to that address whenever new users are added or users are deleted or disabled.
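The scheduled sync runs unattended with whatever is in provisioning.conf, so the task should run under a dedicated account and the file should not be readable by ordinary users. The script below is an added example, not Zoho's own, that registers the command above as a scheduled task. Assumptions: the app is installed in C:\ZohoProvisioning, a low-privilege domain account ZILLUM\svc-zohosync exists for the job, the results go to it-alerts@zillum.com, and provisioning.conf contains the settings (including, presumably, the Zoho Connect admin login) you saved with "Save settings for sync".

```powershell
# Added example (not from Zoho's documentation). Registers the scheduled sync and locks down the config.
$AppDir = 'C:\ZohoProvisioning'                 # assumed install location
$Conf   = Join-Path $AppDir 'provisioning.conf'
$Exe    = Join-Path $AppDir 'provisioningapp.exe'
$RunAs  = 'ZILLUM\svc-zohosync'                  # assumed dedicated service account
$MailTo = 'it-alerts@zillum.com'                 # assumed recipient of the sync result
$Task   = 'Zoho Connect AD sync'

# 1. Restrict the config file: remove inherited ACEs, then allow only the service account (read)
#    and Administrators (full). Anything else that could read the file could reuse the saved login.
icacls $Conf /inheritance:r /grant:r "${RunAs}:(R)" /grant:r 'BUILTIN\Administrators:(F)' | Out-Null
icacls $Conf   # print the resulting ACL for review

# 2. The task action is the exact command line the documentation gives; run it daily at 02:00.
$action   = New-ScheduledTaskAction -Execute $Exe -WorkingDirectory $AppDir `
                -Argument "--action=sync --conf=`"$Conf`" --mailto=$MailTo"
$trigger  = New-ScheduledTaskTrigger -Daily -At '02:00'
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1) `
                -MultipleInstances IgnoreNew -StartWhenAvailable

# 3. Register it under the service account with no elevation (RunLevel Limited).
#    Get-Credential prompts for the account's password instead of embedding it in the script.
$cred = Get-Credential -UserName $RunAs -Message 'Password for the sync service account'
Register-ScheduledTask -TaskName $Task -Action $action -Trigger $trigger -Settings $settings `
    -User $RunAs -Password $cred.GetNetworkCredential().Password -RunLevel Limited `
    -Description 'Syncs Active Directory users to Zoho Connect via the Provisioning App'

# 4. Run it once by hand and check the result (LastTaskResult 0 means the process exited 0).
Start-ScheduledTask -TaskName $Task
Start-Sleep -Seconds 30
Get-ScheduledTaskInfo -TaskName $Task | Select-Object LastRunTime, LastTaskResult
```

If your domain supports group managed service accounts, a gMSA avoids storing a password at all: create a principal with New-ScheduledTaskPrincipal -UserId 'ZILLUM\gmsa-zohosync$' -LogonType Password and pass it to Register-ScheduledTask with -Principal instead of -User and -Password. Either way, watch the --mailto mailbox for a run that reports an unexpected number of deletions.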
Setting up single sign on
Single sign-on lets your users access Zoho Connect with their existing corporate credentials.
- With SAML authentication, login and logout requests are redirected to the Identity Provider installed in your network.
- You need to specify the Identity Provider's login URL and logout URL so that requests are redirected correctly.
- Once authentication is done, users are redirected back to Zoho Connect.
Install any SAML-compliant Identity Provider in your network. Zoho forwards all authentication requests to this Identity Provider, which can authenticate users against Active Directory, LDAP or a custom backend. Once the user is authenticated, the Identity Provider sends the SAML response to accounts.zoho.com.
Note: AD FS 2.0 is available as a download from Microsoft.
For example, we tested SAML authentication with AD FS 2.0 as the Identity Provider. If zillum.com is the verified domain and connect-w2k8 is the system on which the Identity Provider is installed, your input will be as follows.
<samlp:NameIDPolicy AllowCreate="true" />
The expected SAML output is as follows. Note that the signature and digest algorithms in this AD FS 2.0 output are RSA-SHA1 and SHA-1, both of which are deprecated; where your Identity Provider supports it, prefer RSA-SHA256 (http://www.w3.org/2001/04/xmldsig-more#rsa-sha256) for the signature and SHA-256 (http://www.w3.org/2001/04/xmlenc#sha256) for the digest.
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
Note : Once you have configured SAML authentication, your users must access Zoho Connect through the sub-domain or a customized domain.
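When SSO fails, the quickest diagnosis is to look at the SAMLResponse the Identity Provider actually posted to accounts.zoho.com (the base64 form field visible in the browser's developer tools) and compare it with the expected output above. The function below is an added example, not Zoho's code: it decodes a response and reports the status code and the canonicalization, signature, transform and digest algorithms the page lists, flagging SHA-1. It does not verify the signature cryptographically; that is what accounts.zoho.com does. The sample response embedded at the end is constructed for this example, using the page's zillum.com and connect-w2k8 names in an AD FS-style issuer URL (an assumption about the issuer format), and deliberately uses RSA-SHA1 so the flag fires.

```powershell
# Added example (not Zoho's code). Summarises a base64 SAMLResponse for troubleshooting.
function Get-SamlResponseSummary {
    param([Parameter(Mandatory)] [string] $Base64Response)

    [xml] $doc = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Base64Response))
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')
    $ns.AddNamespace('ds',    'http://www.w3.org/2000/09/xmldsig#')

    # Collect the Algorithm attribute of every element matched by an XPath.
    $alg = { param($xpath) $doc.SelectNodes($xpath, $ns) | ForEach-Object { $_.GetAttribute('Algorithm') } }

    $summary = [ordered]@{
        Status           = $doc.SelectSingleNode('//samlp:Status/samlp:StatusCode', $ns).GetAttribute('Value')
        Issuer           = $doc.SelectSingleNode('//saml:Issuer', $ns).InnerText
        NameID           = $doc.SelectSingleNode('//saml:Subject/saml:NameID', $ns).InnerText
        Signed           = ($doc.SelectNodes('//ds:Signature', $ns).Count -gt 0)
        Canonicalization = @(& $alg '//ds:CanonicalizationMethod')
        SignatureMethod  = @(& $alg '//ds:SignatureMethod')
        Transforms       = @(& $alg '//ds:Transform')
        DigestMethod     = @(& $alg '//ds:DigestMethod')
    }
    # Flag deprecated SHA-1 anywhere in the signature or digest algorithms.
    $summary['UsesSha1'] = [bool](@($summary.SignatureMethod + $summary.DigestMethod) -match 'sha1$')
    $summary['Success']  = ($summary.Status -eq 'urn:oasis:names:tc:SAML:2.0:status:Success')
    [pscustomobject] $summary
}

# Constructed sample (not a real AD FS message): the structure and algorithm URIs the page expects.
$sample = @'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2012-01-01T00:00:00Z">
  <saml:Issuer>http://connect-w2k8.zillum.com/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2012-01-01T00:00:00Z">
    <saml:Issuer>http://connect-w2k8.zillum.com/adfs/services/trust</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#_a1">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>AAAA</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>AAAA</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice@zillum.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>
'@

$b64 = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($sample))
Get-SamlResponseSummary -Base64Response $b64 | Format-List
```

For a real capture, paste the SAMLResponse field value in place of $b64. A status other than Success, a missing Signature element, or an Issuer that does not match the entity ID you configured in Zoho Connect are the usual causes of a failed login; UsesSha1 being True is not a login failure but a reason to move the Identity Provider to SHA-256.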