SAML Authentication

SAML Authentication for Creator On-Premise

Zoho Creator on-premise supports integrating with SAML-based identity provider (IdP). This enables your users to use their existing credentials to access your organization's on-premise Creator applications.

Set up SAML based single sign-on (SSO) for your Creator applications

  1. Access your Creator On-Premise web client.
  2. Click the Setup icon near the top-right corner. You'll be taken to the Setup page.
  3. Select SAML Authentication under User Management.
  4. Enter your IdP's login URL.
  5. Enter your IdP's logout URL.
  6. Enter your IdP's URL where users can reset their password.
  7. Select the required algorithm. This will be used to secure the user's credentials while it is exchanged between Creator and the IdP.
  8. Upload the certificate containing your IdP's public key. This helps Creator validate the response it receives from the IdP.
  9. Click Save.

  10. You'll then be able to download the logout certificate and metadata, which you'll have to use in your IdP:

Configure AD FS using SAML

Active Directory Federation Services (AD FS) is a Single Sign On (SSO) solution created by Microsoft. AD FS manages authentication through a proxy service hosted between Active Directory (AD) and the target application (Creator app).


  •  You must obtain the login URL, logout URL and the certificate from AD FS.
  • After creating the user in AD, click on the user's properties and add an Email Address for that user.
  • Ensure to check that the time of your AD machine and the machine in which creator is hosted should match.
  • In case of any error, refer to this page.
  1. Ensure that your Active Directory Federation Service (AD FS) is configured and is up and running.
  2. Log in to the AD FS 3.0 server and open the Management console.
  3. Right-click Service in the left-pane menu and choose Edit Federation Service Properties.
  4. Under General, ensure that your DNS entries and certificate names are correct.

  5. Using your Federation Service name, use a browser and go to the following URL:


    The login URL and logout URL are present in the XML file as SingleSignOnService and SingleLogoutService tags.

  6. Export the Token-Signing certificate:
    • Right-click Certificate in the left-pane menu and click View Certificate.

    • Select the Details tab.

    • Click Copy to File. The Certificate Export Wizard will open.
    • Click Next.
    • Make sure the No, do not export the private key option is selected, and then click Next.
    • Select Base-64 encoded X.509 (.cer), then click Next.

    • Choose where to save the file and name it, then click Next.

    • Select Finish. The instance requires that this certificate be in .cer or .pem format.

  7. Configure Single Sign-On URL and Entity ID URLs at Zoho.

Submit metadata at AD FS

 After having configured the AD FS in IAM Accounts, we need to configure your Creator account details in AD FS, for which the following are to be added.

  • Relying Party Trust - Tells AD FS to trust requests from a party and provide them response.
  • Claim Rules - Helps configure which claim details will be present in the incoming request and which has to be sent in the response.

Add a Relying Party Trust

  1. Under Trust Relationships in the left-pane menu, right-click Relying Party Trusts and select Add Relying Party Trust. This will open the Add Relying Party Trust Wizard.

  2. On the Select Data Source screen, choose one among the below options:
    • Select Import data about the relying party from a file and choose the file which you've downloaded from IAM accounts page. 
      To download this file go to Accounts home page -> Settings -> Preferences -> SAML Authentication page and click on Download icon near metadata.
    • If you want to input the required data manually, select Enter data about the relying party manually.

  3. On the Specify Display Name screen, enter as the display name.

  4. On the Choose Profile screen, select AD FS profile and click Next.

  5. Browse the required certificate and click Next.

  6. On the Configure URL screen, check the Enable Support for the SAML 2.0 WebSSO protocol option and enter the ACS URL present in the metadata you downloaded from zoho in the service URL text box.

  7. On the Configure Identifiers screen, choose as the Relying Party Trust Identifier.

  8. On the Configure Multi-factor Authentication Now screen, choose I do not want to configure multi-factor authentication settings for this relying party trust at this time and click Next.

  9. On the Choose Issuance Authorization Rules screen, select the Permit all users to access this relying party button.

  10. The wizard will display an overview of your settings on the next two screens.

  11. On the final screen, use the Close button to exit and open the Claim Rules editor.

Creating Claim rules

You can create claim rules once the relying party trust is created. By default, the claim rule editor opens once you create a trust.

  1. Click Add Rule to create a new rule. This will launch the Add Transform Claim Rule Wizard.

  2. On the Choose Rule Type screen, select Send LDAP Attributes as Claims in the drop-down menu and click Next.

  3. On the Configure Claim Rule screen:
    • Enter a Claim rule name.
    • Choose Active directory from the dropdown menu for the Attribute Store.
    • On the LDAP Attribute column, choose E-Mail Addresses from the drop-down menu.
    • On the Outgoing Claim Type column, select E-Mail Address from the dropdown menu.

  4. Click Finish to save the rule.
  5. Create another claim rule and select the Transform an Incoming Claim template.
  6. On the Configure Claim Rule screen:
    • Enter a Claim rule name.
    • Choose E-Mail Address as the Incoming claim type from the drop-down menu.
    • Select Name ID as the Outgoing claim type from the drop-down menu.
    • Select Email as the Outgoing name ID format.
  7. Select the Pass through all claim values button.

  8. Click Finish to create the claim rule.
  9. If you have selected Do you need Logout Response? at Zoho:
    • Download the logout certificate at Zoho Accounts in the SAML Authentication page.
    • Go to Relying Party Trust under Trust Relationships and select
    • Go to Endpoints on the top navigation bar and click Add.
    • Select the Endpoint type as SAML Logout.
    • Enter the logout URL generated from the metadata file you downloaded from your Zoho account.
    • Go to Signature on the top navigation bar and click Add.
    • Upload the logout certificate.
    • Go to Advanced on the top navigation bar.
    • Select the Secure hash algorithm as SHA-256.

Related Topics

Share this post : FacebookTwitter

Still can't find what you're looking for?

Write to us: