Active Directory Integration


Active Directory Integration

(Available in Enterprise Edition only)

You can integrate Zoho Vault with your corporate identity stores like Active Directory(AD) or Lightweight Directory Access Protocol (LDAP) to manage and authenticate users. Acting as the service provider, Zoho Vault integrates with AD and LDAP and leverages SAML 2.0 to simplify user management and enhance security. For more information, refer to our FAQs
This document will lay out implementation of Active Directory Integration in four steps:

Note: Only Super-admins in Zoho Vault can enable Active Directory integration for their organizations.

Domain Configuration

This step is essential with confirming your ownership of the domain. It's important to note that your domain name is not necessarily your AD domain. It should be the second part of the email address. For example, if your email is, the domain you will have to verify will be

To verify your domain,

  1. Log in to the Super Admin account of Zoho Vault and click on the Admin tab.
  2. Select AD/LDAP Integration and click Add Domain under the Add & Verify domain section.
  3. Enter your domain name in the field displayed and click Add Domain.

  4. Next, verify your domain in one of two ways:
    1. CNAME Method - Create a DNS entry where your domain’s DNS is hosted (e.g. Godaddy, Eurodns, Bluehost, etc).

    2. HTML file method - Add the file provided by Zoho Vault in a specific location on your website and click Verify in the screen shown below.


Importing Users from AD/LDAP

You can use the provisioning tool to import users from AD/LDAP to Zoho Vault. The provisioning tool establishes a secure connection between Zoho Vault and the Active Directory setup. You can fetch the user list from AD groups or organizational units and import required users into Zoho Vault. You can follow the below steps to get started.

  1. Download the provisioning tool and run the app as an administrator.

  2. Enter the now-verified domain name. 
  3. Select the data center you used when signing up for Zoho Vault and click Start.
  4. Copy the URL specified in the provisioning tool and open it in a new browser tab. 

  5. Click Accept.

  6. Click Next in the provisioning tool.
  7. If your organization connects to the internet through a proxy, select Enable proxy settings to update your proxy settings.

Note: When you import users from Active Directory to Zoho Vault, an invitation email will NOT be sent to those users as long as your domain is verified.


Configuration details

LDAP Connection:

  1. Specify the server hostname in an LDAP URL format.
  2. If you are using LDAP Secure in your environment, use LDAPS in the LDAP URL, port number 636, and set the option Use SSL as True to establish a connection with the server.

  3. Log in to your Active Directory and navigate to your Server Manager console.

  4. Select Tools and click Active Directory Users and Computers

  5. Select View and click Advanced features to access the Attribute Editor

  6. Right-click Users and select Properties.

  7. Select the Attribute Editor tab and double-click the distinguishedName attribute. Copy and paste the corresponding distinguishedName under the BaseDN field in the provisioning tool. 

  8. Set Scope to either search for users from just one level in the hierarchy or through the complete hierarchy in the Active Directory to fetch the relevant list of users.
  9. From the Active Directory and Users screen, right-click the user account, and select Properties. Click Attribute Editor and double-click distinguishedName. Update the corresponding distinguished name in the Domain username field. 

    Note: Any account in the AD with read permissions in the domain can be used here.
  10. Enter the account password and click Next.


  1. Select either Import Users or Sync users to proceed.
    Import Users allows you to import users from your Active Directory to Zoho Vault.
    Sync Users allows the provisioning tool to communicate with your AD to reflect the changes made in your AD to Zoho Vault.(It will display the list of newly added users to the AD for swift import to Vault, and additionally track the list of users removed from the AD, allowing you to either disable or delete them from Vault.) 
  2. Double-click on the pre-configured LDAP query to update it, if necessary.
  3. Set up the default password and click Next.

    Note: The default password acts as a backup password during emergencies. If you experience authentication issues with the AD or if the domain controller is down, the super admin of Zoho Vault can temporarily disable AD authentication and allow users to access Zoho Vault using this password. This password is valid only when the AD authentication has been disabled.


  1. Configure the required attributes to fetch only specific users from the user list in the selected AD group or your organizational unit.
  2. Click Next.

  3. Select the required users from this list and click Finish to import them to Zoho Vault. 


SAML Configuration

Executing the PowerShell script

  1. Download the PowerShell script from this link and save it in C:\ drive in the AD FS installation system. Click here to find the steps to configure manually, without using the PowerShell script.
  2. Run your command prompt as an administrator and execute the following commands
    • powershell
    • Set-ExecutionPolicy RemoteSigned
    • C:\adfsscript.ps1 your-verified-domain-name (eg. C:\adfsscript.ps1


    Note: Any errors encountered while running the script will be printed in red in the console. If you're unable to set the execution policy to RemoteSigned because of domain policy, you might need to set the same policy in your Domain Controller.
  3. Copy the displayed output information to Zoho Vault's SAML configuration page and click Save and Enable
  • Login URL: You should enter your identity provider's login page URL here. All user login requests will be redirected only to this specified URL.
  • Logout URL: You should enter your identity provider's logout page URL here. All user logout requests will be redirected only to this specified URL.
  • Certificate: You should enter the public key certificate of the identity provider here.
  • Algorithm: You should select the algorithm that is to be used by Zoho Vault for decrypting SAML responses sent by the identity provider here.

Note: You can use either a CA-signed or a self-signed certificate. If you are using a self-signed certificate, you will see a certificate error in the browser during the login process. This can be ignored.

Manual configuration of the AD/LDAP integration

Creating Relying Party Trust in the AD FS server:

Follow the below steps to create Relying Party Trust in the AD FS server:​​

  1. Click Tools from the Server Manager and select AD FS Management.
  2. Under Actions, click Add Relying Party Trust.
  3. Select Claims aware and click Start from the Welcome page.
  4. Click Enter data about the relying party manually from the Select Data Source page, and click Next.
  5. Set Zoho Vault as the Display name and click Next.
  6. Click Next in the Configure Certificate page.
  7. Select the Enable support for the SAML 2.0 WebSSO protocol check box in the Configure URL page. Under Relying party SAML 2.0 SSO service URL, enter<your_verified_domain>. Replace <your_verified_domain> with your corresponding verified domain. For example, if your domain is, rewrite your URL as
  8. In the Configure Identifiers page, specify, click Add, and then click Next.
  9. Set the Choose Access Control Policy to Permit Everyone and click Next.
  10. Click Next on the Ready to Add Trust page to save your relying party trust information.
  11. Unselect Configure claims issuance policy for this application.
  12. Right-click on the newly created relying party trust, go to Properties, select Advanced, then Secure hash algorithm, select SHA-1 and click OK.

Configuring ADFS relying party claim rules

  1. Right-click Zoho Vault Relying Party Trust and click Edit Claim Issuance Policy
  2. Click Add Rule under Issuance Transform Rules.
  3. In the Select Rule Template page, select Send Claims Using a Custom Rule from the list under the Claim rule template, and click Next.
  4. Set Windows Account Name as the display name under Claim rule name in the Configure Rule page. Under Custom rule, paste the following claim rule language syntax:
    c:[Type == "", Issuer == "AD AUTHORITY"]  => issue(store = "Active Directory", types = (""), query = ";mail;{0}", param = c.Value);
  5. Click Finish and click Add Rule...
  6. Select Send Claims Using a Custom Rule from the list under Claim rule template, and click Next.
  7. Set Email as the display name under Claim rule name. Under Custom rule, paste the following claim rule language syntax:
    c:[Type == ""] => issue(Type = "", Value = c.Value, Properties[""] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
  8. Click Finish and then click OK.

Creating a SAML logout endpoint:

  1. Click on Add SAML... from the Endpoints tab to add a new endpoint.
  2. Set the Endpoint type as SAML Logout and Binding as POST.
  3. Create a URL in the following format for the Trusted URL - https://<ADFS_Server_FQDN>/adfs/ls/?wa=wsignout1.0 
  4. Click OK twice to finish the setup.

You should now have a working relying party trust for Zoho Vault.

Exporting the AD FS signing certificate:

  1. Click Tools, and select AD FS Management from the Server Manager.
  2. Navigate to Service and select Certificates
  3. Click the Token-signing certificate.
  4. Click View Certificate from the Actions section.
  5. Click the Details tab, select Copy to File, and click Next.
  6. Select Base-64 encoded X.509 (.CER), and click Next.
  7. Click Browse, select a location, enter a file name, and then click Save.
  8. Click Next, and then Finish.

Configuring the settings in Zoho Vault:

  1. Log in to the Super Admin account of Zoho Vault and click on the Admin tab.
  2. Select AD/LDAP Integration and click SAML Configuration. Fill the following details:

      i) Login URL: https://<ADFS_Server_FQDN>/adfs/ls
     ii) Logout URL: https://<ADFS_Server_FQDN>/adfs/ls/idpinitiatedsignon?SingleSignOut=SingleSignOut
    iii) Certificate: Upload the exported token signing certificate
    iv) Algorithm: RSA

On completion of the above steps, Single Sign-On will be activated for Zoho Vault. Users can now log in to their Zoho Vault using the domain credentials.



Share this post : FacebookTwitter

Still can't find what you're looking for?

Write to us: