Single Sign-On for Cloud Apps
(Available in Enterprise Edition only)
With Zoho Vault, IT administrators can simplify password management for their users with a highly reliable Single Sign-On mechanism. Once configured, users can use their Zoho Vault account to access all their applications. While users enjoy the Single Sign-On experience, administrators can simplify user management, monitor user activities in real time, and significantly strengthen security within the organization.
How it works:
- Administrators configure Single Sign-On for various applications in Zoho Vault by providing the details of all the applications and setting access permissions for users.
- Users log into Zoho Vault and click on any of the applications from the Apps page.
- Users are automatically logged into the application without entering a password, skipping the login screen altogether.
- The entire authentication process takes place automatically in the backend without any interruption to the users.
- In this process, Zoho Vault technically acts as the identity provider (IdP) and the respective applications act as service providers (SPs).
Zoho Vault uses the secure and widely used industry standard, Security Assertion Markup Language (SAML), for this SSO configuration. So, Single Sign-On can be readily integrated with any service provider that supports SAML 2.0. Zoho Vault SAML supports a growing list of popular applications at present. If you use an application that supports SAML 2.0 that we don't already support out of the box, you can add it manually with our custom option.
To configure Single Sign-On for any application, you should complete the three steps as mentioned below:
- Step 1: Add the application and provide its details
- Step 2: Configure SAML
- Step 3: Map users and the application
Note: Only super admins can configure Single Sign-On for their users.
- The application must support SAML 2.0.
- The application (service provider) for which you wish to configure Single Sign-On should have help documentation that covers its SAML-specific information.
Step 1: Add the application and provide its details
- Navigate to Apps -> Manage Apps
- Click Add Supported App or Add Custom App
- Zoho Vault SAML supports a growing list of popular applications at present, which you can activate from the Supported Apps option. If you use an application that supports SAML 2.0 but is not supported by us out of the box, you can add it manually using our Custom App option.
- In the Application Settings tab, you can either upload the SP details using a metadata file or provide the required details manually. These details will generate the XML needed for the application's SAML request.
- Application Name - Provide a name for the application.
- Single Sign-on URL - Provide the Single Sign-On URL of the service provider, i.e., the application's login URL
- Description (Optional) - Add the application's description here, if needed.
- Audience URI (SP Entity ID) - Provide the Entity ID (Issuer) of your application (SP) here. You cannot add more than one application with the same Entity ID.
- Default RelayState (Optional) - Add the URL of the specific page users should land on after the login authentication process.
- NameID Format - Provide the username format required by the application in the SAML response. We only support the email address format at this time and will extend support for more formats in the future.
- Certificate - Provide the application's public key certificate to verify the digital signatures. Browse to select the certificate and upload.
- Logo (Optional) - Add the logo of the application, if needed.
After providing all the details in the Application Settings tab, click the Next button.
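As an added example (not Zoho's own code), the following Python reads an SP metadata file of the kind Step 1 lets you upload and extracts the fields the Application Settings tab asks for, then flags the two things the tab will reject: a duplicate Entity ID and an SP that does not accept the emailAddress NameID format. It assumes the tab's "Single Sign-On URL" corresponds to the SP's AssertionConsumerService location; the metadata itself is constructed sample data.

```python
"""Extract Zoho Vault 'Application Settings' fields from SAML 2.0 SP metadata (example code)."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"  # only format Vault supports

# Constructed sample SP metadata; the certificate value is a placeholder, not a real key.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://app.example.com/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app.example.com/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_sp_metadata(xml_text):
    """Map SP metadata to the Step 1 fields. Metadata is admin-supplied; for untrusted XML use defusedxml."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor element: this is not SP metadata")
    acs = sp.find("md:AssertionConsumerService", NS)  # assumed to be the tab's Single Sign-On URL
    cert = sp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {
        "entity_id": root.get("entityID"),                      # Audience URI (SP Entity ID)
        "sso_url": acs.get("Location") if acs is not None else None,
        "nameid_formats": [e.text.strip() for e in sp.findall("md:NameIDFormat", NS) if e.text],
        "certificate": cert.text.strip() if cert is not None and cert.text else None,
    }


def check_for_vault(details, existing_entity_ids):
    """Return the problems that would block adding this SP in Zoho Vault (empty list = OK)."""
    problems = []
    if not details["entity_id"]:
        problems.append("missing entityID")
    elif details["entity_id"] in existing_entity_ids:
        problems.append("duplicate Entity ID")           # Vault rejects a second app with the same ID
    if not details["sso_url"]:
        problems.append("missing AssertionConsumerService URL")
    if details["nameid_formats"] and EMAIL_FORMAT not in details["nameid_formats"]:
        problems.append("SP does not accept the emailAddress NameID format")
    if not details["certificate"]:
        problems.append("no signing certificate in metadata")
    return problems
```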
Step 2: Configure SAML
To complete the federated Single Sign-On configuration with the application, you need to provide the details of Zoho Vault (IdP) to the application (SP). You can copy the required details for the configuration from here or download it as a metadata file.
- Identity Provider Single Sign-On URL - Zoho Vault's login URL, where all user login requests will be redirected.
- Identity Provider Single Logout URL - Zoho Vault's logout URL, where all user logout requests will be redirected.
- Identity Provider Issuer - Zoho Vault's Issuer.
- Identity Provider Certificate - Zoho Vault's public key certificate.
- Download Metadata - Optional metadata file to be used if you don't want to configure the IdP details manually.
After providing all the details in the IdP Details tab, click the Next button.
Step 3: Map users and the application
To allow users to access the application using Single Sign-On, you first need to map them in Zoho Vault. This process comes in handy during user onboarding and termination. You can do that by following the instructions below:
- Select the users to whom you wish to give SSO-enabled access to the application and click the arrow (->) button.
- Click the Save button.
Once you complete this Single Sign-On configuration process, users will be able to see the list of their assigned applications on the Apps page. They just need to click the application's icon to be logged in without entering a password.
Steps to edit the Single Sign-on Configuration
- Navigate to Apps -> Manage Apps
- From here, you can view the list of applications configured with Single Sign-On along with their name, URI, and description.
- Click the More Actions icon to edit the configuration anytime.
- You can also delete the configuration using the Delete icon.