Accessing Zoho via Microsoft Entra ID using SAML
By configuring SAML-based SSO with Microsoft Entra ID, you can let your users sign in to Zoho using their Entra ID credentials.
Required items from Microsoft Entra ID
You will need the following items from Microsoft Entra ID to configure SAML in Zoho. You can follow the configuration steps to get these.
- Certificate (Base 64)
- Login URL
- Logout URL
A. Create an app in Microsoft Entra ID
- Sign in to Microsoft Entra admin center as an admin.
- Under Entra ID in the left menu, click Enterprise Apps.
- Click New application.

- Click Create your own application.

- Enter a name for your application under What's the name of your app? (If you are prompted to use an existing Zoho app from the gallery when naming your app Zoho, ignore the suggestion and proceed to create your own.)
- Select Integrate any other application you don't find in the gallery, then click Create.
- Your app will be created and you will be redirected to the app's page.

- In a new tab, sign in at accounts.zoho.com.
- Go to Organization from the left menu. If you can't find Organization, click View more.
- Under SAML Authentication, click Download Metadata. A file named zohometadata.xml will be downloaded.
- Open the metadata file using a browser or a text editor. (In Safari, go to Settings > Advanced and enable Show features for web developers to view the metadata.)
- From the metadata file, copy and save the Entity ID and ACS URL.

- Return to the app's page in Microsoft Entra admin center.
- Click Set up single sign-on under the Getting Started section.

- Select SAML.
- Go to Step 1: Basic SAML Configuration, then click Edit.
- Paste the copied Entity ID in the Identifier field.
- Paste the copied ACS URL in the Reply URL field.

- (Optional) In the Relay State field, enter the URL of the app to which users should be redirected after signing in. For example, https://mail.zoho.com.
- Click Save.
- Go to Step 3: SAML Signing Certificate, and download Certificate (Base 64).
- Go to Step 4: Set up {application name}, and copy the Login URL and Logout URL.
- Return to the SAML Authentication page in accounts.zoho.com.
- Configure SAML in your Zoho account using the downloaded certificate and copied URLs from Microsoft Entra ID.
- Paste the Login URL in the Sign-in URL field.
- Paste the Logout URL in the Sign-out URL field.
- Upload the Certificate in the X.509 Certificate field. Make sure the certificate is a Base64-encoded file in one of these formats: .cer, .crt, .cert, or .pem.
- Click Configure.
D. Assign users to the app in Microsoft Entra ID
Your users in Microsoft Entra ID can use this newly configured Zoho app to sign in to Zoho. However, before that, you need to assign your users to this app. You can follow the instructions in the following article to assign your users to the app.
Test the SAML configuration
You can test if the configuration is working properly using the following steps as a user in Microsoft Entra ID.
SP-initiated flow:
- Go to your Zoho sign-in page.

- Enter your email address, then click Next. You will be redirected to Microsoft Entra ID for authentication.
- If you are not signed in already, enter your Microsoft Entra ID credentials to sign in. You will now be redirected back to Zoho and will be signed in.
IdP-initiated flow:
- Go to myapplications.microsoft.com and make sure you have signed in.
- Click on the Zoho app you have configured.

- You will be redirected to Zoho and will be signed in.
Enable single logout (SLO)
Microsoft Entra ID supports both IdP-initiated and SP-initiated single log-out. If you enable single logout, when your users sign out from Zoho, they will be automatically signed out from Microsoft Entra ID, and vice versa.
Steps to enable single log-out:
- Sign in to Microsoft Entra admin center as an admin.
- Go to the configured application's page.
- Click Single sign-on in the left menu.
- Go to Step 4: Set up {app name}, then copy the Logout URL.

- Go to SAML Authentication at accounts.zoho.com, then click Edit.

- Enter the copied URL in the Sign-out URL field.
- Scroll down and enable Single logout.
- Click Submit. You may need to re-enter the X.509 certificate before this.
- Click Download in the top-right corner, then click Metadata.
- Open the downloaded file using a browser or a text editor, then copy the Single Logout URL present under the tag <md:SingleLogoutService>.

- Return to the Microsoft Entra admin center.
- Click Edit next to Step 1: Basic Configuration.
- Enter the copied Single logout URL in the Logout URL field, then click Save.
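
The Entity ID, ACS URL and Single Logout URL that the steps above copy out of the Zoho metadata file by hand can also be extracted and sanity-checked with a script before they are pasted into the Identifier, Reply URL and Logout URL fields. This is an added example, not Zoho's or Microsoft's code; the function name, the sample metadata and its example.test URLs are constructed, and it assumes the file follows the standard SAML 2.0 metadata schema.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample shaped like SAML 2.0 SP metadata. Every value is a
# placeholder; this is not the real content of zohometadata.xml.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="sp.example.test">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.test/slo/123"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/acs/123" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def entra_values_from_metadata(xml_text):
    """Return the Identifier, Reply URL and Logout URL to enter in Entra."""
    # SAML metadata never needs a DTD; refuse it rather than expand entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("unexpected DTD or entity declaration in metadata")
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % MD or sp is None:
        raise ValueError("not SAML service provider metadata")
    # Entra ID delivers the SAML response with the HTTP-POST binding.
    acs = [e for e in sp.findall("md:AssertionConsumerService", NS)
           if e.get("Binding") == HTTP_POST and e.get("Location")]
    if not root.get("entityID") or not acs:
        raise ValueError("entityID or HTTP-POST AssertionConsumerService missing")
    # Prefer the endpoint marked isDefault, then the lowest index.
    acs.sort(key=lambda e: (e.get("isDefault") not in ("true", "1"),
                            int(e.get("index", "0"))))
    slo = sp.find("md:SingleLogoutService", NS)
    values = {"identifier": root.get("entityID"),
              "reply_url": acs[0].get("Location"),
              "logout_url": slo.get("Location") if slo is not None else None}
    # Assertions and logout messages must only travel to HTTPS endpoints.
    for field in ("reply_url", "logout_url"):
        if values[field] is not None and urlsplit(values[field]).scheme != "https":
            raise ValueError(f"{field} is not an https URL: {values[field]!r}")
    return values
```

To check a real download, read the metadata file's text and pass it to the function; `logout_url` is `None` when the metadata contains no `<md:SingleLogoutService>` element.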