Accessing Zoho via Okta using SAML

You can configure SAML-based SSO with Okta as your identity provider (IdP) to let your users sign in to Zoho.

Required items from Okta

You will need the following items from Okta to configure SAML in Zoho. You can follow the configuration steps to get these from Okta.
  1. Identity Provider Single Sign-On URL
  2. X.509 Certificate

Steps to configure SAML-based SSO

  1. Sign in at accounts.zoho.com.
  2. Click Organization in the left menu, then click SAML Authentication. If you can't find Organization, click View more.
  3. Click Download Metadata.
  4. Open the downloaded metadata file using your browser or a text editor.
  5. From the metadata file, copy and save the Entity ID and ACS URL.
  6. Sign in to your Okta Admin Console.
  7. Click Applications in the left menu, then click Applications.
  8. Click Create App Integration, select SAML 2.0, then click Next.
  9. Enter a name for the app in the App Name field, then click Next.
  10. Paste the copied ACS URL in the Single sign on URL field and the copied Entity ID in the Audience URI (SP Entity ID) field.
  11. In the Name ID Format field, select EmailAddress.
  12. Scroll down and click Next.
  13. Select I'm an Okta customer adding an internal app, then click Finish.
  14. In the next page, go to the Sign On tab.
  15. Scroll down and click View SAML setup instructions. A new page containing the IdP information will open.
  16. Copy the Identity Provider Single Sign-On URL and download the X.509 Certificate.
  17. Return to the SAML Authentication page at accounts.zoho.com.
  18. Configure SAML in your Zoho account using the downloaded certificate and copied URLs from Okta.
    1. Paste the Identity Provider Single Sign-On URL in the Sign-in URL field.
    2. Upload the certificate in the X.509 Certificate field. Make sure the certificate is a Base64-encoded .cer, .crt, .cert, or .pem file.

Assign users to the app in Okta

Your users in Okta can use this newly configured Zoho app to sign in to Zoho. However, before that, you need to assign your users to this app. You can follow the instructions in the following Okta article to assign your users to the app.

Test the SAML configuration

You can test if the configuration is working properly using the following steps. You will need to test these steps as a user in Okta.

SP-initiated flow:
  1. Go to your Zoho sign-in page.
  2. Enter your email address, then click Next. You will be redirected to Okta for authentication.
  3. If you are not signed in to Okta already, enter your Okta credentials to sign in. You will now be redirected back to Zoho and will be signed in.

IdP-initiated flow:
  1. Sign in to the Okta End-User Dashboard.
  2. Click on the SAML app you have configured for Zoho. You will be redirected to Zoho and will be signed in.

Enable single logout (SLO)

Okta supports only SP-initiated single logout: when your users sign out of Zoho, they are automatically signed out of Okta as well, but not the other way around. To learn more about how Okta SLO works, refer to this article.

Steps to enable single logout:
  1. Go to SAML Authentication at accounts.zoho.com, then click Edit.
  2. Copy the Sign-in URL, replace the "sso" part of the URL with "slo", then enter it in the Sign-out URL field.
    Example:
    1. Sign-in URL:
      https://zylker.okta.com/app/zylker_app_1/exkewk79Kq4696/sso/saml
    2. Sign-out URL:
      https://zylker.okta.com/app/zylker_app_1/exkewk79Kq4696/slo/saml
  3. Scroll down and enable Single logout and Generate key pair.
  4. Click Submit. You may need to re-enter the X.509 certificate before submitting.
  5. Click Download in the top-right corner, then click Metadata.
  6. Open the file "zohometadata.xml" using a browser or text editor. From the metadata file, copy the Single logout URL and the Entity ID.
  7. Click Download in the top-right corner, then click Public Key. A file named "logoutcertificate.pem" will be downloaded.
  8. Go to the Okta admin console, then go to the application you have configured.
  9. Go to the General tab.
  10. Click Edit next to SAML settings.
  11. Click Next to move to Step 2: Configure SAML.
  12. Click Show Advanced Settings below the General fields.
  13. Select the checkbox Allow application to enable Single Logout.
  14. Enter the copied Single logout URL in the Single Logout URL field.
  15. Enter the entity ID in the SP Issuer field.
  16. Click Browse next to Signature Certificate, then browse for and select the previously downloaded "logoutcertificate.pem" file.
  17. Click Upload Certificate.
  18. Click Next, then click Finish.
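As an added example (not Zoho's or Okta's own code) covering steps 3 to 5 of the SSO setup and steps 2 and 6 of the single logout setup above: a small Python script that pulls the Entity ID, ACS URL and Single logout URL out of an SP metadata file, derives the Okta Sign-out URL from the Sign-in URL by swapping only the "/sso/" path segment, and checks that a certificate is Base64-encoded PEM before you upload it. The metadata document, hostnames and IDs in it are constructed placeholders, not real Zoho or Okta values.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by every SAML 2.0 metadata document.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample: same shape as the SP metadata Zoho lets you download,
# but with placeholder URLs and entity ID.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.invalid/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.invalid/saml/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def extract_sp_values(metadata_xml):
    """Return the values the Okta app needs: Entity ID, ACS URL and SLO URL."""
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    acs = sp.find("md:AssertionConsumerService", NS)
    slo = sp.find("md:SingleLogoutService", NS)  # absent until SLO is enabled
    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs.get("Location"),
        "slo_url": slo.get("Location") if slo is not None else None,
    }


def derive_okta_logout_url(sign_in_url):
    """Build the Sign-out URL by replacing the 'sso' path segment with 'slo'."""
    # Match the segment with its slashes so an 'sso' inside the hostname is left alone.
    if not re.search(r"/sso/", sign_in_url):
        raise ValueError("sign-in URL has no /sso/ path segment")
    return re.sub(r"/sso/", "/slo/", sign_in_url, count=1)


def is_base64_pem_certificate(pem_text):
    """Check that the certificate is Base64-encoded PEM, the format Zoho accepts."""
    pattern = re.compile(
        r"-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----"
    )
    return pattern.search(pem_text) is not None
```

A binary DER export fails the PEM check; convert it to Base64 PEM before uploading it in the X.509 Certificate field.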

If you encounter any errors while signing in using SAML, refer to our troubleshooting guide.