SAML Integration with AWS

Accessing Zoho via AWS using SAML

By configuring SAML-based SSO with AWS, you can let your users sign in to Zoho using their AWS credentials.

Required items from AWS

You will need the following items from AWS to configure SAML in Zoho. The configuration steps below show how to obtain them from AWS.
  1. IAM Identity Center Certificate
  2. IAM Identity Center sign-in URL

Steps to configure SAML

A. Add an app in AWS

  1. Sign in to the IAM Identity Center as a root user (account owner).
  2. Under Application assignments in the left menu, click Applications.
  3. Click Add application.
  4. Under Preintegrated applications, search for the application.
  5. Select the required application, then click Next.
  6. Under IAM Identity Center metadata, copy the IAM Identity Center sign-in URL.
  7. In the same section, download the IAM Identity Center Certificate.

B. Configure AWS details in Zoho

  1. In a new tab, sign in at accounts.zoho.com.
  2. Go to Organization from the left menu. If you can't find Organization, click View more.
  3. Under SAML Authentication, click Set up Now.
  4. Paste the copied IAM Identity Center sign-in URL in the Sign-in URL field and upload the IAM Identity Center Certificate in the X.509 Certificate field. Make sure the certificate is in one of these formats: a Base64-encoded .cer, .crt, .cert, or .pem file.
  5. Select the required service in the Zoho Service field.
  6. Click Configure.
  7. Click Download Metadata to download the metadata file.
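Before uploading the IAM Identity Center certificate (step 4) and handing the downloaded metadata file to AWS (step 7), both inputs can be checked locally: the certificate must be a Base64 (PEM) or DER X.509 file, and the service provider metadata should name the entityID and an HTTPS AssertionConsumerService URL. The Python below is an added example, not part of this guide or of Zoho's or AWS's tooling; the sample metadata and certificate bytes are constructed placeholders, not Zoho's real metadata or a real certificate.

```python
import base64
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def normalize_idp_cert(data: bytes) -> str:
    """Return the IdP certificate as one Base64 PEM block, or raise.

    Accepts PEM text (.pem/.crt/.cer/.cert) or raw DER. Every X.509
    certificate is an ASN.1 SEQUENCE, so the decoded bytes must start 0x30.
    """
    m = PEM_RE.search(data.decode("ascii", errors="ignore"))
    if m:
        der = base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True)
    else:
        der = data  # no PEM armor: treat as binary DER, checked below
    if der[:1] != b"\x30":
        raise ValueError("not a PEM- or DER-encoded X.509 certificate")
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def sp_endpoints(metadata_xml: str) -> dict:
    """Extract entityID and AssertionConsumerService URLs from SP metadata,
    flagging any ACS endpoint that is not served over HTTPS."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    acs = [a.get("Location")
           for a in sp.findall(f"{{{MD}}}AssertionConsumerService")]
    insecure = [u for u in acs if not (u or "").startswith("https://")]
    return {"entity_id": root.get("entityID"), "acs": acs, "insecure": insecure}


# Constructed sample inputs (placeholders, not real Zoho metadata or a real cert).
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://sp.example.invalid/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
SAMPLE_CERT = b"-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
```

Run `sp_endpoints(open("metadata.xml").read())` and `normalize_idp_cert(open("idp.cer", "rb").read())` on the real files; a non-empty `insecure` list or a ValueError means the input should be fixed before continuing.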

C. Configure Zoho details in AWS

  1. Return to the app's page in the AWS portal.
  2. Under Application metadata, select Upload application SAML metadata file.
  3. Click Choose file, then upload the metadata file from the file browser.
  4. Click Submit.

Assign users to the app in AWS

Your users in AWS can use this newly configured Zoho app to sign in to Zoho. However, before that, you need to assign your users to this app. You can follow the instructions in the following AWS article to assign your users to the app.
https://docs.aws.amazon.com/singlesignon/latest/userguide/assignuserstoapp.html

Test the SAML configuration

You can ask any of your organization's users (to whom the Zoho application is assigned) to test the SP-initiated and IdP-initiated flows using the following steps:

SP-initiated flow:
  1. Go to your Zoho sign-in page.
  2. Enter your email address, then click Next. You will be redirected to AWS for authentication.
  3. If you are not signed in to AWS already, enter your AWS credentials to sign in. You will then be redirected back to Zoho and signed in.

IdP-initiated flow:
  1. Go to the AWS access portal URL (the URL shown on the Dashboard page of the IAM Identity Center console).
  2. Click the configured Zoho app. You will be redirected to Zoho and signed in.

If you encounter any errors while signing in using SAML, you can refer to our troubleshooting guide.