A. Setup Keycloak as IdP

1. Sign in to the Keycloak admin console as an admin.
   
2. Click Manage realms in the left menu.
   
3. Select the realm where you want to setup Zoho integration If you don't have one, create a new realm.
   

B. Configure Zoho details in Keycloak

1. In a new tab, sign in to accounts.zoho.com.
   
2. Go to the Organization tab from the left menu and select SAML Authentication.
   
3. Click Download Metadata.
   
   
   
   
4. Open the metadata file using a browser or a text editor.
   
   
5. From the metadata file, copy and save the following:
1. Entity ID
   
2. SingleLogoutService URL
   
3. AssertionConsumerService URL(ACS).
6. Return to Keycloak admin console for configuration.
7. Navigate to Clients in the left menu and click Create client.
   
   
8. In the General settings section,
1. Select SAML in the Client type field.
   
2. Enter the entityID in the Client ID field.
3. Fill in the Name and Description.
4. Click Next.
   
   
9. In the Login settings section,
1. Paste the ACS URL in the Valid redirect URIs field.
   
2. Paste the SingleLogoutService URL in the Valid post logout redirect URIs.
   
3. Paste the ACS URL in the Home URL, but replace signin/samlsp to samlauthrequest.
   
4. Click Save.
   
   
10. Scroll down to the SAML capabilities section,and do the following:
1. Select email as the Name ID format.
   
2. Enable Force name ID format.
   
   
   
11. Scroll down to the Signature and Encryption section, and do the following:
1. Enable Sign documents.
   
2. Enable Sign assertions.
3. Select RSA_SHA256 for Signature algorithm.
4. Select NONE for SAML signature key name.
5. Select EXCLUSIVE for Canonicalization method.
   
   
   
12. Enable Force channel logout in the Logout settings section.
13. Click Save.
    
14. Go to the Keys tab and disable Client signature required.
    
    
15. Click Yes to disable the client signature in the confirmation box that shows up.
16. Go to the Advanced tab.
    
17. Under the Fine Grain SAML Endpoint Configuration section, paste the SingleLogoutService URL (from the Zoho metadata file) in the Logout service POST Binding URL.
    
    
18. Click Save.

C. Configure Keycloak details in Zoho

1. In Keycloak, go to Realm settings in the left menu under Configure.
   
2. Scroll down and click SAML 2.0 Identity Provider Metadata next to Endpoints.
   
   
3. Copy and save the following details from the IdPmetadata XML file:
   
1. The X509Certificate details enclosed inside the <ds : X509Certificate> </ds : X509Certificate>
   
2. SingleLogoutServiceURL (optional)
3. SingleSignOnService URL
   
   
4. Click Save.
   
5. Return to the SAML Authentication page in your Zoho account.
   
6. Fill in the following fields:
   
1. Paste the SingleSignOnService in the Sign-in URL field.
   
2. Paste the SingleLogoutService in the Sign-out URL field.
3. Paste the X509Certificate details in the X.509 Certificate field.
7. Click Submit.

Test the SAML configuration

1. Go to your Zoho sign-in page.
   
2. Enter the email address, then click Next.
   
3. Select Sign in using SAML. You will be redirected to Keycloak for authentication.
   
4. Enter your Keycloak credentials and click Sign In. You will be redirected back to Zoho and will be signed in.