Accessing Zoho via Keycloak using SAML | Zoho Accounts

Accessing Zoho via Keycloak using SAML

By configuring SAML-based SSO with Keycloak as the identity provider (IdP), you can allow users to sign in to Zoho (the service provider, SP) with their Keycloak credentials.

A. Setup Keycloak as IdP

  1. Sign in to the Keycloak admin console as an admin.
  2. Click Manage realms in the left menu.
  3. Select the realm where you want to set up the Zoho integration. If you don't have one, create a new realm.

B. Configure Zoho details in Keycloak

  1. In a new tab, sign in to accounts.zoho.com.
  2. Go to the Organization tab from the left menu and select SAML Authentication.
  3. Click Download Metadata.

  4. Open the metadata file using a browser or a text editor.

  5. From the metadata file, copy and save the following:
    1. Entity ID (the entityID attribute of the EntityDescriptor element)
    2. SingleLogoutService URL (the Location attribute of the SingleLogoutService element)
    3. AssertionConsumerService URL (ACS) (the Location attribute of the AssertionConsumerService element)
  6. Return to Keycloak admin console for configuration.
  7. Navigate to Clients in the left menu and click Create client.

  8. In the General settings section,
    1. Select SAML in the Client type field.
    2. Enter the entityID in the Client ID field.
    3. Fill in the Name and Description.
    4. Click Next.

  9. In the Login settings section,
    1. Paste the ACS URL in the Valid redirect URIs field.
    2. Paste the SingleLogoutService URL in the Valid post logout redirect URIs.
    3. Paste the ACS URL in the Home URL field, replacing the path segment signin/samlsp with samlauthrequest.
    4. Click Save.

  10. Scroll down to the SAML capabilities section, and do the following:
    1. Select email as the Name ID format.
    2. Enable Force name ID format.


  11. Scroll down to the Signature and Encryption section, and do the following:
    1. Enable Sign documents.
    2. Enable Sign assertions.
    3. Select RSA_SHA256 for Signature algorithm.
    4. Select NONE for SAML signature key name.
    5. Select EXCLUSIVE for Canonicalization method.


  12. Enable Front channel logout in the Logout settings section.
  13. Click Save.
  14. Go to the Keys tab and disable Client signature required. This tells Keycloak not to require a signature on the AuthnRequest that Zoho sends; it does not affect the signatures Keycloak itself places on the SAML response and assertion (step 11), which Zoho verifies with the certificate you provide in section C.

  15. Click Yes to disable the client signature in the confirmation box that shows up.
  16. Go to the Advanced tab.
  17. Under the Fine Grain SAML Endpoint Configuration section, paste the SingleLogoutService URL (from the Zoho metadata file) in the Logout service POST Binding URL.

  18. Click Save.

C. Configure Keycloak details in Zoho

  1. In Keycloak, go to Realm settings in the left menu under Configure.
  2. Scroll down and click SAML 2.0 Identity Provider Metadata next to Endpoints.

  3. Copy and save the following details from the IdP metadata XML file:
    1. The signing certificate, i.e. the base64 text enclosed in <ds:X509Certificate> </ds:X509Certificate> under the KeyDescriptor element
    2. SingleLogoutService URL (optional)
    3. SingleSignOnService URL

  4. Click Save.
  5. Return to the SAML Authentication page in your Zoho account.
  6. Fill in the following fields:
    1. Paste the SingleSignOnService URL in the Sign-in URL field.
    2. Paste the SingleLogoutService URL in the Sign-out URL field.
    3. Paste the X509Certificate text in the X.509 Certificate field.
  7. Click Submit.
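Sections B and C both come down to pulling a few values out of SAML metadata by hand and retyping them, which is where copy errors (a wrapped certificate line, the wrong binding's URL, a Home URL that still says signin/samlsp) usually creep in. The script below is an added example, not Zoho or Keycloak code: it parses an SP metadata file (step B.5), derives the Home URL of step B.9.3, parses an IdP metadata file (step C.3) including a whitespace-normalised certificate and its SHA-256 fingerprint, and emits a Keycloak client representation that mirrors steps B.7 to B.17. The two metadata documents, the entityID, all URLs and the certificate are constructed stand-ins (the "certificate" is a five-byte DER SEQUENCE, not a real X.509 certificate), and the Keycloak attribute keys are the ones found in SAML client exports as far as I know; treat them as an assumption and compare against an export from your own Keycloak version before importing.

```python
"""Extract the values that steps B.5 and C.3 copy by hand, and build the Keycloak client of steps B.7-B.17.
Added example, not Zoho or Keycloak code. All metadata below is constructed; the certificate is a placeholder."""
import base64
import hashlib
import json
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for the SP metadata downloaded from Zoho (entityID and URLs are placeholders).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://accounts.zoho.com/samlsp/example-entity">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://accounts.zoho.com/signout/samlsp/example"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://accounts.zoho.com/signin/samlsp/example" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed stand-in for Keycloak's IdP metadata. "MAMCAQE=" is a placeholder DER SEQUENCE, not a certificate,
# and it is deliberately wrapped across lines to show the whitespace normalisation.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://keycloak.example/realms/demo">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MAMC
        AQE=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://keycloak.example/realms/demo/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://keycloak.example/realms/demo/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://keycloak.example/realms/demo/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _location(root, tag, binding=POST):
    """Location of the first md:<tag> endpoint that uses the given binding (Zoho posts, so HTTP-POST by default)."""
    for el in root.iterfind(f".//md:{tag}", NS):
        if el.get("Binding") == binding:
            return el.get("Location")
    raise ValueError(f"no {tag} endpoint with binding {binding}")


def parse_sp_metadata(xml_text):
    """Step B.5: Entity ID, ACS URL and SingleLogoutService URL, plus the Home URL derived as in step B.9.3."""
    root = ET.fromstring(xml_text)
    acs = _location(root, "AssertionConsumerService")
    return {"entity_id": root.get("entityID"), "acs_url": acs,
            "slo_url": _location(root, "SingleLogoutService"),
            "home_url": acs.replace("signin/samlsp", "samlauthrequest")}


def parse_idp_metadata(xml_text):
    """Step C.3: SSO URL, SLO URL and the signing certificate with line breaks removed, plus its fingerprint."""
    root = ET.fromstring(xml_text)
    descriptors = root.findall(".//md:KeyDescriptor", NS)
    signing = [d for d in descriptors if d.get("use", "signing") == "signing"]  # no use= means both uses
    if not signing:
        raise ValueError("IdP metadata has no signing KeyDescriptor")
    cert_b64 = "".join(signing[0].find(".//ds:X509Certificate", NS).text.split())
    der = base64.b64decode(cert_b64, validate=True)
    if not der or der[0] != 0x30:  # X.509 DER always starts with a SEQUENCE tag
        raise ValueError("X509Certificate content is not DER")
    return {"sso_url": _location(root, "SingleSignOnService"),
            "slo_url": _location(root, "SingleLogoutService"),
            "certificate": cert_b64,
            "fingerprint_sha256": hashlib.sha256(der).hexdigest()}


def keycloak_client_representation(sp):
    """Client JSON mirroring steps B.7-B.17, e.g. for `kcadm.sh create clients -r <realm> -f client.json`.
    Attribute keys are assumed from Keycloak SAML client exports; verify against an export from your version."""
    return {"clientId": sp["entity_id"], "protocol": "saml", "baseUrl": sp["home_url"],
            "redirectUris": [sp["acs_url"]], "frontchannelLogout": True,
            "attributes": {"post.logout.redirect.uris": sp["slo_url"],
                           "saml_name_id_format": "email", "saml_force_name_id_format": "true",
                           "saml.server.signature": "true", "saml.assertion.signature": "true",
                           "saml.signature.algorithm": "RSA_SHA256",
                           "saml.server.signature.keyinfo.xmlSigKeyInfoKeyNameTransformer": "NONE",
                           "saml_signature_canonicalization_method": "http://www.w3.org/2001/10/xml-exc-c14n#",
                           "saml.client.signature": "false",
                           "saml_single_logout_service_url_post": sp["slo_url"]}}


if __name__ == "__main__":
    sp = parse_sp_metadata(SP_METADATA)
    print(json.dumps(keycloak_client_representation(sp), indent=2))
    print(json.dumps(parse_idp_metadata(IDP_METADATA), indent=2))
```

Run it against the real files by replacing the two constructed strings with the downloaded metadata. The fingerprint is worth keeping: after pasting the certificate into Zoho, compare it against the fingerprint of the certificate Keycloak actually signs with (Realm settings, Keys) so that a key rotation in Keycloak is caught before sign-ins start failing with signature errors.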

Test the SAML configuration

You can verify that the SAML configuration is working correctly by following these steps as a user in Keycloak:

SP-initiated flow:
  1. Go to your Zoho sign-in page.
  2. Enter the email address, then click Next.
  3. Select Sign in using SAML. You will be redirected to Keycloak for authentication.
  4. Enter your Keycloak credentials and click Sign In. You will be redirected back to Zoho and will be signed in.
IdP-initiated flow:
  1. Sign in to Keycloak.
  2. Go to Applications.
  3. Click Proceed on the Review the sign-in URL page. You will be redirected to Zoho and will be signed in.