This help page is for users in Creator 6. If you are in the older version (Creator 5), click here. Know your Creator current.
Security Assertion Markup Language (SAML) is a framework which helps us to achieve Single Sign-On (SSO) in a secure and easy manner. SSO is a centralized login system which can authenticate the users with just a single set of login credentials.
In Zoho Creator, Portal administrator can simplify password management for their portal users using SAML. If the administrator already stores the login credentials of their portal users in a SAML provider then they can configure the Portal to be authenticated based on these credentials. The administrator can also configure SAML for multiple portals to enable portal users access all the portals using the same credentials.
When a portal user accesses the portal URL, it will be redirected to the configured login URL for authentication. The Identity Provider (IDP) returns back SAML response specific to that portal user after successful validation. The received response will be decoded based on the configured public key. If the response indicates successful authentication, the portal user will be logged into the portal.
The developer must be familiar with the following terminologies before configuring SAML.
- Service Provider(SP) - The system that provides service to the user. In this case, Zoho Creator Portal acts as the Service provider.
- Identity Provider(IDP) - The system that manages the identity information of the customers. Few sample IDPs are OneLogin, ADFS, miniOrange.
- ACS URL (Assertion Consumer Service URL) - The IDP will send the SAML response to this URL. This URL will be provided by the SP(Zoho Creator Portal).
- Entity ID - A unique ID that allows the SP and IDP to identify each other. The Entity ID will be provided by the Service provider. Entity ID is zoho.com for U.S customers , zoho.eu for E.U customers and zoho.com.cn for China customers.
- Name ID Format - The format in which the name ID must be specified. The name ID format that you specify must be configured in the IDP. Zoho Creator Portal supports only email address Name ID format as specified in the metadata file (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress)
- Login URL - The URL to which all the customers of Portal will be re-directed for authentication.
- Logout URL - The URL to which customers are re-directed when are signed-out from Portal under SSO.
- Public key - Key used to decode the response message sent by the Identity provider.
Scenario 1 - Configure SAML for multiple portals: Consider an organization named Zylker whose customers have unique login credentials. Zylker has multiple portals in Zoho creator which has to be accesssed by its customers. To access all the portals the customers has to create multiple login credentials for each portal. But this cumbersome process can be overcome by using SAML authentication. Zylker has to upload the login credentials of all its customers to a third party SAML provider. Zylker can configure SAML in all of its portals and ensure a Single Sign on mechanism for the customers. So when the customers try to access the Zoho Creator portal their login credentials will be authenticated by the third party SAML providers(Like OneLogin, ADFS etc).
Scenario 2 - Configure SAML authentication for already existing portal users: The organisation Zylker has two different portals in Zoho Creator. The portal users of each of the portals have been assigned login credentials specific to that portal. Zylker configures the SAML authentication in order to give the portal users’ a single sign on mechanism. Now when the portal users tries to access the portal they will have to be authenticated by the SAML provider. Their old login credentials will be overridden and only the credentials uploaded in the SAML provider will authenticate the portal users.