Configuring SAML-based SSO in CRM portals
This document will provide instructions on how to enable SAML-based SSO for your CRM's portal users.
For an overview of SAML-based SSO, see SAML based Single Sign On (SSO) in CRM portals - Overview.
Prerequisite
Glossary
Prerequisite
- Editions: Enterprise and Ultimate
- Bundles (CRMPlus and Zoho One)
- Trial: No
- Developer: No
- Sandbox: No
- Mobile: No
- Permission: Users with the Manage Portals permission (Under Setup permissions > Admin level permissions) can configure SAML based SSO for their CRM's portal and manage it.
Glossary
- Authentication
- Authentication is the process of confirming a user's identity before providing access to a system. This is used to secure the system against impostors.
- SAML
Security Assertion Markup Language (SAML) is a standard for communication that helps in authentication. It eases the exchange of authentication-related information between systems. - SSO
Single Sign On (SSO) is a method of authentication where a user needs to log in just once to access multiple apps and services. This improves user experience and security. - IdP
Identity provider (IdP) is a system that stores users' identities and authenticates them when they want to access an app or service. It helps improve the security of multiple systems by centralizing authentication and enabling SSO. - SP
Service provider (SP) is an app or service that a user wants to access. - ACS URL
Assertion Consumer Service (ACS) URL is where the IdP sends SAML responses. SAML responses are messages from the IdP to the SP that confirm a user's identity. - Issuer
Issuer is the unique identifier of an IdP or SP. It helps ensure that the SAML requests and responses are being sent to the right place. - Default Relay State
This is the URL where the user lands after login authentication in IdP. - Single Logout (SLO) URL
This is the URL where the IdP sends the logout request. - Login URL
This is the login URL for the IdP. If a user isn't logged in to the IdP, they will be redirected to this page when they try to access an app or service. - Logout URL
This is the logout URL for the IdP. When a user logs out of an app or service managed by the IdP, the log out request is sent here. - Public Key/ Certificate
Public keys are used by SP and IdP to verify the signature and encrypt (or decrypt) SAML messages. - Algorithm
This is the algorithm used to encrypt and decrypt messages sent between the IdP and the SP.
SSO works because of communication between the IdP and SPs. To ensure that this happens smoothly, you've got to add some IdP-related details in the SP and vice versa.
It is helpful to keep the following key details ready:
- Login URL (IdP-related, needs to be obtained from the IdP)
This is the login URL for the IdP. If a user isn't logged in to the IdP, they will be redirected to this page when they try to access an app or service. - Logout URL (IdP-related, needs to be obtained from the IdP)
This is the logout URL for the IdP. When a user logs out of an app or service managed by the IdP, the log out request is sent here. - Public Key/ Certificate (IdP-related, needs to be obtained from the IdP)
Public key used by SP to verify the signature and encrypt (or decrypt) SAML messages from IdP.
Pre-requisite:
Users with the Manage Portals permission (Under Setup permissions > Admin level permissions) can perform the steps mentioned below.
Point to remember: This configuration will be common for all portal user types created in that portal.
To enable SAML-based SSO for CRM portals
- Navigate to Setup > Channels > Portals.
- Click SAML configuration.
- In the popup that appears, do the following:
- Enter the Login URL from IdP
- Enter the Logout URL from IdP
- Enter the Public key/ certificate from IdP
- Copy the following details. You'll need to use them when you add the CRM portal to the IdP:
- Assertion consumer service(ACS) URL: The URL where the IdP sends SAML responses.
- Issuer: The unique identifier of the SP.
- Default Relay State: The URL where the user lands after login authentication in IdP (when login is initiated by IdP)
- Single Logout (SLO) URL: The URL where the IdP sends the logout request
- Click Enable.
You've enabled SAML authentication for your CRM portal.
Next steps
- For the SSO to work, please ensure that:
- The CRM portal has been added as an SP/app to the IdP.
- The IdP-related details have been added correctly to the portal.
- The user has been added to the IdP.
- If any of the above conditions are not met, the user will be shown an error page.
Make sure the IdP is set up correctly, so users can begin using single sign-on in the CRM portal. The following details can be copied from the configuration popup seen in the instructions mentioned before. They can be used when you add the CRM portal as a SP to your IdP:
- ACS URL
Assertion Consumer Service (ACS) URL is where the IdP sends SAML responses. SAML responses are messages from the IdP to the SP that confirm a user's identity. - Issuer
Issuer is the unique identifier of an SP. It helps ensure that the SAML requests and responses are being sent to the right place. - Default Relay State
Default Relay State is the URL where the user lands after the IdP authenticates the user. - Single Logout (SLO) URL
This is the URL where the IdP sends the logout request to the SP.
Instructions for how to do this depend on the chosen IdP. Links to documentation of common IdPs can be found in the section below.
Configuring the Identity Provider
There are multiple IdPs like Zoho Vault, Okta, One Login, Auth0, Google Workspace, Microsoft Entra ID (formerly Azure Active Directory), Keycloak IDP, Zitadel IDP, etc. The ACS URL and Issuer details of the SP will need to be used here.
Please ensure that you've added the CRM portal as SP in the IdP. Instructions for the same can be found in that specific IdP's help documentation. The instructions for some commonly used IdPs can be found in the links below:
Disabling SAML-based SSO
You may want to switch IdPs or let portal users log in with the credentials they'd used while signing up to the portal.
Pre-requisite
Users with the Manage Portals permission (Under Setup permissions > Admin level permissions) can perform the steps mentioned below.
Point to remember
If you disable SAML SSO for your portal, portal users will be able to log in to the CRM portal using the credentials they used when signing up.
To disable SAML-based SSO
- Navigate to Setup > Channels > Portals.
- Click View Details.
- In the popup that appears, click Disable.
Next step: To re-enable SAML authentication, follow the steps in the Enabling SAML-based SSO section.
Access your files securely from anywhere
Zoho CRM Training Programs
Learn how to use the best tools for sales force automation and better customer engagement from Zoho's implementation specialists.
Zoho DataPrep Personalized Demo
If you'd like a personalized walk-through of our data preparation tool, please request a demo and we'll be happy to show you how to get the best out of Zoho DataPrep.
- Zoho Workerly Home
- Forums
- Connect With Us:
- Zoho Recruit Home
- Forums
- Connect With Us:
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho Marketing Plus?
Everything you need to run your marketing
New to Zoho Marketing Plus?
Everything you need to run your marketing
You are currently viewing the help pages of Qntrl’s earlier version. Click here to view our latest version—Qntrl 3.0's help articles.
New to Zoho Survey?
Zoho Sheet Resources
Zoho Forms Resources
New to Zoho Sign?
Zoho Sign Resources
Sign, Paperless!
New to Zoho TeamInbox?
Zoho TeamInbox Resources
New to Zoho ZeptoMail?
Zoho DataPrep Resources
Design. Discuss. Deliver.
New to Zoho Workerly?
New to Zoho Recruit?
New to Zoho CRM?
New to Zoho Projects?
New to Zoho Sprints?
New to Zoho Assist?
New to Bigin?
Related Articles
SAML based Single Sign On (SSO) in CRM portals - Overview
This document will provide a basic overview of SAML based Single Sign On (SSO). For instructions on enabling it for your CRM's portal users, see: Configuring SAML-based SSO in CRM Portal Supported editions Glossary Supported editions Enterprise ...FAQs: Zoho CRM Integration with Zoho Desk
Why should I integrate Zoho CRM with Zoho Desk? Zoho Desk is a cloud-based help desk application that lets you manage and resolve your customer inquiries, complaints, and doubts along with offering self-help articles to help your customers resolve ...Zoho Directory integration with CRM
Integrating CRM with Zoho Directory gives the CRM administrators a stronger hold on the organization's CRM account by enforcing password security, IP restrictions, and other policies. Read more about Zoho Directory here. Benefits of integrating CRM ...Understand your CRM Account
Key CRM Terminologies In any business environment, there are terms such as Leads, Deals, Campaigns, Invoices, etc. Following are the list of such terms and their definitions as used in Zoho CRM. You can refer to more such terms in the Zoho CRM's ...Frequently Asked Questions on CRM for Everyone
Zoho CRM for Everyone is available on the Early Access mode for customers upon request. Request access here. Are Zoho CRM and CRM for Everyone the same CRM or is it a new CRM from Zoho? We are introducing an upcoming upgrade to your existing Zoho ...
New to Zoho LandingPage?
Zoho LandingPage Resources