Custom Authentication - Okta | Admin Guide - Zoho Directory

Custom authentication with Okta

Custom Authentication with Okta enables SAML-based single sign-on (SSO) from Okta to Zoho Directory. With SSO, you and your employees sign in to Okta and are taken directly into Zoho Directory, without signing in to Zoho Directory separately.

Prerequisites

In Zoho Directory - Roles that can perform this action:
  1. Organization Owner
  2. Organization Admin
  3. Custom admin roles with permissions to view apps, assign apps, and import users
In Okta - Roles that can perform this action:
  1. Standard admin roles

In Okta: Sign in and create the SAML app integration

  1. Sign in to Okta, then click Applications in the left panel.
  2. Click Applications in the drop-down menu, then click Create App Integration.
  3. Select SAML 2.0, then click Next.
  4. Provide a name for the app and click Next.
  5. Fill out the fields as given below:
    1. Single sign-on URL: Enter the ACS URL from Zoho Directory. (Note: You can find your ACS URL in Zoho Directory's Custom Authentication page.)
    2. Audience URI: Enter "zoho.com".
    3. Name ID format: Select the preferred format.
  6. Click Next.
  7. Follow the on-screen instructions and fill out the feedback form. This is an optional step.
  8. Click Finish. The app details page opens once the app is created.
  9. Click More details, copy the Sign-on URL to your clipboard, and download the Signing Certificate.

In Zoho Directory: Add Okta as IdP and complete configuration

  1. Sign in to Zoho Directory.
  2. In the left menu, click Admin panel, then click Security.
  3. Under the Custom Authentication tab, click Add IdP. If Okta is the first IdP you are configuring in your Zoho Directory organization, click Add Identity Provider instead and select Specific Groups under the Used By option.
  4. Enter a Display name for the IdP, and select the user groups that will authenticate using Okta.
  5. Select the IdP Priority from the drop-down. During authentication, Okta will be prioritized just above the selected IdP.
    Example: Suppose the existing order of IdP priority is OneLogin, Azure, Default. If you select Azure from the drop-down menu, then the new order of priority will be OneLogin, Okta, Azure, Default. Okta will be prioritized just above Azure.
    Notes:
      1. If Okta is the first IdP you're adding, this option is not applicable.
      2. If you have added only the default IdP, then the IdP priority will automatically be Default and cannot be changed.
  6. Under Configuration, choose SAML as the SSO Protocol.
  7. Under Sign-in URL, enter the Sign-on URL copied from Okta.
  8. Under Verification Certificate, upload the Signing Certificate downloaded from Okta.
  9. Click Save.
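Once both sides are configured, a failed test sign-in usually comes down to a mismatch between what Okta sends and what Zoho Directory expects: the response Destination not equal to the ACS URL, an Audience other than zoho.com, or an assertion whose validity window has already passed. The Python script below is an added example, not Zoho's or Okta's code. It decodes a SAMLResponse form value (here a constructed sample standing in for one captured from the browser's network tools during a test login) and reports such mismatches. The ACS URL in it is a placeholder; take yours from Zoho Directory's Custom Authentication page. It checks only that a signature is present; verifying the signature against the uploaded Verification Certificate is what Zoho Directory itself does and is outside this script.

```python
"""Field-level sanity check of a SAML Response that Okta posts to Zoho Directory's ACS URL.

Added example, not Zoho's or Okta's code. Standard library only. The ACS URL is a
placeholder and the SAML Response is a constructed sample.
"""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Placeholder: use the ACS URL shown on Zoho Directory's Custom Authentication page.
EXPECTED_ACS_URL = "https://ACS-URL-FROM-ZOHO-DIRECTORY.example/samlresponse"
# The Audience URI entered in the Okta app, as given in the guide.
EXPECTED_AUDIENCE = "zoho.com"

# Constructed sample; a real response carries a full XML signature and longer IDs.
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="{EXPECTED_ACS_URL}">
  <saml:Issuer>http://www.okta.com/EXAMPLE-APP-ID</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>http://www.okta.com/EXAMPLE-APP-ID</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}"><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def sample_response_b64() -> str:
    """Encode the sample the way a browser posts it in the SAMLResponse form field."""
    return base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def _parse_time(value):
    """SAML timestamps are UTC ISO-8601 with a trailing Z."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_saml_response(saml_response_b64, expected_acs_url, expected_audience, now=None):
    """Return a list of problems found in the decoded response; an empty list means all checks passed.

    `now` may be a datetime, an ISO-8601 string, or None (current time). The XML signature is
    only checked for presence; Zoho Directory verifies it with the uploaded certificate.
    """
    if isinstance(now, str):
        now = _parse_time(now)
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    problems = []

    # Destination must be exactly the ACS URL that was entered as the Single sign-on URL in Okta.
    if root.get("Destination") != expected_acs_url:
        problems.append(f"Destination {root.get('Destination')!r} does not match ACS URL {expected_acs_url!r}")

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext Assertion (encrypted assertions are not handled here)")
        return problems

    if assertion.find("ds:Signature", NS) is None and root.find("ds:Signature", NS) is None:
        problems.append("neither Response nor Assertion carries a Signature")

    # Audience must contain the Audience URI configured in Okta ("zoho.com").
    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append(f"Audience {audiences} does not include {expected_audience!r}")

    # Validity window: NotBefore is inclusive, NotOnOrAfter is exclusive.
    conditions = assertion.find("saml:Conditions", NS)
    not_before = _parse_time(conditions.get("NotBefore")) if conditions is not None else None
    not_on_or_after = _parse_time(conditions.get("NotOnOrAfter")) if conditions is not None else None
    if not_before is not None and now < not_before:
        problems.append("assertion not yet valid (NotBefore in the future; check clock skew)")
    if not_on_or_after is not None and now >= not_on_or_after:
        problems.append("assertion expired (NotOnOrAfter has passed)")

    if assertion.find("saml:Subject/saml:NameID", NS) is None:
        problems.append("Subject has no NameID (check the Name ID format chosen in Okta)")

    return problems


if __name__ == "__main__":
    found = check_saml_response(sample_response_b64(), EXPECTED_ACS_URL, EXPECTED_AUDIENCE,
                                now="2024-01-01T12:00:00Z")
    for line in found or ["all checks passed"]:
        print(line)
```

To use it on a real login, copy the base64 SAMLResponse value from the POST to the ACS URL in your browser's network tools and pass it to check_saml_response together with your ACS URL; a Destination or Audience mismatch points at the Okta app settings, an expiry problem at clock skew between the two sides.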