Reorder IdP priority
When multiple IdPs are added, IdP priority plays an important role in deciding which ones are applicable to which groups of users. Apart from the multiple IdPs that are added, there is a Default IdP that is enforced for every user in your organization. If an employee is excluded from every other IdP, they can still sign in through the Default IdP. However, even the Default IdP can be excluded for certain users. If that's the case, then they will need to sign in using their Zoho One credentials.
Let's look at an example on how IdP priority works.
There are three IdPs added in addition to the Default IdP, namely, Okta, OneLogin, and Azure. Now, assume the IdP priority list is as follows:
- Okta
- OneLogin
- Azure
- Default
There are also three groups, namely, Austin Office, Pleasanton Office, and Dallas Office. The following table indicates which employees fall in which groups.
Valerie | Sally | Gideon | Roy | |
Austin Office | x | x | ✓ | ✓ |
Pleasanton Office | x | ✓ | x | ✓ |
Dallas Office | ✓ | ✓ | ✓ | ✓ |
While setting up Okta, you enforce it for the Austin Office group, and exclude none.
Valerie | Sally | Gideon | Roy | |
Austin Office | x | x | ✓ | ✓ |
Pleasanton Office | x | ✓ | x | ✓ |
Dallas Office | ✓ | ✓ | ✓ | ✓ |
This means Gideon and Roy will be enforced to sign in through Okta .
Next, while setting up OneLogin, you enforce it for the Austin Office group, and exclude the Dallas Office group.
Valerie | Sally | Gideon | Roy | |
Austin Office | x | x | ✓ | ✓ |
Pleasanton Office | x | ✓ | x | ✓ |
Dallas Office | ✓ | ✓ | ✓ | ✓ |
From the table, it is clear that OneLogin is not enforced for any employee.
The next IdP in the list is Azure. While setting up Azure, you enforce it for the Dallas Office group, and exclude it for the Pleasanton Office group.
Valerie | Sally | Gideon | Roy | |
Austin Office | x | x | ✓ | ✓ |
Pleasanton Office | x | ✓ | x | ✓ |
Dallas Office | ✓ | ✓ | ✓ | ✓ |
Because Sally and Roy are excluded, that leaves Valerie and Gideon.
Between Valerie and Gideon, only Valerie will be enforced to sign in through Azure, as Gideon has already signed in through Okta.
Finally, the Default IdP is enforced for Sally as she was excluded from all the previous IdPs.
Employee | IdP |
Valerie | Azure |
Sally | Default |
Gideon | Okta |
Roy | Okta |
Groups can be excluded from signing in through the Default IdP as well. From our example, if the Dallas Office group is excluded from the Default IdP, then all the employees will be required to sign in using their Zoho One credentials. However, since Valerie, Gideon, and Roy have already signed in through their respective IdPs, only Sally will need to sign in using her Zoho One credentials instead of being redirected to the IdP.
To reorder the IdP priority:
- Sign in to Zoho One, then click Directory in the left menu.
- Go to Security, then click Custom Authentication.
- Click
and drag to reorder the policies. The top policy has the highest priority.
Using the above steps, you can make any of the added IdPs top priority; employees will be required to sign in through an IdP according to the new list.
Zoho CRM Training Programs
Learn how to use the best tools for sales force automation and better customer engagement from Zoho's implementation specialists.
Zoho DataPrep Personalized Demo
If you'd like a personalized walk-through of our data preparation tool, please request a demo and we'll be happy to show you how to get the best out of Zoho DataPrep.
- Zoho Workerly Home
- Forums
- Connect With Us:
- Zoho Recruit Home
- Forums
- Connect With Us:
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho Marketing Plus?
Everything you need to run your marketing
New to Zoho Marketing Plus?
Everything you need to run your marketing
You are currently viewing the help pages of Qntrl’s earlier version. Click here to view our latest version—Qntrl 3.0's help articles.
New to Zoho Survey?
Zoho Sheet Resources
Zoho Forms Resources
New to Zoho Sign?
Zoho Sign Resources
Sign, Paperless!
New to Zoho TeamInbox?
Zoho TeamInbox Resources
New to Zoho ZeptoMail?
Zoho DataPrep Resources
Design. Discuss. Deliver.
New to Zoho Workerly?
New to Zoho Recruit?
New to Zoho CRM?
New to Zoho Projects?
New to Zoho Sprints?
New to Zoho Assist?
New to Bigin?
Related Articles
Add an IdP
Sign in to Zoho One, then click Directory in the left navigation menu. Go to Security, then click the Custom Authentication tab. If you are adding your first IdP, click Add Identity Provider. Otherwise, click Add IdP. Enter the name of your IdP in ...Set up custom authentication for Zoho One
Custom authentication enables both SAML and JWT single sign-on (SSO) from your preferred identity providers (such as Okta or OneLogin) to Zoho One. You can set up custom authentication for a specific user group or all users in the organization. ...Deactivate/Activate an IdP
After you add an IdP, you can either activate or deactivate it. If you activate an IdP, it will be applied to certain users based on the priority. They will then have to sign in with SSO via this IdP. If you deactivate an IdP, then users who were ...Edit IdP details
Sign in to Zoho One, then click Directory in the left navigation menu. Go to Security, then click the Custom Authentication tab. Click the IdP whose details you want to edit. Note: The "Default" IdP can neither be renamed, nor can it be applied to ...Delete an IdP
If an IdP is deleted, users who were using that IdP to sign in will be redirected to sign in via a different IdP based on priority. However, if they are excluded from the other IdPs, they will have to sign in using their Zoho One credentials. The ...
New to Zoho LandingPage?
Zoho LandingPage Resources