When multiple IdPs are added, IdP priority plays an important role in deciding which ones are applicable to which groups of users. Apart from the multiple IdPs that are added, there is a Default IdP that is enforced for every user in your organization. If an employee is excluded from every other IdP, they can still sign in through the Default IdP. However, even the Default IdP can be excluded for certain users. If that's the case, then they will need to sign in using their Zoho One credentials.
Let's look at an example of how IdP priority works.
There are three IdPs added in addition to the Default IdP, namely, Okta, OneLogin, and Azure. Now, assume the IdP priority list is as follows:
- Okta
- OneLogin
- Azure
- Default
There are also three groups, namely, Austin Office, Pleasanton Office, and Dallas Office. The following table indicates which employees fall in which groups.
| | Valerie | Sally | Gideon | Roy |
|---|---|---|---|---|
| Austin Office | x | x | ✓ | ✓ |
| Pleasanton Office | x | ✓ | x | ✓ |
| Dallas Office | ✓ | ✓ | ✓ | ✓ |
While setting up Okta, you enforce it for the Austin Office group, and exclude none.
This means Gideon and Roy, the members of the Austin Office group, will be enforced to sign in through Okta.
Next, while setting up OneLogin, you enforce it for the Austin Office group, and exclude the Dallas Office group.
From the table, it is clear that OneLogin is not enforced for any employee: both members of the Austin Office group (Gideon and Roy) also belong to the excluded Dallas Office group, and an exclusion overrides an enforcement.
The next IdP in the list is Azure. While setting up Azure, you enforce it for the Dallas Office group, and exclude it for the Pleasanton Office group.
Because Sally and Roy belong to the excluded Pleasanton Office group, that leaves Valerie and Gideon.
Between Valerie and Gideon, only Valerie will be enforced to sign in through Azure, as Gideon is already assigned to Okta, which is higher in the priority list.
Finally, the Default IdP is enforced for Sally as she was excluded from all the previous IdPs.
| Employee | IdP |
|---|---|
| Valerie | Azure |
| Sally | Default |
| Gideon | Okta |
| Roy | Okta |
Groups can be excluded from signing in through the Default IdP as well. From our example, if the Dallas Office group is excluded from the Default IdP, then every employee is excluded from it (all four belong to the Dallas Office group) and would be required to sign in using their Zoho One credentials. However, since Valerie, Gideon, and Roy are already assigned to higher-priority IdPs, only Sally will need to sign in using her Zoho One credentials instead of being redirected to an IdP.
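The resolution rules described above (first enforced IdP in priority order wins, an exclusion overrides an enforcement within the same IdP, Default applies to everyone not excluded from it, and a user excluded from everything falls back to Zoho One credentials) as an added example. This is illustrative code written for this page, not Zoho One's implementation; the group membership and IdP list are constructed to mirror the worked example.

```python
from typing import Dict, List, Optional, Set

# Constructed group membership, matching the page's membership table.
GROUPS: Dict[str, Set[str]] = {
    "Austin Office": {"Gideon", "Roy"},
    "Pleasanton Office": {"Sally", "Roy"},
    "Dallas Office": {"Valerie", "Sally", "Gideon", "Roy"},
}

# Priority-ordered IdP list (top entry has the highest priority).
# Each IdP names the groups it is enforced for and the groups it is excluded for.
# The Default IdP is implicit: it is enforced for everyone, last in the list.
IDP_PRIORITY: List[dict] = [
    {"name": "Okta", "enforce": {"Austin Office"}, "exclude": set()},
    {"name": "OneLogin", "enforce": {"Austin Office"}, "exclude": {"Dallas Office"}},
    {"name": "Azure", "enforce": {"Dallas Office"}, "exclude": {"Pleasanton Office"}},
]


def members(groups: Dict[str, Set[str]], names: Set[str]) -> Set[str]:
    """Union of the members of every named group (empty set for no groups)."""
    return set().union(*(groups[g] for g in names))


def resolve_idp(user: str, idps: List[dict], default_exclude: Set[str],
                groups: Dict[str, Set[str]]) -> Optional[str]:
    """Return the IdP the user is redirected to, or None when the user is
    excluded from every IdP including Default (Zoho One credentials)."""
    for idp in idps:
        if user in members(groups, idp["exclude"]):
            continue  # an exclusion overrides an enforcement for this IdP
        if user in members(groups, idp["enforce"]):
            return idp["name"]  # first match in priority order wins
    if user in members(groups, default_exclude):
        return None  # excluded from Default too: Zoho One credentials
    return "Default"


def assign_all(users: List[str], idps: List[dict], default_exclude: Set[str],
               groups: Dict[str, Set[str]]) -> Dict[str, Optional[str]]:
    """Resolve every user against the priority list; useful as a dry run
    before reordering IdPs to see who lands where."""
    return {u: resolve_idp(u, idps, default_exclude, groups) for u in users}


if __name__ == "__main__":
    staff = ["Valerie", "Sally", "Gideon", "Roy"]
    print(assign_all(staff, IDP_PRIORITY, set(), GROUPS))
    print(assign_all(staff, IDP_PRIORITY, {"Dallas Office"}, GROUPS))
```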
To reorder the IdP priority:
- Sign in to Zoho One, then click Directory in the left menu.
- Go to Security, then click Custom Authentication.
- Click and drag to reorder the policies. The top policy has the highest priority.
Using the above steps, you can make any of the added IdPs top priority; employees will be required to sign in through an IdP according to the new list.