Integration With Microsoft Active Directory (AD) | Zoho Vault

Integration with Microsoft Active Directory

You can integrate Zoho Vault with your corporate identity stores, such as Active Directory (AD) or Lightweight Directory Access Protocol (LDAP), to manage and authenticate users. Acting as the service provider, Zoho Vault integrates with AD and LDAP, and leverages SAML 2.0 to simplify user management and enhance security. 


The Active Directory integration involves four steps: 
  1. Domain Configuration
  2. Importing Users from AD/LDAP
  3. Configuration details
  4. SAML configuration
Note: Only super admins in Zoho Vault can enable Active Directory integration for their organizations. When you import users from Active Directory to Zoho Vault, an invitation email will NOT be sent to those users, as long as your domain is verified.

Domain Verification

This step is essential to confirm your ownership of the domain. To add and verify your domain:

  1. Log in to your Zoho Vault account, then click Settings.
  2. Select AD/LDAP Integration, then click Add Domain.
  3. Enter your domain name, then click Add.
  4. Verify your domain in one of two ways:
  • CNAME Method - Create a DNS entry where your domain’s DNS is hosted (e.g. Godaddy, Eurodns, Bluehost).
  • HTML file method - Add the file provided by Zoho Vault in a specific location on your website, then click Verify in the screen below.


Note: Your domain name is not necessarily your AD domain. It's the second part of your email address. For example, if your business email is john@zillium.com, the domain you will have to verify will be zillium.com.


Importing Users from AD/LDAP

To import users from AD/LDAP to Zoho Vault, you will require the provisioning tool. This tool will establish a secure connection between Zoho Vault and the Active Directory. You can fetch the user list from AD groups or organizational units and import required users into Zoho Vault. To get started:
 

  1. Download the provisioning tool from the Import Users section under AD/LDAP integration in Zoho Vault.
  2. Run the app as an administrator.
  3. Enter the now-verified domain name.
  4. Select the data center specified when signing up for Zoho Vault, then click Start.
  5. Open the URL mentioned in the provisioning tool in a new tab.
  6. Click Accept.
  7. Click Next in the provisioning tool.
  8. Select Enable proxy settings to update proxy settings. This is useful if your organization connects to the internet through a proxy.
  9. Click Next to continue.




LDAP Connection:

  1. Specify the server hostname in an LDAP URL format.
  2. If you're using LDAP Secure in your environment, use LDAPS in the LDAP URL, port number 636, and set the option Use SSL to True to establish a connection with the server.
  3. Log in to your Active Directory and access your Server Manager console.
  4. Select Tools, then click Active Directory Users and Computers.
  5. Select View and click Advanced Features to access the Attribute Editor.
  6. Right-click Users, then select Properties.
  7. Select the Attribute Editor tab, then double-click the distinguishedName attribute. Copy and paste the distinguishedName into the BaseDN field in the provisioning tool.
  8. Set Scope to search for users either from just one level in the hierarchy or through the complete Active Directory hierarchy, to fetch the relevant list of users.
  9. From the Active Directory Users and Computers screen, right-click the user account, then select Properties. Select Attribute Editor, then double-click distinguishedName. Paste that distinguished name into the Domain username field.
     Note: Any account in the AD with read permissions in the domain can be used here.
  10. Enter the account password, then click Next.
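The settings collected in the LDAP Connection steps above (LDAP URL, Use SSL, BaseDN, Scope, and the bind account's distinguished name) can be sanity-checked before a service-account password is typed into the provisioning tool. The script below is an added example and is not Zoho's provisioning tool; the hostname and distinguished names in it are constructed placeholders, and the live bind-and-search part runs only when the hypothetical -Connect switch is given.

```powershell
# Added example, not Zoho's provisioning tool: pre-checks the LDAP settings the
# tool asks for (LDAP URL, Use SSL, BaseDN, Scope, domain username as a DN).
# The URL and DNs below are constructed placeholders; replace them with your own.
param(
    [string]$LdapUrl = 'ldaps://dc01.zillium.local:636',                # constructed
    [string]$BaseDn  = 'CN=Users,DC=zillium,DC=local',                  # constructed
    [string]$BindDn  = 'CN=svc-zohovault,CN=Users,DC=zillium,DC=local', # constructed
    [ValidateSet('OneLevel', 'Subtree')][string]$Scope = 'Subtree',     # the tool's Scope setting
    [switch]$Connect                                                     # bind and search only when asked
)

function Get-LdapEndpoint {
    # Turns the LDAP URL into the host/port/SSL triple the tool expects and
    # flags the combinations that quietly weaken the connection.
    param([string]$Url)
    $uri = [System.Uri]$Url
    if ($uri.Scheme -notin 'ldap', 'ldaps') { throw "Not an LDAP URL: $Url" }
    $useSsl = ($uri.Scheme -eq 'ldaps')
    $port = if ($uri.Port -gt 0) { $uri.Port } elseif ($useSsl) { 636 } else { 389 }
    $warnings = @()
    if (-not $useSsl) { $warnings += 'ldap:// sends the simple-bind password in clear text; use ldaps:// on 636 with Use SSL = True.' }
    if ($useSsl -and $port -ne 636) { $warnings += "ldaps:// normally uses port 636; the URL says $port." }
    [pscustomobject]@{ Host = $uri.Host; Port = $port; UseSsl = $useSsl; Warnings = $warnings }
}

function Test-DistinguishedName {
    # Shape check for the BaseDN and bind DN copied from Attribute Editor (RFC 4514 form).
    param([string]$Dn)
    return ($Dn -match '^\s*[A-Za-z][A-Za-z0-9-]*=[^,]+(\s*,\s*[A-Za-z][A-Za-z0-9-]*=[^,]+)*\s*$')
}

function Test-LdapUserSearch {
    # Live check (only with -Connect): simple bind as the read-only account, then
    # the kind of search the tool will run, capped at a handful of entries.
    param($Endpoint, [string]$BaseDn, [string]$BindDn, [string]$Scope)
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $cred = Get-Credential -UserName $BindDn -Message 'Password of the read-only AD account'
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Endpoint.Host, $Endpoint.Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = $Endpoint.UseSsl   # TLS from the first byte on 636
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Bind($cred.GetNetworkCredential())                     # throws if DN, password or TLS are wrong
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $BaseDn, '(&(objectClass=user)(mail=*))',
        [System.DirectoryServices.Protocols.SearchScope]$Scope, @('sAMAccountName', 'mail'))
    $req.SizeLimit = 5
    try { $resp = $conn.SendRequest($req) }
    catch [System.DirectoryServices.Protocols.DirectoryOperationException] { $resp = $_.Exception.Response }  # sizeLimitExceeded still carries the partial result
    foreach ($e in $resp.Entries) { '{0} <{1}>' -f $e.Attributes['sAMAccountName'][0], $e.Attributes['mail'][0] }
}

$endpoint = Get-LdapEndpoint $LdapUrl
foreach ($dn in $BaseDn, $BindDn) { if (-not (Test-DistinguishedName $dn)) { throw "Not a well-formed DN: $dn" } }
$endpoint.Warnings | ForEach-Object { Write-Warning $_ }
'Host={0} Port={1} UseSSL={2} Scope={3}' -f $endpoint.Host, $endpoint.Port, $endpoint.UseSsl, $Scope
if ($Connect) { Test-LdapUserSearch $endpoint $BaseDn $BindDn $Scope }
```

Run it once without -Connect to see the parsed host, port and SSL flag plus any warnings, then with -Connect to confirm that the bind DN and password work over LDAPS and that the BaseDN and Scope actually return users with a mail attribute; if the live search returns nothing, the BaseDN or Scope is wrong rather than the credentials.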


Provision

  1. To import users from your Active Directory to Zoho Vault, select Import Users. Otherwise, select Sync Users to allow the provisioning tool to communicate with your AD and reflect the changes made in your AD to Zoho Vault.
     Note: A list of newly added users and the ones removed from the AD will be displayed. You can either swiftly import new users to Vault, or even disable or delete existing users from Vault.
  2. Double-click on the pre-configured LDAP query to update it, if necessary.
  3. Set up a default password, then click Next.



Note:  
  • The default password acts as a backup password during emergencies. If you experience authentication issues with the AD or if the domain controller is down, the super admin of Zoho Vault can temporarily disable AD authentication and allow users to access Zoho Vault using this password. This password is valid only when the AD authentication has been disabled. 
  • For more information on LDAP queries, please refer to this document. 

Attributes

  1. Configure the required attributes to only fetch specific users from the user list in the selected AD group or your organizational unit.
  2. Click Next.
  3. Select the required users from this list, then click Finish to import them to Zoho Vault.




SAML Configuration
 

Executing the PowerShell script

  1. Download the PowerShell script and save it under the C:\ drive in your AD FS installation system. Click here to find the steps to configure manually, without using the PowerShell script.
  2. Run your command prompt as an administrator and execute the following commands:
       powershell
       Set-ExecutionPolicy RemoteSigned
       C:\adfsscript.ps1 your-verified-domain-name (e.g. C:\adfsscript.ps1 zvaultdemo.com)

Note: Any errors encountered while running the script will be printed in red in the console. If you're unable to set the execution policy to RemoteSigned because of domain policy, you might need to set the same policy in your Domain Controller.

  3. Copy the displayed output information to Zoho Vault's SAML configuration page, then click Save and Enable.


  • Login URL:  Enter your identity provider's login page URL here. All user login requests will be redirected only to this specified URL.
  • Logout URL:  Enter your identity provider's logout page URL here. All user logout requests will be redirected only to this specified URL.
  • Certificate:  Enter the public key certificate of the identity provider here.
  • Algorithm:  Select the algorithm to be used by Zoho Vault for decrypting SAML responses sent by the identity provider here.



Note: You can use either a CA-signed or a self-signed certificate. If you are using a self-signed certificate, you will see a certificate error in the browser during the login process. This can be ignored.


Manual configuration of the AD/LDAP integration


Creating Relying Party Trust in the ADFS server:

To create Relying Party Trust in the ADFS server:

  1. Click Tools from the Server Manager, then select ADFS Management.
  2. Under Actions, click Add Relying Party Trust.
  3. Select Claims aware, then click Start from the Welcome page.
  4. Select Enter data about the relying party manually from the Select Data Source page, then click Next.
  5. Set Zoho Vault as the Display name, then click Next.
  6. Click Next in the Configure Certificate page.
  7. Select the Enable support for the SAML 2.0 WebSSO protocol check box in the Configure URL page. Under Relying party SAML 2.0 SSO service URL, enter https://accounts.zoho.com/samlresponse/<your_verified_domain>. Replace <your_verified_domain>  with your corresponding verified domain. For example, if your domain is zylker.com, rewrite your URL as https://accounts.zoho.com/samlresponse/zylker.com.
  8. In the Configure Identifiers page, specify zoho.com, click Add, then click Next.
  9. Set Choose Access Control Policy to Permit Everyone, then click Next.
  10. Click Next on the Ready to Add Trust page to save your relying party trust information.
  11. Deselect Configure claims issuance policy for this application.
  12. Right-click on the newly created relying party trust, go to Properties, select Advanced, then Secure hash algorithm, select SHA-1, then click OK.


Configuring ADFS relying party claim rules

  1. Right-click Zoho Vault Relying Party Trust, then click Edit Claim Issuance Policy.
  2. Click Add Rule under Issuance Transform Rules.
  3. In the Select Rule Template page, select Send Claims Using a Custom Rule from the list under the Claim rule template, then click Next.
  4. Set Windows Account Name as the display name under Claim rule name in the Configure Rule page. Under Custom rule, paste the following claim rule language syntax:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]  => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

  5. Click Finish, then click Add Rule.
  6. Select Send Claims Using a Custom Rule from the list under Claim rule template, then click Next.
  7. Set Email as the display name under Claim rule name. Under Custom rule, paste the following claim rule language syntax:

    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");

  8. Click Finish, then click OK.


Creating a SAML logout endpoint:
  1. To add a new endpoint, click Add SAML... from the Endpoints tab.
  2. Set the Endpoint type as SAML Logout and Binding as POST.
  3. Create a URL in the following format for the Trusted URL - https://<ADFS_Server_FQDN>/adfs/ls/?wa=wsignout1.0 
  4. Click OK twice to finish the setup.


You should now have a working relying party trust for Zoho Vault.


Exporting the ADFS signing certificate:

  1. Click Tools, then select ADFS Management from the Server Manager.
  2. Navigate to Service, then select Certificates.
  3. Click the Token-signing certificate.
  4. Click View Certificate from the Actions section.
  5. Click the Details tab, select Copy to File, then click Next.
  6. Select Base-64 encoded X.509 (.CER), then click Next.
  7. Click Browse, select a location, enter a file name, then click Save.
  8. Click Next, then Finish.
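The manual steps above (creating the relying party trust, the two claim rules, the SAML logout endpoint, and exporting the token-signing certificate) can also be carried out with the AD FS PowerShell module. The script below is an added example and is not Zoho's adfsscript.ps1; it assumes an AD FS 2016 or later farm (where the built-in "Permit everyone" access control policy exists), takes the verified domain as a parameter, reads the farm's public hostname from Get-AdfsProperties, and writes the certificate to an assumed path under C:\.

```powershell
# Added example, not Zoho's adfsscript.ps1: the manual relying-party steps on this
# page expressed as AD FS cmdlets. Run from an elevated PowerShell on the AD FS server.
param(
    [Parameter(Mandatory)][string]$VerifiedDomain,             # e.g. zylker.com (the domain verified in Zoho Vault)
    [string]$AdfsFqdn = (Get-AdfsProperties).HostName,         # public FQDN of this AD FS farm
    [string]$CertOut  = 'C:\zoho-vault-token-signing.cer'      # assumed output path for the Base-64 certificate
)
Import-Module ADFS

$rpName = 'Zoho Vault'
$acsUrl = "https://accounts.zoho.com/samlresponse/$VerifiedDomain"   # the Relying party SAML 2.0 SSO service URL

# The two claim rules from the page: look up mail by Windows account name,
# then emit that address as the NameID in e-mail format.
$rules = @'
@RuleName = "Windows Account Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleName = "Email"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Assertion consumer endpoint (step 7) and the SAML logout endpoint (Creating a SAML logout endpoint).
$endpoints = @(
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0 -IsDefault $true
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout -Uri "https://$AdfsFqdn/adfs/ls/?wa=wsignout1.0"
)

if (Get-AdfsRelyingPartyTrust -Name $rpName) { throw "Relying party trust '$rpName' already exists; remove it first or pick another name." }

Add-AdfsRelyingPartyTrust -Name $rpName `
    -Identifier 'zoho.com' `
    -SamlEndpoint $endpoints `
    -IssuanceTransformRules $rules `
    -AccessControlPolicyName 'Permit everyone' `
    -SignatureAlgorithm 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'   # SHA-1, as step 12 of the manual procedure specifies

# Export the primary token-signing certificate as Base-64 encoded X.509 (.CER).
$cert = (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary).Certificate
$b64  = [Convert]::ToBase64String($cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert), 'InsertLineBreaks')
Set-Content -Path $CertOut -Value ("-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----") -Encoding ascii

# The values to enter under Settings > AD/LDAP Integration > SAML Configuration in Zoho Vault.
[pscustomobject]@{
    LoginURL    = "https://$AdfsFqdn/adfs/ls"
    LogoutURL   = "https://$AdfsFqdn/adfs/ls/idpinitiatedsignon?SingleSignOut=SingleSignOut"
    Certificate = $CertOut
    Algorithm   = 'RSA'
}
```

The script refuses to run if a trust named Zoho Vault already exists, so re-running it after a partial failure requires removing the earlier trust first (Remove-AdfsRelyingPartyTrust -TargetName 'Zoho Vault'). The certificate it exports is the primary token-signing certificate; when AD FS rolls that certificate over, the new one must be uploaded to Zoho Vault again or logins will fail signature verification.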


Configuring the settings in Zoho Vault:

  1. Log in to Zoho Vault, then click on the Settings tab.
  2. Select AD/LDAP Integration from the Integrations section, then click SAML Configuration. Fill the following details:
  • Login URL: https://<ADFS_Server_FQDN>/adfs/ls
  • Logout URL: https://<ADFS_Server_FQDN>/adfs/ls/idpinitiatedsignon?SingleSignOut=SingleSignOut
  • Certificate: Upload the exported token signing certificate
  • Algorithm: RSA


Single Sign-On will now be activated for Zoho Vault. Users can access Zoho Vault using their domain credentials.

