The Active Directory integration involves four steps:
- Domain Configuration
- Importing Users from AD/LDAP
- Configuration details
- SAML configuration
Note: Only super admins in Zoho Vault can enable Active Directory integration for their organizations. When you import users from Active Directory to Zoho Vault, an invitation email will NOT be sent to those users, as long as your domain is verified.
Domain Verification
This step is essential to confirm your ownership of the domain. To add and verify your domain:
- Log in to your Zoho Vault account, then click Settings.
- Select AD/LDAP Integration, then click Add Domain.
- Enter your domain name, then click Add.
- Verify your domain in one of two ways:
- CNAME Method - Create a DNS entry where your domain’s DNS is hosted (e.g. Godaddy, Eurodns, Bluehost).
- HTML file method - Add the file provided by Zoho Vault in a specific location on your website, then click Verify in the screen below.
Note: Your domain name is not necessarily your AD domain. It's the second part of your email address. For example, if your business email is john@zillium.com, the domain you will have to verify will be zillium.com.
Importing Users from AD/LDAP
To import users from AD/LDAP to Zoho Vault, you will require the provisioning tool. This tool will establish a secure connection between Zoho Vault and the Active Directory. You can fetch the user list from AD groups or organizational units and import required users into Zoho Vault. To get started:
- Download the provisioning tool from the Import Users section under AD/LDAP integration in Zoho Vault.
- Run the app as an administrator.
- Enter the now-verified domain name.
- Select the data center specified when signing up for Zoho Vault, then click Start.
- Open the URL mentioned in the provisioning tool in a new tab.
- Click Accept.
- Click Next in the provisioning tool.
- Select Enable proxy settings to update proxy settings. This is useful if your organization connects to the internet through a proxy.
- Click Next to continue.
LDAP Connection:
- Specify the server hostname in an LDAP URL format.
- If you're using LDAP Secure in your environment, use LDAPS in the LDAP URL, port number 636, and set the option Use SSL as True to establish a connection with the server.
- Log in to your Active Directory and access your Server Manager console.
- Select Tools, then click Active Directory Users and Computers.
- Select View and click Advanced features to access the Attribute Editor.
- Right-click Users, then select Properties.
- Select the Attribute Editor tab, then double-click the distinguishedName attribute. Copy and paste the distinguishedName under the BaseDN field in the provisioning tool.
- Set Scope to either search for users from just one level in the hierarchy or through the complete hierarchy in the Active Directory to fetch the relevant list of users.
- From the Active Directory and Users screen, right-click the user account, then select Properties. Select Attribute Editor, then double-click distinguishedName. Update the corresponding distinguished name in the Domain username field.
Note: Any account in the AD with read permissions in the domain can be used here.
- Enter the account password and click Next.
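A small check of the LDAP Connection settings described above, added here as an example and not part of Zoho's provisioning tool: it flags a plain ldap:// URL (which would send the bind account's password unencrypted), checks the LDAPS port and Use SSL pairing, and applies the Scope setting to a constructed list of user DNs under a sample BaseDN.

```python
from urllib.parse import urlsplit

# Constructed sample values standing in for what the provisioning tool reads
# from the directory; the domain and DNs are not from the page.
BASE_DN = "CN=Users,DC=zillium,DC=com"
SAMPLE_USER_DNS = [
    "CN=John,CN=Users,DC=zillium,DC=com",           # direct child of BaseDN
    "CN=Jane,OU=Sales,CN=Users,DC=zillium,DC=com",  # deeper in the subtree
    "CN=svc-vault,OU=Service,DC=zillium,DC=com",    # outside BaseDN entirely
]


def check_ldap_connection(url: str, use_ssl: bool) -> list:
    """Return a list of problems with an LDAP URL plus the Use SSL option.

    Mirrors the page's rule: LDAP Secure means an ldaps:// URL, port 636
    and Use SSL = True. An empty list means the settings are consistent."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        return [f"not an LDAP URL: {url!r}"]
    problems = []
    if not parts.hostname:
        problems.append("missing server hostname")
    port = parts.port or (636 if scheme == "ldaps" else 389)
    if scheme == "ldap":
        problems.append("ldap:// sends the bind credentials in clear; use ldaps://")
        if use_ssl:
            problems.append("Use SSL is True but the URL scheme is ldap://")
    else:
        if port != 636:
            problems.append(f"ldaps:// expected on port 636, got {port}")
        if not use_ssl:
            problems.append("Use SSL must be True for an ldaps:// URL")
    return problems


def in_scope(dn: str, base_dn: str, scope: str) -> bool:
    """Apply the tool's Scope setting to one entry DN.

    scope 'one' keeps only direct children of BaseDN; 'sub' keeps the whole
    subtree. DNs are split on ',' (escaped commas in RDNs are not handled)."""
    norm = lambda s: [p.strip().lower() for p in s.split(",")]
    dn_parts, base_parts = norm(dn), norm(base_dn)
    if len(dn_parts) <= len(base_parts) or dn_parts[-len(base_parts):] != base_parts:
        return False
    depth = len(dn_parts) - len(base_parts)
    return depth == 1 if scope == "one" else True


def users_in_scope(dns: list, base_dn: str, scope: str) -> list:
    return [d for d in dns if in_scope(d, base_dn, scope)]
```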
Provision
- To import users from your Active Directory to Zoho Vault, select Import Users. Otherwise, select Sync Users to allow the provisioning tool to communicate with your AD and reflect the changes made in your AD to Zoho Vault.
Note: A list of newly added users and the ones removed from the AD will be displayed. You can either swiftly import new users to Vault, or even disable or delete existing users from Vault.
- Double-click on the pre-configured LDAP query to update it, if necessary.
- Set up a default password, then click Next.
Note:
- The default password acts as a backup password during emergencies. If you experience authentication issues with the AD or if the domain controller is down, the super admin of Zoho Vault can temporarily disable AD authentication and allow users to access Zoho Vault using this password. This password is valid only when the AD authentication has been disabled.
- For more information on LDAP queries, please refer to this document.
Attributes
- Configure the required attributes to only fetch specific users from the user list in the selected AD group or your organizational unit.
- Click Next.
- Select the required users from this list, then click Finish to import them to Zoho Vault.
SAML Configuration
Executing the PowerShell script
- Download the PowerShell script and save it under the C:\ drive in your AD FS installation system. Click here to find the steps to configure manually, without using the PowerShell script.
- Run your command prompt as an administrator and execute the following commands:
- powershell
- Set-ExecutionPolicy RemoteSigned
- C:\adfsscript.ps1 your-verified-domain-name (e.g. C:\adfsscript.ps1 zvaultdemo.com)
Note: Any errors encountered while running the script will be printed in red in the console. If you're unable to set the execution policy to RemoteSigned because of domain policy, you might need to set the same policy in your Domain Controller.
- Copy the displayed output information to Zoho Vault's SAML configuration page and click Save and Enable.
- Login URL: Enter your identity provider's login page URL here. All user login requests will be redirected only to this specified URL.
- Logout URL: Enter your identity provider's logout page URL here. All user logout requests will be redirected only to this specified URL.
- Certificate: Enter the public key certificate of the identity provider here.
- Algorithm: Select the algorithm to be used by Zoho Vault for decrypting SAML responses sent by the identity provider here.
Note: You can use either a CA-signed or a self-signed certificate. If you are using a self-signed certificate, you will see a certificate error in the browser during the login process. This can be ignored.
Manual configuration of the AD/LDAP integration
Creating Relying Party Trust in the ADFS server:
To create Relying Party Trust in the ADFS server:
- Click Tools from the Server Manager, then select ADFS Management.
- Under Actions, click Add Relying Party Trust.
- Select Claims aware, then click Start from the Welcome page.
- Select Enter data about the relying party manually from the Select Data Source page, then click Next.
- Set Zoho Vault as the Display name, then click Next.
- Click Next in the Configure Certificate page.
- Select the Enable support for the SAML 2.0 WebSSO protocol check box in the Configure URL page. Under Relying party SAML 2.0 SSO service URL, enter https://accounts.zoho.com/samlresponse/<your_verified_domain>. Replace <your_verified_domain> with your corresponding verified domain. For example, if your domain is zylker.com, rewrite your URL as https://accounts.zoho.com/samlresponse/zylker.com.
- In the Configure Identifiers page, specify zoho.com, click Add, then click Next.
- Set Choose Access Control Policy to Permit Everyone, then click Next.
- Click Next on the Ready to Add Trust page to save your relying party trust information.
- Deselect Configure claims issuance policy for this application.
- Right-click on the newly created relying party trust, go to Properties, select Advanced, then Secure hash algorithm, select SHA-1, then click OK.
Configuring ADFS relying party claim rules
- Right-click Zoho Vault Relying Party Trust, then click Edit Claim Issuance Policy.
- Click Add Rule under Issuance Transform Rules.
- In the Select Rule Template page, select Send Claims Using a Custom Rule from the list under the Claim rule template, then click Next.
- Set Windows Account Name as the display name under Claim rule name in the Configure Rule page. Under Custom rule, paste the following claim rule language syntax:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
- Click Finish, then click Add Rule.
- Select Send Claims Using a Custom Rule from the list under Claim rule template, then click Next.
- Set Email as the display name under Claim rule name. Under Custom rule, paste the following claim rule language syntax:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
- Click Finish, then click OK.
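The two custom claim rules above, simulated in Python as an added example (not AD FS code and not from Zoho): the first rule looks up the mail attribute for the Windows account name, the second turns that email into the SAML NameID that Zoho Vault matches against the user's Vault account. The attribute store is a constructed dictionary; it shows why an AD account without a mail attribute gets no NameID and so cannot sign in through SSO.

```python
# Claim types and the NameID format used by the two custom rules on the page.
WINDOWS_ACCOUNT_NAME = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
EMAIL_ADDRESS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
NAME_IDENTIFIER = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
NAMEID_FORMAT_PROP = "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed stand-in for the "Active Directory" attribute store used by rule 1:
# windowsaccountname -> mail. Sample data only; svc-backup has no mail attribute.
AD_STORE = {
    "ZILLIUM\\john": "john@zillium.com",
    "ZILLIUM\\jane": "jane@zillium.com",
    "ZILLIUM\\svc-backup": None,
}


def rule_windows_account_name(claims):
    """Rule 1: for each windowsaccountname claim issued by AD AUTHORITY, run the
    query ';mail;{0}' against the store and issue an emailaddress claim."""
    issued = []
    for c in claims:
        if c["type"] == WINDOWS_ACCOUNT_NAME and c.get("issuer") == "AD AUTHORITY":
            mail = AD_STORE.get(c["value"])
            if mail:  # an empty attribute yields no claim, as in AD FS
                issued.append({"type": EMAIL_ADDRESS, "value": mail, "issuer": "LOCAL AUTHORITY"})
    return issued


def rule_email_to_nameid(claims):
    """Rule 2: copy each emailaddress claim into a nameidentifier claim carrying
    the emailAddress NameID format property."""
    return [
        {"type": NAME_IDENTIFIER, "value": c["value"], "properties": {NAMEID_FORMAT_PROP: EMAIL_FORMAT}}
        for c in claims if c["type"] == EMAIL_ADDRESS
    ]


def issue_name_id(account_name):
    """Run both rules in order for one signed-in account. AD FS feeds claims issued
    by an earlier rule into later rules, so rule 2 sees rule 1's output. Returns
    the NameID value Zoho Vault will receive, or None if none is produced."""
    incoming = [{"type": WINDOWS_ACCOUNT_NAME, "value": account_name, "issuer": "AD AUTHORITY"}]
    email_claims = rule_windows_account_name(incoming)
    name_ids = rule_email_to_nameid(incoming + email_claims)
    return name_ids[0]["value"] if name_ids else None
```

Before enabling SAML, confirm that every user's AD mail attribute equals the email of their Zoho Vault account, since that value is the only thing Zoho Vault receives to identify the user.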
Creating a SAML logout endpoint:
- To add a new endpoint, click Add SAML... from the Endpoints tab.
- Set the Endpoint type as SAML Logout and Binding as POST.
- Create a URL in the following format for the Trusted URL - https://<ADFS_Server_FQDN>/adfs/ls/?wa=wsignout1.0
- Click OK twice to finish the setup.
You should now have a working relying party trust for Zoho Vault.
Exporting the ADFS signing certificate:
- Click Tools, then select ADFS Management from the Server Manager.
- Navigate to Service, then select Certificates.
- Click the Token-signing certificate.
- Click View Certificate from the Actions section.
- Click the Details tab, select Copy to File, then click Next.
- Select Base-64 encoded X.509 (.CER), then click Next.
- Click Browse, select a location, enter a file name, then click Save.
- Click Next, then Finish.
Configuring the settings in Zoho Vault:
- Log in to Zoho Vault, then click on the Settings tab.
- Select AD/LDAP Integration from the Integrations section, then click SAML Configuration. Fill the following details:
- Login URL: https://<ADFS_Server_FQDN>/adfs/ls
- Logout URL: https://<ADFS_Server_FQDN>/adfs/ls/idpinitiatedsignon?SingleSignOut=SingleSignOut
- Certificate: Upload the exported token signing certificate
- Algorithm: RSA
Single Sign-On will now be activated for Zoho Vault. Users can access Zoho Vault using their domain credentials.