Zoho Single Sign-On (SSO)
Zoho Single Sign-on (SSO) solution by miniOrange provides secure access to Zoho for enterprises and full control over access of Zoho application. Single Sign-On (SSO) solution for Zoho is a cloud based service. With this service you need only one password credentials for all your web & SaaS apps including Zoho using user stored in Active Directory (AD) domain. miniOrange provides secure access and full control to Zoho for enterprises and applications. With the help of the given guide you can configure Zoho easily.
To create a SAML connection between Zoho and miniOrange, you will need to provide some details from Zoho to miniOrange, and vice versa. You can get Zoho's details from the Zoho metadata and provide them to miniOrange while configuring SAML. Similarly, you will need to get the required details from miniOrange to configure SAML in Zoho.
Pre-requisite
- If you're already a Zoho One user, proceed to the next point. If you haven't signed up yet, log in to Zoho One and complete the registration. Registering with Zoho One is necessary to enable Single Sign-On (SSO) configurations in Zoho Accounts.
- Login to Zoho Account.
- In the left panel, under Organization, click SAML Authentication.
- Click Download Metadata. A file named "zohometadata.xml" will be downloaded. (Will be required later)
Follow the step-by-step guide given below for configuring the Zoho Single Sign-On (SSO)
1. Configure Zoho in miniOrange
- Login into miniOrange Admin Console.
- Go to Apps and click on Add Application button.
- In Choose Application, select SAML/WS-FED from the application type dropdown.
- Search for Zoho in the list, if you don't find Zoho in the list then, search for custom and you can set up your application in Custom SAML App.
- Click on Import SP Metadata button.
- Enter the App name as Zoho, select the File format and upload the metadata file we downloaded earlier (in the Prerequisites section) form Zoho Account. Click on Import button.
- Go to the Attributes mapping section and make sure that NameID format is selected as email address.
- Click on Save.
- Go to Apps.
- Search for your app and click on the select against your Zoho app.
- Click on Metadata to get metadata details, which will be required later.
- You'll find two sections here. If your users are going to be stored and authenticated from miniOrange, go to the first section INFORMATION REQUIRED TO SET MINIORANGE AS IDP, and click the Show Metadata Details button.
- If your users will be stored and authenticated from some other user store, proceed to the second section INFORMATION REQUIRED TO AUTHENTICATE VIA EXTERNAL IDPS, and click the Show Metadata Details button.
2. Configure Single Sign-on (SSO) in Zoho Admin Account
- Go to the Zoho Account, in the side navigation go to Organisation > SAML Authentication and click on Set up Now.
- In the SAML Authentication popup, enter the SAML Login URL in Sign-in URL field and SAML Logout URL in Sign Out URL field.
- In X.509 Certificate field, upload the certificate file downloaded in the previous step.
- Click Submit. miniOrange as an IDP is configured successfully.
3. Test SSO Configuration
4. Additional Parameters
Additional Parameters for Zoho SSO (Optional)
- Based on your SAML requirements, you can make use of the following options as well:
Sign SAML requests:
- For SP-initiated SAML, Zoho will send SAML requests to your IdP (to authenticate the user). Your IdP may require that these requests are signed to ensure that:
- The requests are coming from Zoho and not any other source.
- The information sent in the request is not altered by a malicious actor.
- To meet this signature requirement, you can enable the option to sign all SAML requests Zoho sends. A public key will be generated and available for download (on the SAML Authentication page). You'll need to provide this public key to your IdP for verifying the signed requests.
Generate key pair
- After your IdP authenticates a user, it will send a SAML response to Zoho, which contains information about the authenticated user, among other details. To maintain the confidentiality of this information, the IdP may require that SAML responses be encrypted. To meet this requirement, you can generate a cryptographic key pair of public and private key. The private key will be kept secure. The public key will be available for download, and you'll need to provide it to your IdP. Your IdP will use this public key to encrypt the information in SAML responses and send them to Zoho. Since this information can only be decrypted using the private key that Zoho has kept secure, the information sent in responses remains confidential between your IdP and Zoho.
- Note: If you enable the option Sign SAML requests, a key pair will be generated automatically.
Single Logout
- There are two types of Single logout (SLO):
- SP-initiated SLO: When users sign out of Zoho, they will be automatically signed out of the IdP as well.
- IdP-initiated SLO: When users sign out of the IdP, they will be automatically signed out of Zoho as well.
- For SLO to work, it must be supported by the IdP. Some IdPs support only one type of SLO, some support both, and some support none.
- To configure Single logout for your organization, you need to:
- Enable the Single logout option.
- Provide your IdP's sign-out URL to Zoho while configuring SAML.
- Provide Zoho's sign-out URL to your IdP. Zoho's sign-out URL can be found in the metadata file under the tag {md:SingleLogoutService}. For IdPs that are supported, the steps to enable single logout are described in the respective SAML help articles.
Just-In-Time provisioning
- Just-in-Time (JIT) provisioning allows your users to get added to your Zoho organization when they sign in to Zoho for the first time through SAML. They will be added after validating the SAML response and their domain. If JIT is not enabled, you have to manually add your users to your Zoho organization before they can sign in with SSO.
- Using JIT, you can also retrieve and auto-fill some user information fields in Zoho (from the IdP). To do that, map the following Zoho user information fields with the corresponding fields from your IdP when you enable JIT:
- First Name
- Last Name
- Display Name
- Your IdP may either pre-define the attribute names or let you enter an attribute name of your own. If the latter is the case, enter an attribute name in Zoho and use the same name in your IdP.
5. Configure Your User Directory (Optional)
miniOrange provides user authentication from various external sources, which can be Directories (like ADFS, Microsoft Active Directory, Microsoft Entra ID, OpenLDAP, Google, AWS Cognito etc), Identity Providers (like Okta, Shibboleth, Ping, OneLogin, KeyCloak), Databases (like MySQL, Maria DB, PostgreSQL) and many more. You can configure your existing directory/user store or add users in miniOrange.
- Click on Identity Providers >> Add Identity Provider in the left menu of the dashboard
- In Choose Identity Provider, select AD/LDAP Directories from the dropdown.
- Then search for AD/LDAP and click it.
- STORE LDAP CONFIGURATION IN MINIORANGE: Choose this option if you want to keep your configuration in miniOrange. If the active directory is behind a firewall, you will need to open the firewall to allow incoming requests to your AD.
- STORE LDAP CONFIGURATION ON PREMISE: Choose this option if you want to keep your configuration in your premise and only allow access to AD inside premises. You will have to download and install miniOrange gateway on your premise.
- Enter AD/LDAP Display Name and Identifier name.
- Select Directory Type as Active Directory.
- Enter the LDAP Server URL or IP Address against the LDAP Server URL field.
- Click on the Test Connection button to verify if you have made a successful connection with your LDAP server.
- In Active Directory, go to the properties of user containers/OU's and search for the Distinguished Name attribute. The bind account should have minimum required read privileges in Active Directory to allow directory lookups. If the use case involves provisioning (such as creating, updating, or deleting users or groups), the account must also be granted appropriate write permissions.
- Enter the valid Bind account Password.
- Click on the Test Bind Account Credentials button to verify your LDAP Bind credentials for LDAP connection.
- Search Base is the location in the directory where the search for a user begins. You will get this from the same place you got your Distinguished name.
- Select a suitable Search filter from the drop-down menu. If you use User in Single Group Filter or User in Multiple Group Filter, replace the <group-dn> in the search filter with the distinguished name of the group in which your users are present. To use custom Search Filter select "Write your Custom Filter" option and customize it accordingly.
- Click on the Next button, or go to the Login Options tab.
- You can also configure following options while setting up AD. Enable Activate LDAP in order to authenticate users from AD/LDAP. Click on the Next button to add user store.
Here's the list of the attributes and what it does when we enable it. You can enable/disable accordingly.
| Attribute |
Description |
| Activate LDAP |
All user authentications will be done with LDAP credentials if you Activate it |
| Fallback Authentication |
If LDAP credentials fail then user will be authenticated through miniOrange |
| Enable administrator login |
On enabling this, your miniOrange Administrator login authenticates using your LDAP server |
| Show IdP to users |
If you enable this option, this IdP will be visible to users |
| Sync users in miniOrange |
Users will be created in miniOrange after authentication with LDAP |
- Click on the Next button, or go to the Attributes tab.
Attributes Mapping from AD
User Import and Provisioning from AD
- If you want to set up provisioning, click here for detailed information. We will skip this step for now.
Test Connections
- You will see a list of directories under Identity Providers. From the dropdown, select AD/LDAP Directories, search for your configured directory, click the three dots next to it, and select Test Connection.
- A pop-up appears prompting you to enter a username and password to verify your LDAP configuration.
- On Successful connection with LDAP Server, a success message is shown.
Test Attribute Mapping
- You will see a list of directories under Identity Providers. From the dropdown, select AD/LDAP Directories, search for your configured directory, click the three dots next to it, and select Test Attribute Mapping.
- A pop‑up appears to enter a username and click Test.
- The Test Attribute Mapping Result will be displayed.
Set up AD as External Directory configuration is complete.
Note: Refer our guide to setup LDAP on windows server.
miniOrange integrates with various external user sources such as directories, identity providers, and etc.
Connect with External Source of Users
miniOrange provides user authentication from various external sources, which can be Directories (like ADFS, Microsoft Active Directory, OpenLDAP, AWS etc), Identity Providers (like Microsoft Entra ID, Okta, AWS), and many more. You can configure your existing directory/user store or add users in miniOrange.
6. Adaptive Authentication with Zoho
A. Restricting access to Zoho with IP Configuration
You can use adaptive authentication with Zoho Single Sign-On (SSO) to improve the security and functionality of Single Sign-On. You can allow a IP Address in certain range for SSO or you can deny it based your requirements and you can also challenge the user to verify his authenticity. Adaptive authentication manages the user authentication bases on different factors such as Device ID, Location, Time of Access, IP Address and many more.
You can configure Adaptive Authentication with IP Blocking in following way :
- Login to Self Service Console >> Adaptive Authentication >> Add Policy.
- Add a Policy Name for your Adative Authentication Policy.
- Select Action for Behavior Change, click the Edit link, and then choose the appropriate Action and Challenge Type for the user from that section.
Action for behavior Change Options :
| Attribute |
Description |
| Allow |
Allow users to authenticate and use services if Adaptive authentication condition is true. |
| Challenge |
Deny user authentications and access to services if Adaptive authentication condition is true. |
| Deny |
Challenge users with one of the three methods mentioned below for verifying user authenticity. |
Challenge Type Options :
| Attribute |
Description |
| User second Factor |
The User needs to authenticate using the second factor he has opted or assigned for such as
- OTP over SMS
- PUSH Notification
- OTP over Email and, many more.
|
| KBA (Knowledge-based authentication) |
The System will ask the user for 2 of 3 questions he has configured in his Self-Service Console. Only after the right answer to both questions is the user allowed to proceed further. |
| OTP over Alternate Email |
User will receive an OTP on the alternate email they have configured through the Self Service Console. Once the user provides the correct OTP, they are allowed to proceed further. |
- Now click Edit option from the IP Configuration section to configure custom IP range.
- Select Add IP if the User's IP Address is not in the configured list.
- Specify the IP Address that you want to whitelist. For the IP Range other than the whitelisted one, you can select the above setting to reflect.
- Choose either allow or deny by selecting the corresponding option from the dropdown.
- If a user tries to login with the whitelisted IP address, they will always be allowed access.
- We support IP address range in three formats i.e., IPv4, IPv4 CIDR, and IPv6 CIDR. You can choose whichever is suitable for you from the dropdown menu.
- You can add multiple IPs or IP ranges by clicking the + Add IP button.
- Once the changes are made, scroll down to the end and click on Save.
B. Adaptive Authentication with Limiting number of devices
Using Adaptive Authentication you can also restrict the number of devices the end user can access the Services on. You can allow end users to access services on a fixed no. of devices. The end users will be able to access services provided by us on this fixed no. of devices.
You can configure Adaptive Authentication with Device Restriction in following way
- Login to Self Service Console >> Adaptive Authentication >> Add Policy.
- Add a Policy Name for your Adaptive Authentication Policy.
- Select your Action for behavior Change and Challenge Type for user from the Action for behavior Change Section.
- On the Add Policy tab, go to the Device Configuration section and click the Edit button.
- Enter the Number of Device Registrations Allowed as per your requirement. (2-3 devices are recommended.)
- Choose Action if number of devices exceeded (This will override your setting for Action for behavior Change.)
- Challenge: The user needs to verify himself using any of the three methods mentioned in table in step 5.1
- Deny : Deny users access to the system
- Enable Mobile Device Restriction to block logins from mobile devices. This ensures all login attempts from mobile devices will be declined.
- Enable MAC Address Based Restriction if you want to restrict access based on device MAC address.
- Scroll down to the bottom of the page and click on Save.
C. Add Adaptive Authentication policy to Zoho
- Login to Self Service Console >> Policies >> Add Login Policy.
- Click on Edit icon option for predefined app policy.
- Set your policy in the Policy Name and select Password as First Factor.
- Enable Adaptive Authentication on Edit Login Policy page and select the required restriction method as an option.
- From Select Login Policy dropdown select the policy we created in last step and click on Submit.
D. Notification and Alert Message.
How to add a trusted Device
- When End-user log in to the self service console after the policy for device restriction is on, he is provided the option to add the current device as a trusted device.
External References
