Summary
This document will guide you through the steps to enable multi-factor authentication and Single-Sign On for the online office suite Zoho (https://www.zoho.com/) using SAML2.
System Requirements
- PhenixID Authentication Server 3.0 or higher
- Zoho administration rights
- The users to be federated must be present in Zoho directory
Instruction
Overview
This document will guide you through the steps to enable multi-factor authentication and Single-Sign on for Zoho
PhenixID Authentication Services acting as SAML IdP
- Login to Configuration Manager.
- Setup PhenixID Authentication Services as a SAML IdP using one of the Federation scenarios described here. (If the desired authentication method is not provided by a scenario, use the documentation for the SAML authenticator here)
- Fetch the user mail value (corresponding to the Zoho userID) from the user store configured.
- Use mail as Name ID attribute.
- Click on the Execution flow tab.
- Change the NameID format to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress by adding a Misc param to the AssertionProvider valve:
- Save changes.
- Click General->View SAML Metadata.
- Save the IDP Signing Certificate as a file (follow this instruction)
- Fetch the IdP Post SSO value (Sign-in URL. see below).
- Fetch the IdP Post SLO value (Sign-out URL. see below).
Configure Zoho
- Follow this guide on how to add Custom SAML Authentication for Zoho. Set these values:
- Sign-in URL = <Set to value fetched in previous step>
- Sign-out URL = <Set to value fetched in previous step>
- Change password URL = <Leave blank>
- Verification certificate = <Upload the IDP Signing certificate created in previous step >
- Save
- Click “Download metadata” to download Zoho SAML SP Metadata
- This link is only visible on first config. If you need to reconfigure and download metadata again, you can download the metadata using Zoho Accounts -> Organization -> SAML Authentication.
- Save the metadata file file
Add trust to Zoho on PhenixID Authentication Services
- Login to configuration manager
- Open Scenarios->Federation->SAML Metadata upload
- Click the plus sign
- Add Zoho SAML SP Metadata by uploading the file downloaded in previous step.
Test
- Browse to Zoho
- Enter your email address
- This should result in a redirect to PhenixID Authentication Server
- Authenticate
- If authentication was successful, a redirect to Zoho should occur (with SAML assertion)
- The user should now be logged in.
DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.
PhenixID - support.phenixid.se