Configuring SAML SSO with Zoho and PingOne

Learn how to configure SAML SSO using Zoho and PingOne.

Configure SAML in PingOne

  1. In PingOne, go to Connections → Applications and click the + icon.

    Screen capture of PingOne application list.
  2. On the New Application page, click Advanced Configuration.

  3. On the SAML line, click Configure.

    Screen capture of PingOne new application advanced configuration.
  4. On the Create App Profile page, enter the following details:

    • Application Name (Required)

    • Description (Optional)

    • Icon (Optional)

    Screen capture of PingOne Create App Profile section with Zoho information filled in.
  5. Click Save and Continue.

  6. On the Configure SAML Connection page, in the Provide App Metadata section, select Manually Enter.

    Screen capture of PingOne SAML connection configuration section with the Manually Enter radio button selected and highlighted in red.

Set up SAML in Zoho

  1. In a separate browser tab, sign on to your Zoho Directory admin account (directory.zoho.com).

  2. Go to Security → Custom Authentication, select Setup Now, and note the ACS URL value.

    Screen capture of Zoho security settings with the ACS URL highlighted in red.
  3. Copy the ACS URL value from the previous step.

  4. Go to your PingOne SSO browser tab and paste this value into the ACS URLS field.

    Screen capture of PingOne configure SAML connection page with the Zoho ACS URLS field highlighted in red.

Input the service provider (SP) data

  1. Enter the ENTITY ID in PingOne.

    This configuration example uses https://directory.zoho.com. Refer to the following table for instructions on which Entity ID to use, based on your location.

    Zoho Directory account DC   Identifier (Entity ID)   Relay state
    US                          zoho.com                 https://directory.zoho.com
    EU                          zoho.eu                  https://directory.zoho.eu
    IN                          zoho.in                  https://directory.zoho.in
    AU                          zoho.com.au              https://directory.zoho.com.au
    CN                          zoho.com.cn              https://directory.zoho.com.cn

  2. Update the SUBJECT NAMEID FORMAT to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

  3. In the Assertion Validity Duration (In Seconds) field, enter a value, for example 3600.

    Screen capture of PingOne SP data with values for Zoho entity ID, subject nameID format, and assertion validity highlighted in red.
  4. Under Signing Key, click Download Signing Certificate and select X509 PEM (.crt) for the format.

    You’ll need the signing certificate later.

    Screen capture of PingOne signing certificate download button and X509 PEM (.crt) highlighted in red.
  5. On the Attribute Mapping tab, in the SAML Attributes section, map the Outgoing Value for saml_subject to Email Address.

    This is the only required attribute for a successful connection.

    Screen capture of PingOne Attribute Mapping section with the Email Address outgoing value highlighted in red.
  6. Click Save and Close.

  7. On the Applications page, next to Zoho Directory, click the toggle to enable the connection.

    Screen capture of Zoho Directory added to PingOne with the toggle highlighted in red.
  8. On the Configuration tab, in the Configuration Details section, note the Single Logout Service and Single SignOn Service values.

    You’ll need these to complete the next procedure.

    Screen capture of Zoho Directory in PingOne with the single logout service and single signon service URLs highlighted in red.

Configure Zoho for SSO

  1. In Zoho, on the Custom Authentication page, paste the Single SignOn Service value from PingOne into the Sign-in URL.

  2. Optional: Paste the Single Logout Service value from PingOne into the Sign-out URL field.

    Screen capture of Zoho Sign-in URL and Sign-out URL highlighted in red.
  3. Optional: If required, enter your site’s password change URL in the Change Password URL field.

  4. In the Verification Certificate section, click Browse and upload the X509 certificate that you downloaded previously.

    Screen capture of Zoho verification certificate.
  5. Click Save to save the connection and complete the setup.

Create and assign identities in PingOne

If you’ve already assigned identities and groups in PingOne, move on to Test the integration.

  1. In PingOne, go to Identities → Groups and click the icon next to Groups.

  2. On the Create New Group page, enter values for the following:

    • Group Name (Required)

    • Description (Optional)

    • Population (Optional)

  3. Click Finish & Save.

    Screen capture of PingOne Groups section.
  4. To add identities to the group, on the Identities tab, go to Users → + Add User.

    Screen capture of PingOne Users section with + Add User highlighted in red.
  5. On the Add User page, enter the required information for a user.

    Verify that the email address is correct, as this is the value passed in the SAML assertion.

  6. Click Save.

    Screen capture of PingOne add user section with Save highlighted in red.
  7. Assign the user that you created to the group that you created previously. Locate the user and do the following:

    1. Expand their section.

    2. Select the Groups tab.

    3. Click Add.

    Screen capture of PingOne user with Groups and + Add highlighted in red.
  8. In the Available Groups section, select the group you created and click the + icon to add it to the user’s group memberships. Click Save.

    Screen capture of PingOne User under Groups tab with the + icon next to Admin highlighted in red.
  9. On the Connections tab, for the Zoho Directory application, do the following:

    1. Click the Access tab.

    2. Click the Pencil icon to edit the configuration.

      Screen capture of Zoho Directory access tab with the pencil edit icon highlighted in red.
    3. Select the group that you created and add it to the Applied Groups section. Click Save.

      Screen capture of Zoho Directory edit access section with the plus icon next to Admin highlighted in red.

Test the integration

  1. In the PingOne admin console, go to Dashboard → Environment Properties.

  2. Right-click on the Application Portal URL and open it in a private browser session.

    Screen capture of PingOne environment settings with the application portal URL highlighted with open link in incognito window.
  3. Sign on as the test user that you created and click the Zoho Directory tile.

    Screen capture of PingOne dock with Zoho Directory added as a tile.

    You’re signed on to the user’s Zoho Directory account.
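
Added example (not part of the original guide, and not PingOne or Zoho code): after the test sign-on, an assertion captured from the browser can be checked against the values entered under Input the service provider (SP) data. The sample assertion and the ACS URL are constructed placeholders, check_assertion is a hypothetical helper, and the script does not verify the XML signature.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"s": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample assertion (not captured from PingOne); the ACS URL is a placeholder.
SAMPLE = """<s:Assertion xmlns:s="urn:oasis:names:tc:SAML:2.0:assertion">
  <s:Subject>
    <s:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">test.user@example.com</s:NameID>
    <s:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <s:SubjectConfirmationData Recipient="https://acs.example.invalid/placeholder"
          NotOnOrAfter="2024-01-01T01:00:00Z"/>
    </s:SubjectConfirmation>
  </s:Subject>
  <s:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T01:00:00Z">
    <s:AudienceRestriction><s:Audience>https://directory.zoho.com</s:Audience></s:AudienceRestriction>
  </s:Conditions>
</s:Assertion>"""

def _ts(value):
    # SAML timestamps are UTC xs:dateTime; drop fractional seconds and the trailing Z.
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S")

def check_assertion(xml_text, entity_id, acs_url, max_validity=3600):
    """Return mismatches between an assertion and the configured SP data (no signature check)."""
    root = ET.fromstring(xml_text)  # use only on captures from your own test sign-on
    problems = []
    name_id = root.find("s:Subject/s:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FMT:
        problems.append("NameID format is not emailAddress")
    elif "@" not in (name_id.text or ""):
        problems.append("NameID value is not an email address")
    audiences = [a.text for a in root.iterfind(".//s:Audience", NS)]
    if entity_id not in audiences:
        problems.append("Audience does not match the Entity ID")
    scd = root.find(".//s:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("Recipient does not match the ACS URL")
    cond = root.find("s:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        problems.append("Conditions validity window is missing")
    else:
        span = (_ts(cond.get("NotOnOrAfter")) - _ts(cond.get("NotBefore"))).total_seconds()
        if span > max_validity:
            problems.append(f"Validity window {int(span)}s exceeds {max_validity}s")
    return problems
```

An empty list means the assertion carries the Entity ID, ACS URL, NameID format and validity window that were configured; each string in a non-empty list names the setting to recheck in PingOne.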