Page created: 2 Dec 2021 | Page updated: 7 Dec 2021
Learn how to configure SAML SSO using Zoho and PingOne.
In PingOne, go to and click the + icon.
On the New Application page, click Advanced Configuration, and on the SAML line,
On the Create App Profile page, enter:
- Application Name (Required)
- Description (Optional)
- Icon (Optional)
- Click Save and Continue.
On the Configure SAML Connection page, in the Provide App Metadata section, select
On a separate browser tab, sign on to your Zoho Directory admin account (directory.zoho.com) and go to Setup Now, and note the ACS URL value.
Copy the ACS URL value from the previous step, go to your PingOne SSO browser tab, and paste it into the ACS URLS field.
Input the service provider (SP) data:
Enter the ENTITY ID in PingOne.
This configuration example uses https://directory.zoho.com. See the following table for instructions on which Entity ID to use based on your location.
Zoho Directory account DC Identifier (Entity ID) Relay state
- Update the SUBJECT NAMEID FORMAT to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
In the Assertion Validity Duration (In Seconds) field, enter a value, for example 3600.
In the Signing Key, click Download Signing Certificate and select X509 PEM (.crt) for the format.
You'll need the signing certificate later.
On the Attribute Mapping tab, in the SAML Attributes section, map the Outgoing Value for saml_subject to
This is the only required attribute for a successful connection.
- Click Save and Close.
On the Applications page, next to Zoho Directory, click the toggle to enable the connection.
On the Configuration tab, in the Configuration Details section, note the Single Logout Service and Single SignOn
You'll need these to complete the next step.
- In Zoho, on the Custom Authentication page, paste the Single SignOn Service value from PingOne into the Sign-in URL.
Paste the Single Logout Service value from PingOne into the Sign-out URL field.
- Optional: If required, enter your site’s password change URL in the Change Password URL field.
In the Verification Certificate section, click Browse and upload the X509 certificate that you
- Click Save to save the connection and complete the setup.
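The following is an added example, not code from PingOne or Zoho: a Python check that compares a captured SAML assertion against the SP settings entered in the steps above (Entity ID as audience, the emailAddress NameID format, and the 3600-second example validity). The sample assertion, issuer URL and function names are constructed for illustration, treating the Conditions window as the configured validity duration is an assumption, and the check does not verify the XML signature.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED_AUDIENCE = "https://directory.zoho.com"  # Entity ID used on this page
EXPECTED_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
MAX_VALIDITY_SECONDS = 3600                       # example value from this page

# Constructed sample assertion (unsigned, used only to review settings).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0" IssueInstant="2021-12-07T10:00:00Z">
  <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2021-12-07T10:00:00Z" NotOnOrAfter="2021-12-07T11:00:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://directory.zoho.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def _ts(value):
    # SAML timestamps are UTC xs:dateTime; fractional seconds are optional.
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt)

def check_assertion(xml_text):
    """Return a list of mismatches between the assertion and the SP settings."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("missing NameID (saml_subject not mapped)")
    elif name_id.get("Format") != EXPECTED_NAMEID:
        problems.append("unexpected NameID format: %s" % name_id.get("Format"))
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:
        problems.append("audience does not include %s" % EXPECTED_AUDIENCE)
    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        problems.append("missing validity window")
    else:
        seconds = (_ts(cond.get("NotOnOrAfter")) - _ts(cond.get("NotBefore"))).total_seconds()
        if seconds <= 0 or seconds > MAX_VALIDITY_SECONDS:
            problems.append("validity window is %d seconds" % seconds)
    return problems

if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION) or "assertion matches SP settings")
```

An empty list means the assertion matches the settings from this page; signature validation against the downloaded signing certificate remains the service provider's job.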
Before testing the integration, you must create and assign identities in
If you’ve already assigned identities and groups in PingOne, start at step 19.
- In PingOne, go to Identities Groups and click the + icon next to Groups.
On the Create New Group page, enter values for
- Group Name (Required)
- Description (Optional)
- Population (Optional)
Click Finish & Save.
To add identities to the group, on the Identities tab, go to .