Custom Authentication with ADFS

Custom Authentication with ADFS enables SAML-based single sign-on (SSO) from ADFS to Zoho One. With SSO, you and your employees can sign in to ADFS and access Zoho One directly, without having to sign in to Zoho One.

To set up custom authentication with ADFS:
A. Obtain the Sign-in URL, Sign-out URL and the certificate from ADFS:
  1. Sign in to ADFS 3.0 server and open the Management Console.
  2. Right-click Service in the left-pane menu, then choose Edit Federation Service Properties.
  3. Under General, ensure that your DNS entries and certificate names are correct.
  4. In a browser, open "https://{federationservicename}.com/federationMetaData/2007-06/FederationMetaData.xml", substituting your Federation Service name.
  5. The Sign-in URL and Sign-out URL are present in the XML file as SingleSignOnService and SingleLogoutService tags respectively.
  6. Export the Token-Signing certificate:
    1. Right-click Certificate in the left-pane menu and click View Certificate.
    2. Click the Details tab.
    3. Click Copy to File, then click Next.
    4. Make sure No, do not export the private key is selected, then click Next.
    5. Select Base-64 encoded X.509 (.cer), then click Next.
    6. Choose where to save the file and name it.
    7. Click Next.
    8. Click Finish.
  7. Submit this data to Zoho to set up SAML in Zoho One.
B. Add a Relying Party Trust:
  1. Under Trust Relationships in the left-pane menu, right-click Relying Party Trusts, then click Add Relying Party Trust.
  2. In Select Data Source, select Enter Data about the relying party manually.
  3. In Specify Display Name, enter "zoho.com" as the Display Name.
  4. In Choose Profile, select AD FS profile.
  5. Click Next.
  6. In Configure URL, check the Enable support for the SAML 2.0 WebSSO protocol.
  7. Enter the ACS URL provided on Zoho One's Custom Authentication page in the Service URL text box.
  8. In Configure Identifiers, choose one.zoho.com as the Relying Party Trust Identifier.
  9. In Configure Multi-factor Authentication now, choose I do not want to configure multi-factor authentication settings for this relying party trust at this time.
  10. In Choose Issuance Authorization Rules, select Permit all users to access this relying party.
  11. In the final screen, click Close.
C. Create claim rules:
You can create claim rules once the relying party trust is created. By default, the Claims Rule editor opens once you create a trust.
  1. Click Add Rule to create a new rule.
  2. In Choose Rule Type, select Send LDAP Attributes as Claims in the drop-down menu.
  3. Click Next.
  4. In Configure Claim Rule:
    1. Enter a Claim rule name.
    2. Choose Active Directory under Attribute Store.
    3. Choose E-Mail Addresses under LDAP Attribute.
    4. Choose E-Mail Address under Claim Type.
  5. Click Finish.
  6. Create another claim rule and select the Transform an Incoming Claim template.
  7. In Configure Claim Rule:
    1. Enter a Claim rule name.
    2. Choose E-Mail Address under Incoming claim type.
    3. Choose Name ID under Outgoing claim type.
    4. Choose Email under Outgoing Name ID format.
  8. Select Pass through all claim values.
  9. Click Finish.
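The values gathered in section A (Sign-in URL, Sign-out URL and the token-signing certificate) can be pulled out of FederationMetadata.xml automatically and checked before they are submitted to Zoho. The script below is an added example, not part of this article or of Zoho's tooling; the metadata sample is constructed, with a placeholder host name and placeholder certificate bytes. It picks the HTTP-Redirect endpoints, takes only the KeyDescriptor marked use="signing" (the encryption key is never the one to hand over), and writes the certificate in the same Base-64 X.509 layout the Export wizard produces.

```python
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample of the relevant part of an ADFS FederationMetadata.xml;
# host name and certificate bytes are placeholders, not real values.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://adfs.example.com/adfs/services/trust">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>RU5DUllQVElPTg==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>U0lHTklORw==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://adfs.example.com/adfs/ls/"/>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://adfs.example.com/adfs/ls/"/>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://adfs.example.com/adfs/ls/"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""

def extract_idp_settings(metadata_xml, binding=REDIRECT):
    """Return the sign-in URL, sign-out URL and signing certificate (PEM) to submit in step A.7."""
    idp = ET.fromstring(metadata_xml).find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor")

    def location(tag):  # first endpoint advertised for the requested binding
        for svc in idp.findall(f"md:{tag}", NS):
            if svc.get("Binding") == binding:
                return svc.get("Location")
        raise ValueError(f"{tag} with binding {binding} not found")

    # Only the use="signing" key verifies assertions; the encryption key is never submitted.
    certs = [k.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
             for k in idp.findall("md:KeyDescriptor", NS) if k.get("use") == "signing"]
    if not certs:
        raise ValueError("no token-signing certificate in metadata")
    body = "\n".join(textwrap.wrap("".join(certs[0].split()), 64))  # Base-64 X.509 (.cer) layout
    return {"sign_in_url": location("SingleSignOnService"),
            "sign_out_url": location("SingleLogoutService"),
            "signing_certificate_pem": f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"}

if __name__ == "__main__":
    for key, value in extract_idp_settings(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

Compare the printed certificate with the .cer file exported in step A.6 before submitting; a mismatch means the metadata and the console are showing different token-signing certificates (for example after a certificate rollover).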
