Custom Authentication with ADFS enables SAML-based single sign-on (SSO) from ADFS to Zoho One. With SSO, you and your employees can sign in to ADFS and access Zoho One directly, without having to sign in to Zoho One.
To set up custom authentication with ADFS:
A. Obtain the Sign-in URL, Sign-out URL and the certificate from ADFS:
- Sign in to ADFS 3.0 server and open the Management Console.
- Right-click Service in the left-pane menu, then choose Edit Federation Service Properties.
- Under General, ensure that your DNS entries and certificate names are correct.
- Using your Federation Service name, use a browser and go to "https://{federationservicename}.com/federationMetaData/2007-06/FederationMetaData.xml".
The Sign-in URL and Sign-out URL are present in the XML file as SingleSignOnService and SingleLogoutService tags respectively.
- Export the Token-Signing certificate:
- Right-click Certificate in the left-pane menu and click View Certificate.
- Click the Details tab.
- Click Copy to File, then click Next.
- Make sure No, do not export the private key is selected, then click Next.
- Select Base-64 encoded X.509 (.cer), then click Next.
- Choose where to save the file and name it.
- Click Next.
- Select Finish.
- Submit this data to Zoho to set up SAML in Zoho One.
B. Add a Relying Party Trust:
- Under Trust Relationships in the left-pane menu, right-click Relying Party Trusts, then click Add Relying Party Trust.
- In Select Data Source, select Enter Data about the relying party manually.
- In Specify Display Name, enter "zoho.com" as the Display Name.
- In Choose Profile, select AD FS profile.
- Click Next.
- In Configure URL, check the Enable support for the SAML 2.0 WebSSO protocol.
- Enter the ACS URL provided on Zoho One's Custom Authentication page in the Service URL text box.
- In Configure Identifiers, choose one.zoho.com as the Relying Party Trust Identifier.
- In Configure Multi-factor Authentication now, choose I do not want to configure multi-factor authentication settings for this relying party trust at this time .
- In Choose Issuance Authorization Rules, select Permit all users to access this relying party.
- In the final screen, click Close.
You can create claim rules once the relying party trust is created. By default, the Claims Rule editor opens once you create a trust.
- Click Add Rule to create a new rule.
- In Choose Rule Type, select Send LDAP Attribbutes as Claims in the drop-down menu.
- Click Next.
- In Configure Claim Rule:
- Enter a Claim rule name.
- Choose Active directory under Attribute Store.
- Choose E-Mail Addresses under LDAP Attribute.
- Choose E-Mail Address under Claim Type.
- Click Finish.
- Create another claim rule and select the Transform an Incoming Claim template.
- In Configure Claim Rule:
- Enter a Claim rule name
- Choose E-Mail Address under Incoming claim type.
- Choose Name ID under Outgoing claim type.
- Choose Email under Outgoing Name ID format.
- Select Pass through all claim value.
- Click Finish.