Accessing Zoho via Microsoft Entra ID using SAML

By configuring SAML based SSO with Microsoft Entra ID, you can let your users sign in to Zoho using their Entra ID credentials.

Required items from Microsoft Entra ID

You will need the following items from Microsoft Entra ID to configure SAML in Zoho. You can follow the configuration steps to get these.
  1. Certificate (Base 64)
  2. Login URL
  3. Logout URL

Steps to configure SAML

A. Create an app in Microsoft Entra ID

  1. Sign in to Microsoft Entra admin center as an admin.
  2. Under Identity in the left menu, click Applications, then click Enterprise applications.
  3. Click New application.
  4. Click Create your own application.
  5. Enter a name for your application under What's the name of your app?.
  6. Select Integrate any other application you don't find in the gallery, then click Create. Your app will be created and you will be redirected to the app's page.

B. Configure Zoho details in Microsoft Entra ID

  1. In a new tab, sign in at accounts.zoho.com.
  2. Go to Organization from the left menu. If you can't find Organization, click View more.
  3. Under SAML Authentication, click Download Metadata. A file named zohometadata.xml will be downloaded.
  4. Open the metadata file using a browser or a text editor.
  5. From the metadata file, copy and save the Entity ID and ACS URL.
  6. Return to the app's page in Microsoft Entra admin center.
  7. Click Set up single sign-on under the Getting Started section.
  8. Select SAML.
  9. Go to Step 1: Basic SAML Configuration, then click Edit.
  10. Paste the copied Entity ID in the Identifier field.
  11. Paste the copied ACS URL in the Reply URL field.
  12. (optional) In the Relay State field, enter the URL of the app to which users should be redirected after signing in, for example https://mail.zoho.com.
  13. Click Save.

C. Configure Microsoft Entra ID details in Zoho

  1. Go to Step 3: SAML Signing Certificate, and download Certificate (Base 64).
  2. Go to Step 4: Set up {application name}, and copy the Login URL and Logout URL.
  3. Return to the SAML Authentication page in accounts.zoho.com.
  4. Configure SAML in your Zoho account using the downloaded certificate and copied URLs from Microsoft Entra ID.
    1. Paste the Login URL in the Sign-in URL field.
    2. Paste the Logout URL in the Sign-out URL field.
    3. Upload the certificate in the X.509 Certificate field. Make sure the certificate is in one of these formats: a Base-64 encoded .cer, .crt, .cert, or .pem file.
  5. Click Configure.

Assign users to the app in Microsoft Entra ID

Your users in Microsoft Entra ID can use this newly configured Zoho app to sign in to Zoho. However, before that, you need to assign your users to this app. You can follow the instructions in the following article to assign your users to the app.

Test the SAML configuration

You can test if the configuration is working properly using the following steps as a user in Microsoft Entra ID.

SP-initiated flow:
  1. Go to your Zoho sign-in page.
  2. Enter your email address, then click Next. You will be redirected to Microsoft Entra ID for authentication.
  3. If you are not signed in already, enter your Microsoft Entra ID credentials to sign in. You will now be redirected back to Zoho and will be signed in.
IdP-initiated flow:
  1. Go to myapplications.microsoft.com.
  2. Click on the Zoho app you have configured. You will be redirected to Zoho and will be signed in.

Enable single logout (SLO)

Microsoft Entra ID supports both IdP-initiated and SP-initiated single log-out. If you enable single logout, when your users sign out from Zoho, they will be automatically signed out from Microsoft Entra ID and vice-versa.

Steps to enable single log-out:
  1. Sign in to Microsoft Entra admin center as an admin.
  2. Go to the configured application's page.
  3. Click Single sign-on in the left menu.
  4. Go to Step 4: Set up {app name}, then copy the Logout URL.
  5. Go to SAML Authentication at accounts.zoho.com, then click Edit.
  6. Enter the copied URL in the Sign-out URL field.
  7. Scroll down and enable Single logout.
  8. Click Submit. You may need to re-enter the X.509 certificate before this.
  9. Click Download in the top-right corner, then click Metadata.
  10. Open the downloaded file using a browser or a text editor, then copy the Single Logout URL present in the Location attribute of the <md:SingleLogoutService> tag.
  11. Return to the Microsoft Entra admin center.
  12. Click Edit next to Step 1: Basic Configuration.
  13. Enter the copied Single logout URL in the Logout URL field, then click Save.
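The two places where this guide has you open the Zoho metadata file by hand (step B.5, to copy the Entity ID and ACS URL, and step 10 above, to copy the Single Logout URL) can be replaced by a small parser. The example below is added here and is not Zoho's or Microsoft's code; the metadata it ships with is a constructed sample in the shape of an SP metadata document, and its entity ID and URLs are placeholders, not Zoho's real endpoints. It uses only the Python standard library, picks the HTTP-POST AssertionConsumerService endpoint (the one a signed SAML Response is posted to), and refuses any endpoint that is not https, since the Reply URL you paste into Entra ID is where assertions about your users will be sent.

```python
# Added example (not Zoho's or Microsoft's code): parse a SAML SP metadata file
# such as the zohometadata.xml downloaded in step B.3 and pull out the values
# the guide has you copy by hand: the Entity ID, the ACS URL (Reply URL) and,
# for single logout, the Single Logout URL under <md:SingleLogoutService>.
import sys
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample in the shape of an SP metadata document. The entity ID and
# URLs are placeholders, not Zoho's real endpoints.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.test/saml/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs" index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text: str) -> dict:
    """Return entity_id, acs_url and slo_url from SP metadata.

    Selects the HTTP-POST AssertionConsumerService (preferring the one marked
    isDefault) and rejects any endpoint that is not https, because the
    Reply URL configured in the IdP is where signed assertions will be sent.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("entityID attribute missing")

    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")

    def location(elem, what: str) -> str:
        loc = elem.get("Location", "")
        if not loc.startswith("https://"):
            raise ValueError(f"{what} Location is not https: {loc!r}")
        return loc

    acs_url = None
    for acs in sp.findall("md:AssertionConsumerService", NS):
        if acs.get("Binding", "").endswith(":HTTP-POST"):
            acs_url = location(acs, "AssertionConsumerService")
            if acs.get("isDefault") == "true":
                break  # the default endpoint wins over any other POST endpoint
    if acs_url is None:
        raise ValueError("no HTTP-POST AssertionConsumerService found")

    slo = sp.find("md:SingleLogoutService", NS)
    slo_url = location(slo, "SingleLogoutService") if slo is not None else None

    return {"entity_id": entity_id, "acs_url": acs_url, "slo_url": slo_url}


if __name__ == "__main__":
    # Usage: python parse_sp_metadata.py zohometadata.xml
    # With no argument the constructed sample above is parsed instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_METADATA
    for key, value in parse_sp_metadata(text).items():
        print(f"{key}: {value}")
```

Run it against the real zohometadata.xml and paste the printed entity_id into the Identifier field and acs_url into the Reply URL field; slo_url is the value step 13 wants in the Logout URL field. A metadata file with no https endpoints or no SPSSODescriptor is rejected rather than silently producing an empty value.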