SAML - Overview

What is SAML?

SAML stands for Security Assertion Markup Language. It is an XML based open standard protocol used for Single Sign On (SSO). SAML lets users gain access to multiple applications without the need for entering credentials everytime.

What is Single Sign-on?

Before understanding what Single Sign-On (SSO) is, we must go through how traditional authentication works.

1. A service will present the user with a login page where the user must submit a set of login credentials i.e., username and password. Some services might ask for more authentication information such as a one-time password.
   
2. The credentials submitted by the user are validated against the ones present in the database at the service.
   

Traditional authentication is quite intuitive; everything is managed within the service, providing a simple way for users to authenticate. However, if a user needs to access multiple applications with a different set of login credentials for each application, it quickly turns cumbersome for the user. The user must remember multiple credentials and comply with different password policies.

Single Sign-On is a feature which lets you access Zoho as well as third-party applications with one user credential. Users aren't required to remember an array of usernames and passwords for each application they need access to. Zoho uses SAML to achieve SSO with third-party applications.

How does it work?

IdP initiated flow

1. The user wants to access a Zoho service.
   
2. The user logs in to their Identity Provider (IdP )and chooses the Zoho application.
   
3. IdP will create a signed SAML assertion response, which is sent to the ACS (Assertion Consumer Service) URL endpoint at Zoho.
   
4. Zoho will validate the SAML assertion response. Upon successful validation, the user will be granted access to any Zoho services they are authorized for.
   

SP initated flow

1. The user wants to sign in to a Zoho service. 
   
2. Zoho generates an SAML authentication request and sends it to IdP via HTTP-Redirect binding.
   
3. IdP will authenticate the user and form a signed SAML assertion response, which is sent to the ACS URL endpoint at Zoho.
   
4. Zoho will validate the SAML assertion response. If the user is authorized to use the Zoho service, they will be granted access.
   

Check out how to configure SAML in Zoho Accounts and use various IdP's such as Google, Okta, OneLogin, Microsoft Entra ID, Auth0, ADFS to access Zoho applications using SAML

• Related Articles

• Configure SAML in Zoho Accounts

  Note: If you want to configure SAML for Zoho One/ Zoho Directory, you can refer to their respective help documents: Zoho One | Zoho Directory To create a SAML connection between Zoho and your identity provider (IdP), you will need to provide some ...

• Close your Zoho account/organization (for personal accounts and single-user organizations)

  Important: If yours is an organization with multiple users present, refer to this help article for instructions. This article is applicable only to personal accounts and single-user organization accounts. Things to know before Closing account: When ...

• SAML terminology

  General terminology Single Sign-On (SSO) Single Sign-On (SSO) is the process of signing in to multiple services using a single set of credentials (as opposed to having separate credentials for different services). Using SSO, you can sign in to your ...

• Sign in using SAML

  SAML is a protocol that allows you to configure single sign-on (SSO) for Zoho with your identity provider (IdP). Once SAML-based SSO is configured for an organization, all the organization users can directly sign in to Zoho using their IdP ...

• Accessing Zoho via Microsoft Entra ID using SAML

  By configuring SAML based SSO with Microsoft Entra ID, you can let your users sign in to Zoho using their Entra ID credentials. Required items from Microsoft Entra ID You will need the following items from Microsoft Entra ID to configure SAML in ...