Skip to main content

Configure Okta for SSO SAML


Configure Okta for SSO SAML

This article describes how to integrate the Okta identity provider with Zuora for single sign-on (SSO).

Before you start configuring Okta, see Configure Single Sign-On for Zuora for the general requirements and the provisioning process for enabling Zuora single sign-on.

Add Zuora Application to Okta

First, configure Okta to provide the sign-on information for the Zuora environment.

To add the Zuora application to Okta:

  1. Sign in to Okta. You must have the Applications Admin permission.
  2. Click Administration.
  3. On the Applications tab, click Add Application.
  4. Click Create New App.
  5. In the Create a New Application Integration window, select SAML 2.0. Click Create.
  6. In the General Settings step, enter the App name and App logo. Click Next.
  7. Enter the SAML settings.
    • Single sign on URL - The Assertion Consumer Service (ACS) endpoint(s) where the Zuora application receives the SAML assertion. 
      • If you are enabling SSO in the US Production environment, enter:
      • If you are enabling SSO in the US API Sandbox environment, enter:
      • If you are enabling SSO in the EU Production environment, enter:
      • If you are enabling SSO in the EU Sandbox environment, enter:
    • Audience URI - Enter the Entity ID of this Zuora application.
      • If you are enabling SSO in the US Zuora Production environment, enter:
      • If you are enabling SSO in the US Zuora API Sandbox environment, enter:
      • If you are enabling SSO in the EU Zuora Production environment, enter:
      • If you are enabling SSO in the EU Zuora API Sandbox environment, enter:
    • Default RelayState - Leave this field blank.
    • Name ID format - Set to EmailAddress.
    • Default username - Set to Email.
    • Leave all other fields at their default values.
  8. Click Next.
  9. Click Finish.

Obtain Okta IDP Metadata

As an SSO provisioning step, you need to provide the Okta identity provider metadata to Zuora. This metadata is specific to your Okta account.

To retrieve the identity provider metadata from Okta:

  1. Log into Okta, click Administration.
  2. Click the Applications tab.
  3. Click the application that you added for Zuora SSO.
  4. Click the Sign On tab.
  5. Click Identity Provider metadata to download the Okta metadata file.Okta_IDP_Metadata.png
  6. Provide the downloaded IDP metadata to Zuora.

If there is any change in your Okta settings that results in your metadata updates, you must re-submit the new metadata file to Zuora. Wait for a notification from Zuora before allowing your users to login to Zuora via SSO.

Add a Zuora SSO Test User To Okta

Add a test user to your company's Okta account in order to test SSO authentication against Zuora. You need to provide this test user's log-in information to Zuora for the Zuora SSO provisioning process.

To add a test user in Okta:

  1. From your Okta dashboard, click the People tab.
  2. Click Add Person

Assign Zuora Application to Users

Okta requires each SSO user to be assigned to the Zuora application you created in Add Zuora Application to Okta.

To assign the Zuora application to the test user:

  1. In Okta, on the People tab, click the user's full name.
  2. Click Assign Applications.
  3. Click the Zuora application to be assigned to this user.
  4. Verify the user name in the Username field. This username will be used as the Federated ID of the test user.
  5. Click Save.