This article describes configuration tasks you need to perform in Microsoft Windows Active Directory Federation Services (AD FS) 2.0 in order to enable single sign-on to Zuora.
This feature is in Controlled Release. Submit a request at Zuora Global Support to get this feature enabled for your tenant.
Before you start configuring AD FS, see Configure Single Sign-On for Zuora for the general requirements and the provisioning process for enabling Zuora single sign-on.
Add Zuora Service Provider to AD FS
To add Zuora as a trusted service provider to AD FS:
- Login to the AD FS Server.
- Launch the AD FS Management Console.
- On the left-hand tree view, under Trust Relationships, right-click Relying Party Trusts and select Add Relying Party Trust....
- In the Welcome to the Add Relying Party Trust Wizard, click Start.
- In Select Data Source, click Import data about the relying party from a file.
- In the Federation metadata file location field, enter the full path of the metadata file that Zuora provided. Click Next.
- In Specify Display Name, enter the name of the Zuora relying party in the Display name field and notes in the Notes field. Click Next.
- In Choose Issuance Authorization Rules, click Permit all users to access this relying party. Click Next.
- In Ready to Add Trust, review the information, and click Next.
- Click Close.
- On the left-hand tree view, under Trust Relationships, click Relying Party Trusts.
- In the Relying Party Trusts table, right-click the Zuora trust party name and select Properties.
- Click the Advanced tab.
- In the Secure hash algorithm field, click the arrow and select SHA-1. Zuora uses the SHA-1 algorithm to sign SAML requests and responses.
- Click Apply and OK.
- In the Relying Party Trusts table, right-click the Zuora trust party name and select Edit Claim Rules .... to add a rule to send the User Principal Name (UPN) as Name ID.
- In the claim rules editor, click the Issuance Transform Rules tab.
- Click Add Rule....
- Select Send LDAP Attributes as Claims as the claim rule template to use.
- In the Claim rule name field, enter Send UPN as Name ID.
- In the Attribute store field, click and select Active Directory.
- In the LDAP Attribute column, click the arrow and select User Principal Name.
- In the Outgoing Claim Type column, click the arrow and select Name ID.
- Click Finish to complete adding Zuora to AD FS as a trusted service provider.
Obtain SAML Federation Metadata from AD FS
To retrieve the AD FS federation metadata:
- In AD FS Management Console, browse to Service > Endpoints > Metadata > Type:Federation Metadata to find your federation metadata URL.
- Browse to the metadata URL found in #1.
- Export the metadata file. This file includes your SSO setting information such as the SSO server, protocols supported, and the public key.
If there is any change in your AD FS settings, you must re-generate the metadata file and submit the new metadata file to Zuora. Wait for a notification from Zuora before allowing your users to login to Zuora via SSO.