Configure Active Directory Federation Services for SSO SAML

This article describes configuration tasks you need to perform in Microsoft Windows Active Directory Federation Services (AD FS) 2.0 in order to enable single sign-on to Zuora.

This feature is in Controlled Release. Submit a request at Zuora Global Support to get this feature enabled for your tenant.

Before you start configuring AD FS, see Configure Single Sign-On for Zuora for the general requirements and the provisioning process for enabling Zuora single sign-on.

Add Zuora Service Provider to AD FS

To add Zuora as a trusted service provider to AD FS:

  1. Login to the AD FS Server.
  2. Launch the AD FS Management Console.
  3. On the left-hand tree view, under Trust Relationships, right-click Relying Party Trusts and select Add Relying Party Trust....
  4. In the Welcome to the Add Relying Party Trust Wizard, click Start.
  5. In Select Data Source, click Import data about the relying party from a file.
  6. In the Federation metadata file location field, enter the full path of the metadata file that Zuora provided. Click Next.
  7. In Specify Display Name, enter the name of the Zuora relying party in the Display name field and notes in the Notes field. Click Next.
  8. In Choose Issuance Authorization Rules, click Permit all users to access this relying party. Click Next.
  9. In Ready to Add Trust, review the information, and click Next.
  10. Click Close.
  11. On the left-hand tree view, under Trust Relationships, click Relying Party Trusts.
  12. In the Relying Party Trusts table, right-click the Zuora trust party name and select Properties.
  13. Click the Advanced tab.
  14. In the Secure hash algorithm field, click the arrow and select SHA-1. Zuora uses the SHA-1 algorithm to sign SAML requests and responses.
  15. Click Apply and OK.
  16. In the Relying Party Trusts table, right-click the Zuora trust party name and select Edit Claim Rules... to add a rule that sends the User Principal Name (UPN) as the Name ID.
  17. In the claim rules editor, click the Issuance Transform Rules tab.
  18. Click Add Rule....
  19. Select Send LDAP Attributes as Claims as the claim rule template to use.
  20. In the Claim rule name field, enter Send UPN as Name ID.
  21. In the Attribute store field, click and select Active Directory.
  22. In the LDAP Attribute column, click the arrow and select User Principal Name.
  23. In the Outgoing Claim Type column, click the arrow and select Name ID.
  24. Click Finish to complete adding Zuora to AD FS as a trusted service provider.
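The wizard steps above can also be scripted, which makes the configuration reviewable and repeatable across AD FS servers. The following PowerShell is an added example, not a script from Zuora or Microsoft: it creates the same relying party trust, the "permit all users" authorization rule, the "Send UPN as Name ID" transform rule and the SHA-1 signature setting, then reads the trust back to confirm what AD FS stored. The metadata path C:\sso\zuora-sp-metadata.xml and the trust name "Zuora" are placeholders; the script assumes it runs as an AD FS administrator on the AD FS server.

```powershell
# Added example (not Zuora's or Microsoft's own script): scripts the relying party
# trust that the Add Relying Party Trust wizard builds by hand.
# Assumptions: the metadata file Zuora provided is saved at the placeholder path
# below, and the script runs as an AD FS administrator on the AD FS server.

# AD FS 2.0 ships its cmdlets as a PowerShell snap-in; AD FS on Windows Server
# 2012 R2 and later ships them as the ADFS module.
if (Get-PSSnapin -Registered -Name Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue) {
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
} else {
    Import-Module ADFS
}

$metadataFile = 'C:\sso\zuora-sp-metadata.xml'   # placeholder: file provided by Zuora
$trustName    = 'Zuora'                          # placeholder: display name chosen in step 7

# Step 8 ("Permit all users to access this relying party") as a claim rule.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Steps 16-23: send the userPrincipalName LDAP attribute as the SAML Name ID.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send UPN as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# Step 14: the article states Zuora signs with SHA-1, so the trust uses the RSA-SHA1 URI.
# If Zuora later accepts SHA-256, switch to http://www.w3.org/2001/04/xmldsig-more#rsa-sha256.
$sha1 = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'

# Steps 5-7: import the relying party from the metadata file and name it.
Add-AdfsRelyingPartyTrust -Name $trustName `
    -MetadataFile $metadataFile `
    -Notes 'Zuora SAML service provider' `
    -SignatureAlgorithm $sha1 `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules

# Read the trust back and fail loudly if AD FS did not store what was requested.
$trust = Get-AdfsRelyingPartyTrust -Name $trustName
$trust | Select-Object Name, Identifier, SignatureAlgorithm, Enabled

if ($trust.SignatureAlgorithm -ne $sha1) {
    throw "Signature algorithm on '$trustName' is $($trust.SignatureAlgorithm), expected $sha1"
}
if ($trust.IssuanceTransformRules -notmatch 'userPrincipalName') {
    throw "Name ID claim rule is missing on '$trustName'"
}
Write-Output "Relying party trust '$trustName' configured and verified."
```

The read-back at the end is the part worth keeping even if you configure the trust through the console: Get-AdfsRelyingPartyTrust shows the identifier and rules exactly as AD FS will apply them, which is what to compare against when an SSO login fails with a claim or signature error.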

Obtain SAML Federation Metadata from AD FS

To retrieve the AD FS federation metadata:

  1. In AD FS Management Console, browse to Service > Endpoints > Metadata > Type: Federation Metadata to find your federation metadata URL.
  2. Browse to the metadata URL found in step 1.
  3. Export the metadata file. This file includes your SSO setting information such as the SSO server, protocols supported, and the public key.

If there is any change in your AD FS settings, you must re-generate the metadata file and submit the new metadata file to Zuora. Wait for a notification from Zuora before allowing your users to log in to Zuora via SSO.
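Because the metadata file embeds the AD FS token-signing certificate, the most common "change in your AD FS settings" that silently breaks SSO is a certificate rollover. The PowerShell below is an added example, not a script from Zuora or Microsoft: it locates the Federation Metadata endpoint the way step 1 does, downloads the file, and reports the entity ID, the single sign-on endpoints and the expiry of each signing certificate so you know in advance when a new file must be submitted to Zuora. It assumes it runs on the AD FS server, that the endpoint object exposes a FullUrl property ending in FederationMetadata.xml, and uses C:\sso\adfs-federation-metadata.xml as a placeholder output path.

```powershell
# Added example (not Zuora's or Microsoft's own script): export the AD FS federation
# metadata and inspect the signing certificate(s) it advertises.
# Assumptions: run on the AD FS server as an AD FS administrator; the Federation
# Metadata endpoint object has a FullUrl property (assumed name); output path is a placeholder.

if (Get-PSSnapin -Registered -Name Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue) {
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
} else {
    Import-Module ADFS
}

$outFile = 'C:\sso\adfs-federation-metadata.xml'   # placeholder output path

# Step 1: find the Federation Metadata endpoint (Service > Endpoints > Metadata in the console).
$endpoint = Get-AdfsEndpoint |
    Where-Object { "$($_.FullUrl)" -like '*FederationMetadata.xml' } |
    Select-Object -First 1
if (-not $endpoint) { throw 'Federation Metadata endpoint not found in Get-AdfsEndpoint output' }
$metadataUrl = "$($endpoint.FullUrl)"

# Steps 2-3: download the metadata document. WebClient works on the PowerShell 2.0
# that ships with the AD FS 2.0 era servers as well as on current versions.
(New-Object System.Net.WebClient).DownloadFile($metadataUrl, $outFile)
Write-Output "Exported $metadataUrl to $outFile"

# Parse the SAML 2.0 metadata and report what Zuora will rely on.
[xml]$md = Get-Content $outFile
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

Write-Output "entityID: $($md.DocumentElement.GetAttribute('entityID'))"

# SSO server and supported protocol bindings.
$ssoNodes = $md.SelectNodes('//md:IDPSSODescriptor/md:SingleSignOnService', $ns)
foreach ($sso in $ssoNodes) {
    Write-Output ("SSO endpoint: {0}  binding: {1}" -f $sso.GetAttribute('Location'), $sso.GetAttribute('Binding'))
}

# Signing certificates: these are the public keys Zuora uses to validate SAML responses.
$certNodes = $md.SelectNodes("//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)
if ($certNodes.Count -eq 0) { throw 'No signing certificate found in federation metadata' }

foreach ($node in $certNodes) {
    $bytes = [Convert]::FromBase64String($node.InnerText.Trim())
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
    $daysLeft = ($cert.NotAfter - (Get-Date)).Days
    Write-Output ("Signing cert: {0}  thumbprint: {1}  expires: {2:yyyy-MM-dd} ({3} days)" -f `
        $cert.Subject, $cert.Thumbprint, $cert.NotAfter, $daysLeft)
    if ($daysLeft -lt 30) {
        Write-Warning "Signing certificate expires in $daysLeft days; plan to re-export metadata and resubmit it to Zuora."
    }
}
```

Run this on a schedule and keep the thumbprints it prints next to the metadata you last sent to Zuora: a new thumbprint in the output means AD FS is now signing with a certificate Zuora does not hold, and the re-submission step above applies before users are allowed to log in via SSO again.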

Last modified
13:20, 3 Apr 2015
