Skip to main content

Get started with OneID

Zuora

Get started with OneID

  1. Last updated
  2. Save as PDF

This article briefs you on how to get started with Zuora OneID as organization admins or standard users.

For more information about the overview and basic concepts of OneID, see OneID overview.

Prerequisites

Before starting using OneID, the following prerequisites are required:

  • Zuora OneID is enabled for your organization.
    For more information about how to enable Zuora OneID, see Activate OneID for your organization.

  • You have logged in to OneID as an organization admin or a standard user.

The following key configurations are necessary to set up to begin using Zuora OneID.

1. Create an account in OneID

  1. Contact the support team and share Zuora tenant IDs to map them to your organization. 
  2. (Optional): Share preferred names for organization tenants.
  3. Activate the user account from the activation email sent to you. For more details on OneID activation, see Activate Oneid for your organization.

2. Set up Single Sign-On

  1. Contact your IT team to create a custom SAML app for Zuora OneID in your Identity Provider (IdP). Currently, Zuora OneID enables IdP-initiated SSO support. You must click and use the custom SAML app from your IdP to log in to Zuora. This is a one-time IdP integration for all of your Zuora tenants.
  2. Refer to configure IdP initiated Single Sign-On with Zuora if you are using Okta, Google or Azure as your IdP.
  3. After creating the custom SAML app for Zuora OneID in your IdP, copy the metadata URL and paste it into the OneID settings. Refer to Manage single sign-on configurations for more information.
  4. Map the federated ID of users for SSO to work.

3. Enable sandbox environments

  1. Navigate to the Tenants module to view all your Zuora environments. 
  2. Validate your sandbox environment in the Tenants module and perform steps 4-7 on your sandbox environment.

4. Setup user roles for Zuora tenants

  1. Navigate to the User Roles module in OneID and select a tenant before creating or importing the roles for that tenant.
  2. You can either create new user roles in OneID or you can migrate your existing roles that are defined in the tenant 
  3. Create or import the roles for all your available tenants before mapping them to the users. 
  4. Rename migrated roles in OneID according to department, designation, or user groups with the same access levels. For more information on user roles in OneID, see Manage User roles in OneID.
  5. A single role must be assigned to a user for any given tenant in OneID's unified set of user roles, which includes all modular roles for each billing application module.

5. Setup User Groups 

  1. Create user groups with tenants configured to resemble the security groups in your AD or the user profiles in your organization.
  2. Assign single or multiple tenants per group with a OneID role assigned to every tenant. 
  3. For more information, see Manage user and group provisioning in OneID.

6. Onboard users to OneID

OneID automatically sends activation emails to new users when they are added. For more information, see Add users to OneID. You can also add the User Groups to the users while creating their accounts in OneID.

OneID offers the possibility of moving all your users’ accounts across several tenants to OneID instead of creating a new account. The migration of user accounts won’t affect the current user logins in the tenants. User migration involves validating their work email, creating a new global OneID account for relocated local users, and sending activation emails. 

When a user account already exists in OneID, it links all migrated local user accounts to the global account. To migrate user accounts in OneID, Zuora requires data from this sheet. For more information, see Migrate existing user accounts from individual tenants to OneID.

Users can access their tenants using OneID login and local tenant-level credentials for up to 90 days when migrating to OneID. OneID login allows users to access their tenants without needing local credentials anymore. This default grace period can be tailored to your preference as well.

7. Assign user access to Zuora tenants

User Groups is the go-to solution to automate user provisioning or bulk user provisioning in Zuora. OneID allows for the formation of user groups that mimic your AD groups or security groups in your IdP. Additionally, you can automate the user provisioning in Zuora using SCIM or User Management APIs in OneID.

Enable tenants and assign roles to them before adding users to the Groups. To manage user access through groups, refer Manage user provisioning with User Groups.

Direct tenant assignment is recommended for user provisioning in OneID if you want to manage user access at all levels and avoid creating multiple user groups.

To manage user access at a user level, refer Manage user provisioning by directly assigning tenants to individual users.

8. Enable the production environment 

  1. Navigate to the Tenants module in the left navigation bar and confirm your production tenant.
  2. Perform steps 4-7 with your production tenant and users.

9. (Optional) Automate user provisioning with SCIM APIs

Automated provisioning enables users to be managed from your IdP or IAM tools. If a user leaves the organization, deactivating their account in your IdP will automatically deactivate their account in Zuora OneID, revoking all Zuora tenant access.

  1. Zuora OneID support System for Cross-domain Identity Management (SCIM) automates user provisioning and access management from your IdP and IAM tools.
  2. Please refer to SCIM APIs for user provisioning for the SCIM APIs supported in OneID.
  3. For accessing theSCIM APIs in OneID,
    1. Create OAuth clients in OneID refer managing client credentials in OneID
    2. For Okta create client credentials with authorization code grant type For more information refer here
    3. For more information  refer Manage Oauth 2.0 clients.
  4. For enabling SCIM provisioning with Okta please refer for configuring the Oauth Clients and please refer Contact the IT team to integrate the SCIM APIs with your IdP for automated user provisioning. For more information, refer enable provisioning for SCIM API enable provisioning for SCIM API for enabling SCIM provisioning in Okta.

You can also integrate other IAM tools, such as Sailpoint using the SCIM APIs for automated user provisioning.