Skip to main content

Configure Active Directory Federation Services for SSO SAML


Configure Active Directory Federation Services for SSO SAML

This article describes configuration tasks you have to perform in Microsoft Windows Active Directory Federation Services (AD FS) 2.0 to enable single sign-on to Zuora. Before you start configuring AD FS, see Configure Single Sign-On for Zuora for the general requirements and the provisioning process for enabling Zuora single sign-on.

Add Zuora service provider to AD FS

Complete the following steps to add Zuora as a trusted service provider to AD FS:

  1. Log in to the AD FS Server.
  2. Launch the AD FS Management Console.
  3. On the left-hand tree view, under Trust Relationships, right-click Relying Party Trusts and select Add Relying Party Trust....
  4. In the Welcome to the Add Relying Party Trust Wizard, click Start.
  5. In Select Data Source, click Import data about the relying party from a file.
  6. In the Federation metadata file location field, enter the full path of the metadata file that Zuora provided. Click Next.
  7. In Specify Display Name, enter the name of the Zuora relying party in the Display name field and notes in the Notes field. Click Next.
  8. In Choose Issuance Authorization Rules, click Permit all users to access this relying party. Click Next.
  9. In Ready to Add Trust, review the information, and click Next.
  10. Click Close.
  11. On the left-hand tree view, under Trust Relationships, click Relying Party Trusts.
  12. In the Relying Party Trusts table, right-click the Zuora trust party name and select Properties.
  13. Click the Advanced tab.
  14. In the Secure hash algorithm field, click the arrow and select SHA-1. Zuora uses the SHA-1 algorithm to sign SAML requests and responses.
  15. Click Apply and OK.
  16. In the Relying Party Trusts table, right-click the Zuora trust party name and select Edit Claim Rules .... to add a rule to send the User Principal Name (UPN) as Name ID.
  17. In the claim rules editor, click the Issuance Transform Rules tab.
  18. Click Add Rule....
  19. Select Send LDAP Attributes as Claims as the claim rule template to use.
  20. In the Claim rule name field, enter Send UPN as Name ID.
  21. In the Attribute store field, click and select Active Directory.
  22. In the LDAP Attribute column, click the arrow and select User Principal Name.
  23. In the Outgoing Claim Type column, click the arrow and select Name ID
  24. Click Finish to complete adding Zuora to AD FS as a trusted service provider. 

Obtain SAML Federation Metadata from AD FS

Complete the following steps to retrieve the AD FS federation metadata: 

  1. In AD FS Management Console, go to Service > Endpoints > Metadata > Type:Federation Metadata to find your federation metadata URL. 
  2. Browse to the metadata URL found in Step1.
  3. Export the metadata file. This file includes your SSO setting information such as the SSO server, protocols supported, and the public key.

If there is any change in your AD FS settings, you must re-generate the metadata file and submit the new metadata file to Zuora. Wait for a notification from Zuora before allowing your users to log in to Zuora via SSO.