Skip to main content

Configure Okta for SSO SAML


Configure Okta for SSO SAML

This article describes how to integrate the Okta identity provider with Zuora for single sign-on (SSO). Before you start configuring Okta, see Configure Single Sign-On for Zuora for the general requirements and the provisioning process for enabling Zuora single sign-on.

The following procedure might not apply to the version of Okta that you are working with. For more information about the Okta UI, always refer to the Okta documentation.

Add Zuora application to Okta

First, configure Okta to provide the sign-on information for the Zuora environment. To add the Zuora application to Okta, complete the following steps:

  1. Log in to Okta as the user who has the application administration permission.
  2. Go to the Applications tab and click Add application > Create new app.
  3. In the dialog, select SAML 2.0 as the sign-on method and click Create.
  4. In the General Settings step, enter the application name and an optional application. Click Next.
  5. Enter the SAML settings.
    • Single sign-on URL : The Assertion Consumer Service (ACS) endpoints where the Zuora application receives the SAML assertion. The value to enter depends on the Zuora environment that you are enabling SSO in.
      • US Cloud 1 Production -
      • US Cloud 1 API Sandbox -
      • US Cloud 2 Production -
      • US Cloud 2 API Sandbox -
      • US Central Sandbox -
      • US Performance Test -
      • EU Cloud Production -
      • EU Cloud API Sandbox -
      • EU Central Sandbox -
    • Audience URI: Enter the Entity ID of this Zuora application. The value to enter depends on the Zuora environment that you are enabling SSO in.
      • US Cloud 1 Production -
      • US Cloud 1 API Sandbox -
      • US Cloud 2 Production -
      • US Cloud 2 API Sandbox -
      • US Performance Test -
      • US Central Sandbox -
      • EU Cloud Production -
      • EU Cloud API
      • EU Central Sandbox -
    • Default RelayState: Leave this field blank.
    • Name ID format: Set to EmailAddress.
    • Default username: Set to Email.
    • Leave all other fields at their default values.
  6. Click Next.
  7. Click Finish.

Obtain Okta IDP metadata

As an SSO provisioning step, you need to provide the Okta identity provider metadata to Zuora. This metadata is specific to your Okta account. Complete the following steps to retrieve the identity provider metadata from Okta:

  1. Log in to Okta and go to the Applications tab.
  2. Click the application that you added for Zuora SSO.
  3. Click the Sign On tab.
  4. Click Identity Provider metadata to download the Okta metadata file.
  5. Provide the downloaded IDP metadata to Zuora.

If there is any change in your Okta settings that results in your metadata updates, you must re-submit the new metadata file to Zuora. Wait for a notification from Zuora before allowing your users to log in to Zuora via SSO.

Add a Zuora SSO test user to Okta

Add a test user to your company's Okta account to test SSO authentication against Zuora. You need to provide this test user's log-in information to Zuora for the Zuora SSO provisioning process. Complete the following steps to add a test user in Okta:

  1. From your Okta dashboard, click the People tab.
  2. Click Add Person

Assign Zuora application to users

Okta requires each SSO user to be assigned to the Zuora application you created in Add Zuora Application to Okta. Complete the following steps to assign the Zuora application to the test user:

  1. In Okta, on the People tab, click the user's full name.
  2. Click Assign Applications.
  3. Click the Zuora application to be assigned to this user.
  4. Verify the user name in the Username field. This username will be used as the federated ID of the test user.
  5. Click Save.