Setup SSO with Okta using SAML in OneID
This article describes how to configure Okta to enable single sign-on with OneID. For more information about SSO in OneID, see Configure single sign-on for OneID.
Procedure
Step 1: Add Zuora OneID application to Okta
To add Zuora OneID application to Okta, take the following steps:
- Log in to Okta as the user who has the application administration permission.
- Go to the Applications tab and click Create App Integration.
- Select SAML 2.0 as the sign-in method in the dialog and click Next.
- In the General Settings step, provide the following information:
- Enter an app name.
- Optional: add an app logo.
- Click Next.
- Configure the following SAML settings:
- Single sign on URL:
https://one.zuora.com/saml/SSO - Use this for Recipient URL and Destination URL: select this checkbox
- Audience URI:
https://one.zuora.com/saml/metadata - Default RelayState: leave this field blank
- Name ID format:
Unspecified - Application username:
Email - Leave other fields at their default values
- Single sign on URL:
- Click Next.
- Click Finish.
For more information, see Create SAML app integrations.
Step 2: Obtain Okta SAML metadata URL
- Log in to Okta and go to the Applications tab.
- Click the application for Zuora OneID.
- Click the Sign On tab.
- In the SAML Signing Certificates section, select the Active certificate and click Actions/View IdP metadata.
- Submit the metadata URL to OneID.
Step 3: Assign the Zuora OneID application to Okta users
- Log in to Okta and go to the Applications tab.
- Click the application for Zuora OneID.
- Click the Assignments tab.
- Click Assign/Assign to People.
- Find the person you want to assign the Zuora OneID application and click Assign.
- Verify the User Name and click Save and Go Back.
- Repeat steps 5 and 6 for all users that need to be assigned the Zuora OneID application.
For more information, see Assign app integrations.
Step 4: Enable provisioning using SCIM API
- Create an OAuth 2.0 client for authorization code grant type in OneID.
- Log in to Okta and go to the Applications tab.
- Click the application for Zuora OneID.
- On the General tab, click Edit under App Settings, and then select Provisioning - SCIM. The Provisioning tab opens.
- Click the Integration menu under the Settings section.
- Complete the SCIM Connection settings:
- SCIM connector base URL:
https://one.zuora.com/scim/v2 - Unique identifier field for users:
userName - Supported provisioning actions: Select the Push New Users, Push Profile Updates, and Push Groups checkboxes depending on your requirements
- Authentication Mode:
OAuth 2 - Access Token endpoint URI:
https://one.zuora.com/oauth2/token - Authorization endpoint URI:
https://one.zuora.com/oauth2/authorize - Client ID: the client ID you received in step 1
- Client Secret: the client secret you received in step 1
- SCIM connector base URL:
- Click Save.
- Click Re-authenticate with <your app name> to authenticate with the Zuora OneID application and generate an authentication token for SCIM provisioning.
- After the Oauth authentication is successful, click To App.
- In the Provisioning to App section, select the Enable checkbox for the following options:
- Create Users
- Update User Attributes
- Deactivate Users
- In the Attribute Mappings section, configure attribute mappings.
Zuora OneID needs the following attributes:- Username
- Given name
- Family Name
- Primary email type
- Preferred language
- Locale Name
For more information, see Add SCIM provisioning to app integrations.