Get started with OneID
This article explains how to get started with Zuora OneID as an organization admin or a standard user. For an overview and the basic concepts of OneID, see OneID overview.
Prerequisites
Before using OneID, ensure the following prerequisites are met:
- Zuora OneID must be enabled for your organization. For more information on enabling OneID, see Activate OneID for your organization.
- You must log in to OneID as an organization admin or a standard user.
- For Zuora Revenue users, ensure you are on version 37.016.6.0 or higher.
The following key configurations are necessary to set up Zuora OneID:
1. Create an Account in OneID
To create an account in OneID:
- Contact the support team and provide your Zuora tenant IDs to map them to your organization.
- Optionally, share your preferred names for organization tenants.
- Activate your user account using the activation email sent to you. For more details on account activation, refer to Activate OneID for your organization.
2. Set up Single Sign-On
- Contact your IT team to create a custom SAML app for Zuora OneID in your Identity Provider (IdP). Zuora OneID supports both IdP-initiated SSO and Service Provider-initiated SSO.
- With Zuora OneID, you can configure Single Sign-On for your entire organization instead of configuring SSO for every Zuora tenant or application.
- To configure Single Sign-On (SSO) with Zuora OneID, refer to the SSO for OneID documentation. This applies if you are using Okta, Google, JumpCloud, PingOne or Microsoft Entra ID as your Identity Provider (IdP).
- After creating the custom SAML app for Zuora OneID in your IdP, copy the metadata URL and paste it into the OneID settings. Refer to Manage single sign-on configurations for more information.
- Map each user's federated ID; SSO does not work without this mapping.
Setting up Single Sign-On (SSO) is not required to use Zuora OneID; you can still log in with a username and password. Additionally, you can configure multi-factor authentication (MFA) to enhance the security of your login.
3. Onboarding Steps
Before onboarding to OneID, choose your preferred user provisioning mode. The provisioning mode determines how tenant access is assigned to users in your organization. Zuora offers two provisioning modes: Direct Tenant Access and Group Provisioning Mode. For details and selection, refer to Manage user and group provisioning in OneID.
Once you've decided on your preferred provisioning mode, proceed with one of the following options:
3.1 Manage User Access from Zuora UI with Direct Tenant Access
To migrate your existing users to OneID:
- Begin the migration process from your sandbox tenants. For steps on migration, refer to Manage user and group provisioning in OneID. Note that this process applies only to Zuora Billing tenants.
- The user import will automatically create user accounts in OneID for users who do not already have an account. Additionally, it will copy the roles assigned to users in the local tenant and any defined federated IDs.
- After importing users, you can update their roles from the user details page.
- Perform the migration steps for your other sandbox and production tenants.
3.2 Manage User Access in Bulk from Zuora UI Using User Groups
To manage user access in bulk:
- Start the migration process from your sandbox tenants. For steps on migration, refer to Manage user and group provisioning in OneID, which applies only to Zuora Billing tenants.
- Navigate to the User Groups module and create the necessary user groups with the appropriate tenant access. For detailed steps, see the guide on creating and managing User Groups.
- Navigate to Security Policies and enable user groups for all users in your organization. This action will disable Direct Tenant Access, the default provisioning mode.
- In the User Groups details page, add users in the Users section. For more information, refer to Manage users in OneID.
You can manage some users using Group Provisioning Mode while allowing others to retain Direct Tenant Access. To do this, simply update the Direct Tenant Access toggle on the user details page for the specific user.
3.3 Automate User Provisioning through SCIM APIs
To automate user provisioning from Okta:
- Create a custom SAML app in Okta and update the SSO metadata URL in the OneID SSO settings. For assistance, refer to Setup SSO with Okta using SAML in OneID.
- Create OAuth clients in OneID to perform SCIM Integration within the custom SAML app in Okta. To manage client credentials, see the guide for Authorization Code Grant Type.
- Push user accounts from Okta; user accounts will be auto-created in OneID.
- To migrate existing users to OneID, initiate the migration process from your sandbox tenants by referring to the provided migration steps.
- Push user groups from Okta to create new user groups in OneID, associating them with the relevant users.
4. Manage User Groups and Tenant Access in OneID
- Once user groups are established in OneID, navigate to the Zuora UI to update tenant access for the user group. Enable the tenant toggle and assign the appropriate roles for each tenant.
- Avoid enabling production tenants in these user groups until you have completed the migration of users from your production tenant to OneID.
- After pushing users and user groups from Okta, refrain from updating any user profile settings through the Zuora OneID UI, as this could disrupt the synchronization between Zuora OneID and Okta.
- For further automation of your user provisioning process, refer to the complete list of available SCIM APIs in Zuora OneID.