Configure single sign-on for OneID
This article describes the overview of single sign-on (SSO) with OneID, and how to configure your identity providers (IdPs) and OneID to enable SSO.
Overview of SSO SAML with OneID
Single sign-on, or SSO, is a solution that allows a user to access multiple applications using one set of credentials. With SSO, users can log in to IdPs and gain access to any registered service providers (SPs).
- Identity provider: An identity provider, or IdP, is an entity that stores and manages user identities. The IdP establishes a secure relationship with each SP.
- Service provider: A service provider, or SP, is an entity that provides services to other organizations.
OneID supports the SSO solution using federated authentication via Security Assertion Markup Language (SAML) 2.0 protocol, which provides a secure, XML-based solution for exchanging information between an IdP and SPs.
OneID supports SSO integration with Google, JumpCloud, Microsoft Entra ID, and Okta using the SAML 2.0 protocol. It also integrates with most other Identity Providers via SAML 2.0.
A typical process of accessing OneID with SSO SAML is as follows:
- Log in to an IdP, such as Okta, with your IdP user credentials.
- Select OneID (SP) through the IdP.
The IdP redirects you to the OneID portal with verified user information, and OneID provides you with corresponding user abilities.
Take the following steps to enable SSO SAML for OneID:
Configure IdPs for SSO SAML with OneID
The high-level steps to configure IdPs are as follows:
- Add OneID to your IdP.
- Obtain SAML metadata of your IdP.
- Submit IdP’s SAML metadata URL to OneID.
Note that you should perform this operation in OneID and not in your IdP. - Assign OneID to IdP users.
The actual configuration procedure varies depending on the IdP you use. For more information about configuring Okta SSO, see Configure Okta for SSO SAML with OneID.
Configure OneID for SSO SAML
Enable SSO SAML for OneID users
In the SSO SAML solution, a user in your IdP should map to a user in OneID. When logging in to OneID via SSO SAML, your IdP redirects you to the OneID portal, and keeps you logged in as the corresponding OneID user. You need not to enter your credentials in OneID again.
To enable SSO SAML for a OneID user and link it to an IdP user, Add a user to OneID or Edit a user in OneID as usual with the following information:
- Federated ID: Specify the SSO federated ID of the user. The value must be in an email format, typically the user email of the corresponding IdP user.
- SSO Saml Enabled: Switch this toggle to the on position to enable SSO SAML.
Submit IdP’s SAML metadata URL to OneID
IdPs and SPs use SAML metadata to exchange interaction information. The metadata is in XML format and secured.
To enable SSO SAML for your IdP in OneID, you must submit your IdP’s SAML metadata URL to OneID. For more information about how to submit the URL to OneID, see Manage SSO SAML metadata URL.
Enable SSO for large user groups
This section details the procedure for enabling Single Sign-On (SSO) for a significant number of users in your organization. This method is particularly advantageous when your company has integrated with OneID, as it allows you to enable SSO for a large number of users efficiently, without the need for manual updates to each user’s settings.
As a OneID administrator, follow these steps to enable Single Sign-On (SSO) for all users with a specific email domain:
- Log in to the Zuora OneID application as an administrator.
- Navigate to your user profile on the right and select Settings > Manage SSO Settings.
- Click Edit and enter the desired email domain in the Single Sign-On Domain field. For instance, for Zuora the email domain that needs to be provided will be zuora.com
- Click Enable SSO for all Users and then click Save.
Now, all users with the email domain specified in the Single Sign-On Domain will have SSO enabled. The federated ID will be automatically copied from the user's work email.