Setup SSO with Okta using SAML in OneID

This article describes how to configure Okta to enable single sign-on with OneID. For more information about SSO in OneID, see Configure single sign-on for OneID.

Step 1: Add the Zuora OneID application to Okta

To add the Zuora OneID application to Okta, take the following steps:

  1. Log in to Okta as a user who has the application administration permission.
  2. Go to the Applications tab and click Create App Integration.
  3. Select SAML 2.0 as the sign-in method in the dialog and click Next.
  4. In the General Settings step, provide the following information:
    • Enter an app name.
    • Optional: add an app logo.
  5. Click Next.
  6. Configure the following SAML settings:
    • Single sign on URL: https://one.zuora.com/saml/SSO
    • Use this for Recipient URL and Destination URL: select this checkbox
    • Audience URI: https://one.zuora.com/saml/metadata
    • Default RelayState: leave this field blank
    • Name ID format: Unspecified
    • Application username: Email
    • Leave other fields at their default values
  7. Click Next.
  8. Click Finish.

For more information, see Create SAML app integrations.

Step 2: Obtain Okta SAML metadata URL

  1. Log in to Okta and go to the Applications tab.
  2. Click the application for Zuora OneID.
  3. Click the Sign On tab.
  4. In the SAML Signing Certificates section, select the Active certificate and click Actions/View IdP metadata.
  5. Submit the metadata URL to OneID.

Step 3: Assign the Zuora OneID application to Okta users

  1. Log in to Okta and go to the Applications tab.
  2. Click the application for Zuora OneID.
  3. Click the Assignments tab.
  4. Click Assign/Assign to People.
  5. Find the person to whom you want to assign the Zuora OneID application and click Assign.
  6. Verify the User Name and click Save and Go Back.
  7. Repeat steps 5 and 6 for all users that need to be assigned the Zuora OneID application.

For more information, see Assign app integrations.
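
Once an assigned user has completed a test sign-in, the SAMLResponse form field captured from the browser can be compared with the Step 1 settings. The following Python check is an added example, not part of the Zuora or Okta documentation; the function names and the sample response are constructed for illustration, and the NameID format URI is the standard SAML 1.1 identifier for "Unspecified".

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Values taken from the SAML settings in Step 1.
ACS_URL = "https://one.zuora.com/saml/SSO"
AUDIENCE = "https://one.zuora.com/saml/metadata"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def check_saml_response(b64_response):
    """List mismatches with Step 1. Does not verify the XML signature."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    if root.get("Destination") != ACS_URL:
        problems.append("Destination is %r" % root.get("Destination"))
    recipients = [e.get("Recipient")
                  for e in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if not recipients or any(r != ACS_URL for r in recipients):
        problems.append("Recipient is %r" % recipients)
    audiences = [(e.text or "").strip()
                 for e in root.iterfind(".//saml:Audience", NS)]
    if AUDIENCE not in audiences:
        problems.append("Audience is %r" % audiences)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("NameID is missing")
    else:
        if name_id.get("Format") != UNSPECIFIED:
            problems.append("NameID Format is %r" % name_id.get("Format"))
        if "@" not in (name_id.text or ""):  # Application username: Email
            problems.append("NameID is not an email address")
    return problems


def sample_response(destination=ACS_URL, audience=AUDIENCE,
                    name_id="user@example.com"):
    """Constructed, unsigned response carrying only the fields checked above."""
    xml = ('<samlp:Response xmlns:samlp="{p}" xmlns:saml="{a}" Destination="{d}">'
           '<saml:Assertion><saml:Subject>'
           '<saml:NameID Format="{f}">{n}</saml:NameID><saml:SubjectConfirmation>'
           '<saml:SubjectConfirmationData Recipient="{d}"/>'
           '</saml:SubjectConfirmation></saml:Subject>'
           '<saml:Conditions><saml:AudienceRestriction>'
           '<saml:Audience>{u}</saml:Audience>'
           '</saml:AudienceRestriction></saml:Conditions>'
           '</saml:Assertion></samlp:Response>').format(
               p=NS["samlp"], a=NS["saml"], d=destination, f=UNSPECIFIED,
               n=name_id, u=audience)
    return base64.b64encode(xml.encode()).decode()
```

An empty list means the response matches the Step 1 settings; run the check only on responses captured from your own test sign-in.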

Step 4: Enable provisioning using SCIM API

  1. Create an OAuth 2.0 client for the authorization code grant type in OneID.
  2. Log in to Okta and go to the Applications tab.
  3. Click the application for Zuora OneID.
  4. On the General tab, click Edit under App Settings, and then select Provisioning - SCIM. The Provisioning tab opens.
  5. Click the Integration menu under the Settings section.
  6. Complete the SCIM Connection settings:
    • SCIM connector base URL: https://one.zuora.com/scim/v2
    • Unique identifier field for users: userName
    • Supported provisioning actions: Select the Push New Users, Push Profile Updates, and Push Groups checkboxes depending on your requirements
    • Authentication Mode: OAuth 2
    • Access Token endpoint URI: https://one.zuora.com/oauth2/token
    • Authorization endpoint URI: https://one.zuora.com/oauth2/authorize
    • Client ID: the client ID you received in step 1
    • Client Secret: the client secret you received in step 1
  7. Click Save.
  8. Click Re-authenticate with <your app name> to authenticate with the Zuora OneID application and generate an authentication token for SCIM provisioning.
  9. After the OAuth authentication is successful, click To App.
  10. In the Provisioning to App section, select the Enable checkbox for the following options:
    • Create Users
    • Update User Attributes
    • Deactivate Users
  11. In the Attribute Mappings section, configure attribute mappings.
    Zuora OneID needs the following attributes:
    • Username
    • Given name
    • Family Name
    • Email
    • Primary email type
    • Preferred language
    • Locale Name

For more information, see Add SCIM provisioning to app integrations.