Integrate with Zoho
Support level: Community
What is Zoho?
Zoho provides a suite of cloud applications for business operations, including email, collaboration, CRM, finance, HR, and analytics tools.
Preparation
The following placeholders are used in this guide:
- authentik.company is the FQDN of the authentik installation.
- accounts.zoho.com is the Zoho Accounts URL for your organization's data center.
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
Use the Zoho Accounts URL that matches your organization's data center:
- United States: https://accounts.zoho.com
- Australia: https://accounts.zoho.com.au
- Europe: https://accounts.zoho.eu
- India: https://accounts.zoho.in
- China: https://accounts.zoho.com.cn
- Japan: https://accounts.zoho.jp
- Canada: https://accounts.zohocloud.ca
- Saudi Arabia: https://accounts.zoho.sa
Download Zoho metadata file
- Log in to Zoho Accounts as an administrator at the Zoho Accounts URL for your data center.
- Navigate to Organization > SAML Authentication.
- Click Download Metadata. You will require this Zoho metadata file in the next section.
authentik configuration
To support the integration of Zoho with authentik, you need to create an application/provider pair in authentik.
Create an application and provider
- Log in to authentik as an administrator and open the authentik Admin interface.
- Navigate to Applications > Applications and click New Application to open the application wizard.
- Application: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- Choose a Provider type: select SAML Provider from Metadata as the provider type.
- Configure the Provider: provide a name (or accept the auto-provided name), the authorization and invalidation flows to use for this provider, and the following required configuration:
- Metadata: select the Zoho metadata file that you downloaded in the previous section.
- Configure Bindings (optional): you can create a binding (policy, group, or user) to manage the listing and access to applications on a user's Application Dashboard page.
- Click Submit to save the new application and provider.
- Navigate to Applications > Providers and click the Edit icon of the Zoho provider.
- Configure the following settings:
- Under Advanced protocol settings:
- Select an available Signing Certificate.
- Set NameID Property Mapping to authentik default SAML Mapping: Email.
- Click Update.
Download authentik metadata file
- Log in to authentik as an administrator and open the authentik Admin interface.
- Navigate to Applications > Providers and click on the name of the provider that you created for Zoho.
- Under Related objects > Metadata, click on Download. You will require this authentik metadata file in the next section.
Zoho configuration
- Log in to Zoho Accounts as an administrator using your Zoho Accounts URL.
- Navigate to Organization > SAML Authentication, and under SAML Authentication select Set up Now.
- Click Upload Metadata and upload your authentik metadata file.
- In Zoho Service, select the Zoho service that users should open after IdP-initiated sign-in from authentik.
- Click Submit.
If you do not enable Zoho's Just-in-Time provisioning, users must already exist in your Zoho organization before they can sign in with authentik.
If you enable Just-in-Time provisioning, Zoho validates the SAML response and the user's domain before adding the user. Domain verification and user-field mapping in Zoho are outside the scope of this guide.
Configuration verification
To confirm that authentik is properly configured with Zoho, open the Zoho integration from the authentik Application Dashboard. You should be redirected to Zoho and signed in to the Zoho service you selected during the Zoho configuration.
You can also test the SP-initiated flow by opening the Zoho sign-in page for your data center, entering the email address of an account that exists in both Zoho and authentik, and selecting the SAML sign-in option when prompted. You should be redirected to authentik to authenticate, then back to Zoho.