Configuring Single Sign-On (SSO) for Zoho Directory Users

Apart from Okta, Microsoft Entra ID, ADFS, and G-Suite, ManageEngine PAM360 also supports SAML 2.0 Single Sign-On (SSO) with Zoho Directory, which lets PAM360 take part in a federated identity management setup. In this integration PAM360 acts as the Service Provider (SP) and Zoho Directory as the Identity Provider (IdP). Setting it up consists of supplying the SP's details to the IdP and the IdP's details to the SP.

Once PAM360 is integrated with Zoho Directory, users log in to Zoho Directory and are then signed in to PAM360 from the Zoho Directory interface without having to enter their PAM360 credentials again.

Note: The administrator performing this configuration must have the rights to add and assign applications in Zoho Directory.

By the end of this document you will know how to configure SAML SSO in Zoho Directory for the PAM360 application. The configuration has three parts:

  1. Adding PAM360 as an Application in the Zoho Directory
  2. Assigning the Zoho Directory Users to PAM360 Application
  3. Configuring SAML SSO in PAM360

1. Adding PAM360 as an Application in the Zoho Directory

  1. Log in to the Zoho Directory portal.
  2. Navigate to Applications >> Add Application >> Create Custom App.
  3. On the page that appears, enter the Display Name and Description, and click SSO Mode.
  4. On the page that opens,
    1. Select the Sign-In Type as SAML.
    2. Enter the Sign-in URL, Sign-out URL, Assertion Consumer Service URL, and Issuer. All of these values are shown under Service Provider Details on the SAML Single Sign-On page in PAM360.
    3. Note: By default, the Assertion Consumer Service URL is derived from the hostname of the PAM360 server. The IdP posts the SAML response to this URL, so it must be the address through which users actually reach PAM360. To change it:
      1. Navigate to Admin >> Settings >> Mail Server Settings.
      2. Under Access URL, enter the required URL and click Save.
      The Assertion Consumer Service URL under Service Provider Details is updated accordingly.

      Notes:
      1. Under Sign-in URL, enter the PAM360 web interface URL in the form https://<hostname-of-PAM360-server or IP address>:<port>/saml2 (non-MSP) or https://<hostname-of-PAM360-server or IP address>:<port>/saml2?ORGN_NAME=orgname (MSP). Under Sign-out URL, enter the Single Logout Service URL copied from PAM360.
      2. Under Assertion Consumer Service URL, enter the Assertion Consumer Service URL copied from PAM360, and under Issuer, enter the Entity ID copied from PAM360.

  5. Under Credential Details, select the Name ID Format and the Application Username.

    Note: The SAML assertion identifies the user by the attribute chosen as the Application Username, so the PAM360 username of each Zoho Directory user must be exactly that value. Follow the same format when creating or importing users in PAM360 after completing the Zoho Directory configuration.

  6. After adding the Sign-out URL, open <PAM360_Installation_Directory>\PAM360\conf\system_properties.conf and append the property saml.logout.redirect.slo=true after the existing properties to enable SAML Single Logout.

    Note: SAML Single Logout is available only in PAM360 build 5304 and above.

  7. Click Done on the SSO page to save the SSO details.
  8. Click Create to add PAM360 as an application in Zoho Directory.

2. Assigning the Zoho Directory Users to PAM360 Application

Assign users from Zoho Directory to the PAM360 application as follows:

  1. Open the PAM360 application in Zoho Directory and click the hamburger icon in the top-left pane.
  2. Click the Assign Users button beside the Assign to users field.
  3. On the page that appears, select users individually, by group, or all at once, as required.
  4. Click Assign to complete the assignment.

You can also assign users from the Users or Group tab in Zoho Directory.

3. Configuring SAML SSO in PAM360

Follow the below steps to complete the SAML configuration process and enable the Zoho Directory SSO login for PAM360:

  1. Navigate to the PAM360 application page in Zoho Directory.
  2. In the Single Sign-on section of the PAM360 application, under Identity Provider Details, either download the IDP Metadata file, or copy the Issuer, Sign-in URL, and Sign-out URL values and download the certificate.
  3. Return to the PAM360 interface and navigate to Admin >> Authentication >> SAML Single Sign-On.
  4. Under Configure Identity Provider Details, provide the IdP information either from the XML file or manually.
  5. To use the XML file, select Upload IdP metadata file, click Browse, and select the downloaded IDP Metadata XML file.
  6. To enter the values manually, fill in Issuer, Idp Login URL (the Sign-in URL copied from Zoho Directory), and Idp Logout URL (the Sign-out URL copied from Zoho Directory).
  7. Click Save to store the Zoho Directory SAML SSO settings in PAM360.
  8. If you added the IdP information from the metadata XML, refresh the page in PAM360. Under Import IdP's Certificate you will now see the details of the imported certificate: Issuer, Subject, and Serial Number. Check that they match the certificate shown in Zoho Directory; this is the certificate PAM360 uses to verify the signature on assertions from the IdP.
  9. If you entered the IdP information manually, upload the downloaded certificate file using Browse and click Save.
  10. Click Enable in the Enable/Disable SAML Single Sign On section to turn on Zoho Directory SAML SSO for PAM360.
  11. Add the Zoho Directory users to PAM360.

    Note: You can export users from Zoho Directory using its export option and import them into PAM360. During the import, map the username field to the same attribute you selected as the Application Username when creating the PAM360 custom app.

To verify that single sign-on works, go to the PAM360 application in Zoho Directory and click Open App beside the Test SSO field.

Note: To bypass SAML Single Sign-On and use local authentication to access PAM360 (for instance, when the IdP is unreachable or the SAML configuration is broken), use the following skip URL:
https://hostname:port/PassTrixMain.cc?skipsamlsso=true
where,
"hostname" - the hostname on which the PAM360 server is running.
"port" - the port number used for PAM360.
Because this URL bypasses the IdP entirely, the local PAM360 accounts it reaches must keep strong passwords; any controls enforced at the IdP do not apply on this path.
