Steps to Set up SSO for your custom application
Using Security Assertion Markup Language (SAML), let your customers login to Zoho Subscriptions Portal with your application’s credential.
Contact Zoho Subscriptions with the following URLs.
- SSO Login URL
- SSO Logout URL
- SSO Password Reset URL
- X.509 Certificate
- Encryption algorithm
We will enable SSO for your account and share the following URLs,
- ACS URL
- RelayState
When Zoho Subscriptions’ portal is accessed, Zoho Subscriptions will make a GET call to the Login URL.
For easier understanding, let us assume
Login URL as www.zylker.com/saml/login
Logout URL as www.zylker.com/saml/logout
ACS URL as www.accounts.zohoportal.com/accounts/csamlresponse/10807
/*
* @method GET
* @queryParams `SAMLRequest`, `RelayState`
*/
GET: www.zylker.com/saml/login?SAMLRequest={SAMLRequest}&RelayState={RelayState}
------------------------------SAMLPLE SAMLRequest (BASE64)--------------------------------------
fVJNT+MwFLwj8R8i3/PV0NBaTVGgQlRidyMa9sAFObZLLRw7+DldYLX/HSdNYMVq8XE8M2/e6C3Onmvp7bkBoVWG4iBCHldUM6EeMnRbXvozdLY8PloAqWWD89bu1A1/ajnY4yPPPSdXgLvfDLVGYU1AAFak5oAtxZv82zWeBBEmANxYNwR91jVfCxujraZaDrr1KkP3NE2mVVIxQmbbk2o6mSfprEoZqXgUsymbx9NknkzSQfJz3M7ZjS4ALV8rsERZh0fxzI8jP56UUYpPEhxHwelpejeQiyHBuVCHWr6KWx1IgK/KsvCLH5vyw2UvGDffnSRDd3qn37MUrhyxd+iWSOADvHIVC0Vsn3xnbQM4DF9f5CM3AdV12FUXSv0gxkbzseELraCtudlwsxeU395cfxgQSnWrLASvLkCjjSWydxvxkHa+hkPjTHj4+0C5F+wPWh7GdK+/BtyXaJadU+exCP9GHesTv8Hd6utVoaWgL14upf51YTixbnFrWo68S21qYv/fbxzEPSKYv+2pmNdEyJwxFxhQ2N1p+O+hLt8A
------------------------------------------------------------------------------------------------
---------------------------------RelayState (BASE64)----------------------------------------
yygpKSi20tcvLk0qTi7KLCjJzM8r1qvKz8jXS87P1S/ILypJzNGvhtDxeYm5qbX6mXkpqRXx8Z6OvvHxUUCVwch6AQ==
--------------------------------------------------------------------------------------------
Decode and validate the request. Authenticate and authorize the user for Zoho Subscriptions’ portal.
Once authorized, make a POST request to the ACS URL with SAMLResponse and RelayState in FormData.
/*
* @method POST
* @FormData `SAMLResponse` and `RealyState`
*/
POST: https://accounts.zohoportal.com/accounts/csamlresponse/10807
------------------------------SAMLPLE SAMLResponse (BASE64)-------------------------------------
1VjbctpIEH3fqv0HlfLoErohIVSBLIZgy+ZiI+w4vGyNRiOQLWlkzQgEqfz7jsTFXG0nu1XZvBgz3dPdp09P9wwfP2VhwE1RQnwc1Xi5JPEciiB2/Whc4++GbcHgP9X//OMjAWEQmwNEYhwRxLFdETGLxRqfJpGJAfGJGYEQEZNC0250O6ZSksw4wRRDHPBbW17fAQhBCWXh8JzVqvED6Hgy0IBe1qCCHAMiDZUdp6p5kmcYZQ+o1aoEVQfy3P0ahpLDsAhJkRURCiLKliTZEGRJkJWhpJtl1ZTLI55rIUL9CNBi14TSmJiiCCDEaURJaYEnOMYJBUEJ4nCzLsIcRLJKhShLhlRh7qJ1coa4xv8NdVVzVMcFwPDKjqZUVd1wdBc4SJJdza3KmlpVFZ1nueU4rkivWUSc1NdxLObBE0oK17lY9AuxGCIKXEDBR3F704uZ2LQpoClZLu2vNrGLuHsQpOh1FkihbdophIgQnhNXHsRDF8vgG2vaVkRnZJlRBmQ2m5VmagknY1GRJFl86HZsOEEh4De6/tvKgl9wCdEB0axKYi+raIYDgAQFQ5I9wQBVRdA8Awme7EmKhmRXBca7qmI3cf+eldySy1Lpj1mlpcn68LinEiSJUlVkOi7xxx9eotkyg1wr8vC2ZCVsgghHPgSBvyiKuovoBLtcIxjjxKeT8GSWZSn3KKAMClAuRx82hB/4LiC80+4OkoQAgUyAfNz0AHkoYZ0HcXcDq8Z/eC+he6ZW1oYJiIiHk5AcyvdVfgwFiqYowDFyBbJOxiGgn/HyHg6KA/gGvNxryx+zxvYzJB0naMds0TzqD/f3VqU7sHuud9ZzR+eLoTWzrQbu30q1IsZt5T26xW2+d+pbPFngO+W3tGopblR1+v0phS1Cwja4qNDp5P6692RYHTTxMjvN4sQYWTEcn4NZ2u5cG5NL2b66uoeNKrQvMkN1Fo2z2Z2xuHxMrrJs3L5a6F/Op5nt9ODIkaZGr/eUDfX5Y9+1tdZMXjSlsXHbBcllq92dUpCALGhCy/3qjWi3HKpPzmAwHenSuetY4Kwf3dtKpXerw6xfzeQxaxLhVauMZx0VPpTtJz0K7Yk98Z4XesuZVzsX7gQPe8/DceUmjtBVazEaV5XLyOq2H27OhpP54qJhxfqD9OXzYxz0vt5WRk/+ote3zjuZM7we6S7G4ZnXe0zVm9gWe8+4+xDfeV1a/nwftEm5OVP7iqYEl7LjgSektMoyqdx+uZsPFh37c9p3vOevxm2ttmFhK9d7TFyj+YkO9KBJ1Rbrg8crKJc28zHhsSZFUf0biihKuDlOEw6+rHMQs/WIfi9C2d90pJqOeS0E+4HuYtvr9HbqPCJId4wUgh4bj1aLa7MTB+jpuSmX5GLFdwWvUDXZ2PKDhusm+Qytx4AmPvTBXy8zZDUulg4OHa8iauLI83OD+XhdHuvXpzcMTQeBBCX7/fGk2Tx7XA/TftRPGh4j5WA46ssr0wBBP/ZRPj1/yYVptzmt8ncE0BblR8ldZoLtcP1cneTgzxHjDR0gl5bI35GdQwYbqevnbY5hzcnfieyYXv0bWP33fRX4RnII+zXjK5UXgHvIGymdRPk1DoWMTK74+sq9SGUJsFkVM0sn8qBuX6xXqlbkooyRK5UN1fV0SXBybUlWdUEvGxVB11BV91xD0WDlaPJYUM28F2T0RNZeFJoBezmwsVJ/9XEBTZjrseUb9jHDiXvDXiisMJBbTNW8fDfZPWL8GAlHgtyWbZK8zwBlpDkpRYcKhzpc3iJqPJsgDkr6Hl98f6shFYiZhXx13ZIcpgePt4WNs6Lnc+xWbtJ5zLxm7N3GRNH4+Onb7Hs7/jv2SCjlf/KQfmsQbT8htPcLUWzGScnBcxCgfRyHg/uHgWKPjdzflqYb9kpkLSgMUwqcgM3X3xVIUW/FVeKX19rh1eW/rLcCaAf82nP1b9lKcPB/j31fsDeA1uL1Lzr573/i7g+A9X8A
------------------------------------------------------------------------------------------------
SAMLRequest (Decoded)
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c635b3bdaa8f4b529368b6dabe01d5d91539326" Version="2.0" IssueInstant="2018-10-12T06:43:10.776Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ProviderName="Zoho" IsPassive="false" Destination="https://zylker.com/saml/login" AssertionConsumerServiceURL="https://accounts.zohoportal.com/accounts/csamlresponse/{portal_id}">
<saml:Issuer>zoho.com</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
</samlp:AuthnRequest>
SAMLResponse (Decoded)
<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="Rcbf1a5a645c2eb8ce5e4bb95f0f884fa3990c3bc" Version="2.0" IssueInstant="2018-10-12T06:43:14Z" Destination="https://accounts.zohoportal.com/accounts/csamlresponse/10807" InResponseTo="_c635b3bdaa8f4b529368b6dabe01d5d91539326">
<saml:Issuer>https://zylker.com/saml/issuer/metadata</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<saml:Assertion xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Version="2.0" ID="pfx758baa0c-801f-8a92-5f8e-f1f025e1d3a8" IssueInstant="2018-10-12T06:43:14Z">
<saml:Issuer>https://zylker.com/saml/issuer/metadata</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#pfx758baa0c-801f-8a92-5f8e-f1f025e1d3a8">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>XVVI7MRSNdf+NdZBzTIwSIAoOQ0=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>I2dn9bOOvtcDssmFaG7tvhVKNk8ILehfxSuxpr8ZIpcgBawuFLK8hH1SJJVcA9cSGx83bzA+wU8zHjrJxxgFJz6WBvxSbNcZb0v8NNkxT6yjOdS5Dw1zC0g8QMarHDFMvtaraxlCcIdYfZtM4m3kbRRvZ60BdbIa+OnVS27NQ6cxO9x1g/memJD4owL3cX4Sk6nmShShfqz6Dby9LGdhoTNqTg7PpneJDzZg92HnIMFXP+ThyzGAIp6X0WEjplNYQ7ZkizNOIBLxbTKZ6doom+fNju3PpS/NqoMXpUfMt4EVlFs4Cw3O252lH1bfake2D41s7QWUyRzLSEuObfqY8Q==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>{enter your certificate content}</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">patricia@zylker.com</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2018-10-12T06:46:14Z" Recipient="https://accounts.zohoportal.com/accounts/csamlresponse/10807" InResponseTo="_c635b3bdaa8f4b529368b6dabe01d5d91539326" />
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2018-10-12T06:40:14Z" NotOnOrAfter="2018-10-12T06:46:14Z">
<saml:AudienceRestriction>
<saml:Audience>{audience}</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2018-10-12T06:43:13Z" SessionNotOnOrAfter="2018-10-13T06:43:14Z" SessionIndex="_0483df60-b018-0136-6487-65e96fd825c7">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="memberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string" />
</saml:Attribute>
<saml:Attribute Name="User.Username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string" />
</saml:Attribute>
<saml:Attribute Name="User.FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">patricia.boyale</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="office" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string" />
</saml:Attribute>
<saml:Attribute Name="PersonImmutableID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string" />
</saml:Attribute>
<saml:Attribute Name="User.email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">patricia@zylker.com</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="User.LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string" />
</saml:Attribute>
<saml:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string" />
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>