Integrate Zuora

Zuora offers cloud-based software enabling companies to launch, manage and transform into a subscription business. (see https://zuora.com/). You can protect access to Zuora by integrating Zuora with Identity as a Service. Once integrated, users can use single sign-on to log in to their Zuora account through Identity as a Service.

Note: This integration was tested using Identity as a Service version 5.2x and Zuora Release June 2022. For other versions of Zuora, this integration guide may be used as an initial approach for integrating Zuora. In the event of other issues, contact support@entrust.com for assistance.

Step 1: Download the Zuora metadata file

Download the Zuora metadata file. You use this file when you Add Zuora to Identity as a Service.

1. Go to any of these locations, as appropriate, to download the metadata file:

● US Cloud 1 Production: https://na.zuora.com/apps/saml/metadata

● US Cloud 1 API Sandbox: https://sandbox.na.zuora.com/apps/saml/metadata

● US Cloud 2 Production: https://www.zuora.com/apps/saml/metadata

● US Cloud 2 API Sandbox: https://apisandbox.zuora.com/apps/saml/metadata

● Performance Test: https://pt1.zuora.com/apps/saml/metadata

● EU Production: https://eu.zuora.com/apps/saml/metadata

● EU Sandbox: https://sandbox.eu.zuora.com/apps/saml/metadata

● Central Sandbox US: https://test.zuora.com/apps/saml/metadata

● Central Sandbox EU: https://test.eu.zuora.com/apps/saml/metadata

2. Open a Web browser and paste the Zuora Metadata URL in the browser.

3. Copy the contents of the MetaData to a text editor, such as Notepad.

4. Save the metadata file as zuora_saml_metadata.xml. You need to upload this in Step 2: Add Zuora to Identity as a Service.

5. The metadata file downloads by default as an xml file named sp.xml. You need to upload the metadata file in Step 2: Add Zoom to Identity as a Service.

Copy the SAML Configuration from Identity as a Service

1. Log into your Identity as a Service administrator account.

2. Click > Security > Applications. The Applications Lists page appears.

3. Under SAML Cloud Integrations, click SAML Configuration. The SAML Configuration dialog box appears.

This dialog box contains information you need to configure your SAML application for Identity as a Service authentication.

4. Do one of the following:

● Leave this dialog box open to reference later in this procedure.

● Copy the Entity ID, Single Sign-on URL, and Single Logout URL to a text file and save it to reference later in this procedure.

Note: Depending on the integration you are performing, you may not need all three of these SAML configuration values.

Step 3: Add Zuora to Identity as a Service

Add Zoom as an application to Identity as a Service

1. Log into your Identity as a Service administrator account.

2. Click > Security > Applications. The Applications Lists page appears.

3. Click Add. The Select an Application Template page appears.

4. Do one of the following:

● Select SAML Cloud Integrations from the search drop-down list and scroll to find the application you want to add to IDaaS.

- or -

● In the Search bar, enter a search option to filter for the application you want to add to IDaaS.

5. Click Zuora. The Add Zuora page appears.

6. Enter an Application Name.

7. Enter an Application Description.

8. Optional. Add a custom application logo.

a. Click next to Application Logo. The Upload Logo dialog box appears.

b. Click to select an image file to upload.

c. Browse to select your file and click Open. The Upload Logo dialog box reappears showing your selected image.

d. If required, resize your image.

e. Click OK.

9. Select the Authentication Flow that appears to users during login.

10. Click Next. The General page appears.

11. Click to the Upload Metadata XML and browse to the location of the metadata file you downloaded in Step 1: Download the Zuora metadata file. The Metadata Configuration dialog box appears.

a. If required, click Merge with existing values to merge new values with existing values for Alternative Assertion Consumer Services URLs and SAML attribute names.

b. Click Save.

12. Click OK on the Metadata Configuration dialog box to complete the upload of the metadata.

13. Optional. Enter the SAML Username Parameter Name used to identity the user ID being requested for authentication. The user ID can then be passed as a parameter, for example, Username=jdoe. Alternately, if the SAML username is NameID, the SAML Request XML NameID element value is used to the identify the IDaaS userID.

14. Enter the SAML Session Timeout to the time when the SAML Assertion times out. The maximum is 720 minutes.

15. Enter the Max Authentication Age (seconds) to set the maximum amount of time that can elapse before a user is required to reauthenticate during a new login attempt. This applies for both SP-initiated and IDP-initiated login. Set this field to -1 to disable this feature.

16. From the SAML NameID Attribute drop-down list, select UserID.

17. From the SAML NameID Encoding Format drop-down list, select EMAIL

13. Select the SAML Signing Certificate from the drop-down list.

18. Deselect Enable Go Back Button if you do not want users to be able to go back to the Zuora login page to log in.

19. Select Show Default Assertion Consumer URL Service in the My Profile. When selected, the Default Assertion Consumer URL appears in a user's My Profile page in addition to relay states and Alternative Assertion Consumer URLs.

20. Optional. Add Alternative Assertion Consumer Service URLs, as follows:

a. Click Add.

b. Enter a Name.

c. Enter a URL Value.

d. Select Show in My Profile to display the Alternative Consumer Service URL in a user's My profile page.

e. Optional. Add an Application Logo.

f. Click Add.

g. Repeat these steps to add more Alternative Assertion Consumer Service URLs.

21. Click Submit.

Step 4: Add a resource rule

Step 5: Download the metadata from Identity as a Service

Download the Metadata file from Identity as a Service

1. In Identity as a Service, click > Security > Applications. The Applications List page appears.

2. Do one of the following:

● Click next to the application you are integrating with Identity as a Service.

–or–

● Click next to the application you are integrating with Identity as a Service and select SAML IDP Metadata.

The SAML Application Metadata dialog box appears.

3. Select the certificate to include in the SAML IDP Metadata file from the drop-down list.

4. If applicable, Select the domain to include in the SAML IDP Metadata file from the drop-down list.

5. Enter the Lifetime, in days, for the SAML IDP Metadata file. The value must be between 2 and 730.

6. Do one of the following, as required:

a. Copy the Public Endpoint to paste into your SAML application being used Identity Provider authentication.

b. Click Download.

Note: If you are using multiple domains, you must download each domain's metadata file separately because the values in the metadata file vary for each domain.

Step 6: Copy the SAML Configuration from Identity as a Service

Copy the SAML Configuration from Identity as a Service

1. Log into your Identity as a Service administrator account.

2. Click > Security > Applications. The Applications Lists page appears.

3. Under SAML Cloud Integrations, click SAML Configuration. The SAML Configuration dialog box appears.

This dialog box contains information you need to configure your SAML application for Identity as a Service authentication.

4. Do one of the following:

● Leave this dialog box open to reference later in this procedure.

● Copy the Entity ID, Single Sign-on URL, and Single Logout URL to a text file and save it to reference later in this procedure.

Note: Depending on the integration you are performing, you may not need all three of these SAML configuration values.

Step 5: Export the Signing Certificate from Identity as a Service

Export a SAML signing certificate

1. Log in to your Identity as a Service administrator account.

1. Click > Security > Applications. The Applications List page appears.

2. Under SAML Cloud Integrations, click SAML Signing Certificates. The SAML Signing Certificates page appears.

3. Click next to the certificate to export the certificate you want to import into your SAML service provider application. The Export Certificate dialog box appears.

a. If the certificate has been issued by a CA, do one of the following:

– Click Certificate to export the self-signed certificate.

– Click Root CA Certificate to export a certificate issued from a CA.

– Click Certificate Chain to export the SAML signing certificate and its CA certificates.

b. Click Export.

Step 6: Configure Zuora for Identity as a Service authentication

1. Log in to Zuora support.

2. Submit a request at Zuora Global Support to provide your Zuora contact with the provider metadata, you downloaded in Step 5: Download the metadata from Identity as a Service and the logout URL from Step 5: Copy the SAML Configuration from Identity as a Service.

3. Enable SSO for a Zuora User.

Note: Before you enable SSO for a user, that user must have a user account in Zuora. If this is a new user, first, create this user in Zuora as described in Manage Users.

To enable SSO for a Zuora user, complete the following steps:

a. Log into the Zuora application as a tenant administrator and navigate to Settings > Administration Settings > Manage Users.

b. In the user List, click the user for whom you want to enable SSO. The User Details page appears.

c. In the Basic Information section, select SSO SAML Enabled.

d. In the Federated ID field, enter the unique SSO federated ID of this user. The federated ID must be in an email format, for example, username@domain.com.

e. Click Save.

Notes:

Activation email: New Zuora users with SSO is enabled do not receive the activation email from Zuora. The user is automatically activated upon the first successful login to Zuora. If SSO needs to be disabled for this user, the tenant administrator needs to use the Resend Activation Email feature to convert this user to a local Zuora user.

Zuora session time out: When a user session times out in Zuora, the user is redirected to the Zuora login page. If SSO is enabled, the user needs to browse to the Zuora link on their Identity Provider login page to re-establish a Zuora session.

Disable SSO for Zuora User

To disable a user from signing on to Zuora by SSO, complete the following steps:

1. Log in to the Zuora application as a tenant administrator and navigate to Settings > Administration Settings > Manage Users.

2. In the user list, click the user for whom you want to disable SSO. The user details page opens.

3. In the Basic Information section, clear the SSO SAML Enabled field.

4. Click Save.