This document is for anyone who needs to configure a Zinc account for user authentication through an existing SAML-based SSO server (identity provider, or IdP); a conceptual overview of SSO is available separately. Since end users will need to know how and when their login experience will change, suggested SSO Rollout Communications are provided along with this guide.
Prerequisites
1. An SSO server (IdP) that supports SAML 2.0 and can issue signed SAML 2.0 assertions.
2. An IdP single sign-on endpoint URL that is reachable from outside your corporate network (see the FAQ below for why).
3. An engineer who is familiar with configuring your SSO server.
While planning and implementing Zinc SSO takes less than a week, we recommend a three-week lead time for communicating the change to your users.
- Use Zinc’s SSO connection information (below) to create a new service provider connection (a.k.a. relying party trust) in your SSO server. (1 hour)
- Ensure that your IdP endpoint URL is reachable from outside your network; users' browsers are redirected to it during login.
- If possible, export the metadata file from your SSO server and provide it to your Zinc Customer Success Manager. If you cannot export a metadata file, provide the three values it would contain instead:
  - Entity ID of your IdP
  - Endpoint URI (the single sign-on URL)
  - Public certificate your IdP uses to sign assertions
- Set up a meeting with your Zinc Customer Success Manager to test the configuration. (2 hours)
- After a successful test, work with your Zinc Customer Success Manager to design a communication plan for your company’s Zinc users. (1 week)
- Give Zinc approval to enable the tested SSO connection settings for your users.
Zinc’s SSO Connection Information
Use this connection information to set up a service provider (a.k.a. relying party trust) in your SSO server.
Your SAML IdP must be configured to send the authenticating user's email address as the subject's NameID; Zinc uses this value to match the login to an existing account or to create a new one.
Example SAML Assertion:
Frequently Asked Questions
Should we get this working in a dev environment before setting it up in production?
No. Because no software is installed on your side, there is no need to create a separate dev configuration. After the connection has been tested successfully, SSO remains disabled for your domain(s) until you are ready to move to production.
Why does our endpoint URL need to be accessible from outside our network?
Because Zinc is a cloud-based solution and SAML login runs through the user's browser: the browser is redirected to your IdP's endpoint to authenticate and then posts the resulting assertion back to Zinc. Although it is technically possible to point a cloud-based service at an SSO server that is reachable only on your internal network, it is not advisable, because users who are outside your offices or not connected to the VPN will be unable to reach the IdP and therefore unable to access Zinc.
How can new users sign up for Zinc after SSO has been enabled?
New users sign up using the same flow they would use to log in. They authenticate with your SSO server and are then redirected into Zinc. Zinc automatically creates an account for them, keyed on the email address in the NameID, and prompts them to complete their profile information.
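The two requirements above (the NameID must carry the user's email address, and a first-time login creates the account) can be checked before the test meeting by running an assertion exported from your IdP through a small validator. The following Python is an added example written for this guide; it is not Zinc's code and not the example assertion Zinc provides. The sample assertion, the Entity IDs, the `SP_ENTITY_ID` constant and the helper names are all constructed for illustration, and the code assumes the SAML response's XML signature has already been verified by the SP library, since a NameID from an unverified assertion must never be trusted.

```python
"""Validate that a SAML 2.0 assertion carries the user's email as the subject
NameID, then provision the user the way a first-time SSO login would.

Added example for this guide, not Zinc's code. The assertion, Entity IDs and
helper names below are constructed for illustration. Signature verification is
assumed to have happened upstream in the SP library before this runs.
"""
from datetime import datetime, timezone
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# These formats carry opaque identifiers, never an email address.
OPAQUE_FORMATS = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
}
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"  # assumed SP Entity ID

# Constructed sample assertion (not a real Zinc or customer assertion).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2024-01-15T10:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-15T09:59:00Z" NotOnOrAfter="2024-01-15T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

# Same assertion with the common misconfiguration: an opaque transient NameID.
BAD_ASSERTION = SAMPLE_ASSERTION.replace(
    'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com',
    'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_9f3c2a71')


def _parse_instant(s):
    """SAML instants are UTC with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_email(assertion_xml, sp_entity_id=SP_ENTITY_ID, now=None):
    """Return the subject email, or raise ValueError describing the misconfiguration."""
    root = ET.fromstring(assertion_xml)
    assertion = root if root.tag.endswith("}Assertion") else root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion found")
    # The assertion must be addressed to this service provider.
    audiences = [a.text for a in assertion.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError(f"audience {audiences} does not include SP entity ID {sp_entity_id!r}")
    # Enforce the validity window (NotOnOrAfter is exclusive per the SAML spec).
    now = now or datetime.now(timezone.utc)
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < _parse_instant(nb):
            raise ValueError("assertion not yet valid")
        if noa and now >= _parse_instant(noa):
            raise ValueError("assertion expired")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("no Subject/NameID in assertion")
    fmt, value = name_id.get("Format", ""), name_id.text.strip()
    if fmt in OPAQUE_FORMATS:
        raise ValueError(f"NameID Format {fmt!r} is an opaque identifier, not an email; send {EMAIL_FORMAT}")
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", value):
        raise ValueError(f"NameID {value!r} is not an email address")
    return value.lower()


def validation_error(assertion_xml, now_instant, sp_entity_id=SP_ENTITY_ID):
    """Convenience wrapper: the error message for a misconfigured assertion, else None."""
    try:
        extract_email(assertion_xml, sp_entity_id=sp_entity_id, now=_parse_instant(now_instant))
        return None
    except ValueError as exc:
        return str(exc)


def provision_user(directory, email):
    """Just-in-time provisioning: return (user, created). New users still need a profile."""
    user = directory.get(email)
    if user is None:
        user = {"email": email, "profile_complete": False}
        directory[email] = user
        return user, True
    return user, False


def run_demo():
    """Log the sample user in twice at a time inside the validity window."""
    at = _parse_instant("2024-01-15T10:01:00Z")
    directory = {}
    email = extract_email(SAMPLE_ASSERTION, now=at)
    _, created_first = provision_user(directory, email)
    _, created_second = provision_user(directory, email)
    return email, created_first, created_second


if __name__ == "__main__":
    print(run_demo())
    print(validation_error(BAD_ASSERTION, "2024-01-15T10:01:00Z"))
```

The first login creates the account and the second finds it, which is the behaviour the answer above describes. Running the transient-NameID variant reports the exact IdP setting to fix, and an assertion addressed to a different Entity ID or presented after `NotOnOrAfter` is rejected before the NameID is even read.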
What exactly is the user experience after SSO is enabled?
Please refer to the Zinc SSO Rollout Guide for an explanation and screenshots. The Zinc Customer Success team can help you tailor your communication plan to meet the needs of your organization.