This page walks you through the steps to configure Zus SSO if your organization uses Azure Active Directory as your IDP.

📘

Before you begin

• As a requirement for configuring Zus SSO, customers must attest that multi-factor authentication is required for all users and included in their identity provider's authentication workflow when accessing the Zus domain.
• Only customer users with corresponding Zus auth accounts will be accepted for SSO login.

Configuring SSO

1. Go to the EntraID Home page.
2. From the Left side bar, go to Identity → Applications → App registrations. From here you can create a new App or use an existing one.
3. If deciding to choose an existing App, proceed to step 4
   1. Click New registration.
   2. Add a Name to your app (e.g. CustomerZusConnection).
   3. Choose the account type you want (Single Tenant or Multiple Tenant).
   4. Leave the remaining as is. We will change the Redirect URI later.
   5. Press register.
4. Once the app is created/selected, you will be redirected to the Overview page of the app. Now, to add a new Redirect URI to the app's web authentication, go to Authentication under Manage in the sidebar.
   1. If there are no redirect URI present, click Add a platform then select Web.
   2. There are Web Redirect URIs present, click Add URI
   3. Under Redirect URI enter:
      1. If setting up for Sandbox - Redirect URI: https://auth.sandbox.zusapi.com/login/callback
      2. If setting up for Production - Redirect URI: https://auth.zusapi.com/login/callback
      3. You can enter both into a single workspace to authorize both environments
   4. Click Configure.
   5. Click Save at the bottom of the screen.
5. To get Client ID:
   1. On the Overview page, under Essentials, the Application (client) ID will be available. This is the Client ID that will be required by Zus in order to complete the SSO integration.
6. To get Client Secret:
   1. From the sidebar, under Manage, select Certificates & secrets.
   2. Select New Client Secret.
   3. Enter a description and the expiration and then click Add.
      1. For this tutorial, we have used an expiration date of 365 days. Make sure to set a reminder for Zus or customer side to update the client secret after a year.e
   4. The Value (of the Secret) that was just created will be visible now. This will be the Client Secret that will be required by Zus to complete the SSO integration. Note: This will be the only time the Value will be visible, so it is a good idea to save it in a trusted secrets manager.
7. To get Microsoft Azure AD Domain:
   1. From the sidebar, under Manage, select Branding & properties.
   2. On this page, the value next to the Publisher domain is the Domain of this app. This will be the Domain that will be required by Zus to complete the SSO integration.
8. Share the Domain, Client ID and Client Secret with Zus via a secure channel.
9. Other steps that maybe necessary to make a successful connection:
   1. Make sure the customer has set up the users and groups and added the user they need to test with.
   2. The admin of the application needs to provide explicit permission to the user.