OneID: Legacy Login Deprecation in August 2024 for Zuora Billing and Revenue (Demo)

By Lana Lee posted 02-08-2024 15:35


Last week, we announced that on August 1, 2024 we are deprecating legacy authentication methods for all Zuora applications and environments. To shed more light on this update, the Community hosted a Table Talk with Principal Product Manager, Bharath Marimuthu who shared why we are deprecating the legacy logins and was on-hand to answer questions.

Operational Overhead Of Tenant-Based Logins

Watch video to learn more 

To update our security and authorization, we are upgrading to an organization-based login to reduce the following challenges that come with tenant-based login: 

  • Complexity of User Management - Managing user accounts and access rights across multiple tenants can become complex and time-consuming. Administrators may face challenges in maintaining user accounts, permissions, and access controls for each tenant.
  • Resource Overhead - Implementing and maintaining separate SSO integrations or security policies for each tenant can result in additional resource overhead.
  • Credential Management - Users have to remember their credentials for each Zuora tenants and have to reset their password at regular intervals for security
  • IAM Integrations - Managing access permissions for a large number of users can be a frustrating task without the user management API. 

OneID Streamlines and Simplifies Tasks

Watch video to learn more

Conserve your time and energy by upgrading your security to Zuora OneID which allows

  • Unified Single Sign-On For Zuora Apps - Access any Zuora applications including Billing, Revenue and Zephr, just with your work email or federate ID.
  • User Groups / Profiles - Manage user accounts and access rights with the groups based on their affiliation with your organization rather than across multiple tenants.
  • Security - With fewer administrative boundaries easily implement consistent security policies and controls
  • Automate User Provisioning/Deprovisioning - Securely create, update, provide access to, and deactivate user profiles in Zuora directly from your IAM or any other external tool using the SCIM APIs.

Watch Demonstration

OneID Legacy Login Deprecation in August 2024 for Zuora Billing and Revenue

DEMO: OneID Legacy Login Deprecation in August 2024 for Zuora Billing and Revenue

Onboarding Journey To OneId

The following are the steps to onboard to OneID:

  1. Reach out to our Support team to get onboarded to OneID
  2. Activate your OneID account and Initial Org account Setup
    • SSO configuration, SCIM provisioning, Admin account creation 
  3. Setup user groups in OneID (User Profiles)
  4. UAT testing
    • Migrate your SBX users to OneID. 
  5. Go-live
    • Migrate all users to OneID 
    • Migrate all your users across Prod and other tenants to OneID

Zuora OneID for Revenue

  • Close Process Dashboard
  • Revenue Data Management
  • Manual Journal Entries 
  • AI based - In App Support 
  • In-App feedback 
  • Zuora Revenue Connectors
  • System Health & Telemetry for Revenue

What’s On the OneID Roadmap

OneID Roadmap
  • Enhanced Global Role & Permission Management
    Create, Copy/clone roles in OneID and configure permissions seamlessly for your global roles and use it across all of your Zuora applications.
  • OAuth Client Credentials for Billing and Revenue APIs
    Accessing Zuora APIs will be made more secure with the OAuth clients in OneID. Create client credentials for one or more of your Zuora applications. No more API user accounts and managing Zuora APIs with basic authentication.

Session Q&A

  1. Does this mean there is finally a user management API?
    • Yes, Zuora OneID supports user management APIs or SCIM APIs to manage your users and their Zuora tenant access. 
  2. Does it work with Active Directory/Azure?
    • Yes, Zuora OneID supports Single Sign-On integration with Azure AD. Please refer to this demo video for SSO configuration and the KC article for more information.
  3. So we have to reach out to get it switched on? I thought we were being contacted so you would not be inundated
    • The transition to Zuora OneID will occur gradually, with customer migrations organized into phases or waves. Your dedicated Customer Success Managers (CSMs) will be in touch shortly to discuss the upcoming migration. Should you wish to expedite your transition and be among the earlier adopters of OneID, we encourage you to proactively engage our support team. They will assist you in moving forward with the onboarding process.
  4. What would happen if we didn't have any resources to deal with this?
    • As part of the planned migration for your organization, all user accounts will be seamlessly transitioned to OneID automatically, requiring little to no effort on your part. Additionally, we provide a dedicated support team specifically for OneID onboarding, available to assist you throughout the transition period.
    • Throughout the transition to OneID, you will retain access to your accounts using your existing credentials and Single Sign-On (SSO) integration for a period of 90 days following the migration. This ensures that your current login details will remain functional during this initial phase, without immediate deprecation.
  5. We've been migrated to OneID, but our API usernames are not in OneID. Will we still have to manage regular users in OneID and API users in the original user management location within the Zuora tenant?
    • For API user accounts employing OAuth clients to access our Billing APIs, migration to OneID for administrative purposes is feasible. However, if these service accounts utilize Basic Auth, it's imperative to manage those API user accounts at the local tenant level to prevent any service interruptions.
  6. We have 3 different Zuora Production tenants (due to acquisitions) - can OneID support access to multiple Zuora Production tenants (and each of their related Sandbox tenants)?
    • Yes, OneID supports any number of tenants from various or same environments without any limitations. You can assign tenant access for your users from OneID.
  7. A bit in the weeds with this question - but will the user api list each of the users and the environments they have access to in a single call? This will be handy for our access review tooling.
    • The users API in OneID is built based on the SCIM standards, the users’ access information can be retrieved in a User Groups format, that defines the Zuora tenant access information for the user. In addition to the user APIs, you can retrieve the user access information in a csv format from the OneID UI. Please refer here for more information.
  8. Previously we used SSO for our Production/Sandbox tenants, since we have migrated to Zuora OneID, we have not deactivated those original SSO apps, there wouldn't be any concerns to have my IT team deactivate those SSO, correct?
    • Yes, there won’t be any impact if you deactivate the old Single Sign-On configurations that are used to access your individual Zuora tenants. 
  9. What happens if the local user has permissions which do not correspond to any existing User Group in OneID? Does it create the group?
    • When migrating a local user account to OneID, User Groups will not be automatically generated. Instead, the migration process will transfer the user's login credentials and tenant access to OneID. From there, users can directly access their tenant via OneID, retaining the roles and permissions originally defined at the tenant level. As an administrator, you have the option to assign the user to a new Group if adjustments to their access are desired for the tenant.
  10. Also, the demo showed the imported user as “OneID User” = “Admin”. Can we import users and have them not be an Organizational admin in OneID? Including current local tenant admins?
    • Certainly. Upon importing a local tenant user to OneID, the default role assigned in OneID will be set as Standard User for the imported user. Subsequently, you have the flexibility to adjust their OneID role to Organization Admin as per your requirements. Even with the Standard User role in OneID, the user retains the ability to function as a tenant admin at the tenant level.
  11. Could you go over the issues on OAuth users again, can they be transferred in like non OAuth users?
    • Yes, OAuth users can be migrated to OneID like other users. But the service accounts or API user accounts that have the Basic Auth couldn’t be migrated to OneID.
  12. Can we dual run? We have some users using OneID and others still using the current sign-on processes.
    • During the transition phase, you can have some users migrated to OneID and some users in the current sign-on process, but eventually before August, 2024 you must move all your users to OneID. Alternatively, by default when users are migrated to OneID, for 90 days they can access their tenant with both their local credentials and with their OneID login.
  13. Is it possible to change the OneId Username during the import?
    • The recommended approach is to create the user account first in OneID with the preferred user name and then import their account from the tenant. 
  14. How are the user role names generated? Can we amend the user role names?
    • Yes, as a best practice and as a precursor step to user import like mentioned here, you can import the user roles from your tenants to OneID with the preferred role names. 
  15. Will this UI be incorporated into the tenant platform UI? Or will the local tenant platform UIs be integrated into this UI? Or is it planned to keep them separate?
    • Both the UI will be kept separate at the moment, but you won’t be able to Add or update any user profiles at the local tenant level, after migrating your user accounts to OneID. When you try to edit the user profile, automatically you will be redirected to the OneID user details page.
  16. How does OneID compare/contrast to Unified Authentication that was rolled out in 2022?
    • Regarding OneID Vs Unified Auth, One ID is one stop place for User and Role management across all Tenants including integrating with existing IDP/SSO systems. It is a centralized service , rather managing users and roles inside each tenant and many more features.
  17. Is there any documentation for how user provisioning can be automated alongside Okta?
  18. The recent announcement implied it was as simple as turning on OneID, activating the user, then they login via Is it really that simple - will users automatically retain existing permissions across the different tenants?
    • Migrating to OneID is a 2 step process, import your user roles for your tenant and import all your users within that tenant to OneID. During this import process all the existing Roles, Permissions and Privileges will remain intact upon on-boarding to One ID
  19. Our company requires SSO through MS Azure, how does this impact what the users see when logging on?
    • OneID facilitates Azure AD Single Sign-On (SSO). When users sign in with Azure SSO into OneID, they will encounter all the Zuora tenants they have access to. Rather than configuring Azure SSO individually for each Zuora tenant, you now have the option to integrate Zuora with Azure SSO just once through OneID. This integration will automatically encompass all your tenants under a unified SSO configuration
  20. How do we know which wave we have been assigned? Important these changes do not coincide with period close, other projects for example
    • You can reach out to our support or your dedicated Zuora Customer Success Manager, when there are no period close activities planned or you can select a Sandbox for on-boarding that doesn't impact Period Close. But we encourage you to transition to One ID sooner than later.

Continue Your OneID Journey with Others

Exploring new Zuora features collaboratively with the guidance of a product manager is ideal which is why we’re starting OneID conversations in the Zuora Admins community group. There you can ask questions and get answers from like-minded users and Zuora experts who’ve “been there and done that” so that you won’t have to reinvent the wheel and also have discussions that are admin-specific. We hope to see you there!