[SSO] Zuora SSO limitations for multi entity environments and multiple sandboxes
For a multi-entity environment, SSO enablement has two options. The first option is to enable SSO only on the Global (parent) entity. In this case, only one metadata file is needed. The second option is to enable SSO for several entities. In this case, each tenant needs a separate metadata file, and the entityID in each metadata file must be different.
What if I want multiple sandboxes enabled with SSO? This depends on your IdP (Identity Provider). Some IdPs support the same entity ID across all configurations, and some don't.
If you want to know more about entity IDs, please visit this article - https://knowledgecenter.zuora.com/Billing/Tenant_Management/A_Administrator_Settings/Configure_Singl...
For example, an IdP like Okta supports the same entity ID across configurations. This means that you can create multiple SSO instances in Okta using the same entity ID, such as apisandbox.zuora.com. However, some IdPs, such as SecureAuth, only support unique entity IDs, so you can only have one sandbox and one production tenant with SSO active.
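Before loading several Zuora SP metadata files into an IdP, it helps to know in advance which of them share an entityID, since that is exactly what a unique-entity-ID IdP will reject. The script below is an added example and is not code from the original post or from Zuora: it parses SAML 2.0 SP metadata, groups tenants by entityID, and reports which tenants could be enabled on an IdP that does or does not require unique entity IDs. The tenant labels, the `www.zuora.com` entityID and all AssertionConsumerService URLs in the sample metadata are constructed placeholders for illustration; only `apisandbox.zuora.com` comes from the post.

```python
"""Check a set of SAML SP metadata documents for entityID collisions.

Added example, not from the original post or Zuora. The sample metadata
below is constructed; only the entityID apisandbox.zuora.com is taken
from the post, every other name and URL is a placeholder.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}


def parse_sp_metadata(xml_text: str) -> dict:
    """Return the entityID and ACS URLs of an SP EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"not a SAML EntityDescriptor: {root.tag}")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID attribute")
    acs_urls = [
        acs.get("Location")
        for acs in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    ]
    return {"entityID": entity_id, "acs": acs_urls}


def group_by_entity_id(metadata_by_tenant: dict) -> dict:
    """Map each entityID to the tenants whose metadata declares it."""
    groups = defaultdict(list)
    for tenant, xml_text in metadata_by_tenant.items():
        groups[parse_sp_metadata(xml_text)["entityID"]].append(tenant)
    return dict(groups)


def shared_entity_ids(metadata_by_tenant: dict) -> dict:
    """entityIDs used by more than one tenant (the problem case)."""
    return {
        eid: tenants
        for eid, tenants in group_by_entity_id(metadata_by_tenant).items()
        if len(tenants) > 1
    }


def enablable_tenants(metadata_by_tenant: dict, idp_requires_unique_entity_id: bool) -> list:
    """Tenants that can coexist on one IdP.

    An IdP that tolerates duplicate entityIDs (the Okta case in the post)
    can take every tenant; an IdP that requires unique entityIDs keeps
    only the first tenant seen for each entityID.
    """
    if not idp_requires_unique_entity_id:
        return list(metadata_by_tenant)
    return [tenants[0] for tenants in group_by_entity_id(metadata_by_tenant).values()]


def sp_metadata(entity_id: str, acs_url: str) -> str:
    """Build a minimal SP metadata document (constructed sample data)."""
    return (
        f'<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="{entity_id}">\n'
        '  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">\n'
        '    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"\n'
        f'        Location="{acs_url}" index="0"/>\n'
        "  </md:SPSSODescriptor>\n"
        "</md:EntityDescriptor>\n"
    )


# Constructed sample: one production tenant and two sandboxes whose
# metadata carries the same entityID. Hostnames and ACS paths are placeholders.
SAMPLE = {
    "production": sp_metadata("www.zuora.com", "https://www.zuora.com/sso/acs"),
    "sandbox-a": sp_metadata("apisandbox.zuora.com", "https://apisandbox.zuora.com/sso/acs"),
    "sandbox-b": sp_metadata("apisandbox.zuora.com", "https://apisandbox.zuora.com/sso/acs"),
}

if __name__ == "__main__":
    for eid, tenants in shared_entity_ids(SAMPLE).items():
        print(f"entityID {eid} is shared by: {', '.join(tenants)}")
    print("unique-ID IdP can enable:", enablable_tenants(SAMPLE, True))
    print("duplicate-tolerant IdP can enable:", enablable_tenants(SAMPLE, False))
```

Run it against the real metadata files downloaded from each tenant (one document per tenant in place of `SAMPLE`); any entityID reported by `shared_entity_ids` is one that a unique-entity-ID IdP will only accept once.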
Re: [SSO] Zuora SSO limitations for multi entity environments and multiple sandboxes
Thank you for this post. Zuora recognizes that customers who have multiple Zuora environments (whether apisandbox or production) may face this issue. We are currently evaluating various solutions to support this, one of them being support for subdomains. A subdomain is a solution that would specify a unique SAML entity for each SSO configuration, allowing the IdP to uniquely identify the entity. This solution, among others, is being investigated and is on our product backlog.