Getting Started with Single Sign-On (OIDC or SAML)

Having trouble consenting? See below.

By default, the application initially deploys with Microsoft OpenID Connect (OIDC).
Users will be prompted to sign in with their Microsoft credentials and grant consent.

Administrators can provide consent for the entire organization, so future employees signing in to ZPM won’t be prompted for consent.

Consent may require an Administrator

By default, Microsoft tenants permit users to provide consent for applications. However, in more secure environments, policies may be implemented that require administrative consent. In these instances, users attempting to access the application will require consent from a user with elevated privileges, such as a Global Administrator or Cloud App Administrator (depending on the policy).

Why OIDC?

  • OIDC is easy to set up. OIDC does not require additional configuration on your tenant. Once users have their permissions assigned, they can authenticate with their Microsoft Account via the “Sign In With Microsoft” button on the home page.

  • OIDC supports multi-tenant authentication. Administrators can grant access to users from outside your primary organization tenant.

:warning: Users from third-party tenants require direct role assignments.

Access via Security Group Membership is only available for users on the tenant that ZPM manages. If a user from a different tenant requires access to ZPM, they must be assigned directly as an admin or helpdesk user.

Why choose SAML SSO?

  • SAML SSO can be customized. You can customize which Identity Provider to use, allowing you to configure your own vendor as your IdP.

How to enable SAML

Enable SAML by going to Settings > Security & Permissions > Single Sign On. When SAML SSO is enabled, SAML SSO will be prioritized. If SAML SSO is disabled, ZPM will use OIDC instead.

Additional steps are required for SAML SSO. To learn more, please refer to our Setting Up SAML SSO for ZPM with Azure IdP guide.

If you disable SAML, the application reverts to using Microsoft OIDC.

Configuring User Permissions

Users must also be assigned a permission in the application. Go to Settings > Security & Permissions > User & Group Permissions to associate different permissions with your users.

About Group-Based Assignment

  • Group-based role assignment only works when:
    • The user is signing in with a UPN that the ZIRO Platform is configured to manage.
    • If multiple tenants are managed, the SSO provider is Microsoft (either OIDC or SAML with Entra). This allows the ZIRO Platform to determine which tenant to perform group lookups against based on the sign-in token.
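The rules above (direct assignment for third-party tenants, group lookups only in a managed tenant chosen from the sign-in token) can be modelled as follows. This is an added illustration, not ZPM's code: the tenant IDs, users, groups, `resolve_role` and the precedence of direct over group assignments are all constructed assumptions; `tid` and `preferred_username` are the Entra ID token claim names, and the claims are assumed to be already signature-validated.

```python
# Illustrative model only: every identifier and value here is constructed.
T1 = "11111111-1111-1111-1111-111111111111"
T2 = "22222222-2222-2222-2222-222222222222"
MANAGED_TENANTS = {T1: {"contoso.example"}, T2: {"fabrikam.example"}}  # tenant -> UPN domains
DIRECT_ROLES = {"partner@vendor.example": "helpdesk"}                  # per-user assignments
GROUP_ROLES = {(T1, "grp-admins"): "admin", (T2, "grp-helpdesk"): "helpdesk"}
DIRECTORY = {  # stand-in for a per-tenant directory group lookup
    (T1, "alice@contoso.example"): {"grp-admins"},
    (T2, "bob@fabrikam.example"): {"grp-helpdesk"},
}


def lookup_groups(tenant_id, upn):
    return DIRECTORY.get((tenant_id, upn), set())


def resolve_role(claims, idp_is_microsoft=True):
    """Return (role, source); role is None when no assignment applies."""
    upn = claims.get("preferred_username", "").lower()
    # Direct assignments apply to any user, including third-party tenants.
    # (Assumption: a direct assignment takes precedence over group roles.)
    if upn in DIRECT_ROLES:
        return DIRECT_ROLES[upn], "direct"
    # Group lookups need a tenant. With several managed tenants it must come
    # from the token's tenant claim, which only a Microsoft IdP supplies.
    if len(MANAGED_TENANTS) > 1:
        tenant_id = claims.get("tid") if idp_is_microsoft else None
    else:
        tenant_id = next(iter(MANAGED_TENANTS))
    if tenant_id not in MANAGED_TENANTS:
        return None, "tenant not managed: direct assignment required"
    # The UPN must belong to the tenant the token was issued by, so a foreign
    # tenant cannot borrow a managed UPN to pick up group-based roles.
    if upn.rpartition("@")[2] not in MANAGED_TENANTS[tenant_id]:
        return None, "UPN not managed in this tenant"
    for group_id in sorted(lookup_groups(tenant_id, upn)):
        role = GROUP_ROLES.get((tenant_id, group_id))
        if role:
            return role, f"group:{group_id}"
    return None, "no assignment"


if __name__ == "__main__":
    print(resolve_role({"tid": T1, "preferred_username": "alice@contoso.example"}))
    print(resolve_role({"tid": "99999999-9999-9999-9999-999999999999",
                        "preferred_username": "partner@vendor.example"}))
```
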