SSO (Single Sign-On) login allows your employees to access Zest using their usual professional credentials, without creating a specific password.
It is a key lever to improve user experience, enhance security, and facilitate platform adoption.
β Why enable SSO in Zest?
Setting up SSO provides several benefits:
- Simplified login for employees (fewer passwords to remember)
- Enhanced security, aligned with your internal IT policy
- Fewer support tickets related to forgotten passwords
- Better adoption of Zest thanks to seamless access
- Consistency with your IT ecosystem (Microsoft Entra ID, Google, Okta, etc.)
π€ User identification: employee ID or email address
Zest allows you to choose the data used to identify users via SSO:
- Email address
- Employee ID / internal identifier
π This choice depends on your organization and the data sent by your Identity Provider.
In all cases, Zest relies on a specific field: sso_login, which must match the value sent by the SSO (entityID).
βοΈ Configure SSO in Zest β Case 1: single entity (global SSO)
π Steps in Zest
- Go to the Back Office
- Navigate to Global settings
- Then Configuration
- On the βDefaultβ configuration (the first displayed at the top):
- click the three dots
- then click Edit
- Enable SSO login using the toggle
Once enabled, retrieve the following information:
- Metadata URL
- Assertion URL
- Relay State
SSO pour une entiteΜ global.mov
π Configuration on the Identity Provider side
Then configure SSO in your authentication tool (for example Microsoft Entra ID / Azure AD), using the information provided by Zest.
Once configuration is complete:
- export your Identity Provider metadata
π These elements must be shared with the Zest team for validation.
π Linking with Zest users
For Zest to match SSO with your users:
- add the sso_login field in your import files:
- manual import (CSV)
- SFTP
the value of this field must exactly match the entityID sent by the SSO
π§© Configure SSO in Zest β Case 2: entity-based SSO (multi-tenant)
This mode is recommended if you have:
- multiple legal entities
- subsidiaries
- or populations with different Identity Providers
π Steps in Zest
- Go to Back Office > Global settings > Configuration
- Click Add configuration
- Fill in:
- configuration name
- display name (visible in emails, exports, documents)
- target population (via Smart Org: department, location, etc.)
- Enable SSO login
- Retrieve:
- Metadata URL
- Assertion URL
- Relay State
π Configuration on the Identity Provider side
As with global SSO:
- configure your SSO tool using Zest information (for example Microsoft Entra)
- export metadata
- send them to Zest
β οΈ Here as well, the sso_login field is mandatory in your imports to match the entityID sent by the SSO.
π Linking with Zest users
For Zest to match SSO with your users:
- add the sso_login field in your import files:
- manual import (CSV)
- SFTP
π§ Best practices to keep in mind
- Always test SSO with a pilot user before full rollout
- Check the consistency of identification data (email, employee ID, entityID)
- Anticipate the impact on your user imports and Smart Org
- Inform HR and IT teams in advance for a smooth deployment