Configure SSO

3 min read

SSO (Single Sign-On) login allows your employees to access Zest using their usual professional credentials, without creating a specific password.

It is a key lever to improve user experience, enhance security, and facilitate platform adoption.

βœ… Why enable SSO in Zest?

Setting up SSO provides several benefits:

  • Simplified login for employees (fewer passwords to remember)
  • Enhanced security, aligned with your internal IT policy
  • Fewer support tickets related to forgotten passwords
  • Better adoption of Zest thanks to seamless access
  • Consistency with your IT ecosystem (Microsoft Entra ID, Google, Okta, etc.)

πŸ‘€ User identification: employee ID or email address

Zest allows you to choose the data used to identify users via SSO:

  • Email address
  • Employee ID / internal identifier

πŸ‘‰ This choice depends on your organization and the data sent by your Identity Provider.

In all cases, Zest relies on a specific field: sso_login, which must match the value sent by the SSO (entityID).

βš™οΈ Configure SSO in Zest – Case 1: single entity (global SSO)

πŸ“ Steps in Zest

  1. Go to the Back Office
  1. Navigate to Global settings
  1. Then Configuration
  1. On the β€œDefault” configuration (the first displayed at the top):
    • click the three dots
    • then click Edit
  1. Enable SSO login using the toggle

Once enabled, retrieve the following information:

  • Metadata URL
  • Assertion URL
  • Relay State

SSO pour une entité global.mov

πŸ” Configuration on the Identity Provider side

Then configure SSO in your authentication tool (for example Microsoft Entra ID / Azure AD), using the information provided by Zest.

Once configuration is complete:

  • export your Identity Provider metadata

πŸ‘‰ These elements must be shared with the Zest team for validation.

πŸ”— Linking with Zest users

For Zest to match SSO with your users:

  • add the sso_login field in your import files:
    • manual import (CSV)
    • SFTP

the value of this field must exactly match the entityID sent by the SSO

🧩 Configure SSO in Zest – Case 2: entity-based SSO (multi-tenant)

This mode is recommended if you have:

  • multiple legal entities
  • subsidiaries
  • or populations with different Identity Providers

πŸ“ Steps in Zest

  1. Go to Back Office > Global settings > Configuration
  1. Click Add configuration
  1. Fill in:
    • configuration name
    • display name (visible in emails, exports, documents)
    • target population (via Smart Org: department, location, etc.)
  1. Enable SSO login
  1. Retrieve:
    • Metadata URL
    • Assertion URL
    • Relay State

SSO multi tenant.mov

πŸ” Configuration on the Identity Provider side

As with global SSO:

  • configure your SSO tool using Zest information (for example Microsoft Entra)
  • export metadata
  • send them to Zest

⚠️ Here as well, the sso_login field is mandatory in your imports to match the entityID sent by the SSO.

πŸ”— Linking with Zest users

For Zest to match SSO with your users:

  • add the sso_login field in your import files:
    • manual import (CSV)
    • SFTP
⚠️
the value of this field must exactly match the entityID sent by the SSO

🧠 Best practices to keep in mind

  • Always test SSO with a pilot user before full rollout
  • Check the consistency of identification data (email, employee ID, entityID)
  • Anticipate the impact on your user imports and Smart Org
  • Inform HR and IT teams in advance for a smooth deployment

Related articles

Was this page helpful?