Configure single sign-on (SSO) to use your company's identity provider (IdP) to authenticate users to Zilliant CPQ.
Enabling authentication through SSO simplifies and secures user access to CPQ when integrated into various CRM platforms like Salesforce, SAP SalesCloud, and Microsoft Dynamics.
When embedding CPQ into CRM solutions, SSO provides multiple advantages:
Seamless user experience
Enables user access to CPQ from their CRM without the need to sign in separately.
Improves productivity by eliminating the need for multiple login credentials.
Unified authentication and security
Ensures that only authorized users in the CRM can access CPQ, reducing the risk of unauthorized access.
Leverages existing authentication frameworks like OAuth 2.0, SAML, or OpenID Connect to enforce security policies.
Context-aware access and data integrity
By using CRM session credentials, SSO ensures that user roles and permissions remain consistent across platforms.
Prevents data silos by synchronizing sales quotes, pricing, and approval workflows across the integrated ecosystem.
Simplified IT management and compliance
Reduces administrative overhead by centralizing user access control in the CRM's IdP.
CPQ uses AWS Cognito to enable SSO. Amazon Cognito integrates with identity providers through standards such as SAML, OpenID Connect, and OAuth 2.0. It enables users to authenticate using enterprise directories (such as Microsoft Entra ID), social logins, or custom authentication solutions.
The following sections provide general steps, examples, and resources to help you configure SSO:
General SSO integration (SAML 2.0)
Use the following general steps to set up SAML 2.0-based authentication for CPQ:
Submit a request to Zilliant Support to set up SSO integration.
Zilliant responds with the following SAML 2.0 configuration details to enable setup:
Entity ID—Unique identifier for CPQ as a service provider.
Reply URL—Endpoint in CPQ that receives SAML authentication responses (assertions) from the identity provider (IdP).
Sign in to your IdP solution, such as Microsoft Entra ID, Okta, or Salesforce.
Create a SAML application for CPQ.
Add the Entity ID and Reply URL provided by Zilliant to the new SAML application.
Configure attribute mapping in the IdP to ensure users are correctly authenticated and authorized.
Download the IdP metadata file and share it with Zilliant Support. The IdP metadata file contains:
SAML SSO URL
Certificate (X.509)
Issuer (IdP Entity ID)
Attribute mapping details
Zilliant responds with the CPQ Service Provider (SP) metadata file, which includes:
Entity ID
ACS URL
SAML certificate
Other required metadata
Upload the SP metadata file to your IdP solution. This establishes the trust relationship between your IdP and CPQ.
Initiate a test login from your IdP to CPQ to validate the SAML authentication flow. If you encounter issues, use debugging tools such as SAML Tracer, Okta system logs, Microsoft Entra sign-in logs, or Salesforce event logs to identify configuration issues.
After validation, SSO is activated and you can use your enterprise credentials to sign in to CPQ through your IdP.
Configure attribute mapping
Before you continue
The common attribute used for authentication across all IdP solutions should match the usernames in CPQ.
Primary attribute
Recommended and most commonly used as the primary identifier:
email—User's email address.
Alternative attribute
If email is not used:
username—Unique user identifier that matches the usernames configured in CPQ.
Other attributes
Optional but recommended for additional user context:
firstName—User's first name.
lastName—User's last name.
Attribute mapping examples
Okta
Primary—email
Alternative—username
Microsoft Entra ID (Azure AD)
Primary—userPrincipalName (frequently the user’s email address)
Alternative—sAMAccountName
Salesforce (SAML Connected App)
Primary—email
Alternative—FederationIdentifier
Example: SAML 2.0 configuration in Salesforce-connected apps for CPQ integration
This example highlights specific considerations for integrating Salesforce as the IdP with CPQ as the service provider.
When configuring Salesforce-connected apps for SAML 2.0 authentication, ensure the following critical details are correctly set.
Key configuration points
Start URL
This URL must be customized to CPQ URL + /quotelist. For example: https://your-cpq-instance.zilliant.com/quotelist
Salesforce does not automatically handle paths, so you must manually append /quotelist to the CPQ URL. This ensures users are directed to the correct application endpoint after authentication.
SAML service provider settings
Entity ID—Provided by Zilliant. Example: urn:amazon:cognito:sp:your-region_your-instance-id
Assertion Consumer Service (ACS)—Provided by Zilliant. This is the endpoint where Salesforce sends authentication responses. Example: https://your-cpq-instance.zilliant.com/saml2/idpresponse
Issuer—Autofilled. This is the unique identifier for your Salesforce organization. Example: https://your-salesforce-org.salesforce.com
Name ID format
This attribute is used for authentication. It must match the attribute used for user identification in CPQ. Typically: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
IdP certificate
Part of the metadata download. Upload the appropriate SAML certificate for your IdP. This certificate must match the one configured in Salesforce Connected Apps.
SAML login information
Auto-filled and part of the metadata download. Key endpoints in Salesforce:
IdP-Initiated Login URL—Used for direct IdP-initiated logins. Example: https://your-salesforce-org.salesforce.com/idp/login?app=your-app-id
SP-Initiated POST Endpoint—Used when authentication is initiated by CPQ. Example: https://your-salesforce-org.salesforce.com/idp/endpoint/HttpPost
SP-Initiated Redirect Endpoint—Example: https://your-salesforce-org.salesforce.com/idp/endpoint/HttpRedirect
Metadata Discovery Endpoint—Example: https://your-salesforce-org.salesforce.com/.well-known/samlidp/your-app-id.xml
Custom Connected App Handler
If needed, configure a custom Apex plugin class for additional logic or advanced flows.
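When a test login fails, comparing the decoded SAML response (for example, as shown by SAML Tracer) with the values configured above helps locate the mismatch. This Python check is an added example, not part of Zilliant's or Salesforce's tooling; diagnose, EXPECTED, and the unsigned sample response are constructed from the placeholder values on this page, exact-match username comparison is an assumption, and the signature is not verified.

```python
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Expected values: the placeholder examples used on this page.
EXPECTED = {
    "issuer": "https://your-salesforce-org.salesforce.com",
    "audience": "urn:amazon:cognito:sp:your-region_your-instance-id",
    "recipient": "https://your-cpq-instance.zilliant.com/saml2/idpresponse",
    "nameid_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
}

# Constructed, unsigned sample of a decoded SAML response (user is made up).
SAMPLE_RESPONSE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion">
  <a:Assertion>
    <a:Issuer>https://your-salesforce-org.salesforce.com</a:Issuer>
    <a:Subject>
      <a:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</a:NameID>
      <a:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <a:SubjectConfirmationData Recipient="https://your-cpq-instance.zilliant.com/saml2/idpresponse"/>
      </a:SubjectConfirmation>
    </a:Subject>
    <a:Conditions><a:AudienceRestriction>
      <a:Audience>urn:amazon:cognito:sp:your-region_your-instance-id</a:Audience>
    </a:AudienceRestriction></a:Conditions>
  </a:Assertion>
</p:Response>"""


def diagnose(response_xml, cpq_usernames, expected=EXPECTED):
    """Return {field: (found, wanted)} for every value that does not match."""
    # Diagnostic only: configuration values are compared, the signature is not checked.
    a = ET.fromstring(response_xml).find("a:Assertion", NS)
    if a is None:
        return {"assertion": (None, "present")}
    nameid = a.find("a:Subject/a:NameID", NS)
    scd = a.find("a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData", NS)
    found = {
        "issuer": a.findtext("a:Issuer", default="", namespaces=NS).strip(),
        "audience": a.findtext("a:Conditions/a:AudienceRestriction/a:Audience", default="", namespaces=NS).strip(),
        "recipient": scd.get("Recipient", "") if scd is not None else "",
        "nameid_format": nameid.get("Format", "") if nameid is not None else "",
    }
    bad = {k: (v, expected[k]) for k, v in found.items() if v != expected[k]}
    user = (nameid.text or "").strip() if nameid is not None else ""
    if user not in cpq_usernames:
        bad["nameid"] = (user, "a username that exists in CPQ")
    return bad
```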
Example: Visual configuration
The following image demonstrates the configuration screen in Salesforce’s connected apps setup. It includes the Start URL, Entity ID, ACS URL, and Issuer fields. The emphasis is on ensuring that Start URL correctly directs users to the CPQ /quotelist endpoint.
Resources
The following technical and documentation resources may be helpful when setting up SSO.