Most small and mid-market companies have one of two identity stories: Google Workspace as their de facto IdP, or shared passwords in a spreadsheet. Both have problems. Zoho Directory is a credible IdP that works for teams of 10 to 500, included in Zoho One and available standalone.
What Directory provides
SAML 2.0 SSO. SCIM provisioning to supported apps. MFA enforcement. Conditional access by IP, device, or risk. Org chart and group management. An audit log of every authentication attempt. For a team of this size the feature set covers most of what you would otherwise buy Okta Workforce Identity for, at a fraction of the cost.
Day-1 rollout
Provision users from your existing source (HR system, CSV, or Google sync). Set up and verify your domains. Configure the MFA policy: TOTP as the floor, push for the security-paranoid, FIDO2 for the security-paranoid-and-funded, a group that should include every admin account. Of the three, only FIDO2 is phishing-resistant; TOTP codes and push prompts can both be relayed or fatigued by an attacker sitting between the user and the login page, so treat them as better-than-password, not as equivalent to a security key.
Connect your apps
Native SSO support exists for Zoho apps (one-click), and for the standard SaaS suite (Slack, GitHub, AWS, M365, etc.) via SAML wizards. For long-tail apps, manual SAML configuration takes 15-30 minutes per app: you paste Directory's entity ID, SSO URL and signing certificate into the app, and the app's ACS URL and entity ID back into Directory. Record every value, including the signing certificate's fingerprint and expiry date, in a runbook so the next admin does not redo it and so a certificate rotation does not turn into an outage.
SCIM provisioning kills password-sharing
The pattern that survives audits: Directory provisions the user into the app and removes the user when they leave Directory. The app never sees a password and the user never sets one. For apps with SCIM (most major SaaS), this just works, with one caveat: where the app offers an SSO-only or disable-password-login setting, turn it on, otherwise a local password someone set before the migration remains a way around the IdP. For apps without SCIM, you fall back to manual offboarding, which means a checklist and an owner.
Conditional access policies
Build at least three:
Policy 1: Block sign-in from countries not in the work list
Policy 2: Require FIDO2 for admin accounts
Policy 3: Require MFA on every sign-in for finance and legal roles
Test each in audit mode before enforce mode. Lockouts on a Friday afternoon are how you find out the CFO is on a personal hotspot.
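To make the audit-mode-first advice concrete, here is an added example (not Zoho's policy engine, and not tied to Directory's actual policy syntax) that evaluates the three policies above over a batch of sign-in events in either mode. In audit mode nothing is blocked and every match is recorded as a would-block; the lockout preview is the list of people to call before you flip to enforce. The work-country list, the role names, the MFA method labels and the five sign-ins are constructed, including a CFO whose hotspot resolves outside the work countries and an admin still on push.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumptions for the example: the org's allowed countries and which MFA
# methods count as phishing-resistant. Real events would carry a country
# resolved by the IdP's GeoIP lookup; here it is a field on the record.
WORK_COUNTRIES = {"US", "GB", "DE"}
PHISHING_RESISTANT = {"fido2"}
SENSITIVE_ROLES = {"finance", "legal"}


@dataclass(frozen=True)
class SignIn:
    user: str
    role: str
    is_admin: bool
    country: str
    mfa: str  # "none", "totp", "push" or "fido2"


# Each policy returns True when it would block this sign-in.
def geo_allowlist(e: SignIn) -> bool:
    return e.country not in WORK_COUNTRIES


def admin_requires_fido2(e: SignIn) -> bool:
    return e.is_admin and e.mfa not in PHISHING_RESISTANT


def sensitive_roles_require_mfa(e: SignIn) -> bool:
    return e.role in SENSITIVE_ROLES and e.mfa == "none"


POLICIES = {
    "1_geo_allowlist": geo_allowlist,
    "2_admin_fido2": admin_requires_fido2,
    "3_finance_legal_mfa": sensitive_roles_require_mfa,
}


def evaluate(events, mode="audit"):
    """Run every policy over every sign-in.

    audit:   nothing is blocked; matches are recorded as would-block.
    enforce: any matching policy blocks the sign-in.
    Returns (decisions, would_block): decisions maps user -> "ALLOW"/"BLOCK",
    would_block maps policy name -> sorted users it matched.
    """
    if mode not in ("audit", "enforce"):
        raise ValueError(f"unknown mode {mode!r}")
    decisions = {}
    would_block = defaultdict(set)
    for e in events:
        hits = [name for name, policy in POLICIES.items() if policy(e)]
        for name in hits:
            would_block[name].add(e.user)
        decisions[e.user] = "BLOCK" if (hits and mode == "enforce") else "ALLOW"
    return decisions, {k: sorted(v) for k, v in sorted(would_block.items())}


def lockout_preview(events):
    """What flipping to enforce would do, computed from an audit-mode run.
    This is the list of people to call before Friday afternoon."""
    _, would_block = evaluate(events, mode="audit")
    users = sorted({u for us in would_block.values() for u in us})
    return {"would_lock_out": users, "by_policy": would_block}


# Constructed sample sign-ins. The CFO is on a personal hotspot whose IP
# resolves outside the work-country list; bob is an admin still on push.
SAMPLE = [
    SignIn("alice", "engineering", True, "US", "fido2"),
    SignIn("bob", "engineering", True, "US", "push"),
    SignIn("cfo", "finance", False, "FR", "totp"),
    SignIn("dave", "legal", False, "GB", "none"),
    SignIn("erin", "sales", False, "DE", "totp"),
]

if __name__ == "__main__":
    preview = lockout_preview(SAMPLE)
    for name, users in preview["by_policy"].items():
        print(f"{name}: would block {', '.join(users)}")
    decisions, _ = evaluate(SAMPLE, mode="enforce")
    print("enforce mode:", decisions)
```

Run it against a week of real audit-log sign-ins before enforcing: an empty preview means the policy is safe to flip, a non-empty one is a list of conversations to have first, not a list of people to lock out.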
Group-based app access
Build groups by role: Sales, CS, Engineering, Finance. Assign apps to groups, not users. A new hire joins the Sales group and gets CRM, Sheet, Cliq, and Mail. Leaves the Sales group, loses all of it. The quarterly access review shrinks from a week of per-user spreadsheets to two questions: is each group-to-app mapping still right, and is everyone in each group supposed to be there? Watch for direct per-user assignments creeping back in; they are the exceptions that reviews miss.
Offboarding playbook
Termination event in HR: the HR system marks the employee as Terminated. Directory sync (within 1 hour) disables the account. SCIM deprovisions the user from connected apps. The audit log captures every action. One gap to close explicitly: disabling the IdP account stops new sign-ins, but sessions and tokens an app already issued keep working until they expire or are revoked, so the playbook should include revoking active sessions in the apps that support it and shortening session lifetimes in the ones that do not. Compliance auditor smiles.
For apps without SCIM, append to the termination ticket: explicit deprovision steps for each. Track time-to-fully-offboarded as a metric; aim for under 4 hours.
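Tracking time-to-fully-offboarded only works if something reconstructs it from the evidence, so here is an added example (written for this page, not a Zoho feature) that rebuilds one user's offboarding from a list of audit events: the HR termination, the Directory disable, the SCIM deprovisions, and the manual deprovisions recorded from the termination ticket. It reports what is still provisioned, singles out the manual apps that need a human, and checks the 4-hour target. The event names, the app list and every timestamp are constructed; map them onto whatever your HR system, Directory's audit log and your ticketing tool actually emit.

```python
from datetime import datetime, timedelta

# Assumption for the example: how each app the user holds is deprovisioned.
# SCIM apps are handled by Directory; manual ones live on the termination ticket.
APP_DEPROVISION = {
    "crm": "scim",
    "mail": "scim",
    "cliq": "scim",
    "payroll-portal": "manual",
    "legacy-expenses": "manual",
}

SLA = timedelta(hours=4)


def offboarding_status(events, user, apps, now, sla=SLA):
    """Reconstruct one user's offboarding from audit events.

    events: dicts with keys ts (datetime), type, user and, for app events, app.
    Returns the state, what is still provisioned, hours elapsed since the HR
    termination (to completion if complete, else to `now`), and whether the
    fully-offboarded time met the SLA.
    """
    term = [e for e in events if e["user"] == user and e["type"] == "hr.terminated"]
    if not term:
        return {"state": "no_termination_event"}
    t0 = min(e["ts"] for e in term)
    after = [e for e in events if e["user"] == user and e["ts"] >= t0]

    disabled_at = min((e["ts"] for e in after if e["type"] == "directory.disabled"), default=None)

    # Earliest deprovision time per app, from SCIM or from the manual ticket.
    done = {}
    for e in after:
        if e["type"] in ("scim.deprovisioned", "manual.deprovisioned"):
            done[e["app"]] = min(e["ts"], done.get(e["app"], e["ts"]))

    pending = sorted(a for a in apps if a not in done)
    complete = disabled_at is not None and not pending
    finished_at = max([disabled_at, *done.values()]) if complete else None
    elapsed = (finished_at if complete else now) - t0
    return {
        "state": "complete" if complete else "pending",
        "directory_disabled": disabled_at is not None,
        "pending_apps": pending,
        "pending_manual": [a for a in pending if APP_DEPROVISION.get(a) == "manual"],
        "hours": round(elapsed.total_seconds() / 3600, 2),
        "within_sla": complete and elapsed <= sla,
    }


def _t(hhmm):
    # Constructed timestamps, all on one day, for the sample below.
    return datetime(2024, 3, 1, int(hhmm[:2]), int(hhmm[3:]))


# Constructed audit trail for one departing user. The HR sync fires at 09:40,
# SCIM follows within minutes, one manual app is closed out mid-morning and
# the other is still open on the ticket.
SAMPLE_EVENTS = [
    {"ts": _t("09:00"), "type": "hr.terminated", "user": "jdoe"},
    {"ts": _t("09:40"), "type": "directory.disabled", "user": "jdoe"},
    {"ts": _t("09:41"), "type": "scim.deprovisioned", "user": "jdoe", "app": "crm"},
    {"ts": _t("09:41"), "type": "scim.deprovisioned", "user": "jdoe", "app": "mail"},
    {"ts": _t("09:42"), "type": "scim.deprovisioned", "user": "jdoe", "app": "cliq"},
    {"ts": _t("11:30"), "type": "manual.deprovisioned", "user": "jdoe", "app": "payroll-portal"},
]

if __name__ == "__main__":
    status = offboarding_status(SAMPLE_EVENTS, "jdoe", list(APP_DEPROVISION), _t("15:00"))
    print(status)
```

Run this on a schedule over open terminations and page the ticket owner on anything in pending_manual past the SLA; the SCIM apps will almost never appear there, which is the point of the metric.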
Audit trail
Every sign-in attempt, success or fail, with IP, device, and location, lands in the audit log. Retention is configurable. SOC 2 itself sets no fixed retention period, but auditors commonly expect at least 12 months so the log covers the whole observation period; set that as the floor. For GDPR DSARs, you can answer “show me everywhere this user signed in last year.”
Failure modes to plan for
Single IdP means single point of failure. If Directory has an outage, no one can sign into anything. Mitigations:
- Break-glass admin accounts (2 max), kept outside the policies that could lock them out (geo, device), with the strongest MFA you can put on them, credentials stored offline in a sealed envelope or an offline vault, and an alert on any sign-in by them
- Local app passwords for one or two critical apps (CRM, Mail), held by named owners in a password manager, never shared over chat
- Document the break-glass process; rehearse it once a year and rotate the credentials afterwards
Migration from another IdP
Coming off Google Workspace as IdP: keep Google for mail, point app SAML to Directory. SCIM provisioning may need to be reconfigured. Plan for two weekends of work.
Coming off Okta: SCIM connectors for major apps re-create cleanly. The cost savings often pay for the migration project in the first year.
Cost comparison
Okta Workforce Identity is roughly $6-15/user/month depending on tier. Directory standalone is roughly $1-3/user/month. For a 100-user company, that is a $3-14 per-user-month difference, or roughly $18-84k over 5 years. Reinvest some in a quarterly access review and you are still ahead.
What to do this week: enroll Directory, sync your top 20 users, and put SSO on three apps (start with Mail, CRM, and one finance tool). Build muscle before fleet migration.