If your organization uses G Suite / Google Apps, you can set up Single Sign-On, which will allow you to set up a default user type for SSO and SAML mapping with provisioning. We also offer a Login with Google option, which requires no additional configuration.
This article covers:
- Super administrator privileges within Google Admin for your domain
- Vanity URL setup for your Zoom account (requires a Business or Education account)
- Admin or owner permissions in Zoom
SAML app configuration
- From the Admin console dashboard, go to Apps > SAML Apps. To see Apps on the dashboard, you might have to click More controls at the bottom.
- Click the plus (+) icon at the bottom right.
- Click Zoom.
- The Google IDP Information window opens and the Single Sign-On URL and the Entity ID URL fields automatically populate.
- Copy the Entity ID and the Single Sign-On URL field values and download the Certificate, as they will be used later in the setup.
- Click Next.
- In the Service Provider Details window, add an ACS URL, an Entity ID, and a start URL.
- Click Finish.
- Service Provider (SP) Entity ID: Select https://vanityurl.zoom.us or match the Entity ID set in G Suite (step 7 in the Within Google section).
- Sign-in page URL: This is the SSO URL from the Google IdP information, or it appears after <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" in the XML metadata.
- Identity provider certificate: Copy and paste the contents of the X.509 certificate downloaded from Google here.
- Issuer: This is the Entity ID from the Google IdP information, or it appears after entityID= in the XML metadata.
- Binding: can be left as default.
- Sign SAML request: Leave unchecked (unless checked in #11 from the Google section above).
- Support encrypted assertions: Leave unchecked.
- Security: Check if you want to force logout after a certain number of days.
- Default user type: Select what user type you want new users to be added as.
- (Optional) Email, Name, Etc. - Customize SAML Response Mapping: If you set up Custom Mapping in Google, you can map attributes to configure Zoom users based on the Google mapping.
Enable the Zoom app in Google
- From the Admin console in Google, go to Apps and then SAML apps. To see Apps on the Home page, you might have to click More controls at the bottom.
- Click Zoom.
- At the top right of the gray box, click Edit Service:
- To turn on or off service for everyone in your organization, click On for everyone or Off for everyone, and then click Save.
- To turn on or off service only for users in an organizational unit:
- On the left, select the organizational unit.
- Select On or Off.
- To keep the service turned on or off even when the service is turned on or off for the parent organizational unit, click Override.
- If the organization's status is already Overridden, choose an option:
- Inherit—Reverts to the same setting as its parent.
- Save—Saves your new setting (even if the parent setting changes).
- Ensure that your Zoom user account email IDs match those in your Google domain.
Post (vanity URL) 404 (not found): Confirm that the ACS URL is set correctly. It should look like https://vanityurl.zoom.us/saml/SSO
App not configured: Confirm Entity ID URL in Google and Zoom match.
Metadata for issuer https://accounts.google.com/o/saml2?idpid=(unique idpid) wasn't found (-1): Confirm that the Issuer matches the value in the metadata. It will look very similar to the Sign-in page URL, but there are slight differences.
Other errors: Confirm that the ACS URL is https://vanityurl.zoom.us/saml/SSO with the SSO portion capitalized.