If your organization uses G Suite / Google Apps, you can set up Single Sign-On, which will allow you to set up a default user type for SSO and SAML mapping with provisioning. We also offer a Login with Google option, which requires no additional configuration.
- Super administrator privileges within Google Admin for your domain
- Vanity URL set up for your Zoom account (requires a Business or Education account)
- Admin or owner permissions in Zoom
- From the Admin console dashboard, go to Apps > SAML Apps. To see Apps on the dashboard, you might have to click More controls at the bottom.
- Select the Add a service/App to your domain link or click the plus (+) icon in the bottom corner.
- Click Setup my own custom SAML App.
- The Google IDP Information window opens and the Single Sign-On URL and the Entity ID URL fields automatically populate.
- There are two ways to collect the service provider Setup information:
- You can copy the Entity ID and the Single Sign-On URL field values and download the X.509 Certificate, paste them into the appropriate service provider Setup fields, and then click Next.
- You can download the IDP metadata, upload it into the appropriate service provider Setup fields, and then come back to the admin console and click Next.
- In the Basic Application Information window, add an application name and description.
- In the Service Provider Details window, add an ACS URL, an Entity ID, and a start URL.
- Leave Signed Response unchecked.
- Click Next.
- (Optional) Attribute Mapping
- Click Add new mapping and enter a new name for the attribute you want to map.
- In the drop-down list, select the Category and User attributes to map the attribute from the G Suite profile.
- Click Finish.
- Service Provider (SP) Entity ID: Select https://vanityurl.zoom.us or match the Entity ID set in G Suite (step 7 in the Within Google section).
- Sign-in page URL: This is the SSO URL from the Google IdP information, or it appears after <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" in the XML metadata.
- Identity provider certificate: You can download this from the Google IdP information, or it appears between <ds:X509Certificate> and </ds:X509Certificate> in the XML metadata.
- Issuer: This is the Entity ID from the Google IdP information, or it appears after entityID= in the XML metadata.
- Binding: can be left as default.
- Sign SAML request: Leave unchecked (unless checked in #11 from the Google section above).
- Support encrypted assertions: Leave unchecked.
- Security: Check if you want to force logout after a certain number of days.
- Default user type: Select what user type you want new users to be added as.
- (Optional) Email, Name, Etc. - Customize SAML Response Mapping: If you set up Custom Mapping (#13 from Google section above), you can map attributes to configure Zoom users based on the Google mapping.
Post (vanity URL) 404 (not found): Confirm that the ACS URL is set correctly. It should look like https://vanityurl.zoom.us/saml/SSO
App not configured: Confirm Entity ID URL in Google and Zoom match.
Metadata for issuer https://accounts.google.com/o/saml2?idpid=(unique idpid) wasn't found (-1): Confirm that the Issuer matches what it is in the metadata. It will look very similar to the Sign-in page URL, but there are slight differences.
Other errors: Confirm that the ACS URL is https://vanityurl.zoom.us/saml/SSO, with the SSO portion capitalized.
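
The following is an added example, not part of the original article or of Zoom's or Google's tooling. It pulls the Issuer, Sign-in page URL and certificate out of downloaded IdP metadata as described in the Zoom field list above, then checks the entered values against the troubleshooting entries. The sample metadata, the idpid, the certificate body and the function and key names are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # input is a file downloaded from your own Admin console

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: the idpid and certificate body are placeholders, not real values.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://accounts.google.com/o/saml2?idpid=EXAMPLEIDPID">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
   <ds:X509Data><ds:X509Certificate>PLACEHOLDER
   CERTBODY</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLEIDPID"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLEIDPID"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def zoom_fields(metadata_xml):
    """Extract the Issuer, Sign-in page URL and certificate from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    issuer = root.get("entityID")
    sso = [e.get("Location") for e in root.iterfind(".//md:SingleSignOnService", NS)
           if e.get("Binding") == REDIRECT]
    cert = root.find(".//ds:X509Certificate", NS)
    cert_b64 = "".join((cert.text or "").split()) if cert is not None else ""
    if not (issuer and sso and sso[0] and cert_b64):
        raise ValueError("metadata lacks entityID, HTTP-Redirect SSO URL or certificate")
    return {"issuer": issuer, "sign_in_page_url": sso[0], "certificate": cert_b64}


def check_config(meta, entered):
    """Compare values typed into Zoom/Google with the metadata; return problems found."""
    problems = []
    if entered["issuer"] != meta["issuer"]:
        problems.append("Issuer does not match entityID in the metadata")
    if entered["sign_in_page_url"] != meta["sign_in_page_url"]:
        problems.append("Sign-in page URL does not match the HTTP-Redirect Location")
    if entered["zoom_entity_id"] != entered["google_entity_id"]:
        problems.append("Entity ID differs between Google and Zoom")
    if not entered["acs_url"].endswith("/saml/SSO"):  # case-sensitive on purpose
        problems.append("ACS URL must end in /saml/SSO")
    return problems
```

Running `check_config(zoom_fields(xml_text), entered)` before saving the Zoom SSO page catches the Issuer/Sign-in URL mix-up and a lowercase `/saml/sso` without a failed login round trip.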