If your organization uses G Suite / Google Apps, you can set up Single Sign-On, which will allow you to set up a default user type for SSO and SAML mapping with provisioning. We also offer a Login with Google option, which requires no additional configuration.
Prerequisites:
- Super administrator privileges within Google Admin for your domain
- Business or Education account with approved Vanity URL
- Admin or owner permissions in Zoom
Note: Without an approved Associated Domain, users will need to confirm being provisioned on the account through an email that is automatically sent to them. For users who fall under an approved domain, provisioning takes place without email confirmation.
SAML app configuration
- From the Admin console dashboard, go to Apps > SAML Apps. To see Apps on the dashboard, you might have to click More controls at the bottom.
- Click the plus (+) icon at the bottom right.
- Click Zoom.
- The Google IDP Information window opens and the Single Sign-On URL and the Entity ID URL fields automatically populate.
- Copy the Entity ID and the Single Sign-On URL field values and download the Certificate, as they will be used later in the setup.
- Click Next.
- In the Service Provider Details window, add an ACS URL, an Entity ID, and a start URL.
- Click Finish.
- Service Provider (SP) Entity ID: Select https://vanityurl.zoom.us or match the Entity ID set in G Suite (step 7 in the Within Google section).
- Sign-in page URL: This is the SSO URL from the Google IdP information; in the XML metadata it appears after <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect".
- Identity provider certificate: Paste the contents of the X.509 certificate downloaded from Google here.
- Issuer: This is the Entity ID from the Google IdP information; in the XML metadata it appears after entityID=.
- Binding: can be left as default.
- Sign SAML request: Leave unchecked (unless checked in #11 from the Google section above).
- Support encrypted assertions: Leave unchecked.
- Security: Check if you want to force logout after a certain number of days.
- Default user type: Select what user type you want new users to be added as.
- (Optional) Email, Name, Etc. - Customize SAML Response Mapping: If you set up Custom Mapping in Google, you can map attributes to configure Zoom users based on the Google mapping.
Enable the Zoom app in Google
- From the Admin console in Google, go to Apps and then SAML apps. To see Apps on the Home page, you might have to click More controls at the bottom.
- Click Zoom.
- At the top right of the gray box, click Edit Service:
- To turn on or off service for everyone in your organization, click On for everyone or Off for everyone, and then click Save.
- To turn on or off service only for users in an organizational unit:
- On the left, select the organizational unit.
- Select On or Off.
- To keep the service turned on or off even when the service is turned on or off for the parent organizational unit, click Override.
- If the organization's status is already Overridden, choose an option:
- Inherit—Reverts to the same setting as its parent.
- Save—Saves your new setting (even if the parent setting changes).
- Ensure that your Zoom user account email IDs match those in your Google domain.
Post (vanity URL) 404 (not found): Confirm that the ACS URL is set correctly. It should look like https://vanityurl.zoom.us/saml/SSO
App not configured: Confirm that the Entity ID URL in Google and the one in Zoom match.
Metadata for issuer https://accounts.google.com/o/saml2?idpid=(unique idpid) wasn't found (-1): Confirm that the Issuer matches the value in the metadata. It will look very similar to the Sign-in page URL, but there are slight differences.
Other errors: Confirm that the ACS URL is https://vanityurl.zoom.us/saml/SSO with the SSO portion capitalized.