Configuring Zoom with Shibboleth

Overview

You can connect Zoom with Shibboleth so that users log in to their Zoom accounts with your organization's Shibboleth credentials via Single Sign-On (SSO). You can assign users Zoom licenses, add-on plans, roles and groups based on their SAML attributes.


Prerequisites

  • Zoom owner or admin privileges
  • Business or Education account with approved Vanity URL

Instructions

Configuring your SSO Information with Zoom

  1. Access the metadata for your organization. It can typically be found at https://IdP.DomainName/idp/shibboleth.
  2. Log in to your Zoom web portal and navigate to the Single Sign-On page.
  3. Configure the page with your SSO information from your metadata:
    • Sign-in page URL: Enter the URL for either the POST or the Redirect binding, as it is listed after Location= in SingleSignOnService.
    • Sign-out page URL: This is optional. If you want to enter a Sign-out page URL, choose the corresponding POST or Redirect URL that appears in SingleLogoutService, after Location=.
    • Identity Provider Certificate: Use the first X509 certificate that appears in your metadata. 
    • Service Provider (SP) Entity ID: Choose the Service Provider (SP) Entity ID which includes https://, for example https://yourVanityURL.zoom.us
    • Issuer (IDP Entity ID): Enter the full Entity ID from your IdP metadata, such as https://IdP.yourorganization/idp/shibboleth
    • Binding: Choose the POST or Redirect binding that corresponds with the Sign-in page URL used. 
    • Check Support Encrypted Assertions, unless you have disabled these in Shibboleth. 
    • Click Save Changes.
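
The values step 3 asks for can be read out of the IdP metadata with a short script. This is an added example, not Zoom's or Shibboleth's code; the sample metadata, the idp.example.org host and the certificate text are constructed placeholders, and zoom_sso_fields is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SAML2 = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-"

# Constructed sample metadata; idp.example.org and the certificate text are placeholders.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.org/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      PLACEHOLDER+FIRST
      +CERT==
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      PLACEHOLDER+SECOND+CERT==
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SLO"/>
    <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
        Location="https://idp.example.org/idp/profile/Shibboleth/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/idp/profile/SAML2/POST/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def zoom_sso_fields(metadata_xml):
    """Return the values the Zoom SSO page asks for, taken from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)

    def locations(tag):
        # Keep only SAML 2.0 POST/Redirect endpoints; skip Shibboleth 1.x, SOAP, etc.
        return {e.get("Binding")[len(SAML2):]: e.get("Location")
                for e in idp.findall(f"md:{tag}", NS)
                if e.get("Binding") in (SAML2 + "POST", SAML2 + "Redirect")}

    first_cert = idp.find(".//ds:X509Certificate", NS)  # first in document order
    return {"issuer": root.get("entityID"),
            "sign_in": locations("SingleSignOnService"),
            "sign_out": locations("SingleLogoutService"),
            "certificate": "".join(first_cert.text.split())}


if __name__ == "__main__":
    for field, value in zoom_sso_fields(SAMPLE_METADATA).items():
        print(f"{field}: {value}")
```

Whichever binding key you take the sign-in URL from is the one to select in the Binding field.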

Configuring your Zoom Metadata in Shibboleth

  1. Download your Zoom metadata from https://yourVanityURL.zoom.us/saml/metadata/sp
  2. Configure the Zoom metadata as trusted in Shibboleth by adding a metadata element in the relying-party.xml file. 
    Example: 

    <MetadataProvider id="Zoom_SP_Metadata" xsi:type="ResourceBackedMetadataProvider"
                      xmlns="urn:mace:shibboleth:2.0:metadata">
        <MetadataResource xsi:type="resource:FilesystemResource"
                          file="/var/shibboleth-idp/metadata/zoom_sp_metadata.xml" />
    </MetadataProvider>

  3. Configure your IdP to send at least the email address SAML attribute. 

    Attribute         Common SAML Attribute Name
    Email Address*    urn:oid:0.9.2342.19200300.100.1.3
    First Name        urn:oid:2.5.4.42
    Last Name         urn:oid:2.5.4.4

    *If eduPersonPrincipalName is formatted as an email address, you can use the following SAML Attribute Name: urn:oid:1.3.6.1.4.1.5923.1.1.1.6

    To do this, you can add an AttributeFilterPolicy element to the attribute-filter.xml file.
    Example:

    <AttributeFilterPolicy id="releaseToZoom">
        <!-- value must exactly match the entityID in your Zoom SP metadata -->
        <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="yourVanityURL.zoom.us" />
        <!-- each attributeID must match an attribute definition id in attribute-resolver.xml -->
        <AttributeRule attributeID="email">
            <PermitValueRule xsi:type="basic:ANY"/>
        </AttributeRule>
        <AttributeRule attributeID="givenName">
            <PermitValueRule xsi:type="basic:ANY"/>
        </AttributeRule>
        <AttributeRule attributeID="surname">
            <PermitValueRule xsi:type="basic:ANY"/>
        </AttributeRule>
    </AttributeFilterPolicy>

Testing your Configuration

You can test the SSO login by logging in at https://yourVanityURL.zoom.us/ or by logging in to the Zoom client and choosing SSO.
