Configuring Zoom with Shibboleth

Overview

You can connect Zoom with Shibboleth to use your organization's Shibboleth credentials to login to your Zoom account via Single Sign-On (SSO). You can assign users Zoom licenses, add-on plans, roles and groups based on their SAML attributes.

This article covers:

• Configuring your SSO Information with Zoom
• Configuring your Zoom Metadata in Shibboleth
• Testing your Configuration

Prerequisites

• Zoom owner or admin privileges
• Business or Education account with approved Vanity URL

Note: Without an approved Associated Domain, users will need to confirm to being provisioned on the account through an email automatically sent to them. Provisioning will take place without email confirmation for any users falling under an approved domain.

Instructions

Configuring your SSO Information with Zoom

1. Access the metadata for your organization. It can typically be found at https://IdP.DomainName/idp/shibboleth.
2. Login to your Zoom web portal and navigate to the Single Sign-On page. 
3. Configure the page with your SSO information from your metadata:
   • Sign-in page URL: Choose either the POST or Redirect Binding as it is listed after Location=
     
   • Sign-out page URL: This is optional. If you want to enter a Sign-out page URL, choose the corresponding POST or Redirect URL that appears in SingleLogoutService, after Location=.
     
   • Identity Provider Certificate: Use the first X509 certificate that appears in your metadata. 
     
   • Service Provider (SP) Entity ID: Choose the Service Provider (SP) Entity ID which includes https://, for example https://yourVanityURL.zoom.us
   • Issuer (IDP Entity ID): Enter the full Entity ID from your IdP metadata, such as https://IdP.yourorganization/idp/shibboleth
     
   • Binding: Choose the POST or Redirect binding that corresponds with the Sign-in page URL used. 
   • Check Support Encrypted Assertions, unless you have disabled these in Shibboleth. 
   • Click Save Changes.
     
     Note: When using CAS with Shibboleth, used HTTP-Redirect for the Binding. 

Configuring your Zoom Metadata in Shibboleth

1. Download your Zoom metadata from https://yourVanityURL.zoom.us/saml/metadata/sp
2. Configure the Zoom metadata as trusted in Shibboleth by adding a metadata element in the relying-party.xml file. 
   Example: 
   

   <MetadataProvider id="Zoom_SP_Metadata" xsi:type="ResourceBackedMetadataProvider"
   xmlns="urn:mace:shibboleth:2.0:metadata">
   <MetadataResource xsi:type="resource:FilesystemResource"
   file="/var/shibboleth-idp/metadata/zoom_sp_metadata.xml" />
   </MetadataProvider>

3. Configure your IdP to send at least the email address SAML attribute. 

   Attribute	Common SAML Attribute Name
   Email Address*	urn:oid:0.9.2342.19200300.100.1.3
   First Name	urn:oid:2.5.4.42
   Last Name	urn:oid:2.5.4.4

   *If eduPersonPrincipalName is formatted as email address you can use the following SAML Attribute Name: urn:oid:1.3.6.1.4.1.5923.1.1.1.6
   
   To do this, you can add an AttributeFilterPolicy element to the attribute-filter.xml file.
   Example:
   

   <AttributeFilterPolicy id="releaseToZoom">
   <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="yourVanityURL.zoom.us" /> <AttributeRule attributeID="email">
   <PermitValueRule xsi:type="basic:ANY"/> </AttributeRule>
   <AttributeRule attributeID="givenName"> <PermitValueRule xsi:type="basic:ANY"/></AttributeRule>
   <AttributeRule attributeID="surname">
   <PermitValueRule xsi:type="basic:ANY"/> </AttributeRule>
   </AttributeFilterPolicy>

Testing your Configuration

You can test the SSO login by logging in at https://yourVanityURL.zoom.us/ or by logging into the Zoom client and choosing SSO.