Configuring Zoom with Shibboleth

Overview

You can connect Zoom with Shibboleth to use your organization's Shibboleth credentials to log in to your Zoom account via Single Sign-On (SSO). You can assign users Zoom licenses, add-on plans, roles and groups based on their SAML attributes.

Prerequisites

  • Zoom owner or admin privileges
  • Business or Education account with approved Vanity URL

Instructions

Configuring your SSO Information with Zoom

  1. Access the metadata for your organization. It can typically be found at https://IdP.DomainName/idp/shibboleth.
  2. Log in to your Zoom web portal and navigate to the Single Sign-On page.
  3. Configure the page with your SSO information from your metadata:
    • Sign-in page URL: Choose either the POST or Redirect binding and enter its URL as it is listed after Location= in SingleSignOnService.
    • Sign-out page URL: This is optional. If you want to enter a Sign-out page URL, choose the corresponding POST or Redirect URL that appears in SingleLogoutService, after Location=.
    • Identity Provider Certificate: Use the first X509 certificate that appears in your metadata. 
    • Service Provider (SP) Entity ID: Choose the Service Provider (SP) Entity ID which includes https://, for example https://yourVanityURL.zoom.us
    • Issuer (IDP Entity ID): Enter the full Entity ID from your IdP metadata, such as https://IdP.yourorganization/idp/shibboleth
    • Binding: Choose the POST or Redirect binding that corresponds with the Sign-in page URL used. 
    • Check Support Encrypted Assertions, unless you have disabled these in Shibboleth. 
    • Click Save Changes.
      Note: When using CAS with Shibboleth, use HTTP-Redirect for the Binding.
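
The field mapping in step 3, as an added example (not code from Zoom or Shibboleth): it reads IdP metadata and returns the issuer, the sign-in and sign-out URLs for the chosen binding, and the first X509 certificate with its SHA-256 fingerprint. The host idp.example.edu, the certificate bytes and the function name zoom_sso_fields are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDINGS = {"POST": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
            "Redirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"}

# Constructed sample: idp.example.edu and the certificate bytes are placeholders.
BASE = "https://idp.example.edu/idp"
CERT = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE = f"""<EntityDescriptor xmlns="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="{BASE}/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        {CERT}
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleLogoutService Binding="{BINDINGS['Redirect']}" Location="{BASE}/profile/SAML2/Redirect/SLO"/>
    <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="{BASE}/profile/Shibboleth/SSO"/>
    <SingleSignOnService Binding="{BINDINGS['POST']}" Location="{BASE}/profile/SAML2/POST/SSO"/>
    <SingleSignOnService Binding="{BINDINGS['Redirect']}" Location="{BASE}/profile/SAML2/Redirect/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def zoom_sso_fields(metadata_xml, binding="POST"):
    """Return the values the Zoom Single Sign-On page asks for, for one binding."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    cert = root.find(".//ds:X509Certificate", NS)  # first certificate in document order

    def location(tag):
        # Compare the Binding URI exactly so SAML1/Shibboleth-profile endpoints are skipped.
        matches = [e.get("Location") for e in idp.findall(f"md:{tag}", NS)
                   if e.get("Binding") == BINDINGS[binding]]
        return matches[0] if matches else None

    if idp is None or cert is None or location("SingleSignOnService") is None:
        raise ValueError(f"metadata lacks a certificate or an HTTP-{binding} sign-in endpoint")
    cert_b64 = "".join(cert.text.split())  # drop line wrapping and indentation
    return {"issuer": root.get("entityID"), "binding": binding,
            "sign_in_url": location("SingleSignOnService"),
            "sign_out_url": location("SingleLogoutService"),  # optional on the Zoom page
            "certificate": cert_b64,
            "cert_sha256": hashlib.sha256(base64.b64decode(cert_b64)).hexdigest()}
```

With real metadata, cert_sha256 is the same digest that `openssl x509 -noout -fingerprint -sha256` reports for the certificate, so it can be compared with the IdP's own certificate file before the value is pasted into Zoom.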

Configuring your Zoom Metadata in Shibboleth

  1. Download your Zoom metadata from https://yourVanityURL.zoom.us/saml/metadata/sp
  2. Configure the Zoom metadata as trusted in Shibboleth by adding a metadata element in the relying-party.xml file. 
    Example: 

    <MetadataProvider id="Zoom_SP_Metadata" xsi:type="ResourceBackedMetadataProvider"
                      xmlns="urn:mace:shibboleth:2.0:metadata">
        <MetadataResource xsi:type="resource:FilesystemResource"
                          file="/var/shibboleth-idp/metadata/zoom_sp_metadata.xml" />
    </MetadataProvider>

  3. Configure your IdP to send at least the email address SAML attribute. 

    Attribute        Common SAML Attribute Name
    Email Address*   urn:oid:0.9.2342.19200300.100.1.3
    First Name       urn:oid:2.5.4.42
    Last Name        urn:oid:2.5.4.4

    *If eduPersonPrincipalName is formatted as an email address, you can use the following SAML Attribute Name: urn:oid:1.3.6.1.4.1.5923.1.1.1.6

    To do this, you can add an AttributeFilterPolicy element to the attribute-filter.xml file.
    Example:

    <AttributeFilterPolicy id="releaseToZoom">
        <!-- value is compared with the requesting SP's entityID; it must match the entityID in the Zoom metadata from step 1 -->
        <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="yourVanityURL.zoom.us" />
        <AttributeRule attributeID="email">
            <PermitValueRule xsi:type="basic:ANY"/>
        </AttributeRule>
        <AttributeRule attributeID="givenName">
            <PermitValueRule xsi:type="basic:ANY"/>
        </AttributeRule>
        <AttributeRule attributeID="surname">
            <PermitValueRule xsi:type="basic:ANY"/>
        </AttributeRule>
    </AttributeFilterPolicy>

Testing your Configuration

You can test the SSO login by logging in at https://yourVanityURL.zoom.us/ or by logging in to the Zoom client and choosing SSO.