Overview
You can connect Zoom with Shibboleth so that users log in to Zoom with your organization's Shibboleth credentials via Single Sign-On (SSO). You can assign users Zoom licenses, add-on plans, roles and groups based on their SAML attributes.
This article covers:
- Configuring your SSO Information with Zoom
- Configuring your Zoom Metadata in Shibboleth
- Testing your Configuration
Prerequisites
- Zoom owner or admin privileges
- Business or Education account with approved Vanity URL
Instructions
Configuring your SSO Information with Zoom
- Access your organization's IdP metadata. It can typically be found at https://IdP.DomainName/idp/shibboleth.
- Log in to your Zoom web portal and navigate to the Single Sign-On page.
- Configure the page with your SSO information from your metadata:
- Sign-in page URL: Enter the URL that appears after Location= in the SingleSignOnService element for either the POST or the Redirect binding.
- Sign-out page URL: This is optional. If you want to enter a Sign-out page URL, choose the corresponding POST or Redirect URL that appears in SingleLogoutService, after Location=.
- Identity Provider Certificate: Use the first X509 certificate that appears in your metadata.
- Service Provider (SP) Entity ID: Choose the Service Provider (SP) Entity ID which includes https://, for example https://yourVanityURL.zoom.us
- Issuer (IDP Entity ID): Enter the full Entity ID from your IdP metadata, such as https://IdP.yourorganization/idp/shibboleth
- Binding: Choose the POST or Redirect binding that corresponds with the Sign-in page URL used.
- Check Support Encrypted Assertions, unless you have disabled assertion encryption in Shibboleth.
- Click Save Changes.
Configuring your Zoom Metadata in Shibboleth
- Download your Zoom metadata from https://yourVanityURL.zoom.us/saml/metadata/sp
- Configure the Zoom metadata as trusted in Shibboleth by adding a metadata element in the relying-party.xml file.
Example:
<!-- Points at the Zoom SP metadata downloaded from https://yourVanityURL.zoom.us/saml/metadata/sp -->
<MetadataProvider id="Zoom_SP_Metadata" xsi:type="ResourceBackedMetadataProvider"
                  xmlns="urn:mace:shibboleth:2.0:metadata">
    <MetadataResource xsi:type="resource:FilesystemResource"
                      file="/var/shibboleth-idp/metadata/zoom_sp_metadata.xml" />
</MetadataProvider>
- Configure your IdP to send at least the email address SAML attribute.
Attribute        Common SAML Attribute Name
Email Address*   urn:oid:0.9.2342.19200300.100.1.3
First Name       urn:oid:2.5.4.42
Last Name        urn:oid:2.5.4.4
* Required.
To do this, you can add an AttributeFilterPolicy element to the attribute-filter.xml file.
Example:
<AttributeFilterPolicy id="releaseToZoom">
    <!-- AttributeRequesterString is an exact match on the SP Entity ID, so use the same
         value entered as the Service Provider (SP) Entity ID on the Zoom Single Sign-On page -->
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://yourVanityURL.zoom.us" />
    <!-- attributeID values refer to the attribute definitions in attribute-resolver.xml -->
    <AttributeRule attributeID="email">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="givenName">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="surname">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
Testing your Configuration
You can test the SSO login by logging in at https://yourVanityURL.zoom.us/ or by opening the Zoom client and choosing SSO.