Configuring Zoom With ADFS Follow

Overview

You can configure your account to login via Single Sign-On (SSO) with Active Directory Federation Services (ADFS). You can use SAML mapping to assign users licenses, groups, and roles based on their ADFS configuration. Read more about Single Sign-On.

This article covers:

Prerequsites

  • Business or Education Account with Zoom
  • ADFS Server Access
  • Zoom Admin or Owner Access

Configure on Zoom

  1. Find and download/view your ADFS XML metadata at https://[SERVER]/FederationMetadata/2007-06/FederationMetadata.xml
    *[SERVER]: your ADFS server (adfs.example.com)
  2. From the Zoom Admin page, click on Single Sign-on to View the SAML tab.
  3. Enter the following information into the SAML tab options:
    • Sign-in page URL:
      https://[SERVER]/adfs/ls/idpinitiatedsignon.aspx?logintoRP=[Vanity].zoom.us
    • Sign-out page URL:  https://[SERVER]/adfs/ls/?wa=wsignout1.
    • Identity provider certificate:    X509 Certificate from XML Metadata in step 1
      *Use the first X509 Certificate in the XML file:
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                       <X509Data>
                          <X509Certificate>
    • Service Provider (SP) Entity ID: Select the option without https.
    • Issuer:    http or https://[SERVER]/adfs/services/trust (entityID in metadata)
    • Binding:    HTTP-POST
    • Security
      • Sign SAML Request: Check this option if you are signing the SAML request in ADFS.
      • Support Encrypted Assertions: If you are using encrypted assertions in ADFS, check this option.
      • Enforce automatic logout after the user has been logged in for: Check this if you want the user to be logged out after a specified amount of time. 
        adaf1fa5-cebe-4e8b-9785-f15c9126e1fb.png

Configuring in ADFS

  1. Login to your ADFS server.
  2. Open ADFS 2.0 MMC
  3. Add a Relying Party Trust
    Select Import data about the relying party published online or on a local network
    Federation metadata address:   https://YOURVANITY.zoom.us/saml/metadata/sp 
  4. Add a display name ("Zoom") and finish the Wizard with default settings
  5. Change both Redirect and Post SAML Logout Endpoint (Right click the new Relying Party Trust > Properties > Endpoints Tab) URLs to: 
    https://SERVER/adfs/ls/?wa=wsignout1.0
     
    *Note: If you are unable to change the logout endpoints, open the Monitor tab and uncheck "Automatically update relying party" and Apply changes.
  6. Add two claim rules:
    • Type:    Send LDAP Attributes as Claims
    • Name:    Zoom - Send to Email
    • Mappings
      • E-Mail-Addresses > E-Mail Address
      • User-Principal-Name > UPN
      • Given-Name > urn:oid:2.5.4.42
      • Surname > urn:oid:2.5.4.4
    • Type:    Transform Incoming Claim
    • Name:    Zoom - Email to Name ID
    • Incoming claim type:    E-Mail Address
    • Outgoing claim type:    Name ID
    • Outgoing name ID format:    Email

Once Configured

Once you have completed the configuration steps, any user in your active directory should be able to login, based on the configuration you have set. To test, visit http://YOURVANITY.zoom.us and select Login. 

Troubleshooting Tips

Unable to log in using Google Chrome or Firefox

If you are unable to log in using Chrome or Firefox, and are seeing an 'Audit Failure' event with "Status: 0xc000035b" in the Event Viewer on the ADFS server, you will need to turn off Extended Protection. Chrome and Firefox do not support the Extended Protection of ADFS (IE does).

  1. Launch IIS Manager
  2. In the left panel, navigate to Sites > Default Web Site > ADFS > LS
  3. Double-click Authentication icon
  4. Right-click Windows Authentication
  5. Select Advanced Settings
  6. Turn OFF Extended Protection
Was this article helpful?
Have more questions? Submit a request
Powered by Zendesk