Configuring Zoom With ADFS

Overview

You can configure your account to login via Single Sign-On (SSO) with Active Directory Federation Services (ADFS). You can use SAML mapping to assign users licenses, groups, and roles based on their ADFS configuration. Read more about Single Sign-On.


Prerequisites

  • Zoom Business or Education account with an approved Vanity URL
  • ADFS Server Access
  • Zoom Admin or Owner Access

Configure on Zoom

  1. Find and download/view your ADFS XML metadata at https://[SERVER]/FederationMetadata/2007-06/FederationMetadata.xml
    *[SERVER]: your ADFS server (adfs.example.com)
  2. From the Zoom Admin page, click Single Sign-On to view the SAML tab.
  3. Enter the following information into the SAML tab options:
    • Sign-in page URL:
      https://[SERVER]/adfs/ls/idpinitiatedsignon.aspx?logintoRP=[Vanity].zoom.us
      • *Note: if the SP Entity ID in Zoom is set to https://[vanity].zoom.us, the logintoRP section of the sign-in URL should match, as "...?logintoRP=https://[vanity].zoom.us"
    • Sign-out page URL:  https://[SERVER]/adfs/ls/?wa=wsignout1.0
    • Identity provider certificate:    X509 Certificate from XML Metadata in step 1
      *Use the first X509Certificate in the XML file, the one inside the metadata's ds:Signature element:
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                       <X509Data>
                          <X509Certificate>MIIC... (base64 certificate: copy this value)</X509Certificate>
                       </X509Data>
                  </KeyInfo>
            </ds:Signature>
    • Service Provider (SP) Entity ID: Select the option without https.
    • Issuer:    the entityID from the metadata, normally http://[SERVER]/adfs/services/trust (it may be http or https; copy it exactly as it appears)
    • Binding:    HTTP-POST
    • Security
      • Sign SAML Request: Check this option if you are signing the SAML request in ADFS.
      • Support Encrypted Assertions: If you are using encrypted assertions in ADFS, check this option.
      • Enforce automatic logout after the user has been logged in for: Check this if you want the user to be logged out after a specified amount of time. 
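The values above all come from one file, so a script can pull them out and hand you exactly what the SAML tab asks for. The PowerShell below is an added example, not part of the Zoom article: it reads a FederationMetadata.xml, takes the entityID as the Issuer, takes the first X509Certificate under ds:Signature/KeyInfo and re-wraps it as PEM, and builds the sign-in and sign-out URLs so that logintoRP matches whichever SP Entity ID form you selected in Zoom. The function name Get-ZoomSamlSettings, the embedded sample metadata (constructed, with a placeholder certificate) and the YOURVANITY value are all assumptions for the example.

```powershell
# Added example (not from the Zoom article): extract the SAML-tab values from ADFS metadata.
function Get-ZoomSamlSettings {
    param(
        [Parameter(Mandatory)] [string] $MetadataXml,   # contents of FederationMetadata.xml
        [Parameter(Mandatory)] [string] $Vanity,        # Zoom vanity subdomain, e.g. "acme"
        [switch] $SpEntityIdWithHttps                   # set if you chose the https:// SP Entity ID in Zoom
    )
    [xml] $doc = $MetadataXml
    $ns = @{ ds = 'http://www.w3.org/2000/09/xmldsig#' }

    # Issuer on the Zoom SAML tab = entityID attribute of the EntityDescriptor root element.
    $issuer = $doc.DocumentElement.GetAttribute('entityID')
    $server = ([uri] $issuer).Host

    # The first X509Certificate inside ds:Signature/KeyInfo is the one the article says to use.
    # KeyInfo declares the xmldsig namespace as its default, so the ds: prefix matches it too.
    $certNode = Select-Xml -Xml $doc -Namespace $ns `
        -XPath '//ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate' |
        Select-Object -First 1
    if (-not $certNode) { throw 'No X509Certificate found under ds:Signature/KeyInfo' }
    $b64 = $certNode.Node.InnerText -replace '\s', ''

    # Zoom's certificate field takes the certificate in PEM form: re-wrap the base64 at 64 columns.
    $lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
        $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
    }
    $pem = (@('-----BEGIN CERTIFICATE-----') + $lines + '-----END CERTIFICATE-----') -join "`n"

    # logintoRP must match the SP Entity ID exactly (see the note on the sign-in URL above).
    $rp = if ($SpEntityIdWithHttps) { "https://$Vanity.zoom.us" } else { "$Vanity.zoom.us" }

    [pscustomobject] @{
        SignInUrl   = "https://$server/adfs/ls/idpinitiatedsignon.aspx?logintoRP=$rp"
        SignOutUrl  = "https://$server/adfs/ls/?wa=wsignout1.0"
        Issuer      = $issuer
        Certificate = $pem
    }
}

# Constructed sample metadata. A real file also carries SignedInfo, SignatureValue and
# RoleDescriptor elements; only the parts the function reads are shown, and the
# certificate value is a placeholder, not a real certificate.
$sampleMetadata = @'
<EntityDescriptor ID="_sample" entityID="http://adfs.example.com/adfs/services/trust"
                  xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data>
        <X509Certificate>MIICPLACEHOLDERTOKENSIGNINGCERTIFICATEBASE64VALUEGOESHEREAAAA</X509Certificate>
      </X509Data>
    </KeyInfo>
  </ds:Signature>
</EntityDescriptor>
'@

# Against a live server you would fetch the file from step 1 instead, for example:
# $xml = (Invoke-WebRequest 'https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml').Content
Get-ZoomSamlSettings -MetadataXml $sampleMetadata -Vanity 'YOURVANITY' | Format-List
```

Run it with -SpEntityIdWithHttps only if you picked the https:// SP Entity ID in Zoom; with the default choice ("the option without https") the logintoRP value stays YOURVANITY.zoom.us, which is what the sign-in URL in step 3 shows.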

Configuring in ADFS

  1. Log in to your ADFS server.
  2. Open the ADFS 2.0 Management console (MMC).
  3. Add a Relying Party Trust
    Select Import data about the relying party published online or on a local network
    Federation metadata address:   https://YOURVANITY.zoom.us/saml/metadata/sp 
  4. Add a display name ("Zoom") and finish the Wizard with default settings
  5. Add two claim rules:
    • Rule 1
      • Type:    Send LDAP Attributes as Claims
      • Name:    Zoom - Send to Email
      • Mappings
        • E-Mail-Addresses > E-Mail Address
        • User-Principal-Name > UPN
        • Given-Name > urn:oid:2.5.4.42
        • Surname > urn:oid:2.5.4.4
    • Rule 2
      • Type:    Transform Incoming Claim
      • Name:    Zoom - Email to Name ID
      • Incoming claim type:    E-Mail Address
      • Outgoing claim type:    Name ID
      • Outgoing name ID format:    Email
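Steps 3 to 5 can also be done from the ADFS PowerShell cmdlets, which is useful when you want the trust and its rules under version control or need to rebuild a server. The script below is an added example, not from the Zoom article or from Zoom: it imports the relying party trust from Zoom's SP metadata URL, applies the wizard's default "Permit all users" authorization rule, and writes the two claim rules above in ADFS claim rule language, the same text the MMC wizard generates for those two templates. YOURVANITY is a placeholder; the mapping of the Zoom SAML tab's Security checkboxes onto the two ADFS switches at the end is my reading of what those options control, not something the article states.

```powershell
# Added example (not from the Zoom article): create the Zoom relying party trust and
# claim rules from PowerShell. Run elevated on the ADFS server.

# ADFS 2.0 ships its cmdlets as a snap-in; Windows Server 2012 R2 and later use a module.
try { Import-Module ADFS -ErrorAction Stop } catch { Add-PSSnapin Microsoft.Adfs.PowerShell }

$vanity = 'YOURVANITY'   # placeholder: your Zoom vanity subdomain

# Step 3/4: import the trust from the SP metadata Zoom publishes, as the wizard does.
Add-ADFSRelyingPartyTrust -Name 'Zoom' -MetadataUrl "https://$vanity.zoom.us/saml/metadata/sp"

# Wizard default "Permit all users to access this relying party".
$authzRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Step 5: the two rules above, in claim rule language. Rule 1 is the "Send LDAP Attributes
# as Claims" template (mail, userPrincipalName, givenName, sn); rule 2 is the
# "Transform an Incoming Claim" template that turns E-Mail Address into a Name ID.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Zoom - Send to Email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "urn:oid:2.5.4.42", "urn:oid:2.5.4.4"), query = ";mail,userPrincipalName,givenName,sn;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Zoom - Email to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

Set-ADFSRelyingPartyTrust -TargetName 'Zoom' `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules

# Optional, and my interpretation rather than the article's: if you turn these on in ADFS,
# check the matching "Sign SAML Request" / "Support Encrypted Assertions" boxes on the
# Zoom SAML tab (EncryptClaims needs an encryption certificate from the SP metadata).
# Set-ADFSRelyingPartyTrust -TargetName 'Zoom' -SignedSamlRequestsRequired $true
# Set-ADFSRelyingPartyTrust -TargetName 'Zoom' -EncryptClaims $true

# Check: Identifier should equal the SP Entity ID you selected on the Zoom SAML tab.
Get-ADFSRelyingPartyTrust -Name 'Zoom' | Select-Object Name, Identifier, IssuanceTransformRules
```

The final Get-ADFSRelyingPartyTrust call is the quickest way to confirm that the identifier ADFS imported from the metadata is the same SP Entity ID you chose in Zoom; if the two differ, the assertion's Audience will not match and Zoom rejects the login.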

Once Configured

Once you have completed the configuration steps, any user in your Active Directory should be able to log in, subject to the claim rules and mappings you have set. To test, visit http://YOURVANITY.zoom.us and select Login.

Troubleshooting Tips

Unable to log in using Google Chrome or Firefox

If you cannot log in using Chrome or Firefox, and the Event Viewer on the ADFS server shows an 'Audit Failure' event with "Status: 0xc000035b", you will need to turn off Extended Protection on the ADFS LS endpoint. That status code is STATUS_BAD_BINDINGS, which ADFS records when the request carries no valid TLS channel bindings: Chrome and Firefox do not support ADFS Extended Protection for Authentication (Internet Explorer does).

  1. Launch IIS Manager
  2. In the left panel, navigate to Sites > Default Web Site > ADFS > LS
  3. Double-click Authentication icon
  4. Right-click Windows Authentication
  5. Select Advanced Settings
  6. Turn OFF Extended Protection
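The same change can be made and, more usefully, verified from PowerShell with the WebAdministration module, so you can confirm the current value before and after instead of clicking through the dialog. This is an added example, not from the Zoom article. It assumes the IIS configuration path below (the extendedProtection element under windowsAuthentication for the Default Web Site/adfs/ls application) and that tokenChecking is the attribute the "Extended Protection" dropdown in step 6 writes; both are my assumptions about IIS, not something the article states.

```powershell
# Added example (not from the Zoom article): read and change Extended Protection for
# the ADFS LS application from PowerShell. Run elevated on the ADFS server.
Import-Module WebAdministration

# Assumption: this is where IIS keeps the setting the step-6 dialog changes.
$filter   = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
$location = 'Default Web Site/adfs/ls'
$root     = 'MACHINE/WEBROOT/APPHOST'

function Get-LsExtendedProtection {
    # tokenChecking is None, Allow or Require; Allow or Require means Extended Protection is on.
    Get-WebConfiguration -PSPath $root -Location $location -Filter $filter |
        Select-Object tokenChecking, flags
}

'Before:'; Get-LsExtendedProtection

# Equivalent of step 6 ("Turn OFF Extended Protection").
Set-WebConfigurationProperty -PSPath $root -Location $location -Filter $filter `
    -Name 'tokenChecking' -Value 'None'

'After:'; Get-LsExtendedProtection
```

Keep the "Before" output with your change record: Extended Protection is the channel-binding check that produced the 0xc000035b audit failures, so a later reviewer will want to know it was deliberately set to None on this endpoint and what it was previously.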