
Authentication Profiles for meetings and webinars

Overview

Authentication profiles allow hosts to restrict meeting participants and webinar attendees to logged-in users only and even further restrict it to Zoom users whose email address uses a certain domain. This can be useful if you want to restrict your participant list to verified users, or users from a certain organization. 

Authentication profiles do not apply to invited webinar panelists, who will have a unique join link and can be from outside of the specified domain(s). 

Note: If a participant does not have a Zoom account, they will not be able to join the meeting or webinar if this setting is enabled. 

If a participant tries to join the meeting or webinar and is not logged into Zoom, or is logged in with an email address outside the specified domain, they will receive one of the following messages:

  • If they are not logged into Zoom:
  • If they are logged in with the wrong email domain:

Authentication profiles initially need to be configured at the account level, and they can only be added at the account level. Once you have configured authentication profiles, you can disable the setting at the account level and enable it at the group or user level if you do not want it to apply to all members of your account.

Prerequisites

  • Pro, Business, Education, or Enterprise Account
  • Zoom Desktop Client:
    • Windows: 5.0.0 (23168.0427) or higher
    • macOS: 5.0.0 (23161.0427) or higher
  • Zoom Mobile Client:
    • Android: 5.0.0 (23161.0427) or higher
    • iOS: 5.0.0 (23161.0427) or higher
  • Zoom Web Client

Enabling authentication profiles 

Authentication profiles initially need to be enabled for all members of your account while you configure the profiles. Once the profiles are configured, you can disable the setting at the account level if you do not want it to apply to all members of your account.

Account

  1. Sign in to the Zoom web portal as an admin with the privilege to edit account settings.
  2. In the navigation panel, click Account Management then Account Settings.
  3. Under the Security section, verify that Only authenticated users can join meetings is enabled.
  4. If the setting is disabled, click the toggle to enable it. If a verification dialog displays, click Turn On to verify the change.
  5. (Optional) If you want to make this setting mandatory for all users in your account, click the lock icon, and then click Lock to confirm the setting.

Disabling Authentication Profiles at the account level

If you do not want authentication profiles to apply for all members of your account, you can now disable this feature at the account level and follow the steps below to enable it at the group or user level.

  1. Sign in to the Zoom web portal as an admin with the privilege to edit account settings.
  2. In the navigation panel, click Account Management then Account Settings.
  3. Under the Security section, click the toggle to disable Only authenticated users can join meetings.

Group

To enable Only authenticated users can join meetings for a group of users:

  1. Sign in to the Zoom web portal as an admin with the privilege to edit groups.
  2. In the navigation panel, click User Management then Group Management.
  3. Click the applicable group name from the list, then click the Settings tab.
  4. Under the Security section, verify that Only authenticated users can join meetings is enabled.
  5. If the setting is disabled, click the toggle to enable it. If a verification dialog displays, click Turn On to verify the change.
    Note: If the option is grayed out, it has been locked at the account level and needs to be changed at that level.
  6. (Optional) If you want to make this setting mandatory for all users in the group, click the lock icon, and then click Lock to confirm the setting.

User

To enable Only authenticated users can join meetings for your own use:

  1. Sign in to the Zoom web portal.
  2. In the navigation panel, click Settings.
  3. Under the Security section, verify that Only authenticated users can join meetings is enabled.
  4. If the setting is disabled, click the toggle to enable it. If a verification dialog displays, click Turn On to verify the change.
    Note: If the option is grayed out, it has been locked at either the group or account level. You need to contact your Zoom admin.

Creating an authentication profile (admins)

  1. Enable authentication profile at the account or group level.
  2. Click Add Configuration.
  3. Type a name for the meeting authentication option to help users identify it.
  4. For Select an authentication method, choose one of the following options:
    • Signed-in users in my account: Allows any signed-in user in the account to join the meeting or webinar.
    • Sign in to Zoom: Allows any user to join the meeting or webinar, as long as they are signed in to their Zoom account.
    • Sign in to Zoom with specified domains: Allows you to specify a rule so that only Zoom users whose email address contains a certain domain can join the meeting or webinar. You can add multiple domains separated by commas, use a wildcard for listing domains, or both. You can also upload a CSV file with the domains.
    • Sign in to Single Sign On (SSO): Allows you to specify a rule so that users need to authenticate through a 3rd-party authentication service.
  5. Click Save.
  6. To add more authentication options to choose from, click Add Configuration again.

Allowing authentication exceptions (admins)

If authentication profiles are enabled, admins can allow authentication exceptions so that guests can join meetings. For example, if a school authenticates meeting participants against its school IDP, it can create an exception to allow a guest lecturer to join the meeting.

This feature can be enabled at account or group level. Users can view the setting but not change it.

  1. Enable authentication profile at the account or group level.
  2. Make sure that Allow authentication exception is checked.
  3. Select an option to determine whether users who only join by telephone will be allowed to join the meeting if the waiting room is disabled.
    Hosts will be able to specify authentication exceptions when scheduling a meeting.

Configuring authentication profiles using external authentication (admins)

Important: For authentication profiles using Single Sign-On, this must be a separate integration that is not associated with a Zoom SSO integration already. For example:

To configure the profile using external authentication through Single Sign-on:

  1. Create a new SAML app within your SSO service provider.
  2. Sign in to the Zoom web portal as an admin with the privilege to edit account settings.
  3. In the navigation panel, click Account Management then Account Settings.
  4. Under the Security section, verify that Only authenticated users can join meetings is enabled.
  5. If the setting is disabled, click the toggle to enable it. If a verification dialog displays, click Turn On to verify the change.
  6. (Optional) If you want to make this setting mandatory for all users in your account, click the lock icon, and then click Lock to confirm the setting.
  7. Click Add configuration.
  8. Under Select an authentication method, select Sign in to external Single Sign On (SSO).
  9. Fill out the following information:
    • Sign-in page URL: Sign-in URL provided by the SSO provider
    • Identity provider certificate: X.509 certificate provided by the SSO provider
    • Issuer (IDP Entity ID):  Provided by the SSO provider
    • SAML attribute mapping for email address (optional): If you are using a different SAML value for email addresses than the standard value name, enter it here.
    • Binding: Select either HTTP-POST or HTTP-Redirect.
  10. Click Save.
  11. Under Meeting Authentication Options, click SP metadata XML to download the SP metadata.
  12. Upload the metadata into your SAML app, or open the metadata XML file and copy the following URLs and paste them into the required fields of your SAML app:

    • entityID attribute in the md:EntityDescriptor tag
    • Location attribute in the md:AssertionConsumerService tag

The following table lists where you should paste the entityID and Location URLs.

SSO provider | Field to paste entityID | Field to paste Location
G Suite      | Entity ID               | ACS URL
Clever       | ENTITY ID               | ASSERTION CONSUMER SERVICE URL

Note: Some Single Sign-On providers, like Okta, require the SP metadata to be generated before retrieving the sign-in URL, IDP certificate, and Entity ID. If your provider requires the SP metadata first, you will need to fill out the fields with dummy data initially, then download the metadata. After that, edit the profile and replace the dummy data with the real SSO configuration.
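To make step 12 concrete, the following Python example (added here, not Zoom's code) reads a downloaded SP metadata file and returns the entityID and AssertionConsumerService Location values to paste into the SAML app, rejecting metadata with a DTD or a non-HTTPS ACS URL. The sample metadata, the sp.example.test URLs, and the read_sp_metadata helper name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD_NS = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed sample; sp.example.test is a placeholder, not a real Zoom URL.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://sp.example.test/saml/entity">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def read_sp_metadata(xml_text):
    """Return the entityID and ACS endpoints to paste into the IdP's SAML app."""
    # Metadata needs no DTD; refusing one avoids entity-expansion tricks.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("unexpected DTD or entity declaration")
    root = ET.fromstring(xml_text)
    if root.tag != MD_NS + "EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("md:EntityDescriptor has no entityID")
    endpoints = []
    for acs in root.iter(MD_NS + "AssertionConsumerService"):
        location = acs.get("Location", "")
        # The IdP delivers assertions to this URL, so insist on TLS.
        if not location.startswith("https://"):
            raise ValueError("ACS Location is not https: %r" % location)
        endpoints.append({
            "location": location,
            # Keep only the short binding name, e.g. HTTP-POST.
            "binding": acs.get("Binding", "").rsplit(":", 1)[-1],
        })
    if not endpoints:
        raise ValueError("no md:AssertionConsumerService element found")
    return {"entity_id": entity_id, "acs": endpoints}


if __name__ == "__main__":
    info = read_sp_metadata(SAMPLE_SP_METADATA)
    print("Entity ID:", info["entity_id"])
    for ep in info["acs"]:
        print("ACS URL:", ep["location"], "binding:", ep["binding"])
```

Comparing these values with what the SAML app shows after you paste them catches a mistyped ACS URL before users hit a failed sign-in.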

Requiring authentication to join a meeting or webinar (users)

  1. Sign in to the Zoom web portal.
  2. Schedule a meeting or webinar.
  3. Under Meeting Options or Webinar Options, click Required authentication to join.
  4. If there are multiple Authentication Profiles configured, you can choose the authentication profile from the drop-down menu.

Adding authentication exceptions (users)

If authentication exceptions are enabled by the admin, you can specify external email addresses that can join the meeting.

  1. Sign in to the Zoom web portal.
  2. Schedule a meeting.
  3. Under Security, make sure Required authentication to join is enabled. See the previous section for more details.
  4. Next to Authentication Exception, click Add.
  5. Enter the guest participant's name and email address.
  6. Click Add Participant to add more exceptions.
  7. Click Save.