Administrator- Set Zoom with ADFS

This post was most recently updated on July 28th, 2022

Active Directory Federation Services (ADFS) allows you to set up your account to log in with single sign-on (SSO). You can use SAML mapping to assign user licenses, groups, and roles based on ADFS settings. For more information on single sign-on, please click here .



    • Zoom’s Business or Education account with an approved vanity URL
    • ADFS server access
  • Zoom Administrator or Owner Access

Settings in Zoom

  1.  Https: // [SERVER] /FederationMetadata/2007-06/FederationMetadata.Xml in ADFS XML metadata search to the Download / Views
    * [SERVER]: ADFS server (
  2. On the Zoom Admin page, click Single Sign On to display the SAML tab.
  3. Enter the following information in the SAML tab options:
    • Sign SAML Request  ]: Check this option to sign a SAML request in ADFS.
    • Support Encrypted Assertions ]: Check this option to use encrypted assertions with ADFS.
    • Enforce automatic logout after the user has been logged in for ]: Check this if you want to log out automatically after the specified period of time.
      • Sign-in page URL ]: https: // [SERVER] /adfs/ls/idpinitiatedsignon.aspx?logintoRP=[Vanity]
      • Sign-out page URL ] :   https: // [SERVER] /adfs/ls/?wa=wsignout1.0
      • Identity provider certificate ] : Use the    first X509 certificate of X509 certificate
        * XML file from XML metadata in step 1 :
        <ds: Signature xmlns: ds = “ 09 / xmldsig # “>
        <KeyInfo xmlns =” ​​ “>
      • Service Provider (SP) Entity ID  ]: Select an option without https.
      • Issuer ]: http or https: // [SERVER] / adfs / services / trust (entityID of metadata)
      • Binding ]: HTTP-POST
      • Security

Settings in ADFS

  1. Log in to the ADFS server.
  2. Open the ADFS 2.0 MMC .
  3. Add Relying Party Trust .
    Select important data about Relying Party (RP) published online or on a local network.
    Federation metadata address: https: // YOURVANITY / saml / metadata / sp

  1. Add a display name (“Zoom “) and exit the wizard with default settings.
  2. Modify the redirect and post SAML logout endpoint (right click on the newrelying party trust> Properties> Endpoints tab) URL as follows:
    https: // SERVER /adfs/ls/?wa=wsignout1.0
    Note: If you can not change the log out end-point[ Monitor Open the tab “ Automatically update relying party to cancel the check”,
    to apply the changes.
  3. 2 Add the two claim rules (request convention).
    itemconcents inputtedType
    Send LDAP Attributes as Claims
    ( Send LDAP Attributes as Claims )Name Zoom-Send to EmailMappingsE-Mail-Addresses> E-Mail AddressUser-Principal-Name> UPNGiven-Name> urn: oid:> urn: oid: Incoming Claim Transform
    (accepted request conversion)Name Zoom – Email To Name ID
    (name ID from the e-mail)Incoming claim type 
    (incoming request type)-Mail Address E
    (mail address)Outgoing claim type 
    (outgoing request type)ID Name
    (name ID)Outgoing name ID format 
    (outgoing name ID format)Email

When setting is over

Based on what you have configured, any user in Active Directory should be able to log in.

To test , select [ Login ] at

http: / / YOURVANITY .

Troubleshooting tips

Inability to login:

  • I can not log in using Google Chrome
  • I can not log in using Firefox
  • “Audit Failure” event of “Status: 0xc000035b” is displayed in the event viewer of the ADFS server


Extended protection needs to be turned off.

Chrome and Firefox do not support ADFS extended protection (IE supports it).

  1. Start IIS Manager .
  2. In the left panel, navigate to Sites > Default Web Site > ADFS > LS .
  3. Double-click the [ Authentication ] icon .
  4. Windows Authentication the] right-click and then.
  5. Select [ Advanced Settings ].
  6. Turn off [ Extended Protection ] .



Related article
[Administrator] SSO (single sign-on) settings
Cooperation with security groups on AD
[Administrator] SAML mapping (basic and advanced)
[Administrator] Set Okta with Zoom
[Administrator] Set Zoom with OneLogin