With authentication profiles, hosts can restrict meeting and webinar attendees to signed-in Zoom users, and can further restrict them to Zoom users whose email addresses match a specified domain. This is useful if, for example, you want to limit attendance to verified users in your organization or to users from a specific organization. You can also prevent users in specified domains from attending meetings and participating in webinars.
- If this setting is turned on, participants who do not have a Zoom account will not be able to take part in the meeting or webinar.
- If you used authentication exceptions for a recurring meeting series and then edited one of the meetings in that series, you must resend the authentication exception email to the participant. The link for the edited occurrence is specific to that occurrence and does not apply to any other session in the series.
- Authentication profiles can also be applied to invited webinar panelists.
Prerequisites for setting up authentication profiles
- Pro, Business, Education, or Enterprise account
- Zoom desktop client:
  - Windows: 5.0.0 (23168.0427) or higher
  - macOS: 5.0.0 (23161.0427) or higher
- Zoom mobile app:
  - Android: 5.0.0 (23161.0427) or higher
  - iOS: 5.0.0 (23161.0427) or higher
- Zoom web client
- Account owner or admin privileges, in order to make changes to your account information
Enabling or disabling authentication profiles
Individual authentication profiles must be configured on the account in order for them to work. If you do not want to apply them to all members of the account, you can disable them at the account level and enable them at the group or user level instead.
When the authentication settings are enabled but not locked, the authentication option is applied automatically when a host schedules a meeting or webinar, but the host can turn it off later. To keep these settings enabled by default and prevent hosts from disabling them, lock them.
To restrict meetings for all members of your account to authenticated users only, follow these steps:
- Sign in to the Zoom web portal as an admin with the privilege to edit account settings.
- In the navigation menu, click Account Management, then Account Settings.
- Click the Meetings tab.
- Under Security, use the following toggles to enable it:
  - Participants must be authenticated in order to join webinars: Participants will need to sign in to the Zoom account associated with the email address that was invited to the webinar. Users who do not sign in to that account will see a pop-up message informing them that they must sign in to the account associated with the invited email address.
  - Only authenticated meeting participants and webinar attendees can join meetings and webinars: Participants in meetings and webinars will have to submit their credentials through one of the authentication methods before they can join a session.
- If a verification dialog box appears, click Enable or Disable to confirm the change.
- To make this setting mandatory for all users in your account, click the lock icon, and then click Lock to confirm.
Note: After August 21, 2021, the Group Management page has been renamed to Groups. This applies if you created your Zoom account after that date and the New Admin Experience is enabled.
To enable or disable the authenticated-users-only setting for a group of users, follow these steps:
- Sign in to the Zoom web portal as an administrator with the privilege to edit groups.
- In the main menu, click User Management, then Group Management.
- Click the name of the applicable group.
- Click the Meetings tab.
- Under Security, use the following toggles to enable or disable it:
  - Participants will only be permitted to join webinars if they are authenticated: Panelists will be required to sign in to their Zoom accounts using the email address that was used to invite them to the webinar. Panelists who do not sign in to the account associated with the invited email address will see a pop-up notification stating that they must do so in order to participate in the session.
  - Only authenticated meeting participants and webinar attendees can join meetings and webinars: Webinar attendees and meeting participants will have to authenticate using one of the authentication methods before joining a webinar or meeting.
- If a verification dialog appears, click Enable or Disable to confirm the change.
- If the option you want to change is grayed out, it has been locked at the account level and needs to be changed there.
- To make the setting mandatory for all members of the group, click the lock icon, and then click Lock to confirm.
Creating an authentication profile
- Sign in to the Zoom web portal as an administrator with the privilege to edit account settings.
- Click the Account Management button on the top right corner, and then click Account Settings.
- Under Security, make sure that Only authenticated meeting participants and webinar attendees can join meetings and webinars is enabled, then click Add Configuration.
- Under Select an authentication method, choose one of the following authentication methods:
  - Sign in to Zoom: Any user who is signed in to a Zoom account can join the meeting or webinar.
  - Signed-in users in my account: Anyone who is signed in to your account can join the meeting or webinar.
  - Sign in to Zoom with specified domains:
    - Lets you specify a rule so that Zoom users whose email addresses contain a particular domain can join the meeting or webinar. To add domains, you can separate them with commas or use a wildcard to list domains. You can also upload a CSV file that contains the list of domain names.
    - Some domains cannot be added to your domain list because they are blocked.
  - Signed in to account associated with invited email:
    - Registrants for meetings and webinars can be required to sign in to the same account that they used when they registered for the meeting or webinar. A user who is authenticated with a different account, or not authenticated at all, will be directed to sign in or change accounts.
  - Sign in to external Single Sign-On (SSO):
    - Lets you specify a rule that requires users to authenticate with a third-party authentication service.
- Give the meeting authentication option a name so that participants can identify it.
- Click Save.
- (Optional) To add more authentication methods, click Add Configuration and repeat steps 4-6.
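As an added example (not Zoom's code), the following Python checks a comma-separated domain rule of the kind described under "Sign in to Zoom with specified domains" and audits a list of attendee addresses against it. It assumes that a plain entry matches only that exact domain and that a leading `*.` matches any subdomain; Zoom's own matching rules are not stated here, and every domain and address below is constructed.

```python
import re

_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
# At least two labels, so a TLD-wide entry such as "*.org" is rejected as too broad.
_DOMAIN_RE = re.compile(rf"^(\*\.)?{_LABEL}(?:\.{_LABEL})+$")

# Constructed sample input.
SAMPLE_RULE = "example.org, *.staff.example.org, *.org, not a domain"
SAMPLE_ATTENDEES = [
    "alice@example.org",
    "bob@mail.staff.example.org",
    "dave@example.org.example.net",   # contains the domain text, but is another domain
    "erin@notexample.org",
    "no-at-sign",
]


def parse_domain_rule(text):
    """Split a rule into exact domains, wildcard suffixes and rejected entries."""
    exact, wildcard, rejected = set(), set(), []
    for raw in text.split(","):
        entry = raw.strip().lower()
        if not entry:
            continue
        if not _DOMAIN_RE.match(entry):
            rejected.append(raw.strip())
        elif entry.startswith("*."):
            wildcard.add(entry[1:])       # keep the dot: ".staff.example.org"
        else:
            exact.add(entry)
    return exact, wildcard, rejected


def email_allowed(email, exact, wildcard):
    """Compare the part after the last '@' on label boundaries, never by substring."""
    local, sep, domain = email.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        return False
    return domain in exact or any(domain.endswith(sfx) for sfx in wildcard)


def audit_attendees(rule_text, emails):
    """Return (addresses outside the rule, rule entries that were rejected)."""
    exact, wildcard, rejected = parse_domain_rule(rule_text)
    return [e for e in emails if not email_allowed(e, exact, wildcard)], rejected


if __name__ == "__main__":
    print(audit_attendees(SAMPLE_RULE, SAMPLE_ATTENDEES))
```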
How to allow authentication exceptions
Admins can allow authentication exceptions on authentication profiles so that guests who are not members of your team will be able to join meetings without having to authenticate. For instance, a school can create an exception to allow a guest lecturer to join a meeting even if all participants must be authenticated against the school IDP.
- If an admin has blocked a particular domain from joining any meetings or webinars, participants matching the blocked domain can still join the meeting or webinar you are hosting if the host adds them as exceptions to the authentication rule.
- If you use authentication exceptions for a recurring meeting series and edit one occurrence, you must resend the authentication exception email to the participant for the newly edited occurrence. The link is unique to the edited occurrence and does not apply to other sessions.
You can enable this feature at either the account level or the group level. Users can view this setting but cannot change it.
- Enable authentication profiles for the account or group.
- Under Security, click Allow authentication exception.
- If waiting rooms are disabled, you can choose whether users who join only by telephone will be able to join the meeting.
As the host, you will be able to specify authentication exceptions when scheduling a meeting.
How to configure external authentication for use with authentication profiles
External authentication for authentication profiles uses Single Sign-On, but it is a separate integration from Zoom SSO and must not be associated with an existing Zoom SSO integration. Here are some examples:
- Create your own app rather than using the prebuilt app that comes with Zoom.
- You can create your own Gallery app.
- G Suite:
  - Create your own app instead of using the one that comes with Zoom.
To configure a profile to use external authentication through SSO, follow these steps:
- In your SSO service provider, create a new SAML app.
- Sign in to the Zoom web portal as an administrator with the privilege to edit account settings.
- Enable authentication profiles at the account level.
- Click Add Configuration.
- Under Select an authentication method, select Sign in to external Single Sign-On (SSO).
- Enter the following information:
  - A name for the meeting authentication option.
  - Sign-in page URL:
    - Your SSO provider will provide you with the sign-in URL.
  - Identity provider certificate:
    - Your SSO provider will provide you with an X.509 certificate.
  - Issuer (IDP Entity ID):
    - Your SSO provider will provide you with the entity ID.
  - Choose either HTTP-POST or HTTP-Redirect as the binding.
  - SAML attribute mappings (optional):
    - If you use a SAML value for email addresses other than the standard value, enter it here.
- Click the Save button.
- In the Meeting Authentication Options section, click SP metadata XML to download the SP metadata.
- Copy the following URLs into the required fields in your SAML app, or upload the metadata XML file to your SAML app:
  - The entityID attribute in the md:EntityDescriptor tag
  - The Location attribute in the md:AssertionConsumerService tag
The following table shows where to paste the entityID and the Location URL for each SSO provider.
| SSO provider | Field to paste entityID | Field to paste Location |
|---|---|---|
| G Suite | Entity ID | ACS URL |
| Clever | ENTITY ID | ASSERTION CONSUMER SERVICE URL |
If your provider requires the SP metadata first, fill out the fields with fake data initially, then download the metadata. Okta, for instance, requires the SP metadata to be generated before you can retrieve the sign-in URL, IDP certificate, and Entity ID. The next step is to replace the fake data in the profile with the real SSO configuration.
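The two values to copy from the downloaded SP metadata XML can be pulled out with a few lines of Python. This is an added example, not Zoom's tooling; the sample metadata is constructed and its host name and paths are placeholders rather than real Zoom values.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample: host name and paths are placeholders, not real Zoom values.
SAMPLE_SP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.invalid/saml/metadata">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def read_sp_metadata(xml_text):
    """Return the entityID and ACS endpoint to paste into the IdP's SAML app."""
    # SP metadata has no need for DTDs; refuse them rather than expand entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("metadata must not contain a DTD or entity declarations")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD_NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    endpoints = root.findall(".//md:AssertionConsumerService", MD_NS)
    if not entity_id or not endpoints:
        raise ValueError("entityID or md:AssertionConsumerService is missing")
    # Prefer the endpoint marked isDefault="true"; otherwise take the first.
    acs = next((e for e in endpoints if e.get("isDefault") == "true"), endpoints[0])
    location = acs.get("Location") or ""
    warnings = []
    if urlparse(location).scheme != "https":
        warnings.append("ACS Location is not an https URL")
    return {"entity_id": entity_id, "acs_url": location,
            "binding": acs.get("Binding"), "warnings": warnings}


if __name__ == "__main__":
    for key, value in read_sp_metadata(SAMPLE_SP_METADATA).items():
        print(f"{key}: {value}")
```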