A Zoom account can be configured to let users sign in through Active Directory Federation Services (ADFS) via Single Sign-On (SSO). Depending on the ADFS configuration, SAML attribute mapping can assign software licenses, groups, and roles to users. See Single Sign-On for more details.
Contents
- 1 Prerequisites for SSO with ADFS
- 2 How to configure SSO for ADFS in Zoom
- 3 How to configure SSO for Zoom in ADFS
- 4 Troubleshooting
- 4.1 Unable to log in using Google Chrome or Firefox
- 4.2 How to generate and update the X509 certificate
- 4.3 Frequently Asked Questions
- 4.4 How do I set up SSO Zoom?
- 4.5 What is the SSO button for Zoom?
- 4.6 What are the prerequisites to deploy SSO Zoom?
- 4.7 How do I enable SSO in zoom?
- 4.8 How do I configure SSO Zoom?
Prerequisites for SSO with ADFS
- A Zoom Business or Education account with an approved Vanity URL
- Access to the ADFS server
- Owner or Admin access to the Zoom account
Users whose email domain is not an approved Associated Domain are sent a confirmation email when they are provisioned on the account and must confirm it before they can sign in. Users under a domain that has already been approved for provisioning need no email confirmation.
How to configure SSO for ADFS in Zoom
- Download the ADFS federation metadata from https://[SERVER]/FederationMetadata/2007-06/FederationMetadata.xml, where [SERVER] is the hostname of your ADFS server (for example, adfs.example.com). Fetch it over HTTPS and check the server certificate: the signing certificate you copy out of this file is what Zoom will trust to validate SAML assertions, so a tampered download means trusting someone else's signing key.
- In the Zoom admin web portal, click Single Sign-On in the navigation menu.
- Click the SAML tab and enter these details:
- Sign-in page URL: https://[SERVER]/adfs/ls/idpinitiatedsignon.aspx?logintoRP=[Vanity].zoom.us
Note: the logintoRP value must match the SP Entity ID configured in Zoom. If the SP Entity ID is set to https://[vanity].zoom.us, the sign-in URL must end in "...?logintoRP=https://[vanity].zoom.us".
- Sign-out page URL: https://[SERVER]/adfs/ls/?wa=wsignout1.0
- Identity provider certificate: the X509 certificate from the XML metadata downloaded in step 1. Use the first X509Certificate element in the file, which sits under:
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>
- Service Provider (SP) Entity ID: choose the option without https (and keep the logintoRP value in the sign-in URL consistent with it, as noted above).
- Issuer: http://[SERVER]/adfs/services/trust or https://[SERVER]/adfs/services/trust, exactly as shown by the entityID attribute in the metadata.
- Binding: HTTP-POST
- Security:
- Sign SAML Request: check this if you configure ADFS to require signed SAML requests from Zoom.
- Support Encrypted Assertions: check this if you configure ADFS to encrypt assertions for Zoom. Both settings must match what the relying party trust in ADFS expects, or sign-in will fail.
- Enforce automatic logout after the user has been logged in for: check this to force users to sign in again after the chosen period.
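The values above can be read out of the federation metadata instead of copied by hand. The following PowerShell script is an added example, not part of the original article or of Zoom's or Microsoft's documentation; the hostname adfs.example.com is an assumption. It fetches the metadata over HTTPS, prints the entityID (the Issuer field), the HTTP-POST sign-in endpoint, and the token-signing certificate(s) ADFS advertises in its IDPSSODescriptor, and warns when more than one signing certificate is published, which is what ADFS does while automatic certificate rollover is in progress.

```powershell
# Added example: read Zoom's SAML settings out of ADFS federation metadata.
# The ADFS hostname is an assumption; replace it with your [SERVER].
$AdfsHost    = "adfs.example.com"
$MetadataUrl = "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml"

# Invoke-WebRequest validates the TLS certificate by default. Do not add
# -SkipCertificateCheck here: the certificate extracted below is what Zoom will
# trust, so the download itself must be trustworthy.
$xml = [xml](Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing).Content

$ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

# Issuer field in Zoom = entityID attribute of the EntityDescriptor root element.
$issuer = $xml.DocumentElement.GetAttribute("entityID")

# Sign-in endpoint for the HTTP-POST binding Zoom is configured to use.
$postBinding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
$ssoNode = $xml.SelectSingleNode(
    "//md:IDPSSODescriptor/md:SingleSignOnService[@Binding='$postBinding']", $ns)
$ssoUrl = if ($ssoNode) { $ssoNode.GetAttribute("Location") } else { "(not advertised)" }

# Token-signing certificate(s): the KeyDescriptor use="signing" entries under the
# IDPSSODescriptor are the keys Zoom must trust to verify assertion signatures.
$certNodes = $xml.SelectNodes(
    "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)

"Issuer (entityID): $issuer"
"HTTP-POST sign-in: $ssoUrl"
"Signing certs:     $($certNodes.Count)"
if ($certNodes.Count -gt 1) {
    Write-Warning "More than one signing certificate is published (rollover in progress). Zoom holds one; use the primary, or turn on automatic certificate management in the Zoom portal."
}

$i = 0
foreach ($node in $certNodes) {
    $i++
    $der  = [Convert]::FromBase64String(($node.InnerText -replace '\s', ''))
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    ""
    "--- Signing certificate $i ---"
    "Subject:    $($cert.Subject)"
    "Thumbprint: $($cert.Thumbprint)"
    "NotAfter:   $($cert.NotAfter.ToString('u'))"
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Certificate $i expires within 30 days; schedule the update in the Zoom portal."
    }
    # PEM form, ready to paste into Zoom's Identity provider certificate field.
    "-----BEGIN CERTIFICATE-----"
    [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks)
    "-----END CERTIFICATE-----"
}
```

The article's instruction to copy the first X509Certificate in the file points at the KeyInfo of the metadata's own signature; ADFS signs its metadata with the token-signing certificate, so the two normally agree. Reading the IDPSSODescriptor signing keys instead makes the intent explicit and shows the secondary certificate when one exists, which is the usual reason a working Zoom SSO setup suddenly fails after an ADFS rollover.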
How to configure SSO for Zoom in ADFS
- Log in to your ADFS server.
- Open the AD FS 2.0 Management console (MMC).
- Add a Relying Party Trust:
- Select "Import data about the relying party published online or on a local network".
- Federation metadata address: https://YOURVANITY.zoom.us/saml/metadata/sp
- Add a display name ("Zoom") and finish the wizard with the default settings (the default issuance authorization rule permits all users to access the relying party).
- Add two claim rules:
- Type: Send LDAP Attributes as Claims
- Name: Zoom - Send to Email
- Mappings:
- E-Mail-Addresses > E-Mail Address
- User-Principal-Name > UPN
- Given-Name > urn:oid:2.5.4.42
- Surname > urn:oid:2.5.4.4
- Type: Transform an Incoming Claim
- Name: Zoom - Email to Name ID
- Incoming claim type: E-Mail Address
- Outgoing claim type: Name ID
- Outgoing name ID format: Email
After these steps any Active Directory user should be able to sign in to Zoom. Test it by browsing to https://YOURVANITY.zoom.us and signing in with SSO.
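The same relying party trust and both claim rules, created from the ADFS PowerShell module instead of the wizard. This is an added example, not code from the original article or from Zoom; YOURVANITY is an assumption, and the `Add-AdfsRelyingPartyTrust`/`Set-AdfsRelyingPartyTrust` cmdlets require the ADFS module shipped with Windows Server 2012 R2 or later. On an ADFS 2.0 server the two rule texts can instead be pasted into Edit Claim Rules > View Rule Language. The closing `Set-AdfsRelyingPartyTrust` call mirrors the Security checkboxes on Zoom's SAML tab; apply it only if those boxes are checked in Zoom and the imported SP metadata supplied an encryption certificate.

```powershell
# Added example: create the Zoom relying party trust and its two claim rules
# from PowerShell. YOURVANITY is an assumption; replace it with your vanity name.
$Vanity      = "YOURVANITY"
$MetadataUrl = "https://$Vanity.zoom.us/saml/metadata/sp"

$emailType  = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$upnType    = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
$nameIdType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
$winAcct    = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"

# Rule 1 = "Zoom - Send to Email" (Send LDAP Attributes as Claims), the four
# mappings from the GUI steps. Rule 2 = "Zoom - Email to Name ID" (Transform an
# Incoming Claim) emitting Name ID in the email format.
$transformRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Zoom - Send to Email"
c:[Type == "$winAcct", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$emailType", "$upnType", "urn:oid:2.5.4.42", "urn:oid:2.5.4.4"), query = ";mail,userPrincipalName,givenName,sn;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Zoom - Email to Name ID"
c:[Type == "$emailType"]
 => issue(Type = "$nameIdType", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
"@

# Wizard default: permit every authenticated user. Replace with a group-based
# rule if only part of the directory should be able to reach Zoom.
$authzRules = @"
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Import Zoom's SP metadata (identifier, endpoints, certificates) and keep it
# monitored so later changes on Zoom's side are picked up automatically.
Add-AdfsRelyingPartyTrust -Name "Zoom" `
    -MetadataUrl $MetadataUrl `
    -MonitoringEnabled $true -AutoUpdateEnabled $true `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Match the Security section of Zoom's SAML tab: "Sign SAML Request" on the Zoom
# side corresponds to SignedSamlRequestsRequired here, "Support Encrypted
# Assertions" to EncryptClaims. Leave these at their defaults if the Zoom boxes
# are unchecked; a mismatch on either side breaks sign-in.
Set-AdfsRelyingPartyTrust -TargetName "Zoom" `
    -SignedSamlRequestsRequired $true `
    -EncryptClaims $true `
    -SamlResponseSignature "MessageAndAssertion"

# Review what was created before testing a login.
Get-AdfsRelyingPartyTrust -Name "Zoom" |
    Select-Object Name, Identifier, SignedSamlRequestsRequired, EncryptClaims, SamlResponseSignature
```

The Name ID rule is the one that matters for account matching: Zoom keys the user on the Name ID value, so whatever attribute is transformed there (E-Mail Address here) must be populated and unique for every user who will sign in, or logins will fail or, worse, two directory users will map onto one Zoom account.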
Troubleshooting
Unable to log in using Google Chrome or Firefox
If Chrome or Firefox users cannot log in to the ADFS server and the Security event log shows an Audit Failure with status 0xc000035b, the cause is Extended Protection for Authentication. ADFS 2.0 enables it on the Windows Authentication endpoint; Internet Explorer supports it, but Chrome and Firefox do not, so their Integrated Windows Authentication attempts are rejected. Turn Extended Protection off for the ADFS LS application:
- Open IIS Manager.
- In the left panel, navigate to Sites > Default Web Site > adfs > ls.
- Double-click the Authentication icon.
- Right-click Windows Authentication and select Advanced Settings.
- Set Extended Protection to Off.
Extended Protection binds the Kerberos or NTLM authentication to the TLS channel, which blocks relaying captured Windows credentials to the ADFS endpoint, so switching it off lowers that bar. Prefer Accept over Off where the dropdown offers it: Accept keeps channel binding for clients that send it and still admits clients that do not.
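The same change from PowerShell, useful when several ADFS 2.0 servers need the setting applied or audited. This is an added example, not from the original article or from Microsoft; the site name and application path are assumptions matching the IIS Manager steps above. The `tokenChecking` values map to the GUI as follows: Require = Required, Allow = Accept, None = Off.

```powershell
# Added example: set IIS Extended Protection on the ADFS 2.0 /adfs/ls application.
# Site and path are assumptions matching the IIS Manager steps above.
Import-Module WebAdministration

$psPath = "IIS:\Sites\Default Web Site\adfs\ls"
$filter = "system.webServer/security/authentication/windowsAuthentication"

# Current value: Require (IE only), Allow (GUI "Accept"), None (GUI "Off").
$before = Get-WebConfiguration -PSPath $psPath -Filter "$filter/extendedProtection"
"Before: tokenChecking = $($before.tokenChecking)"

# "Allow" keeps channel binding for clients that support it and admits the rest;
# fall back to "None" only if Chrome/Firefox logins still fail with Allow.
Set-WebConfigurationProperty -PSPath $psPath -Filter $filter `
    -Name "extendedProtection.tokenChecking" -Value "Allow"

$after = Get-WebConfiguration -PSPath $psPath -Filter "$filter/extendedProtection"
"After:  tokenChecking = $($after.tokenChecking)"

# On ADFS 3.0 and later (Windows Server 2012 R2+) ADFS no longer runs under IIS;
# the equivalent setting is a farm property instead:
#   Set-AdfsProperties -ExtendedProtectionTokenCheck Allow
```

Record the before value when you change it: if the browser problem turns out to have another cause, restoring the original setting is a one-line change, and a ticket trail explains why channel binding was relaxed on an authentication endpoint.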
How to generate and update the X509 certificate
If the Identity Provider certificate in Zoom needs to be updated (for example because the ADFS token-signing certificate has rolled over or is about to expire), generate a new certificate in ADFS following the instructions on the Microsoft Support site. Then edit the SSO configuration in the Zoom portal and replace the existing certificate with the newly generated one. Until the Zoom side is updated, assertions signed with the new certificate are rejected and SSO logins fail.
Frequently Asked Questions
How do I set up SSO Zoom?
In the Zoom app:
- Tap SSO.
- Enter your company domain. Ask your Zoom admin for the domain if you do not know it; you can also enter your email address instead.
- Click Continue. You will be redirected to your single sign-on provider.
With single sign-on (SSO), users log in to Zoom using their company credentials.
What are the prerequisites to deploy SSO Zoom?
ADFS SSO prerequisites:
- A Zoom Business or Education account with an approved vanity URL.
- Access to the ADFS server.
- Owner or administrator access to the Zoom account.
How do I enable SSO in zoom?
To enable or disable automatic rotation of SSO certificates:
- Sign in to the Zoom web portal.
- In the navigation menu, click Advanced, then Single Sign-On.
- Click Edit in the upper-right corner.
- In the Service Provider (SP) Entity ID section, check or uncheck Automatically manage certificates.
How do I configure SSO Zoom?
In the Zoom app:
- Tap SSO.
- Enter your company domain. Contact your Zoom administrator if you do not have it; you can also enter your email address instead.
- Click Continue. You will be redirected to your single sign-on provider.