How to Configure Zoom with Shibboleth

This post was most recently updated on July 23rd, 2022

Configuring Zoom with Shibboleth

Overview

Zoom can be integrated with Shibboleth so that users sign in to their Zoom account with their organization’s Shibboleth credentials through Single Sign-On (SSO), which Zoom supports. Using SAML attributes, you can assign users Zoom licenses, add-on plans, roles and groups, as well as the features available in each.

Prerequisites

  • Be the owner or an administrator of the Zoom account.
  • An account that is approved for business use and has a Vanity URL.

Note:

If a user’s email domain is not an approved Associated Domain, the user is sent an email at the address on the account they created, asking them to confirm that they want to register for the account. Users whose email domain is approved are provisioned automatically without any email confirmation.

Instructions

Configuring your SSO Information with Zoom

  1. Obtain your organization’s IdP metadata and configure your SSO settings from it. The metadata is usually located at https://IdP.DomainName/idp/shibboleth and can be opened in any web browser.
  2. Log in to your Zoom web portal and navigate to the Single Sign-On page.
  3. Fill in the SSO settings from your metadata as follows:
    • Sign-in page URL: the value after Location= in the SingleSignOnService entry for the binding you will use, either POST Binding or Redirect Binding.
    • Sign-out page URL: optional. If you want to enter a Sign-out page URL, use the value after Location= in the SingleLogoutService entry for the matching binding (POST or Redirect).
    • Identity Provider Certificate: wherever an X509 certificate is required, use the first one that appears in your metadata.
    • Service Provider (SP) Entity ID: make sure you select the SP Entity ID that includes https://, for instance https://yourVanityURL.zoom.us
    • Issuer (IDP Entity ID): enter the full Entity ID exactly as given in the IdP metadata, for example https://IdP.yourorganization/idp/shibboleth
    • Binding: choose POST or Redirect to match the sign-in page URL you entered.
    • Support Encrypted Assertions: check this unless you have disabled Shibboleth’s support for encrypted assertions.

    • Note: When CAS is used with Shibboleth, use the HTTP-Redirect binding for authentication.
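The values in step 3 all come from the IdP metadata document, and copying them by hand from a browser is where most typos happen. The following script is an added example, not part of the original post: it parses an IdP metadata document with the Python standard library and pulls out the Issuer (entityID), the SingleSignOnService and SingleLogoutService locations for the chosen binding, and the first X509Certificate, which is the one the post says to paste into Zoom. The metadata, hostnames and certificate text below are constructed placeholders; the binding URNs and element names are the standard SAML 2.0 ones.

```python
"""Extract the values Zoom's Single Sign-On page asks for from Shibboleth IdP metadata.

Added example (not from the original post). Reads an IdP EntityDescriptor
and returns the Issuer, sign-in/sign-out URLs for one binding, the binding
name, and the first certificate in document order.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample metadata: idp.example.edu and the certificate bodies are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...FIRSTCERT...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...SECONDCERT...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SLO"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.edu/idp/profile/SAML2/POST/SLO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.edu/idp/profile/SAML2/POST/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def endpoints(idp, tag):
    """Map binding URN -> Location for every <md:tag> child of the IdP descriptor."""
    return {e.get("Binding"): e.get("Location") for e in idp.findall(f"md:{tag}", NS)}


def zoom_sso_values(metadata_xml, binding=POST):
    """Return the fields to enter on Zoom's Single Sign-On page.

    `binding` selects the POST or Redirect endpoints; the post notes that a
    CAS-backed Shibboleth IdP should use HTTP-Redirect.
    """
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor (is this SP metadata?)")
    sso = endpoints(idp, "SingleSignOnService")
    slo = endpoints(idp, "SingleLogoutService")
    if binding not in sso:
        raise ValueError(f"IdP does not offer single sign-on over {binding}")
    # The post says to use the first certificate that appears in the metadata.
    certs = idp.findall(".//ds:X509Certificate", NS)
    if not certs:
        raise ValueError("no X509Certificate in metadata")
    return {
        "issuer": root.get("entityID"),
        "sign_in_url": sso[binding],
        "sign_out_url": slo.get(binding),  # optional in Zoom; None if the IdP has no SLO
        "binding": "Redirect" if binding == REDIRECT else "POST",
        "certificate": "".join(certs[0].text.split()),  # strip PEM line wrapping
    }


if __name__ == "__main__":
    for field, value in zoom_sso_values(SAMPLE_METADATA).items():
        print(f"{field}: {value}")
```

Run it against your own metadata by replacing SAMPLE_METADATA with the document fetched from your IdP; pass `binding=REDIRECT` if you chose the Redirect binding in Zoom so that the sign-in and sign-out URLs come from the same binding.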

Configuring your Zoom Metadata in Shibboleth

  1. Download the Zoom SP metadata from https://yourVanityURL.zoom.us/saml/metadata/sp
  2. Configure Shibboleth to trust the Zoom metadata by adding a MetadataProvider element to relying-party.xml that points at the downloaded file.
    Example:
    <!-- Loads the Zoom SP metadata downloaded in step 1 from the local filesystem -->
    <MetadataProvider id="Zoom_SP_Metadata" xsi:type="ResourceBackedMetadataProvider"
                      xmlns="urn:mace:shibboleth:2.0:metadata">
        <MetadataResource xsi:type="resource:FilesystemResource"
                          file="/var/shibboleth-idp/metadata/zoom_sp_metadata.xml" />
    </MetadataProvider>
  3. At a minimum, your IdP must release the email address SAML attribute (marked * below).
    Attribute        Common SAML Attribute Name
    Email Address*   urn:oid:0.9.2342.19200300.100.1.3
    First Name       urn:oid:2.5.4.42
    Last Name        urn:oid:2.5.4.4

    If eduPersonPrincipalName is formatted as an email address, it can be used instead, with the SAML attribute name urn:oid:1.3.6.1.4.1.5923.1.1.1.6

    You can do this by adding a new element under the AttributeFilterPolicy section of the attribute-filter.xml file.
    Example:
    <AttributeFilterPolicy id="releaseToZoom">
        <!-- Release only to Zoom: the value must match the SP Entity ID exactly, including https:// -->
        <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://yourVanityURL.zoom.us" />
        <AttributeRule attributeID="email">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>
        <AttributeRule attributeID="givenName">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>
        <AttributeRule attributeID="surname">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>
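Once the release policy is in place, the useful check is whether the assertion Zoom actually receives carries the attributes in the table above under the expected OIDs. The script below is an added example, not part of the original post: it reads a SAML 2.0 assertion that you have already decrypted and signature-verified (for example one captured from a test SP or the IdP’s own logs), looks up the email, first-name and last-name attributes by OID, and applies the ePPN rule from step 3: eduPersonPrincipalName only counts as a usable email identifier if its value is formatted as an email address. The two assertions embedded in it are constructed samples with placeholder users and an idp.example.edu issuer.

```python
"""Check that a SAML assertion releases the attributes Zoom needs.

Added example (not from the original post). Operates on an already decrypted
and signature-verified assertion; it inspects attributes only and is not a
SAML validator.
"""
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

EMAIL_OID = "urn:oid:0.9.2342.19200300.100.1.3"      # mail (required by Zoom)
EPPN_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"        # eduPersonPrincipalName
OPTIONAL = {"urn:oid:2.5.4.42": "givenName", "urn:oid:2.5.4.4": "surname"}

# Simple shape check: local-part@domain with a dot in the domain.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample: releases all three attributes the post lists.
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder-id" Version="2.0" IssueInstant="2022-07-23T00:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
      <saml:AttributeValue>jdoe@example.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42" FriendlyName="givenName">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.4" FriendlyName="sn">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Constructed sample: no mail attribute, and an ePPN that is not an email address.
BAD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder-id-2" Version="2.0" IssueInstant="2022-07-23T00:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def attributes(assertion_xml):
    """Map attribute Name (the OID URN) -> list of string values in the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    out = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        out.setdefault(attr.get("Name"), []).extend(values)
    return out


def check_zoom_attributes(assertion_xml):
    """Return (email, problems): email is the address Zoom will key the user on, or None."""
    attrs = attributes(assertion_xml)
    problems = []
    email = None
    if attrs.get(EMAIL_OID):
        email = attrs[EMAIL_OID][0]
    elif attrs.get(EPPN_OID):
        # ePPN is acceptable only when it is formatted as an email address.
        email = attrs[EPPN_OID][0]
        if not EMAIL_RE.match(email):
            problems.append(f"ePPN {email!r} is not formatted as an email address")
            email = None
    else:
        problems.append(f"no email ({EMAIL_OID}) and no ePPN ({EPPN_OID}) released")
    if email and not EMAIL_RE.match(email):
        problems.append(f"email value {email!r} is not a valid address")
        email = None
    for oid, name in OPTIONAL.items():
        if not attrs.get(oid):
            problems.append(f"{name} ({oid}) not released; Zoom will leave it empty")
    return email, problems


if __name__ == "__main__":
    for label, doc in (("good", GOOD_ASSERTION), ("bad", BAD_ASSERTION)):
        email, problems = check_zoom_attributes(doc)
        print(f"{label}: email={email} problems={problems}")
```

The first-name and last-name findings are reported but do not make the check fail, matching the post’s statement that only the email address is mandatory.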

Testing your Configuration

Test SSO by signing in to the Zoom client with the SSO option using your Vanity URL, or by signing in at your Vanity URL on the Zoom website.