This post was most recently updated on July 23rd, 2022
To enable single sign-on (SSO) for your Google Workspace / Google Apps organization, you set up a default user type, which enables provisioning via SSO and SAML mapping. Users can also log in with their Google account, which does not require any further configuration on your part.
Prerequisites for managing Zoom with Google Workspace for SSO
- Access to the Google Admin console for your domain
- A business or educational account that has been approved by Google
- Account owner or administrator privileges in Zoom
When a domain is not approved, users must confirm by email that they are authorized to use the account; the confirmation email is sent to the user automatically. Users who fall under an approved domain have their accounts provisioned without an email confirmation.
How to configure SSO via SAML for Zoom
Set up Google as a SAML identity provider
- Log in to the Google Admin console as an administrator.
- Go to the Admin Console dashboard, then click the Apps tab, then Web and Mobile Apps.
- When you get to the Add App page, enter Zoom and click OK.
- From the Web SAML options, select Zoom.
- The Google IDP Information window opens, and the Single Sign-On URL and Entity ID URL fields populate automatically.
- Copy the Google SSO URL, the Entity ID, and the certificate text between the “BEGIN CERTIFICATE” and “END CERTIFICATE” tags. You will enter these values in step 4 of Configure SAML information from Google.
- Please click the Continue button.
- This will open a new window where you will need to enter the following information:
  - ACS URL: https://vanityurl.zoom.us/saml/SSO
  - Entity ID: https://vanityurl.zoom.us
  - Start URL: Leave blank
- Click the Continue button.
- You can use the following configuration for basic mapping, or configure attributes as needed:
  - First name: userName
  - Last name: userLast
  - Primary email: userEmail
- Please click the Finish button.
- Make sure you follow the steps in the next section.
Set up Zoom as a SAML service provider
Configure SAML information from Google
- Log in to the Zoom web portal as an administrator.
- Select the Advanced tab from the navigation menu, then click Single Sign-On.
- Click the SAML tab to configure SSO manually.
- Enter the information you copied in step 6 of Set up Google as a SAML identity provider:
  - Service Provider (SP) Entity ID: Enter https://vanityurl.zoom.us or paste the Entity ID that you have.
  - Sign-in Page URL: Enter the SSO URL that you have.
  - Identity Provider Certificate: Paste the certificate text into this field, and make sure only the text between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags is provided.
  - Binding: The default value can be left unchanged.
  - Security options:
    - Sign SAML request: Make sure the checkbox is cleared.
    - Sign SAML Logout request: Make sure the checkbox is cleared.
    - Support encrypted assertions: Make sure it is unchecked.
    - Enforce automatic logout after user has been logged in for: Check this box and select the length of time the user should be logged in for.
    - Save SAML response logs on user sign-in: Select this option so that the logs are saved.
  - Provision User: Choose At Sign-In (Default).
- Click the Save Changes button to save the changes.
Complete SAML response mapping
Zoom users are configured based on the attributes mapped from Google. For details, see the instructions on setting up SAML mappings.
How to enable the Zoom app in Google
Google’s documentation for the Zoom cloud application will assist you in enabling the Zoom app in your Google Admin console.
How to troubleshoot common errors with setting up SAML mapping with Zoom and Google
Post (vanity URL) 404 (not found): Verify that the URL for the ACS has been set correctly. In this example, you should see something similar to: https://vanityurl.zoom.us/saml/SSO
Error 403: not_a_saml_app or app_not_configured_for_user: The settings may have taken a little longer than expected to synchronize. For future troubleshooting, make sure the option to save SAML response logs on user sign-in is enabled, so that you can check the logs whenever you need to.
App not configured: Verify that the Entity ID URL in Google and Zoom are the same.
Metadata for issuer https://accounts.google.com/o/saml2?idpid=(unique idpid) wasn’t found (-1): Make sure the issuer you entered matches the one in the metadata. The URL will be almost identical to that of the sign-in page, but there are a few subtle differences.
Other errors: Please make sure that the ACS URL is https://vanityurl.zoom.us/saml/SSO with the SSO portion capitalized.
Zoom Support can assist you with additional troubleshooting if needed.
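The mismatches listed above can be caught before saving the settings. The following is an added example, not code from Zoom or Google: the dictionary keys, the function names and the sample values (including the `idpid=EXAMPLE` URLs and the placeholder certificate) are constructed for illustration.

```python
import base64
import re
from urllib.parse import urlsplit

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def certificate_body(text):
    """Return only the base64 text between the BEGIN/END CERTIFICATE tags."""
    match = PEM_RE.search(text)
    body = "".join((match.group(1) if match else text).split())
    if not body or "-----" in body:
        raise ValueError("empty certificate or unbalanced BEGIN/END tags")
    base64.b64decode(body, validate=True)  # binascii.Error is a ValueError
    return body

def check_settings(google, zoom):
    """Return a list of findings; an empty list means the values agree."""
    findings = []
    acs = urlsplit(google["acs_url"])
    # URL paths are case-sensitive: /saml/sso is not /saml/SSO.
    if acs.scheme != "https" or acs.path != "/saml/SSO":
        findings.append("acs_url: must be https and end in /saml/SSO (capital SSO)")
    if google["entity_id"] != zoom["sp_entity_id"]:
        findings.append("entity_id: Google and Zoom values differ")
    # The issuer looks almost like the sign-in page URL but is not the same value.
    if zoom["issuer"] == zoom["sign_in_url"]:
        findings.append("issuer: same as sign-in page URL; copy the Entity ID instead")
    try:
        certificate_body(zoom["certificate"])
    except ValueError as exc:
        findings.append(f"certificate: {exc}")
    return findings

# Constructed sample values (placeholders, not a real tenant or certificate).
SAMPLE_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{SAMPLE_B64}\n-----END CERTIFICATE-----\n"
GOOGLE = {"acs_url": "https://vanityurl.zoom.us/saml/SSO",
          "entity_id": "https://vanityurl.zoom.us"}
ZOOM = {"sp_entity_id": "https://vanityurl.zoom.us",
        "sign_in_url": "https://accounts.google.com/o/saml2/idp?idpid=EXAMPLE",
        "issuer": "https://accounts.google.com/o/saml2?idpid=EXAMPLE",
        "certificate": certificate_body(SAMPLE_PEM)}

if __name__ == "__main__":
    for finding in check_settings(GOOGLE, ZOOM) or ["no mismatches found"]:
        print(finding)
```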