SSO certificate rotation in Zoom

Recent versions of Zoom have enhanced Single Sign-On (SSO) certificate support: account owners and administrators can have Zoom update the service provider certificate automatically when a new one becomes available, instead of updating it manually. Administrators can also roll back their SSO configuration and revert to a previous certificate if they prefer.

Note: To comply with standard industry practice, Zoom is retiring its single sign-on (SSO) certificate, which expires on Wednesday, February 2, 2022. To avoid any interruption in service and keep SSO logins to Zoom working, take the following actions before the certificate is rotated:

  • If your Zoom account uses an identity provider (IDP) or configuration that can update metadata dynamically, no action is needed. Your IDP will download the current Zoom certificate and rotate it into your account’s configuration automatically as of Saturday, January 8, 2022. In the Service Provider (SP) Certificate section of the Single Sign-On settings you will then see the following:
    • The SSL certificate of Zoom expires on January 4th, 2023, 12:00 UTC.
    • The option of automatically managing the certificate is checked.
    • If you do not use a service provider certificate in your IDP implementation, the options listed below will not appear in your web portal and no further action is needed.
  • If any of the following security options are selected in your Zoom SSO setup, action is required to keep Single Sign-On working:
    • Sign SAML request
    • Sign SAML Logout request
    • Support encrypted assertions
  • If you turn off automatic updates, or your IDP does not support automatic certificate rotation, you need to act between January 8 and February 2, 2022. When you start the certificate rotation in the Zoom web portal, the new certificate is selected by default in the Single Sign-On settings; on the same page, Zoom also lets you change the certificate it uses when interacting with your IDP. Once the switch to the new certificate is complete, your users can continue to sign in to Zoom using SSO.

Prerequisites

  • Admin or owner privileges in Zoom
  • Business or Education account with an approved Vanity URL

New SSO certificate management options

Service provider certificate

The service provider’s certificate is used to sign the SAML requests, and the SAML logout requests, that Zoom sends to your IDP. The certificate Zoom uses and the one configured in your IDP must be identical, because both sides rely on the SAML signatures to verify the authentication and logout exchanges. If the certificate in your IDP does not match the one Zoom is using, your IDP may return an error and users will not be able to log in.

You can find the certificate in the Zoom SAML metadata at https://yourvanityurl.zoom.us/saml/metadata/sp.

Automatically manage the certificate

Status and behavior:

  • On (Default): If the latest certificate in the Zoom metadata is not currently selected as the SAML certificate, it is added as a second certificate.

    If your IDP is set to monitor the Zoom metadata URL and supports encrypted assertions, Zoom will attempt to rotate (update) the certificate automatically. The “Support encrypted assertions” option must be turned on in the IDP configuration menu.

  • Off: Only one certificate is set in the SSO settings for the Zoom metadata. Zoom will not switch to a new certificate automatically when one becomes available.

ADFS certificate rotation

If relying party monitoring is not enabled on your ADFS server, you may need to update the certificate of the Zoom relying party trust yourself from the Zoom SAML metadata URL.

Automatically update the certificate via metadata URL

You can enable the ADFS monitoring option by following these steps:

  1. Log in to your ADFS server.
  2. Open Administrative Tools, then the AD FS Management Console (MMC).
  3. In the left navigation, click Trust Relationships, then Relying Party Trusts.
  4. Right-click the Relying Party Trust for Zoom and select Properties.
  5. On the Monitoring tab, enter your Zoom SAML metadata URL (for example, https://yourvanityurl.zoom.us/saml/metadata/sp).
  6. Enable the Monitoring Relying Parties option.
  7. Then click the Apply button.

Manually update the certificate via metadata URL

To update the certificate manually from the metadata URL, follow these steps:

  1. Sign in to the Zoom web portal with your email address and password.
  2. Click Advanced, then Single Sign-On.
  3. Click Edit and then select Zoom Certificate (Expires on 01/04/2023 UTC) from the list of certificate options in the Service Provider (SP) certificate section.
    This updates the Zoom certificate to the latest one (the one whose expiration date is farthest away).
  4. Sign in to your ADFS server.
  5. Open Administrative Tools, then the AD FS Management Console (MMC).
  6. Select Trust Relationships in the left navigation, then click Relying Party Trusts in the right navigation.
  7. Select RELYING PARTY TRUST – Zoom in the window at the bottom right, then click Properties.
  8. Enter the URL of your Zoom SAML metadata (https://yourvanityurl.zoom.us/saml/metadata/sp).
  9. Click the Test URL button.
  10. Once the URL has been validated, click OK, then Apply.
  11. When you are finished, click Close.
  12. Right-click the Relying Party Trust for Zoom and click Update from Federation Metadata.
  13. Click Update Identifiers.
  14. The Encryption and Signature tabs of the Properties window should now show the new certificate’s Effective and Expiration dates.
    Note: If Support encrypted assertions is not enabled in your SSO settings, the Encryption tab may show only one certificate, or none. The same applies to the Signature tab if Sign SAML Request or Sign SAML Logout Request is not enabled.

To confirm that SSO is working properly, Zoom recommends performing a couple of test logins after updating the certificate.

Troubleshooting errors in ADFS log

Signing certificate error MSIS3015

Microsoft.IdentityServer.Service.SecurityTokenService.RevocationValidationException: MSIS3015: The signing certificate of the claims provider trust ‘xxxxxxxx.zoom.us’ identified by thumbprint ‘175F66EE7911A55ECF3549280C85A0BB941CEC16’ is not valid.

Encryption certificate error MSIS3014

Microsoft.IdentityServer.Service.SecurityTokenService.RevocationValidationException: MSIS3014: The encryption certificate of the relying party trust ‘microsoft:identityserver:xxxxxxx.zoom.us’ identified by thumbprint ‘175F66EE7911A55ECF3549280C85A0BB941CEC16’ is not valid.

Either of these errors typically indicates that the certificate has been revoked, has expired, or is not trusted through the certificate chain. To rule out certificate-related errors, roll back to the previous certificate and re-test. Once the errors are resolved, update your certificate again from the metadata URL.
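The two checks the sections above ask for, that the certificate in your IDP matches what Zoom publishes in its SP metadata and that the thumbprint quoted in an MSIS3014/MSIS3015 event is still current, as an added example that is not Zoom's, Microsoft's or Shibboleth's code. It parses an SP metadata document of the shape served at https://yourvanityurl.zoom.us/saml/metadata/sp, reports the SHA-1 thumbprint (the form ADFS prints) and expiry of each certificate, picks the one with the farthest expiry (the selection the portal makes on rotation), and classifies an event thumbprint as current, expired, or not present in the metadata. The metadata document, both certificates (unsigned DER skeletons with the real X.509 field layout) and the fixed clocks are constructed fixtures; the only page values used are the metadata URL shape and the MSIS3015 message. The parsing generalises beyond the fixture: feeding it a live metadata document with the standard SAML 2.0 metadata and XML-DSig namespaces gives the same report.

```python
"""Added example, standard library only: check Zoom SP metadata certificates
against the thumbprint an ADFS MSIS3014/MSIS3015 event reports.  All inputs
below are constructed fixtures, not real Zoom metadata or certificates."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def der(tag, body):
    """Encode one DER TLV (used only to build the fixture certificates)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def read_tlv(buf, pos):
    """Decode the TLV at buf[pos]: returns (tag, value bytes, next position)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                       # long-form length
        nbytes = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def children(body):
    """All TLVs contained in a constructed value, in order."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out


def fixture_cert(not_before, not_after):
    """Constructed, unsigned X.509 skeleton with the real field layout (fixture only)."""
    sha256_rsa = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    rsa = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sha256_rsa
              + der(0x30, b"")                                           # issuer (empty)
              + der(0x30, der(0x17, not_before) + der(0x17, not_after))  # validity
              + der(0x30, b"")                                           # subject (empty)
              + der(0x30, rsa + der(0x03, b"\x00" + der(0x30, b""))))    # SPKI
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00" * 9))


def cert_not_after(cert_der):
    """notAfter from TBSCertificate.validity, as an aware UTC datetime."""
    _, cert_body, _ = read_tlv(cert_der, 0)
    _, tbs_body, _ = read_tlv(cert_body, 0)
    fields = children(tbs_body)
    if fields[0][0] == 0xA0:               # skip the optional [0] version
        fields = fields[1:]
    tag, raw = children(fields[3][1])[1]   # serial, sigAlg, issuer, validity -> 2nd Time
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def thumbprint(cert_der):
    """SHA-1 of the DER bytes in upper-case hex, as ADFS displays it."""
    return hashlib.sha1(cert_der).hexdigest().upper()


def sp_certificates(metadata_xml):
    """Every X509Certificate under SPSSODescriptor, with use, thumbprint and expiry."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.findall("md:SPSSODescriptor/md:KeyDescriptor", NS):
        for node in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            cert_der = base64.b64decode("".join(node.text.split()))
            certs.append({"use": kd.get("use", "signing+encryption"),
                          "thumbprint": thumbprint(cert_der),
                          "not_after": cert_not_after(cert_der)})
    return certs


def newest_certificate(certs):
    """The one the portal selects on rotation: farthest expiry date."""
    return max(certs, key=lambda c: c["not_after"])


def thumbprint_from_event(message):
    """Thumbprint quoted in an MSIS3014/MSIS3015 message (straight or curly quotes)."""
    m = re.search(r"thumbprint\W+([0-9A-Fa-f]{40})\b", message)
    return m.group(1).upper() if m else None


def check_idp_certificate(certs, idp_thumbprint, now):
    """'current', 'expired', or 'not-in-metadata' (IdP holds a cert Zoom no longer publishes)."""
    for c in certs:
        if c["thumbprint"] == idp_thumbprint:
            return "expired" if c["not_after"] < now else "current"
    return "not-in-metadata"


# Constructed fixtures: both certificates are published during the rotation window.
OLD_CERT = fixture_cert(b"210104120000Z", b"220202000000Z")
NEW_CERT = fixture_cert(b"220104120000Z", b"230104120000Z")
METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://yourvanityurl.zoom.us">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {base64.b64encode(NEW_CERT).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {base64.b64encode(OLD_CERT).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
IN_WINDOW = datetime(2022, 1, 20, tzinfo=timezone.utc)     # fixed clock inside the rotation window
AFTER_CUTOVER = datetime(2022, 2, 3, tzinfo=timezone.utc)  # fixed clock after the old cert expired
EVENT = ("MSIS3015: The signing certificate of the claims provider trust 'xxxxxxxx.zoom.us' "
         "identified by thumbprint '175F66EE7911A55ECF3549280C85A0BB941CEC16' is not valid.")

if __name__ == "__main__":
    certs = sp_certificates(METADATA)
    for c in certs:
        print(c["use"], c["thumbprint"], c["not_after"].date())
    print("portal selects:", newest_certificate(certs)["thumbprint"])
    print("event cert:", check_idp_certificate(certs, thumbprint_from_event(EVENT), IN_WINDOW))
```

Against the fixture the event thumbprint comes back as not-in-metadata, which is the mismatch case the service provider certificate section warns about: the IdP is signing or encrypting with a certificate Zoom no longer publishes, so rolling back or re-reading the metadata URL is the fix. The same function returns expired once the clock passes the old certificate's notAfter, which is the other cause the troubleshooting section lists.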

Manually update the certificate by file

Download the certificate from Zoom

  1. Sign in to the Zoom web portal with your email address and password.
  2. Click Advanced, then Single Sign-On.
  3. Click Edit and select Zoom Certificate (Expires on 01/04/2023 UTC) in the Service Provider (SP) Certificate section.
    This updates the certificate to the most recent one (the one whose expiration date is farthest in the future).
  4. Click View to open the certificate’s details page.
  5. Click Download to save the certificate file.

Upload the certificate to ADFS

  1. Log on to your ADFS server with your AD credentials.
  2. Open Administrative Tools, then the AD FS Management Console (MMC).
  3. In the left navigation, click Trust Relationships, then Relying Party Trusts.
  4. Right-click the Relying Party Trust for Zoom and select Properties.
  5. On the Encryption tab, click Browse.
  6. Select the certificate file you downloaded from Zoom and open it.
  7. Click the Signature tab.
  8. Remove any certificates that are listed there.
  9. Click Add and select the downloaded certificate.

To confirm that SSO is working, Zoom recommends performing a couple of test logins once the certificate has been updated.

If the test SSO logins fail, roll back to the previous certificate and test logins again. Once logins succeed, re-upload the new certificate using the process above.

Shibboleth certificate rotation

Shibboleth V3

Note:

Make sure Support encrypted assertions is enabled when you use Shibboleth.

Shibboleth monitors Zoom’s metadata automatically if it uses the HTTPMetadataProvider, File-based HTTP Metadata Provider, or DynamicHTTPMetadataProvider metadata provider type. If it does not use one of these types, the Shibboleth server has no way to download and update the metadata file automatically.

If Shibboleth uses the ResourceBackedMetadataProvider, LocalDynamicMetadataProvider, or FilesystemMetadataProvider metadata provider type, you may be able to update the metadata file without restarting your web server (such as Apache Tomcat or another Java application server).

Manually update the certificate via web server restart

  1. Log in to the Zoom web portal with your email address and password.
  2. Under Advanced, click Single Sign-On.
  3. Click Edit and select Zoom Certificate (Expires on 01/04/2023 UTC) in the Service Provider (SP) Certificate section.
    This updates Zoom’s certificate to the most recent one (the one with the farthest expiration date).
  4. Download the new metadata from https://yourvanityurl.zoom.us/saml/metadata/sp.
  5. Update the existing metadata file on the Shibboleth server so that it contains the new certificate.
  6. Restart the web server if necessary.

Note: If you do not restart the web server, you will have to wait for Shibboleth to reload the file, which takes at least 5 minutes and can take up to 24 hours. Users may be unable to log in with single sign-on during this time.

Graceful manual update of the certificate

  1. Download the new metadata from https://yourvanityurl.zoom.us/saml/metadata/sp.
  2. Update the existing metadata file on the Shibboleth server so that the new certificate is loaded.
  3. Wait 48 hours for Zoom to detect and switch to the new certificate automatically.
  4. Check in your Zoom SSO configuration that the Zoom SSO certificate has been updated automatically to the most recent one (2023):
    • If successful: download the metadata file from the metadata URL again and update the server with the new metadata.
    • If unsuccessful: Zoom should detect the new certificate automatically after another day.