Configuring authentication settings and profiles in the Zoom app
Authentication profiles allow meeting hosts to restrict meeting participants and webinar attendees to users who have signed in, and to restrict them further to users whose email address matches a certain domain. As a result, you can limit your participants to users who are verified or who belong to a certain organization, and restrict access to meetings and webinars to users within a specified domain.
Notes:
- If you use authentication exceptions in a recurring meeting series and edit one of the occurrences in the series, the authentication exception email must be resent to the participant for that edited occurrence. The link in that email is specific to the edited occurrence only and does not apply to any other occurrence in the series.
- Authentication profiles can also be applied to webinar panelists who were invited to participate in the webinars.
Prerequisites for configuring authentication profiles
- A Pro, Business, Education, or Enterprise account
- Zoom desktop client:
  - Windows: version 5.0.0 (23168.0427) or higher
  - macOS: version 5.0.0 (23161.0427) or higher
- Zoom mobile app:
  - Android: version 5.0.0 (23161.0427) or higher
  - iOS: version 5.0.0 (23161.0427) or higher
- Zoom web client
- Account owner or admin privileges to edit account settings
How to enable or disable authentication profiles
Authentication profiles must be configured at the account level before they can be used. If you do not want to apply authentication profiles to all members of your account, you can disable them at the account level once you have defined them and enable them at the group or user level.
Notes:
- When hosts schedule a meeting or a webinar, the authentication settings are applied by default, and hosts can disable them if they choose to. To prevent hosts from disabling these authentication settings, the settings can be locked so that they remain enabled.
- Activating this setting prevents participants who do not have a Zoom account from joining the meeting or webinar.
Account
To enable or disable the setting that allows only authenticated users to join meetings for all users in the account, follow the steps below:
1. Sign in to the Zoom web portal as an admin with the privilege to edit account settings.
2. In the navigation menu, click Account Management.
3. Click the Meetings tab.
4. Under Security, click the toggles to enable or disable:
   - Only authenticated panelists can join webinars: To participate in the webinar, panelists must sign in with the Zoom account associated with the email address they were invited with. Participants who fail to do so see a pop-up notification telling them to sign in to the account associated with the email address they were invited with.
   - Only authenticated meeting participants and webinar attendees can join meetings and webinars: Attendees must authenticate through one of several authentication methods before they can join the meeting or webinar.
5. In the verification dialog that appears, click Enable or Disable to verify the change.
6. (Optional) To make this setting mandatory for all users in your account, click the lock icon, and then click Lock to confirm the setting.
Groups
To enable or disable the setting that allows only authenticated users to join meetings for a group of users:
1. Sign in to the Zoom web portal as an admin with the privilege to edit groups.
2. In the navigation menu on the left of the page, click User Management then Groups.
3. From the list of groups, select the applicable group.
4. Click the Meetings tab.
5. Under Security, click the toggles to enable or disable:
   - Only authenticated panelists can join webinars: To participate in the webinar, panelists must sign in to the Zoom account associated with the email address that was used to invite them. Panelists who fail to do so see a pop-up notification telling them to sign in to the account associated with the invited email address.
   - Only authenticated meeting participants and webinar attendees can join meetings and webinars: Attendees must authenticate through one of several authentication methods before they can join the meeting or webinar.
6. In the confirmation dialog that appears, click Enable or Disable to verify the change.
   Note: If an option is grayed out, it has been locked at the account level and needs to be changed there.
7. To lock the setting, click the lock icon, then choose to lock it for all members of the group.
How to create an authentication profile
1. Sign in to the Zoom web portal as an admin with the privilege to edit account settings.
2. In the navigation menu at the top of the page, click Account Management then Account Settings.
3. Under the Security section, ensure that Only authenticated meeting participants and webinar attendees can join meetings and webinars is enabled, and then click Add Configuration.
4. Under Select an authentication method, choose one of the following authentication methods:
   - Sign in to Zoom: Allows any user to join the meeting or webinar, as long as they are signed in to their Zoom account.
   - Signed-in users in my account: Allows any signed-in user in the account to join the meeting or webinar.
   - Sign in to Zoom with specified domains: Allows you to specify a rule so that Zoom users whose email addresses contain a certain domain can join the meeting or webinar. You can add multiple domains separated by commas, use a wildcard when listing domains, or upload a CSV file with the domains.
     Note: You can't add any domains that are on your domain block list.
   - Signed in to account associated with invited email: Allows you to require meeting and webinar registrants to join the meeting or webinar signed in to the account that matches the email they registered with. If they are authenticated with a different account or not authenticated at all, they will be directed to sign in or switch accounts.
   - Sign in to external Single Sign-On (SSO): Allows you to specify a rule that requires users to authenticate through a third-party authentication system.
5. Give the meeting authentication option a name to help users identify it more easily.
6. Click Save.
7. Further authentication options can be added by clicking Add Configuration and repeating steps 4-6 as necessary.
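An added example, not part of the original page and not Zoom's own code: a Python pre-check for a comma-separated domain rule of the kind described in step 4, run before the rule is pasted into a profile. The leading "*." wildcard form, the block-list conflict rule and the anchored matching are assumptions made for illustration, and every domain shown in use is constructed.

```python
import re

# One hostname label: letters, digits, hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def parse_domain_rule(text):
    """Split a comma-separated rule into normalized, de-duplicated entries."""
    entries = []
    for raw in text.split(","):
        entry = raw.strip().lower()
        if entry and entry not in entries:
            entries.append(entry)
    return entries


def lint_entry(entry, block_list):
    """Return the problems found in one entry (empty list means it is fine)."""
    wildcard = entry.startswith("*.")
    base = entry[2:] if wildcard else entry
    labels = base.split(".")
    if not all(_LABEL.match(label) for label in labels):
        return ["not a domain or a leading-wildcard pattern"]
    problems = []
    if len(labels) < 2:
        problems.append("too broad: covers a whole top-level domain")
    # Assumption: an entry conflicts with a blocked domain when it equals it
    # or when a wildcard entry would cover it.
    for blocked in sorted(block_list):
        if base == blocked or (wildcard and blocked.endswith("." + base)):
            problems.append("conflicts with blocked domain " + blocked)
    return problems


def email_matches(email, entries):
    """Anchored comparison on the domain part, never a substring test."""
    local, _, domain = email.lower().rpartition("@")
    if not local or not all(_LABEL.match(l) for l in domain.split(".")):
        return False
    for entry in entries:
        if entry.startswith("*."):
            if domain.endswith(entry[1:]):  # "*.example.edu" -> ".example.edu"
                return True
        elif domain == entry:
            return True
    return False
```

Running lint_entry over each parsed entry before upload catches over-broad wildcards and block-list conflicts; email_matches lets you confirm that a look-alike address such as one ending in example.edu.other.test is not admitted under these assumed rules.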
How to allow authentication exceptions
A meeting administrator can approve authentication exceptions to allow guests to join meetings even though authentication profiles have been enabled. For instance, a school that requires meeting participants to authenticate against the school's IdP can create an exception so that a guest lecturer can participate in meetings.
Notes:
- If the meeting or webinar host adds a participant as an authentication exception, that participant can join the meeting or webinar even if their domain matches a domain that an admin has blocked.
- If you use authentication exceptions with a recurring meeting series and edit any of the occurrences within the series, the authentication exception email must be sent again to the participant for the edited occurrence. The link applies only to the edited occurrence and will not work for the other occurrences in the series that have not been edited.
This feature must be enabled at the account level or the group level. Users can view this setting but cannot change it.
1. At the group or account level, ensure that authentication profiles are enabled.
2. Under Security, check the box next to the option to allow authentication exceptions.
3. There is also an option to allow users who can join meetings only by telephone to still attend when the meeting does not have a waiting room.
When scheduling a meeting, the host can specify authentication exceptions or other requirements for it.
How to configure authentication profiles using external authentication
Important: Single Sign-On for authentication profiles must be integrated separately from Zoom's SSO integration. For example:
- Okta: Create a custom app instead of using the pre-built Zoom app.
- Azure: An application for creating galleries can be created by clicking here.
- G Suite: Create your own app instead of using the pre-built Zoom app.
To configure a profile that uses external authentication through Single Sign-On, follow these steps:
1. Within your SSO service provider, create a new SAML app.
2. Sign in to Zoom as an admin with the privilege to edit account settings.
3. Enable authentication profiles at the account level.
4. Click Add Configuration.
5. Under Select an authentication method, choose Sign in with external single sign-on (SSO).
6. Enter the following information:
   - A name for the meeting authentication option
   - Sign-in page URL: The sign-in URL provided by your SSO provider
   - Identity provider certificate: The X.509 certificate provided by your SSO provider
   - Issuer (IDP Entity ID): Provided by your SSO provider
   - Binding: Select either HTTP-POST or HTTP-Redirect
   - SAML attribute mappings (optional): If the SAML value you are using for the email address differs from the standard value name, enter it in the value field.
7. Click Save.
8. On the Meeting Authentication Options page, click SP metadata XML to download the SP metadata.
9. Either upload the metadata to your SAML app, or open the metadata XML file and copy and paste the following URLs directly into the fields in your SAML app:
   - entityID attribute in the md:EntityDescriptor tag
   - Location attribute in the md:AssertionConsumerService tag
   The following table lists where you should paste the entityID and Location URLs.
Note: Some Single Sign-On providers, such as Okta, require the SP metadata before you can retrieve the sign-in URL, IDP certificate, and Entity ID. If your provider requires SP metadata first, you may have to fill in the fields with fake data initially and then download the metadata. Next, edit the profile and replace the fake data with the real SSO configuration.
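An added example, not part of the original page and not Zoom's tooling: a Python script that reads a downloaded SP metadata XML file and extracts the two values named in the procedure above, the entityID of md:EntityDescriptor and the Location of md:AssertionConsumerService, and flags an endpoint that is not HTTPS. The embedded metadata and its sp.example.test URLs are constructed placeholders, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
ACS_PATH = "md:SPSSODescriptor/md:AssertionConsumerService"

# Constructed sample; sp.example.test is a placeholder, not a real Zoom URL.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/meeting-auth/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/meeting-auth/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def read_sp_metadata(xml_text):
    """Return the entityID and ACS endpoints found in SP metadata XML."""
    root = ET.fromstring(xml_text)
    tag = "{%s}EntityDescriptor" % MD_NS["md"]
    entity = root if root.tag == tag else root.find(".//md:EntityDescriptor", MD_NS)
    if entity is None:
        raise ValueError("no md:EntityDescriptor element found")
    endpoints = [
        {"binding": a.get("Binding"), "location": a.get("Location"),
         "default": a.get("isDefault") in ("true", "1"),
         "index": int(a.get("index", "0"))}
        for a in entity.findall(ACS_PATH, MD_NS)
    ]
    return {"entity_id": entity.get("entityID"), "acs": endpoints}


def acs_url(meta):
    """Pick the ACS URL to paste: the default endpoint, else the lowest index."""
    ranked = sorted(meta["acs"], key=lambda e: (not e["default"], e["index"]))
    return ranked[0]["location"] if ranked else None


def problems(meta):
    """Checks worth making before copying the values into the SAML app."""
    found = []
    if not meta["entity_id"]:
        found.append("EntityDescriptor has no entityID")
    if not meta["acs"]:
        found.append("no AssertionConsumerService endpoint")
    for e in meta["acs"]:
        if not (e["location"] or "").startswith("https://"):
            found.append("ACS Location is not HTTPS: %r" % e["location"])
    return found
```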