Configuring Zoom SSO with ADFS
Prerequisites for SSO with ADFS
- A Zoom account with an approved vanity URL
- Access to ADFS
- Administrator or Owner access in Zoom
A provisioning email will be automatically sent to users without an approved Associated Domain to ask them to confirm their provisioning. Users from approved domains will be provisioned without email confirmation.
How to configure SSO for ADFS in Zoom
- Download and view your ADFS XML metadata at https://[SERVER]/FederationMetadata/2007-06/FederationMetadata.xml, where [SERVER] is your ADFS server (for example, adfs.example.com).
- On Zoom's admin page, click Single Sign-on to view the SAML tab.
- Fill in the options on the SAML tab as follows:
  - Sign-in page URL: https://[SERVER]/adfs/ls/idpinitiatedsignon.aspx?logintoRP=[Vanity].zoom.us
    Note: if the SP Entity ID in Zoom is set to https://[vanity].zoom.us, the logintoRP part of the sign-in URL must match it, as in "...?logintoRP=https://[vanity].zoom.us".
  - Sign-out page URL: https://[SERVER]/adfs/ls/?wa=wsignout1.0
  - Identity provider certificate: the X509 certificate from the XML metadata downloaded in step 1. Use the first X509Certificate in the XML file, which sits under the following path:
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <X509Data>
            <X509Certificate>[base64 certificate value]</X509Certificate>
          </X509Data>
        </KeyInfo>
      </ds:Signature>
  - Service Provider (SP) Entity ID: choose the option without https.
  - Issuer (IdP Entity ID): http:// (or https://)[SERVER]/adfs/services/trust, the entityID given in the metadata.
  - Binding type: HTTP
- Security
  - Sign SAML request: check this option to sign the SAML request sent to ADFS.
  - Support encrypted assertions: ensure this option is selected if you are using encrypted assertions in ADFS.
  - Automatically log out the user after a specified amount of time: check this if you want the user to be logged out after a specified amount of time.
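As an added example that is not part of the Zoom article, the following Python script reads the FederationMetadata.xml from step 1, takes the first X509Certificate exactly as the step says, checks that it is the certificate ADFS advertises for token signing, and derives the SAML-tab values above from the metadata. The metadata, the server name adfs.example.com and the certificate bytes are constructed sample data, not taken from a real deployment.

```python
import base64, hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample of an ADFS FederationMetadata.xml for a hypothetical server
# adfs.example.com; the certificate body is placeholder bytes ("abc" in base64,
# wrapped across lines as ADFS does), not a real X.509 certificate.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.com/adfs/services/trust">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>
        YW
        Jj
    </X509Certificate></X509Data></KeyInfo>
  </ds:Signature>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate>YWJj</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def cert_text(element):
    # Metadata wraps the base64; Zoom's certificate field wants one contiguous value.
    return "".join(element.text.split())

def zoom_settings(metadata_xml, vanity):
    root = ET.fromstring(metadata_xml)
    # Step 1 of the guide: the first X509Certificate in the file sits under ds:Signature.
    first_cert = cert_text(root.find("ds:Signature//ds:X509Certificate", NS))
    # Cross-check it against the certificate ADFS advertises for token signing, so a
    # stale or wrong certificate is caught before it is pasted into Zoom.
    signing = root.find("md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)
    if cert_text(signing) != first_cert:
        raise ValueError("first certificate is not the advertised token-signing certificate")
    sso = root.find("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    server = urlparse(sso.get("Location")).hostname
    return {
        "sign_in_url": f"https://{server}/adfs/ls/idpinitiatedsignon.aspx?logintoRP={vanity}.zoom.us",
        "sign_out_url": f"https://{server}/adfs/ls/?wa=wsignout1.0",
        "issuer": root.get("entityID"),  # entityID in metadata, http:// not https://
        "binding": sso.get("Binding").rsplit(":", 1)[1],
        "certificate": first_cert,
        # SHA-1 thumbprint of the DER bytes, to compare with the ADFS certificates view
        "thumbprint": hashlib.sha1(base64.b64decode(first_cert)).hexdigest().upper(),
    }
```

Run it against a real download with `zoom_settings(open("FederationMetadata.xml").read(), "yourvanity")` and compare the thumbprint with the token-signing certificate shown in the ADFS console before saving the Zoom configuration.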
How to configure SSO for Zoom in ADFS
- Add Zoom as a relying party using ADFS:
- Launch the ADFS 2.0 MMC from the Start menu.
- Click Relying Party Trusts and add a relying party trust.
- Choose "Import data about the relying party published online or on a local network" and enter the federation metadata address: https://YOURVANITY.zoom.us/saml/metadata/sp
- Finish the wizard with the default settings and provide a display name ("Zoom").
- Add these two claim rules:
  - Send LDAP Attributes as Claims, named "Zoom Email", mapping LDAP attributes to outgoing claim types:
    - E-Mail-Addresses (or User-Principal-Name) > E-Mail Address
    - Given-Name > urn:oid:2.5.4.42 (first name)
    - Surname > urn:oid:2.5.4.4 (last name)
  - Transform an Incoming Claim, named "Zoom Name ID":
    - Incoming claim type: E-Mail Address
    - Outgoing claim type: Name ID
After you complete the configuration steps, any user in your Active Directory should be able to log in, based on the configuration you set. Visit http://YOURVANITY.zoom.us and click Login.
Troubleshooting
Unable to log in using Google Chrome or Firefox
An "Audit Failure" event with "Status: 0xc000035b" in the Event Viewer of the ADFS server means that users cannot log in using Chrome or Firefox because Extended Protection is enabled. IE supports Extended Protection, while Chrome and Firefox do not, so you will need to disable it:
- Open IIS Manager.
- Select Sites > Default Web Site > adfs > ls in the left panel.
- Click the Authentication icon and select Windows Authentication.
- Click Advanced Settings.
- Uncheck Extended Protection.
How to generate and update the X509 certificate
If the Zoom portal prompts you to update your Identity Provider certificate, it links to the Microsoft Support instructions for generating a new certificate in ADFS. Once the new certificate is generated, edit the SSO configuration on the Zoom portal and replace the existing certificate with it.