Configuring Zoom with Shibboleth
Overview
Zoom can be connected to Shibboleth so that users log in to Zoom with your organization’s Shibboleth credentials. Based on their SAML attributes, you can assign Zoom licenses, add-on plans, roles and groups to users.
Prerequisites
- Ownership or administrative privileges within Zoom
- Education or Business accounts
If the Associated Domain has not been approved, users must confirm their account provisioning through an automatically sent email. Users under an approved domain are provisioned without email confirmation.
Instructions
Configuring your SSO Information with Zoom
- Locate your organization’s IdP metadata. For a Shibboleth IdP it is typically published at https://IdP.DomainName/idp/shibboleth.
- Log in to your Zoom web portal and navigate to the Single Sign-On page.
- Add your SSO information to the page using your metadata:
- Sign-in page URL: the URL after Location= in the SingleSignOnService entry of your metadata; there is one entry for the POST binding and one for the Redirect binding, and you may use either.
- Sign-out page URL (optional): the URL after Location= in the SingleLogoutService entry for the same POST or Redirect binding.
- Identity Provider Certificate: the first X509 certificate contained in your metadata.
- Service Provider (SP) Entity ID: must include https://, for example https://yourVanityURL.zoom.us
- Issuer (IdP Entity ID): the Entity ID from your IdP metadata, entered as the full URL, for example https://IdP.yourorganization/idp/shibboleth
- Binding: select POST or Redirect to match the sign-in page URL you chose.
- If you have disabled Shibboleth’s encryption, check Support Encrypted Assertions.
- Save your changes.
Note: For Shibboleth bindings, use HTTP-Redirect when using CAS.
How to configure Zoom Metadata in Shibboleth
- Zoom’s SP metadata can be downloaded from https://yourVanityURL.zoom.us/saml/metadata/sp
- In relying-party.xml, add a MetadataProvider element that loads the downloaded Zoom metadata so the IdP trusts it.
Example:
<MetadataProvider id="Zoom_SP_Metadata" xsi:type="ResourceBackedMetadataProvider"
                  xmlns="urn:mace:shibboleth:2.0:metadata">
    <MetadataResource xsi:type="resource:FilesystemResource"
                      file="/var/shibboleth-idp/metadata/zoom_sp_metadata.xml" />
</MetadataProvider>
Here the downloaded Zoom metadata has been saved as /var/shibboleth-idp/metadata/zoom_sp_metadata.xml.
- Make sure your IdP sends the email address SAML attribute.
Attribute / Common SAML attribute name:
- Email Address (required): urn:oid:0.9.2342.19200300.100.1.3
- First Name: urn:oid:2.5.4.42
- Last Name: urn:oid:2.5.4.4
If eduPersonPrincipalName is formatted as an email address, its SAML attribute name, urn:oid:1.3.6.1.4.1.5923.1.1.1.6, can be used for the email address instead.
Release these attributes to Zoom by adding an AttributeFilterPolicy element to attribute-filter.xml. Here’s an example:
<AttributeFilterPolicy id="releaseToZoom">
    <!-- the requester value must match the SP Entity ID configured in Zoom -->
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://yourVanityURL.zoom.us" />
    <AttributeRule attributeID="email">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="givenName">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="surname">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
Test the SSO login by signing in at https://yourVanityURL.zoom.us/ or by choosing SSO in the Zoom client.