Zoom can be connected to Shibboleth so that you can login to Zoom by using your organization’s Shibboleth credentials. Based on their SAML attributes, you can assign Zoom licenses, add-on plans, roles and groups to users.
- Ownership or administrative privileges within Zoom
- Education or Business accounts
If an Associated Domain is not approved, users will need to confirm their account provisioning through an email sent automatically. Users falling under an approved domain will be provisioned without requiring email confirmation.
- You can view your organization’s metadata. Typically, it can be found at https://IdP.DomainName/idp/shibboleth.
- Navigate to the Single Sign-On page by logging into your Zoom web portal..
- Add your SSO information to the page using your metadata:
- Sign-in page URL: You can choose between POST and Redirect Bindings after Location=
- Sign-out page URL: You may choose to do this. You can enter a Sign-out page URL by choosing the corresponding URL when you save SingleLogoutService. That is the URL that appears after Location=, after the post or redirect action.
- Identity Provider Certificate: Your metadata should contain the first X509 certificate you have.
- Service Provider (SP) Entity ID: Entity ID for Service Providers (SPs) must include https://, such as https://yourVanityURL.zoom.us
- Issuer (IDP Entity ID): If your IdP metadata includes the Entity ID, enter the full URL as https://IdP.yourorganization/idp/shibboleth
- Binding: Depending on the URL of the sign-in page, select the POST or Redirect binding.
- If you have disabled Shibboleth’s encryption, check Support Encrypted Assertions.
- Save your changes.
Note: For Shibboleth bindings, use HTTP-Redirect when using CAS.
- Zoom metadata can be downloaded at https://yourVanityURL.zoom.us/saml/metadata/sp
- In relying-party.xml, add a metadata element that configures Zoom metadata as trusted.
The file is located at /var/shibboleth-idp/metadata/zoom_sp_metadata.xml.
- Make sure your IdP sends the email address SAML attribute.
Attribute Common SAML Attribute Name Email Address* urn:oid:0.9.2342.19200300.100.1.3 First Name urn:oid:126.96.36.199 Last Name urn:oid:188.8.131.52
The SAML attributes name for eduPersonPrincipalName can be urn:oid:184.108.40.206.4.1.59220.127.116.11.6 if eduPersonPrincipalName is formatted as an email address.
This can be accomplished by adding an AttributeFilterPolicy element to attribute-filter.xml.
Here’s an example:
Id=”releaseToZoom” in AttributeFilterPolicy
“yourVanityURL.zoom.us” /> *PolicyRequirementRule xsi:type=”basic:AttributeRequesterString” value=”email”/> *AttributeRule attributeID=”email”
PermitValueRules xsi:type=”basic:ANY” */AttributesRules
The AttributeRule can have an attributeID of “givenName” and the PermitValueRule can have an attributeType of “basic:ANY”.
An attribute rule with attributeID=”surname”>
A permit value rule of type “basic:ANY” </AttributeRule>
By logging in at https://yourVanityURL.zoom.us/ or choosing SSO in the Zoom client, you can test the SSO login.