Zoom SSO certificate rotation
Zoom has added Single Sign-On (SSO) certificate management, which lets account owners and admins have Zoom update the service provider certificate automatically when a new one becomes available, instead of updating it by hand. The previous certificate can also be selected to roll the SSO configuration back.
Zoom will retire its single sign-on (SSO) certificate ahead of its expiration on Wednesday, February 2, 2022, in line with standard industry practice. To keep using SSO without a service disruption, you may need to act before the certificate is rotated:
- For accounts whose identity provider (IDP) or configuration supports dynamic metadata refresh, the new Zoom certificate is downloaded and rotated into your account’s configuration automatically starting Saturday, January 8, 2022. In your Single Sign-On settings you should see the following in the Service Provider (SP) Certificate section:
- Zoom Certificate (Expires on 01/04/2023 UTC)
- The automatic management option is selected
- If your IDP implementation does not require a service provider certificate, these options do not appear in your web portal and no further action is required.
- You must take action if any of the following options are enabled in your Zoom SSO settings:
- Sign SAML request
- Sign SAML logout request
- Support encrypted assertion
- If your IDP does not support automatic certificate rotation, or you choose to turn the automatic update off, you must act between January 8 and February 2, 2022: in the Zoom web portal, select the new certificate in the Single Sign-On settings to start the rotation. The same page lets you change which certificate is used with your IDP. Once the new certificate is rotated, you and your users can keep signing in to Zoom with SSO without interruption.
Prerequisites
- Zoom owner or admin privileges
- Business or Education account with approved Vanity URL
New SSO certificate management options
Service provider certificate
Zoom signs the SAML requests and SAML logout requests it sends to your IDP with the service provider certificate. The certificate configured in Zoom and the one in your IDP must match, because your IDP uses it to verify the signature on those requests. If they differ, your IDP may return an error and refuse to sign the user in.
The Zoom SAML metadata, which contains this certificate, is published at https://yourvanityurl.zoom.us/saml/metadata/sp.
Automatically manage the certificate
Status | Behavior |
On (Default) | Two certificates are set in the Zoom metadata whenever the latest certificate detected is not the one currently selected for SAML requests. Zoom tries to auto-rotate (update) the certificate if your IDP is set to monitor the Zoom metadata URL and the “Support encrypted assertion” option is turned on. |
Off | Only one certificate is set in the Zoom metadata. Zoom does not auto-rotate to a new certificate. |
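The two-certificate behavior above is visible in the SP metadata itself. The following is an added example (not Zoom’s code) that fetches the metadata, lists every certificate in it with its use, SHA-1 thumbprint (the form AD FS prints in its MSIS301x events) and validity dates, and flags whether a rotation is pending. The vanity URL is the page’s placeholder and must be replaced.

```powershell
# Added example, not part of the Zoom page. Lists the service provider certificates
# Zoom publishes in its SAML metadata. Replace the vanity URL placeholder (assumption).
function Get-ZoomSpCertificate {
    param(
        [string]$MetadataUrl = "https://yourvanityurl.zoom.us/saml/metadata/sp"
    )
    # -UseBasicParsing avoids the Internet Explorer dependency on older Windows hosts.
    $response = Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing
    [xml]$metadata = $response.Content

    $ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
    $ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
    $ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

    foreach ($kd in $metadata.SelectNodes("//md:SPSSODescriptor/md:KeyDescriptor", $ns)) {
        $use = $kd.GetAttribute("use")
        # A KeyDescriptor with no 'use' attribute is valid for both signing and encryption.
        if ([string]::IsNullOrEmpty($use)) { $use = "signing+encryption" }
        foreach ($certNode in $kd.SelectNodes(".//ds:X509Certificate", $ns)) {
            $der  = [Convert]::FromBase64String(($certNode.InnerText -replace '\s', ''))
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$der)
            [pscustomobject]@{
                Use        = $use
                Thumbprint = $cert.Thumbprint   # SHA-1 hex, as shown in AD FS events
                NotBefore  = $cert.NotBefore
                NotAfter   = $cert.NotAfter
                Subject    = $cert.Subject
            }
        }
    }
}

$certs = @(Get-ZoomSpCertificate)
$certs | Sort-Object NotAfter -Descending | Format-Table Use, Thumbprint, NotBefore, NotAfter

# More than one distinct thumbprint means automatic management is on and a rotation is pending:
# the IDP must accept both until the newest one is selected for SAML requests.
$distinct = @($certs.Thumbprint | Select-Object -Unique)
if ($distinct.Count -gt 1) {
    "Metadata advertises $($distinct.Count) certificates: a rotation is pending."
}
$newest = $certs | Sort-Object NotAfter -Descending | Select-Object -First 1
"Newest certificate: $($newest.Thumbprint), expires $($newest.NotAfter.ToUniversalTime()) UTC"
```

Run it before and after selecting the new certificate in the Zoom web portal: the thumbprint it reports as newest is the one that should appear on the IDP side after the rotation, and a metadata document that still lists only the old certificate means the portal change has not been applied.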
ADFS certificate rotation
If your ADFS server does not have Monitor relying party enabled for the Zoom SAML metadata URL, you must update the certificate manually.
Automatically update the certificate via metadata URL
To enable the monitoring option on your ADFS server:
- Log in to your ADFS server.
- Open the AD FS Management Console (MMC) from Administrative Tools.
- Click Trust Relationships in the left navigation, then Relying Party Trusts.
- Right-click the Relying Party Trust for Zoom and click Properties.
- On the Monitoring tab, enter the Zoom SAML Metadata URL (https://yourvanityurl.zoom.us/saml/metadata/sp).
- Make sure Monitor relying party is checked.
- Click OK.
Manually update the certificate via metadata URL
Follow these steps:
- Log in to the Zoom web portal.
- Select Single Sign-On under Advanced.
- Click Edit, then select Zoom Certificate (Expires on 01/04/2023 UTC) under the Service Provider (SP) Certificate section.
Zoom’s certificate is updated to the latest certificate (the one with the furthest expiration date).
- Log in to your ADFS server.
- Open the AD FS Management Console (MMC) from Administrative Tools.
- Click Trust Relationships in the left navigation, then Relying Party Trusts.
- Right-click the Relying Party Trust for Zoom and click Properties.
- On the Monitoring tab, confirm the Zoom SAML Metadata URL is https://yourvanityurl.zoom.us/saml/metadata/sp.
- Click Test to test the URL.
- Click OK, then Apply, then OK again.
- Right-click the Relying Party Trust for Zoom and click Update from Federation Metadata.
- Click Update under Identifiers.
- On the Encryption and Signature tabs, verify that the Effective and Expiration dates are those of the new certificate.
Note: if your SSO configuration does not support encrypted assertions, you will see only one certificate under the Encryption tab. The same applies to the Signature tab if you have not enabled Sign SAML Request or Sign SAML Logout Request in your SSO settings.
In order to verify that SSO is working correctly, Zoom recommends performing a few test logins after the certificate has been updated.
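Both ADFS procedures above (enabling monitoring, and the one-off update from federation metadata followed by a check of the Effective and Expiration dates) can be done from the AD FS PowerShell module. The following is an added example, not from Zoom or from Microsoft’s documentation; it assumes the relying party trust’s display name is “Zoom” and that the vanity URL placeholder is replaced.

```powershell
# Added example, not from the Zoom page. Assumes the relying party trust is named "Zoom"
# and that the vanity URL placeholder below is replaced with your own.
Import-Module ADFS

$trustName   = "Zoom"
$metadataUrl = "https://yourvanityurl.zoom.us/saml/metadata/sp"

# Automatic path: AD FS polls the metadata URL and applies certificate changes itself.
# This is the cmdlet equivalent of the Monitoring tab settings.
Set-AdfsRelyingPartyTrust -TargetName $trustName -MetadataUrl $metadataUrl `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

# Manual path: fetch the metadata once, now (same as "Update from Federation Metadata").
Update-AdfsRelyingPartyTrust -TargetName $trustName

function Show-ZoomTrustCertificate {
    param([string]$Name = "Zoom")
    $trust = Get-AdfsRelyingPartyTrust -Name $Name
    # RequestSigningCertificate is what the Signature tab lists (possibly several certs);
    # EncryptionCertificate is the single cert shown on the Encryption tab.
    $rows = @()
    foreach ($c in @($trust.RequestSigningCertificate)) {
        if ($c) {
            $rows += [pscustomobject]@{ Tab = "Signature"; Thumbprint = $c.Thumbprint
                                        Effective = $c.NotBefore; Expiration = $c.NotAfter }
        }
    }
    if ($trust.EncryptionCertificate) {
        $c = $trust.EncryptionCertificate
        $rows += [pscustomobject]@{ Tab = "Encryption"; Thumbprint = $c.Thumbprint
                                    Effective = $c.NotBefore; Expiration = $c.NotAfter }
    }
    $rows
}

$rows = Show-ZoomTrustCertificate -Name $trustName
$rows | Format-Table Tab, Thumbprint, Effective, Expiration

# Anything already expired, or expiring within 30 days, still needs attention:
# the update did not bring in the new certificate.
$rows | Where-Object { $_.Expiration -lt (Get-Date).AddDays(30) } | ForEach-Object {
    Write-Warning "$($_.Tab) certificate $($_.Thumbprint) expires $($_.Expiration)"
}
```

If the Signature tab (RequestSigningCertificate) still shows only the old thumbprint after the update, the Zoom side has not yet switched to the new certificate; select it in the Zoom web portal first and run the update again.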
Troubleshooting errors in the ADFS log
MSIS3015 error (signature)
“The signature verification certificate of the claims provider trust ‘zzzzzzzz.zoom.us’ identified by thumbprint ‘175F66EE7911A55ECF3549280C85A0BB941CEC16’ is not valid.”
MSIS3014 error (encryption)
“The encryption certificate of the relying party trust ‘microsoft:identityserver:xxxxxxx.zoom.us’ identified by thumbprint ‘175F66EE7911A55ECF3549280C85A0BB941CEC16’ is not valid.”
Either error can be caused by the certificate being revoked, expired, or chaining to a root that ADFS does not trust. To restore service, roll back to the previous certificate, then resolve the underlying cause. Once it is fixed, update the certificate again via the metadata URL.
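To tell which of the three causes applies, pull the events and check the named certificate directly. The following is an added example, not from Zoom: it reads recent MSIS3014/MSIS3015 events from the AD FS Admin log, extracts the thumbprint each one names, matches it against the certificates on the Zoom trust, and reports whether that certificate is expired, not yet valid, or fails chain/revocation checking on this server. It assumes the trust is named “Zoom”.

```powershell
# Added example, not from the Zoom page. Assumes the relying party trust is named "Zoom";
# the log name and MSIS codes are the standard AD FS ones.
Import-Module ADFS

$trust = Get-AdfsRelyingPartyTrust -Name "Zoom"
$known = @{}
foreach ($c in @($trust.RequestSigningCertificate) + @($trust.EncryptionCertificate)) {
    if ($c) { $known[$c.Thumbprint] = $c }
}

$events = Get-WinEvent -LogName "AD FS/Admin" -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'MSIS301[45]' }

foreach ($e in $events) {
    $m = [regex]::Match($e.Message, "thumbprint '?([0-9A-Fa-f]{40})")
    if (-not $m.Success) { continue }
    $thumb = $m.Groups[1].Value.ToUpper()
    $code  = [regex]::Match($e.Message, 'MSIS301[45]').Value
    $cert  = $known[$thumb]
    if (-not $cert) {
        "$($e.TimeCreated) $code thumbprint $thumb is not on the Zoom trust (stale event, or another trust)"
        continue
    }
    $reasons = @()
    $now = Get-Date
    if ($cert.NotAfter  -lt $now) { $reasons += "expired $($cert.NotAfter)" }
    if ($cert.NotBefore -gt $now) { $reasons += "not yet valid (effective $($cert.NotBefore))" }
    # Verify() builds the chain and runs revocation checking with this machine's policy,
    # which is what AD FS does before it trusts the certificate.
    if (-not $cert.Verify())      { $reasons += "chain or revocation check failed on this server" }
    if ($reasons.Count -eq 0)     { $reasons += "valid now; compare the event time with the rotation time" }
    "$($e.TimeCreated) $code $thumb -> $($reasons -join '; ')"
}
```

A chain or revocation failure points at the server, not at Zoom: the issuing CA is missing from the trusted stores on that ADFS node, or the node cannot reach the CRL/OCSP endpoints. Get-AdfsRelyingPartyTrust also reports the trust’s SigningCertificateRevocationCheck and EncryptionCertificateRevocationCheck settings, which decide how strictly ADFS enforces that check.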
Manually update the certificate by file
Download the certificate from the Zoom web portal:
- Sign in to your Zoom account.
- Click Single Sign-On in the navigation menu.
- Select Zoom Certificate (Expires on 01/04/2023 UTC) under the Service Provider (SP) Certificate section.
The certificate is updated to the latest certificate (the one with the furthest expiration date).
- Click View to see the certificate details.
- Click Download.
Upload the certificate to ADFS:
- Log in to your ADFS server.
- Launch the AD FS Management Console by selecting Administrative Tools > AD FS Management Console (MMC).
- Select Trust Relationships in the left navigation, then click Relying Party Trusts.
- Right-click the Relying Party Trust for Zoom and click Properties.
- Select the Encryption tab, then click Browse.
- Browse to the certificate file you downloaded.
- Select the Signature tab.
- Remove all certificates currently listed.
- Add the most recent certificate (the file you downloaded).
Zoom recommends that you should perform a few test logins once the certificate has been updated to ensure SSO has been set up properly.
If the test logins fail, roll back to the previous certificate and test again. Once logins succeed on the previous certificate, re-upload the new certificate using the steps above.
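The file-based cut-over and the rollback can be scripted so the previous certificate is captured before anything changes. The following is an added example, not from Zoom: it loads the downloaded .cer file, records the certificates currently on the trust, replaces the Signature and Encryption certificates with the new one, and keeps a one-line rollback ready. It assumes the trust is named “Zoom” and the file path given; the encryption certificate is only set when the trust already has one (that is, when Support encrypted assertion is in use).

```powershell
# Added example, not from the Zoom page. Assumptions: trust named "Zoom", and the
# certificate downloaded from the Zoom web portal saved as C:\certs\zoom-sp-2023.cer.
Import-Module ADFS

$trustName = "Zoom"
$certPath  = "C:\certs\zoom-sp-2023.cer"
$newCert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
"Loaded $($newCert.Thumbprint), valid $($newCert.NotBefore) to $($newCert.NotAfter)"

# Capture the current certificates first; they are the rollback target.
$trust    = Get-AdfsRelyingPartyTrust -Name $trustName
$previous = @{
    Signing    = @($trust.RequestSigningCertificate | Where-Object { $_ })
    Encryption = $trust.EncryptionCertificate
}

function Set-ZoomTrustCertificate {
    param(
        [string]$Name,
        [System.Security.Cryptography.X509Certificates.X509Certificate2[]]$Signing,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Encryption
    )
    # Replacing RequestSigningCertificate wholesale is the cmdlet equivalent of
    # "remove all certificates listed, then add the new one" on the Signature tab.
    $params = @{ TargetName = $Name; RequestSigningCertificate = $Signing }
    # Only touch the Encryption tab when the trust uses encrypted assertions.
    if ($Encryption) { $params.EncryptionCertificate = $Encryption }
    Set-AdfsRelyingPartyTrust @params

    Get-AdfsRelyingPartyTrust -Name $Name | Select-Object Name,
        @{ n = 'Signing';    e = { (@($_.RequestSigningCertificate) | ForEach-Object { $_.Thumbprint }) -join ',' } },
        @{ n = 'Encryption'; e = { $_.EncryptionCertificate.Thumbprint } }
}

# Cut over to the new certificate, then run the test logins described above.
$encryptionToSet = if ($previous.Encryption) { $newCert } else { $null }
Set-ZoomTrustCertificate -Name $trustName -Signing @($newCert) -Encryption $encryptionToSet

# If the test logins fail, put the previous certificate back:
# Set-ZoomTrustCertificate -Name $trustName -Signing $previous.Signing -Encryption $previous.Encryption
```

Keep the `$previous` hashtable (or export the old .cer) until the test logins pass; once the Zoom side has also moved to the new certificate, the old one can be dropped from the trust.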
Shibboleth certificate rotation
Shibboleth V3
Note: when using Shibboleth, make sure Support encrypted assertion is enabled.
Shibboleth monitors Zoom’s metadata if its MetadataProvider type is HTTPMetadataProvider, FileBackedHTTPMetadataProvider, or DynamicHTTPMetadataProvider. If it uses a different MetadataProvider type, you must download and update the metadata file on the Shibboleth server manually.
If you use the ResourceBackedMetadataProvider, LocalDynamicMetadataProvider, or FilesystemMetadataProvider type, you may be able to update the Shibboleth metadata file without restarting the web server (Apache Tomcat or another Java application server).
You can read more about Shibboleth configuration on the Shibboleth wiki.
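The difference between the two groups of provider types is how the metadata reaches the IdP. The following is an added example, not from Zoom or the Shibboleth project: a fragment of the IdP’s metadata-providers.xml showing a provider that polls Zoom’s metadata URL beside a file-backed one that you must edit yourself. The provider ids, file paths and refresh delays are assumptions; the vanity URL is the page’s placeholder.

```xml
<!-- Added example, not from the Zoom page. Fragment of conf/metadata-providers.xml on a
     Shibboleth IdP v3. ids, paths and delays are assumptions; replace yourvanityurl. -->

<!-- Self-refreshing: the IdP fetches Zoom's SP metadata itself and keeps a local backing copy,
     so a certificate Zoom adds to its metadata shows up without anyone editing a file.
     The delay bounds below match the 5 minute / 24 hour reload window described above. -->
<MetadataProvider id="ZoomSP"
                  xsi:type="FileBackedHTTPMetadataProvider"
                  metadataURL="https://yourvanityurl.zoom.us/saml/metadata/sp"
                  backingFile="%{idp.home}/metadata/zoom-sp.xml"
                  minRefreshDelay="PT5M"
                  maxRefreshDelay="PT24H"/>

<!-- Static file: nothing is fetched. After a rotation you download the metadata from the URL
     above, write it to this file, and the IdP reloads it on its own cycle (or on restart). -->
<MetadataProvider id="ZoomSPFile"
                  xsi:type="FilesystemMetadataProvider"
                  metadataFile="%{idp.home}/metadata/zoom-sp.xml"/>
```

Use one or the other for the Zoom entity, not both. With the HTTP-backed provider the backing file is also the place to look when checking which certificates the IdP currently knows about.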
Manually update the certificate via web server restart
- Stop your web server.
- Sign in to the Zoom web portal.
- Select Single Sign-On in the navigation menu.
- Click Edit and select Zoom Certificate (Expires on 01/04/2023 UTC) in the Service Provider (SP) Certificate section.
Zoom’s certificate is updated to the latest certificate (the one with the furthest expiration date).
- Download the updated metadata from https://yourvanityurl.zoom.us/saml/metadata/sp.
- Add the new certificate to the existing metadata file on the Shibboleth server.
- Start the web server again.
If you do not restart the web server, you have to wait for Shibboleth to reload the file, which takes at least 5 minutes and up to 24 hours. SSO may be unavailable to users during that window.
Graceful manual update of the certificate
- Download the new metadata from https://yourvanityurl.zoom.us/saml/metadata/sp.
- On the Shibboleth server, add the new certificate from it to the existing metadata file.
- Wait 48 hours; Zoom automatically detects the new certificate and updates to it.
- Verify that your Zoom SSO configuration has switched to the latest certificate (the one expiring in 2023).
- If it has, download the metadata from the metadata URL again and replace the metadata file on the server with it.
- If the new certificate has not been detected, wait another day for Zoom to detect it automatically.