Setting up Okta Authentication for E2EE
To help secure meetings against disruptions or unauthorized activity, Okta Authentication for end-to-end encryption allows users to display their profile information directly from their Okta identity provider. Account owners and admins can enable this feature to allow users to identify themselves. Users can then enable this feature to verify their profile information before joining a meeting on behalf of their domain. When a user is identified in a meeting, a badge is assigned to the user, which can be hovered over to see the information provided by Okta. This setting is useful for determining whether a user's displayed information follows your meeting's guidelines and whether you must provide another layer of security to manage your participants.
Notes:
- Participants choose if they want to display their verified profile information in meetings.
- The meeting host cannot require users to display verified profile information.
Requirements for verified information from Okta
- Business, Education, or Enterprise account
- Account owner or admin privileges to change settings at the account level
- Zoom desktop app
  - Windows: 5.13.10.
  - macOS: 5.13.10.
  - Linux: 5.13.10.
- Zoom mobile app
  - iOS: 5.13.10.
  - Android: 5.13.10.
- SSO configured with Okta
- Approved associated domain
- Zoom end-to-end encryption Okta Application
- End-to-End Encrypted meetings are enabled
- Admin must submit a request to Zoom Support to enable Okta Authentication for end-to-end encryption
How to get started with Okta Authentication for end-to-end encryption
On behalf of your company, Okta can authenticate the company domain and email address provided.
Notes:
- By enabling this feature, users' identities will be retrieved from Okta instead of Zoom.
- This feature is not available at the Group level for this beta version at this time.
Set up the Zoom end-to-end encryption application in Okta
To get Okta Authentication for end-to-end encryption enabled in Zoom, you must first set up Zoom end-to-end encryption in Okta. You can follow the instructions below to get started.
Enable the Okta Authentication for Zoom end-to-end encryption feature for your organization.
- Sign in to your Okta organization as a user with administrative privileges.
- From the left navigation pane in the Admin Console, go to Settings, then Features.
- Locate the Okta Authentication for Zoom end-to-end encryption feature and enable it.
Create a Zoom app integration
- From the Admin Console, select Applications > Applications.
- On the Applications page, click Browse App Catalog.
- In the Search field, enter Zoom E2E.
- Select the Zoom end-to-end encryption app from the dropdown box.
- On the app page, click Add integration.
- (Optional) Enter an Application label if you need to change the name.
- Click Done.
Add users
- On the Assignments page, click Assign and then select either Assign to People or Assign to Groups.
- Enter the appropriate people or groups that you want to have Single Sign-On into the application, and then click Assign for each.
- For any people that you add, verify the user-specific attributes, and then select Save and Go Back.
- Click Done.
Select a domain for identity verification purposes
Notes:
- Make sure the Zoom end-to-end encryption application is set up in Okta prior to selecting a domain for identity verification.
- The domain selection must be completed before enabling this setting at the account and user level.
- Sign in to the Zoom web portal.
- In the navigation menu, click Account Management then Account Profile.
- Click the Account Profile tab.
- Under Associated Domains, click the down arrow under Select a domain for identity verification purposes to select the domain to be verified.
Note: If you have only one domain, this domain can be used for identity verification purposes in a meeting by default.
- Click Save.
- Sign in to your domain provider and add a DNS TXT record for the domain or sub-domain name selected in the previous step.
Note: DNS services have a different implementation based on your account provider and are not controlled by Zoom. Contact your IT admin if you need assistance.
- Follow these steps from Okta to find your IDP domain.
- Create a DNS TXT record with the following value:
v=zoomadn us.zoom.idp.commercial=<IDP domain>
The final input should look like:
v=zoomadn us.zoom.idp.commercial=yourdomain.okta.com
Notes:
- This DNS TXT record allows the account to delegate authentication to Okta.
- This DNS TXT record should not be removed as long as the account will be using the feature.
- Submit an enablement request to Zoom Support with the following information:
  - A request to enable Allow to use verified identity from Okta.
  - Your IDP domain.
Note: Please allow up to five days for your request to complete.
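The DNS TXT record created above is what delegates authentication to Okta, so it is worth checking that it stays published and names only your IDP domain. The following is an added example, not Zoom or Okta code; it assumes the record is the v=zoomadn marker followed by whitespace-separated key=value tags as in the sample above, and the function names and sample records are constructed.

```python
"""Audit the TXT records of a Zoom associated domain (added example).

Assumption: the record is "v=zoomadn" followed by whitespace-separated
key=value tags. Only the tag us.zoom.idp.commercial comes from the page.
"""
import re

VERSION = "v=zoomadn"
IDP_TAG = "us.zoom.idp.commercial"


def normalize_txt(raw):
    """Join the quoted character-strings of one TXT record as printed by dig."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', raw)
    return "".join(parts) if parts else raw.strip()


def delegated_idps(txt_records):
    """Return every IdP domain named by a v=zoomadn record, lowercased."""
    found = []
    for raw in txt_records:
        tokens = normalize_txt(raw).split()
        if not tokens or tokens[0].lower() != VERSION:
            continue  # SPF, site-verification and other unrelated TXT data
        for token in tokens[1:]:
            key, _, value = token.partition("=")
            if key.lower() == IDP_TAG and value:
                found.append(value.lower().rstrip("."))
    return found


def audit(txt_records, expected_idp):
    """Classify the delegation as ok, missing, mismatch or conflict."""
    idps = set(delegated_idps(txt_records))
    expected = expected_idp.lower().rstrip(".")
    if not idps:
        return "missing"    # record was removed or never published
    if idps == {expected}:
        return "ok"
    # conflict: the expected IdP plus another one; mismatch: only another one
    return "conflict" if expected in idps else "mismatch"


# Constructed sample: TXT answers in the form `dig +short TXT <domain>` prints.
SAMPLE = [
    '"v=spf1 include:_spf.example.net -all"',
    '"v=zoomadn us.zoom.idp.commercial=yourdomain.okta.com"',
]

if __name__ == "__main__":
    print(audit(SAMPLE, "yourdomain.okta.com"))
```

Run it on a schedule against the live TXT answers for the associated domain and alert on any result other than ok.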
Enable Okta Authentication for end-to-end encryption
Once a domain is selected for identity verification, follow these instructions to enable Okta Authentication for end-to-end encryption in the Zoom web portal for your entire account.
- Sign in to the Zoom web portal.
- In the navigation menu, click Account Management then Account Settings.
- Click the Meeting tab.
- Under Security, scroll down to find the Allow use of end-to-end encryption setting and make sure it is toggled ON.
- Click the Display Okta Authenticated for end-to-end encryption toggle to enable it if it’s disabled.
Notes:
- If this setting is enabled, Display Authenticated by Okta will be displayed for users.
- If this setting is disabled, Display Authenticated by Okta will not be displayed for users.
View a user’s Okta Authentication for end-to-end encryption
When you hover over the Okta Authentication for end-to-end encryption badge, you will see the following information:
- Email address: Okta attests to the user’s email address as it appears in Okta. This is optional, and users can choose to display their email address.
- Company domain: The organization that Okta is verifying information on behalf of. This is the ADN, which represents the organization that the participant belongs to.