Setting up basic SAML mapping
Basic SAML Mapping allows you to designate a default License Type when users sign in to Zoom via SSO. You can also map specific SAML attributes passed by your Identity Provider, such as email address, first name, last name, pronouns, phone number, and department, to fields in Zoom. This allows you to pass this information automatically from your identity provider. Email address is mapped to Zoom only at first login, unless you begin mapping an Employee Unique ID. By default, first name and last name are also mapped only at first login, but you can choose to have them updated at each SSO login. All other fields map each time a user logs in.
You can also use advanced SAML mapping to assign users add-ons, roles, or to groups based on the attributes being passed.
Prerequisites for setting up basic SAML mapping
- Owner or admin in Zoom
- SSO configured
How to set up basic SAML mapping
The SAML attributes and the corresponding values will need to be configured in your Identity Provider (IdP). Once you have configured them in your IdP, you can set up basic SAML mapping in Zoom.
- Sign in to the Zoom web portal.
- In the navigation panel, click Advanced then Single Sign-On.
- Click the SAML Response Mapping tab.
You will see the following attributes in the SAML Basic Information Mapping section:
- Default License Type: Click Edit to change the default user type. If you choose None, no Zoom account will be created for users by default and they will be denied access to Zoom. You will need to use advanced SAML mapping to assign some users Zoom access, while prohibiting others. You can also use advanced SAML mapping to assign different user types based on the attributes being passed.
For all other fields, click Map to SAML Attribute and enter the SAML attribute as it is being passed by your identity provider:
- Email Address: The email address that is associated with the user's Zoom profile.
Notes:
- If the email is not mapped, the nameID value will be used as the user's Zoom profile.
- If the email address and nameID sent by the IdP are different, the email value will override the nameID value for the user's Zoom identifier.
- First Name
- Last Name
- Display Name: Used for nicknames or preferred names, rather than their official name.
- Pronouns:
- If enabled at the account level, users' pronouns are added to their profiles, which is visible to their Zoom contacts as part of their profile card in the Zoom desktop client and mobile app. Users will be able to choose if they want to share their pronouns in meetings and webinars. This feature requires version 5.7.0 or higher.
- Check Do not allow users to update this field from their Profile: Use your IdP to provide the pronouns of your users and prevent them from changing that item.
- Phone number: The phone number attached to the user's profile. Users can add up to 3 external phone numbers through profile customization. If you have Zoom Phone, this is not the user's Zoom Phone number. If you want to add phone numbers with labels, click Add Numbers with Labels.
- Company
- Job Title
- Location
- Profile Picture
- Personal Link Name: The alias used for the user's personal meeting URL. For example, https://mycompany.zoom.us/my/grant.
- Department
- Manager
- Cost Center
- Zoom Phone Ext Number: The extension number for Zoom Phone users. Some extension numbers are reserved.
- Zoom Phone Number: The direct phone number for Zoom Phone users. Users must have a Zoom Phone calling plan in order to have direct phone numbers. Calling plans can be specified in the Advanced SAML Mapping section.
Note: Users must have a calling plan assigned before you can assign a direct phone number.
- Employee Unique ID: An ID that is unique to the user, other than their nameID and/or email value. The following account flow takes place when using Employee Unique ID:
- When the user signs in, Zoom checks for a matching Zoom user profile.
- If a match is found, the user is signed in and all of their profile values are updated in accordance with SAML mapping, including their Employee Unique ID.
- If a match is not found, Zoom checks for a user with a matching Employee Unique ID. If a matching Employee Unique ID is found, the Zoom user profile address, including their email address, is updated.
- If there's no matching Zoom user profile or Employee Unique ID, a new user account is created.
Notes:
- The Employee Unique ID is used by Zoom's systems to allow for automatic update of a user's Zoom profile address. To update the user's profile address automatically, the email domain must be in the associated domain list.
- The Employee Unique ID is a static value that is different from the user's nameID or email value. Common examples include using an employee number or ObjectID.
- If the email address and nameID values are different, and the email value has been mapped, the nameID value can be used (see above Email Address note).
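The Employee Unique ID account flow and the email/nameID precedence described above, modeled as an added Python example (not Zoom's code). It assumes profiles are matched on the Zoom identifier and that a non-associated email domain is only flagged, since the page does not say what happens in that case; `Profile`, `resolve_sign_in`, the outcome labels, and the sample values are hypothetical.

```python
# Added illustration: a model of the documented sign-in flow, not Zoom code.
from dataclasses import dataclass

@dataclass
class Profile:
    email: str              # the user's Zoom identifier
    employee_id: str = ""   # Employee Unique ID, empty if never mapped

def zoom_identifier(name_id, email_attr):
    """A mapped email overrides nameID; nameID is used when email is not mapped."""
    return (email_attr or name_id).lower()

def resolve_sign_in(profiles, name_id, email_attr, employee_id, associated_domains):
    """Return (outcome, profile) following the documented order of checks."""
    ident = zoom_identifier(name_id, email_attr)
    # 1. Look for a matching Zoom user profile (assumption: matched on identifier).
    for p in profiles:
        if p.email == ident:
            p.employee_id = employee_id  # profile values refreshed from SAML mapping
            return "signed_in", p
    # 2. No match: look for a profile with the same Employee Unique ID.
    for p in profiles:
        if employee_id and p.employee_id == employee_id:
            if ident.split("@")[-1] not in associated_domains:
                # The page requires an associated domain for the automatic update.
                # What happens otherwise is not documented; the model only flags it.
                return "domain_not_associated", p
            p.email = ident
            return "email_updated", p
    # 3. Neither matched: a new user account is created.
    new = Profile(ident, employee_id)
    profiles.append(new)
    return "created", new

if __name__ == "__main__":
    # Constructed sample data: one existing user whose email later changes at the IdP.
    users = [Profile("grant@example.com", "E1001")]
    domains = {"example.com"}
    print(resolve_sign_in(users, "grant", "grant.lee@example.com", "E1001", domains))
    print(resolve_sign_in(users, "new.hire@example.com", None, "E2002", domains))
```

Because step 2 lets a matching Employee Unique ID rewrite a profile's email address, the attribute mapped to it should be immutable and non-reusable at the IdP, which is why the notes above suggest an employee number or ObjectID.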
After entering a value, you can edit it by clicking Edit or remove it by clicking Clear.