Quick start guide for single sign-on (SSO)

Single sign-on allows you to log in using your company credentials. Zoom single sign-on (SSO) is based on SAML 2.0. Zoom has developed integrations for Okta, Microsoft Entra ID, and Active Directory On-Prem (refer to the Managing the AD Sync Tool and Configuring Zoom SSO with ADFS articles). Zoom SSO also works with Identity Providers (IdP) such as Centrify, Microsoft Active Directory, Gluu, OneLogin, PingOne, Shibboleth, and many others. Zoom can map attributes to provision a user to a different group with feature controls.

Zoom acts as the Service Provider (SP), and offers automatic user provisioning. You do not need to register as a user in Zoom. Once Zoom receives a SAML response from the Identity Provider (IdP), Zoom checks if this user exists. If the user does not exist, Zoom creates a user account automatically with the received name ID.

Requirements for using SSO

• Business, Education, or Enterprise account
• Approved Vanity URL
• Approved Associated Domain
  Users will need to confirm to being provisioned on the account through an email automatically sent to them. Provisioning will take place without email confirmation for any users falling under an approved domain.

How to configure SSO

Note: If you don't already have an approved vanity URL, apply for your vanity URL (such as https://yourcompany.zoom.us) on your Account Profile page. You will need to wait for this to be approved before you can configure the SSO on the Zoom side.

1. Configure your IdP to send us the following:
   • Any unique identifier linked to nameID such as edupersonTargetedID, persistentID, or mail
   • (Optional) Accepted attributes are email (urn:oid:0.9.2342.19200300. 100.1.3), sn (urn:oid:2.5.4.4), and givenName (urn:oid:2.5.4.42).
2. Sign in to the Zoom web portal.
3. In the navigation menu, click Advanced then Single Sign-On.
4. Select the vanity URL you want to configure with an IdP.
   Note: If you have only one vanity URL, you will not see additional options. Learn about multiple vanity URLs.
5. Enter the following SSO information:
   • Sign-in page URL: <SingleSignOnService>
   • Sign-out page URL: <SingleLogoutService>
   • Identity Provider Certificate: <X509Certificate>
     Note: Remove the Begin Certificate and End Certificate portions before saving.
   • Service Provider (SP) Entity ID: Select the option without https
   • Issuer (IDP Entity ID): <ID of EntityDescriptor>
   • Binding: Choose http-post or http-redirect
   • Signature Hash Algorithm: Select which hash algorithm is used, either SHA-1 or SHA-256
   • Security:
     • Sign SAML request
     • Sign SAML logout request
     • Support encrypted assertions
     • Enforce automatic logout after user has been logging in for X days
     • Save SAML response logs on user sign-in
   • Provision User: Choose when to provision users in Zoom, either At Sign-In or Prior to Sign-In
6. Click Save Changes.

With configuration complete, you can get the SP metadata XML file from https://yourcompany.zoom.us/saml/metadata/sp and users can sign in with SSO.

How to enable or disable automatic SSO certificate rotation

Admins can enable or disable a setting to automatically manage the SSO certificate. Zoom will automatically change the certificate when a new one is available. Admins can also roll back to a previous certificate. This setting is enabled by default.

For updates on new SSO certificates, see our release notes for Web.

1. Sign in to the Zoom web portal.
2. In the navigation menu, click Advanced then Single Sign-On.
3. Click Edit in the top-right corner.
4. In the Service Provider (SP) Entity ID section, check or uncheck Automatically manage the certificate.
   Note: One of the three Security settings below must be enabled first before the option Automatically manage the certificate appears.

• Sign SAML request
• Sign SAML logout request
• Support encrypted assertions