Setting up advanced SAML mapping

Account owners and admins can use advanced SAML mapping to designate Zoom licenses, add-ons, user roles, user groups, or IM groups based on a value being passed using SAML. This allows you to have certain users, for example university faculty, to receive a license during sign-in, while other users, such as university students, will be Basic (non-licensed) users after sign-in. You can also deny users access to your Zoom account using advanced SAML mapping.

Requirements for configuring advanced SAML mapping

• Account owner or admin privileges
• SSO configured

How to set up advanced SAML mapping

The SAML attributes and the corresponding values must be configured in your identity provider (IdP). Once you have configured them in your IdP, you can set up advanced SAML mapping in Zoom.

Note: For effective mapping, please review the Information to consider for advanced SAML mapping article.

1. Sign in to the Zoom web portal as an account owner or admin.
2. In the navigation menu, click Advanced then Single Sign-On.
3. Click SAML Response Mapping.
4. Scroll down to the SAML Advanced Information Mapping section.
5. Click Add next to the item that you want to designate based on SAML value.
   Note: For more detailed information on advanced SMAL mapping, refer to this article. 
   • License Type: Specify if this user should receive a Basic, Licensed, On-Prem (for accounts using On-Premise), or None, which will deny the user access to your Zoom account.
   • Add-on Plan: Specify if this user should receive an add-on plan, such as a Webinar, Large Meeting, or Concurrent Meeting license. They will also need to be Licensed assigned to them to use an add-on plan.
     Note: We currently only support assigning or removing add-on plans. Changing add-ons, from Webinar 500 to Webinar 1000 for example, is not supported and must be done manually by an admin on the Users page. 
   • Sign in to Sub Account (only available for the parent account): Specify if this sub-account user can sign in the target sub-account using the parent account’s vanity URL. 
   • User Role: Specify if this user should be an admin, member, or a customized role (set up in Role Management). 
   • User Group: Specify if this user is added to a group. Groups can limit features and permissions.
   • User Group Admin: Specify if this user is a group admin for the selected group.
   • Channel: Assign specific IdP groups to channels. For example, if your IdP has an existing attribute and value assigned to your company’s Billing department, you can assign the Billing department to the desired channel. If you create a new channel through SAML mapping, you are prompted to assign an existing user as the channel admin.
   • Recording Location: Specify the Communications Content storage location.
   • Zoom Rooms Admin: Specify if this user is a Zoom Rooms admin for the selected location.
   • Contact Group: Specify the contact groups to assign this user to.
     Note: This option is only available if you have the New Admin Experience enabled.
   • Zoom Phone Calling Plan: Specify if this user has a Zoom Phone license and requires a calling plan (for outbound calling or direct phone numbers).
     Note: This attribute can't be used for assigning calling plans to account owners. The account owner must be manually assigned a calling plan using the Zoom web portal before they can assign phone numbers using SAML mapping.
   • Zoom Phone Role: Specify Zoom Phone admin roles and permissions via SAML. Add advanced SAML mappings for phone admins, define the attribute names and values, and select roles from existing defined phone admin roles. All permissions and default targets for the selected roles will automatically apply to users based on the SAML values from the identity provider.
   • Zoom Phone Site: Specify if this user should be assigned to a site.
    
6. Enter the SAML Attribute, SAML Value and Resulting Value. You can add multiple SAML Attributes and/or values if you would like to designate different groups of users to receive different results.
   • SAML Attribute: Enter the Attribute Name being passed by your IdP.
   • SAML Value: Enter the value being passed by your IdP for this specific user or group of users.
     Note: This value is not case sensitive. For example, ABC and abc will be treated as the same value.
   • Resulting Value: Select how you want this user assigned in Zoom based on the SAML value.
    
7. Add additional SAML mappings by clicking Add.
8. Click Save Changes.

• Advanced SAML mapping affects new users and existing users (both member, admin, and custom roles) upon their next login using SSO.
• Advanced SAML mapping does not apply to the Zoom account owner.

You can also set up SAML auto mapping for some attributes.