You can configure your account to login via Single Sign-On (SSO) with Active Directory Federation Services (ADFS). You can use SAML mapping to assign users licenses, groups, and roles based on their ADFS configuration. Read more about Single Sign-On.
This article covers:
Prerequisites for SSO with ADFS
- Business or Education Account with Zoom with approved Vanity URL
- ADFS Server Access
- Zoom Admin or Owner Access
Note: Without an approved Associated Domain, users will need to confirm to being provisioned on the account through an email automatically sent to them. Provisioning will take place without email confirmation for any users falling under an approved domain.
How to configure SSO for ADFS in Zoom
- Find and download/view your ADFS XML metadata at https://[SERVER]/FederationMetadata/2007-06/FederationMetadata.xml
*[SERVER]: your ADFS server (adfs.example.com) - From the Zoom Admin page, click on Single Sign-on to View the SAML tab.
- Enter the following information into the SAML tab options:
- Sign-in page URL:
https://[SERVER]/adfs/ls/idpinitiatedsignon.aspx?logintoRP=[Vanity].zoom.us- *Note: if the SP Entity ID in Zoom is set to https://[vanity].zoom.us, the logintoRP section of the sign-in URL should match, as "...?logintoRP=https://[vanity].zoom.us"
- Sign-out page URL: https://[SERVER]/adfs/ls/?wa=wsignout1.0
- Identity provider certificate: X509 Certificate from XML Metadata in step 1
*Use the first X509 Certificate in the XML file:
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate> - Service Provider (SP) Entity ID: Select the option without https.
- Issuer: http or https://[SERVER]/adfs/services/trust (entityID in metadata)
- Binding: HTTP-POST
- Security
- Sign SAML Request: Check this option if you are signing the SAML request in ADFS.
- Support Encrypted Assertions: If you are using encrypted assertions in ADFS, check this option.
- Enforce automatic logout after the user has been logged in for: Check this if you want the user to be logged out after a specified amount of time.
- Sign-in page URL:
How to configure SSO for Zoom in ADF
- Login to your ADFS server.
- Open ADFS 2.0 MMC
- Add a Relying Party Trust
Select Import data about the relying party published online or on a local network
Federation metadata address: https://YOURVANITY.zoom.us/saml/metadata/sp
- Add a display name ("Zoom") and finish the Wizard with default settings
- Add two claim rules:
- Type: Send LDAP Attributes as Claims
- Name: Zoom - Send to Email
- Mappings
- E-Mail-Addresses > E-Mail Address
- User-Principal-Name > UPN
- Given-Name > urn:oid:2.5.4.42
- Surname > urn:oid:2.5.4.4
- Type: Transform Incoming Claim
- Name: Zoom - Email to Name ID
- Incoming claim type: E-Mail Address
- Outgoing claim type: Name ID
- Outgoing name ID format: Email
Once you have completed the configuration steps, any user in your active directory should be able to login, based on the configuration you have set. To test, visit http://YOURVANITY.zoom.us and select Login.
Troubleshooting
Unable to log in using Google Chrome or Firefox
If you are unable to log in using Chrome or Firefox, and are seeing an 'Audit Failure' event with "Status: 0xc000035b" in the Event Viewer on the ADFS server, you will need to turn off Extended Protection. Chrome and Firefox do not support the Extended Protection of ADFS (IE does).
- Launch IIS Manager
- In the left panel, navigate to Sites > Default Web Site > ADFS > LS
- Double-click Authentication icon
- Right-click Windows Authentication
- Select Advanced Settings
- Turn OFF Extended Protection
How to generate and update the X509 certificate
If you are prompted to update your Identity Provider certificate in the Zoom portal, please refer to the instructions on the Microsoft Support site on how to generate a new certificate in ADFS. Once you have the new certificate, edit the SSO configuration on the Zoom portal and replace the existing certificate with the newly generated version.