Okta configuration with Zoom

Single sign-on allows you to login to your Zoom account using your company credentials. A connection is made between Okta, the identity provider (idP), and Zoom, the service provider (SP), to allow users to directly connect to their zoom accounts. 

Once you configured your Okta account with Zoom, you can follow these instructions to manage users.

Requirements for Okta configuration with Zoom

• Zoom owner or admin privileges
• Business, Education, or Enterprise account with approved Vanity URL
• Single Sign-On enabled
• Okta admin privileges

Note: Without an approved Associated Domain, users will need to confirm to being provisioned on the account through an email automatically sent to them. Provisioning will take place without email confirmation for any users falling under an approved domain.

Supported Features by SSO Protocol

The following table summarizes the SSO features currently supported for each protocol.

How to add the Zoom app

There are two ways that you can configure Zoom with Okta. You can use the pre-built Zoom app in the Okta Application Console to automatically configure the Okta app for Zoom, or you can set up a custom app in Okta for Zoom.

Add the Zoom pre-built app to Okta

1. In Okta Console, go to Applications.
2. Click Add Application.
3. Search for Zoom.
4. Click Add.
5. This will take you to the General Settings page.

• Application label: You can leave this as Zoom or rename as desired.
• Subdomain: Enter only the custom part of your Vanity URL. For example, if your vanity URL is https://mydomain.zoom.us, only enter mydomain.
• ACS URL: If multiple vanity URLs or Identity Providers (IDPs) are enabled for your Zoom account, these details must be configured after completing the Zoom Single Sign-On (SSO) setup.
• Audience URI: If multiple vanity URLs or Identity Providers (IDPs) are enabled for your Zoom account, these details must be configured after completing the Zoom Single Sign-On (SSO) setup.
• OIDC App ID: Leave this blank if you are using SAML. If you are using OpenID Connect (OIDC), this value is generated by Zoom and must be entered after completing the Zoom Single Sign-On (SSO) setup.
• (Optional) Application visibility: Check the options if you don’t want to make this app visible to your users.
• Click Done.

Add the Zoom custom app to Okta

1. In the Okta console, click Applications.
2. Click Add Application.
3. Click Create New app.
   • Platform: Web
   • Sign on method: SAML 2.0
4. Click Create. This will take you to the General Settings page.
   • App Name: You can give the app the name of your choice, something that will identify this as the Zoom app for you on the Okta side, eg. Zoom.
   • (Optional) App logo: Upload the Zoom logo if desired
   • (Optional) App visibility: Check these options if you don’t want to show the Zoom custom app to show to your users in Okta.
5. Click Next. This will take you to the Configure SAML page.
   • Single sign on URL: For Zoom accounts without multiple vanity URLs or IDPs enabled, enter: https://yourvanityurl.zoom.us/saml/SSO. For accounts with these features enabled, enter https://zoom.us/saml2/sso/{unique id} . The unique id will be updated in subsequent steps.
   • Check Use this for Recipient URL and Destination URL
   • Leave Allow this app to request other SSO URLs unchecked
   • Audience URI (SP Entity ID): For Zoom accounts without multiple vanity URLs or IDPs enabled, enter: https://yourvanityurl.zoom.us. For accounts with these features enabled, enter https://zoom.us/sp/{unique id}, where the unique id will be updated in the following steps.
   • Default RelayState: Leave blank.
   • Name ID Format: Select EmailAddress.
   • Application username: Select Okta username.
   • Click Show Advanced Settings.
   • Response: Choose Signed.
   • Assertion Signature: Choose Unsigned.
   • Signature Algorithm: Choose RSA-SHA256.
   • Digest Algorithm: Choose SHA256.
   • Assertion Encryption: You can choose either. If you choose encrypted, you will need to check the option for encrypted assertions on the Zoom side. If unsure, leave as Unencrypted.
   • Enable Single Signout: Leave unchecked.
   • Authentication context class: Choose PasswordProtectedTransport.
   • Honor Force Authentication: Choose Yes.
   • SAML Issuer ID: Leave blank.
   • Attribute Statements:
     
      

     Name	Name format	Value
     email	Unspecified	user.email
     firstName	Unspecified	user.firstName
     lastName	Unspecified	user.lastName

   • Group Attribute Statements: Leave blank.
   • Preview the SAML Assertion: You can click to preview the SAML assertion.
6. Click Next.
7. This will take you to the Okta feedback page. Enter your feedback if desired and click Next.

How to connect Zoom and Okta (SAML)

Zoom and Okta need to create a trusted relationship with each other to allow communication.

1. In Okta Console, go to Applications.
2. Click on the Zoom app.
3. Click the Sign On tab.
   • To retrieve the Okta SAML configuration, click View Settings, then Sign on methods. Under More details, click SAML 2.0.
4. Open a new browser window and sign in to the Zoom web portal as an admin or as the owner.
5. In the navigation menu in the Zoom web portal, click Advanced then Single Sign-On.
6. Click Enable Single Sign-On.
7. On the SAML tab, click Edit.
8. From the instruction page in Okta, copy the following in the Zoom SSO page:
   
    

   From Okta	To Zoom
   Sign in URL	Sign-in Page URL box
   Sign out URL	Sign-out Page URL box
   Signing Certificate	Identity Provider Certificate box
   Issuer (IDP Entity ID)	Issuer (IDP Entity ID) box

9. In Binding, select HTTP-Redirect.
10. In Signature Hash Algorithm, select SHA-256.
11. In Security and Provision User, select as desired.
12. Click Save Changes.

How to configure Zoom and Okta with OpenID Connect (OIDC)

How to configure Okta for multiple vanity URLs or IDPs

1. Sign-in to your Okta admin account.
2. In the Okta console, click Applications.
3. Click on the Zoom app.
4. Click the General tab.
5. Retrieve the unique ID from Zoom's SP entity ID.
6. Replace the {unique id} placeholders in the ACS URL and Audience URI with the unique id copied from Zoom
7. Clear the Subdomain settings.
8. Save your changes.

How to switch from single vanity URL and IDP to multiple vanity URLs or IDPs

1. Navigate to Applications in the Okta Console.
2. Select the Zoom app.
3. Navigate to the General tab.
4. Click App Settings, then click Edit.
   • For ACS URL, enter https://zoom.us/saml2/sso/{unique id}, where the unique ID should match the unique ID in the Zoom SP entity ID.
   • For Audience URI, enter the Zoom SP entity ID obtained from Zoom.
   • Remove the Subdomain setting
5. Save your changes.

Switch the Zoom app sign-on method to OpenID Connect

1. In the Okta console, click Applications, then open the Zoom app.
2. Click the Sign On tab.
3. Click Edit under Settings.
4. Under Sign on methods, select OpenID Connect.
5. Click Save.

Configure Zoom for OpenID Connect (OIDC)

1. Sign in to the Zoom web portal as an owner or admin.
2. Go to the Single Sign-On (SSO) configuration page and configure SSO via OIDC.
3. Discovery document URL: Enter your Okta discovery document URL in the format https://{yourOktaDomain}/.well-known/openid-configuration, then click Retrieve data.
   Clicking Retrieve data automatically populates the following fields from Okta, so you do not need to enter them manually:
   • Issuer
   • Authorization endpoint URL
   • Token endpoint URL
   • JWKS URL
   • User info endpoint URL
   • End session endpoint URL
4. Client ID: Enter the Client ID copied from the Okta Sign On tab.
5. Client secret: Enter the Client secret copied from the Okta Sign On tab.
6. Scopes: Leave the default values (for example, openid and email).
7. Provision user: Leave as At Sign-In (Default), or select another option as needed. This determines whether users are created within your account in advance to allow them to sign in with SSO, or created dynamically as they sign in with SSO.
8. (Optional) Save SSO response logs: Leave checked if you want Zoom to save the SSO response logs.
9. Leave all other settings at their default values.
10. Click Save.

For the Zoom mobile app, users can only choose from signatures that have already been added.

Complete the OIDC App ID in Okta

1. On the Zoom OIDC Configuration page, locate the Callback URL. It has the format https://zoom.us/sso/oidc/{OIDC App ID}/callback.
2. Copy the {OIDC App ID} segment from the Callback URL
3. Sign in to your Okta admin account.
4. In the Okta console, click Applications, then open the Zoom app.
5. Click the General tab, then click Edit under App Settings.
6. Paste the copied value into the OIDC App ID field.
7. Save your changes.

How users sign in with SSO

Once single sign-on is configured, users can sign in to Zoom with SSO. The steps to start an SP-Initiated sign-in are the same for both SAML and OIDC: users start the sign-in from Zoom (the Service Provider) rather than from the Okta dashboard.

To start an SP-Initiated sign-in, users should open Zoom and sign in through your Vanity URL (for example, https://yourcompany.zoom.us) or select Sign In with SSO in the Zoom client and enter your company domain. For detailed, client-by-client steps, refer to Signing in with SSO.

 

With OpenID Connect (OIDC), only SP-Initiated SSO is supported, so users must start the sign-in from Zoom. IdP-Initiated SSO (starting from the Okta dashboard) is supported only for SAML.