Configuring Zoom with Google Workspace / Google Apps for SSO
If your organization uses Google Workspace / Google Apps, you can set up single sign-on (SSO), which will allow you to set up a default user type for SSO and SAML mapping with provisioning. We also offer a log in with Google option, which requires no additional configuration.
Prerequisites for managing Zoom with Google Workspace for SSO
- Google Admin console privileges for your domain
- Business or Education account with approved Vanity URL
- Zoom account owner or admin privileges
Note: Without an approved associated domain, users will need to confirm being provisioned on the account through an email automatically sent to them. Users who fall under an approved domain are provisioned without email confirmation.
How to configure SSO via SAML for Zoom
Set up Google as a SAML identity provider
- Sign in to the Google Admin console as an admin.
- From the Admin Console dashboard, go to Apps > Overview > Web and mobile apps.
- Click Add app, then search for Zoom and press Enter.
- Select Zoom (Web SAML).
- The Google IDP Information window will open and the Single Sign-On URL and the Entity ID URL fields automatically populate.
- Copy the SSO URL, Entity ID, and the text between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- in the Certificate field to enter in step 4 of Configure SAML information from Google.
- Click Continue.
- In the Service Provider Details window, enter the following:
  - ACS URL: https://vanityurl.zoom.us/saml/SSO
  - Entity ID: https://vanityurl.zoom.us
  - Start URL: Leave blank
- Click Continue.
- (Optional) Configure attributes, or use the following configuration for basic mapping:
  - First name: userName
  - Last name: userLast
  - Primary email: userEmail
- Click Finish.
- Complete the steps in the following section.
Set up Zoom as a SAML service provider
Configure SAML information from Google
- Sign in to the Zoom web portal as an admin.
- In the navigation menu, click Advanced, then click Single Sign-On.
- Click the SAML tab to configure SSO manually.
- Provide the following information that you copied from step 6 of Set up Google as a SAML identity provider:
  - Service Provider (SP) Entity ID: Select https://vanityurl.zoom.us or paste the Entity ID.
  - Sign-in Page URL: Paste the SSO URL.
  - Identity Provider Certificate: Paste the certificate text, making sure to only provide the text between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
- For Binding: Can be left as default.
- Do the following for Security options:
  - Sign SAML request: Clear the check box.
  - Sign SAML Logout request: Clear the check box.
  - Support encrypted assertions: Clear the check box.
  - Enforce automatic logout after user has been logged in for: Select this check box and choose the number of days.
  - Save SAML response logs on user sign-in
- Next to Provision User, select At Sign-In (Default).
- Click Save Changes.
Complete SAML response mapping
Map attributes as needed to configure Zoom users based on the Google mapping. Learn more about setting up SAML mapping.
How to enable the Zoom app in Google
To enable the Zoom app in Google Admin console, refer to Google's documentation for the Zoom cloud application.
How to troubleshoot common errors with setting up SAML mapping with Zoom and Google
Post (vanity URL) 404 (not found): Confirm that ACS URL is set correctly. It should look like the following: https://vanityurl.zoom.us/saml/SSO
Error 403: not_a_saml_app or app_not_configured_for_user: The settings may not have finished syncing. Allow a longer period of replication time, and ensure that the Save SAML response logs on user sign-in option is selected in the Zoom web portal so you can easily check logs for future troubleshooting.
App not configured for user:
- Confirm Entity ID URL in Google and Zoom match.
- Wait for Google to sync the app to all users.
Metadata for issuer https://accounts.google.com/o/saml2?idpid=(unique idpid) wasn't found (-1): Confirm that the Issuer matches the value in the metadata. It will look very similar to the Sign-in page URL, but there are slight differences.
Other errors: Confirm that the ACS URL is https://vanityurl.zoom.us/saml/SSO with the SSO portion capitalized.
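A pre-flight check for the values this article has you copy between the two consoles, covering the causes listed above (ACS URL capitalization, mismatched Entity ID, BEGIN/END lines left in the certificate field, Issuer confused with the Sign-in page URL). This is an added example, not Zoom or Google code; the function names, the `vanity` parameter and the sample certificate text are assumptions constructed for illustration.

```python
import base64
import re

PEM_MARKER = re.compile(r"-----(BEGIN|END) CERTIFICATE-----")

def certificate_body(pem_text):
    """Return the base64 text between the BEGIN/END lines, whitespace removed."""
    body = "".join(PEM_MARKER.sub("", pem_text).split())
    if not body:
        raise ValueError("certificate text is empty")
    base64.b64decode(body, validate=True)  # raises ValueError on stray characters
    return body

def check_saml_settings(vanity, google_acs_url, google_entity_id,
                        zoom_sp_entity_id, zoom_cert_field,
                        sign_in_url=None, issuer=None):
    """Return a list of problems; an empty list means the values line up."""
    problems = []
    expected_entity = f"https://{vanity}.zoom.us"
    expected_acs = expected_entity + "/saml/SSO"
    if google_acs_url != expected_acs:
        if google_acs_url.lower() == expected_acs.lower():
            problems.append("ACS URL: check capitalization, SSO must be upper case")
        else:
            problems.append(f"ACS URL should be {expected_acs}")
    if google_entity_id != zoom_sp_entity_id:
        problems.append("Entity ID differs between Google and Zoom")
    elif google_entity_id != expected_entity:
        problems.append(f"Entity ID should be {expected_entity}")
    if PEM_MARKER.search(zoom_cert_field):
        problems.append("Certificate field still contains BEGIN/END lines")
    else:
        try:
            certificate_body(zoom_cert_field)
        except ValueError:
            problems.append("Certificate field is not clean base64")
    if issuer is not None and issuer == sign_in_url:
        problems.append("Issuer is identical to the Sign-in page URL")
    return problems

# Constructed sample values (not a real certificate).
SAMPLE_B64 = base64.b64encode(b"constructed sample, not a real certificate").decode()
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{SAMPLE_B64}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for problem in check_saml_settings(
            "vanityurl", "https://vanityurl.zoom.us/saml/sso",
            "https://vanityurl.zoom.us", "https://vanityurl.zoom.us", SAMPLE_PEM):
        print(problem)
```

Pass the output of `certificate_body()` as the certificate field to get the text that belongs in Identity Provider Certificate.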
For additional troubleshooting, submit a request.