Zoom SSO certificate rotation

Zoom has enhanced Single Sign-On (SSO) certificate support, allowing account owners and admins to have Zoom automatically update the certificate when a new one is available, instead of manually updating the certificate. Admins can also roll back their SSO configuration to utilize a previous certificate as well.

Note: In keeping with standard industry practice, Zoom will be updating its single sign-on (SSO) certificate ahead of its expiration on Tuesday, December 31, 2024. Before proceeding with the Zoom SSO certificate rotation, please ensure that the DigiCert Global Root G2 is included in your trust stores. Most cloud-based Identity Provider (IdP) services already include it. On-premises IdP servers may require an update to the certificate trust store. If the DigiCert Global Root G2 is not in your trust store, rotating the Zoom SSO certificate will cause a service disruption, because your IdP will be unable to validate the new certificate's chain.

Requirements for Zoom SSO certificate rotation

New SSO certificate management options

Service provider certificate

The service provider certificates are used to sign the SAML request and the SAML logout request when these requests are sent to your IdP. Because your IdP uses these certificates to verify the signature of the SAML request and logout request, the certificate configured in Zoom must be the same one configured in your IdP. If the certificates differ, your IdP may return an error and prevent users from logging in.

This certificate can be found within the Zoom SAML metadata located at https://yourvanityurl.zoom.us/saml/metadata/sp.

Automatically manage the certificate

Status | Behavior
On (Default) | Two certificates will be set in the Zoom metadata if the latest certificate detected is not currently selected for SAML requests. Zoom will try to auto-rotate (update) the certificate if your IdP is set to monitor the Zoom metadata URL and supports encrypted assertion.
Off | Only one certificate is set in the Zoom metadata in the SSO settings. Zoom will not auto-rotate to a new certificate.

ADFS certificate rotation

If your ADFS server does not have Monitor relying party enabled for the Zoom SAML metadata URL, you will need to update the certificate manually.

Automatically update the certificate via metadata URL

To enable the monitoring option on your ADFS server:

    1. Sign in to your ADFS server.
    2. Open Administrative Tools, then open the AD FS Management Console (MMC).
    3. On the left navigation, click Trust Relationships, then click Relying Party Trusts.
    4. Right-click on the Relying Party Trust for Zoom, then click Properties.
    5. On the Monitoring tab, enter your Zoom SAML Metadata URL (https://yourvanityurl.zoom.us/saml/metadata/sp).
    6. Enable Monitor relying party.
    7. Click Apply.
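The same monitoring setup can be done from the AD FS PowerShell module instead of the MMC. The following script is an added example, not Zoom's or Microsoft's own; it assumes the relying party trust is named "Zoom" and that "yourvanityurl" is replaced with your vanity URL, and it first checks the DigiCert Global Root G2 prerequisite from the note at the top of this article.

```powershell
# Added example (not Zoom's or Microsoft's script): check the root-CA prerequisite,
# then enable metadata monitoring for the Zoom relying party trust.
# Assumptions: the trust's display name is "Zoom" and the vanity URL is a placeholder.
$TrustName   = "Zoom"                                                # placeholder: your trust's display name
$MetadataUrl = "https://yourvanityurl.zoom.us/saml/metadata/sp"      # replace yourvanityurl

# 1. Prerequisite: DigiCert Global Root G2 must be in the machine root store, otherwise
#    chain validation of the rotated Zoom certificate fails (see MSIS3014/MSIS3015 below).
$root = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*DigiCert Global Root G2*" }
if (-not $root) {
    throw "DigiCert Global Root G2 is not in Cert:\LocalMachine\Root; install it before rotating."
}

# 2. Point the trust at the Zoom SP metadata and enable monitoring. AutoUpdateEnabled is
#    the "Automatically update relying party" checkbox next to "Monitor relying party";
#    it is turned on here as well so the new certificate is picked up without manual steps.
$trust = Get-AdfsRelyingPartyTrust -Name $TrustName
if (-not $trust) { throw "Relying party trust '$TrustName' not found." }
Set-AdfsRelyingPartyTrust -TargetName $TrustName -MetadataUrl $MetadataUrl `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

# 3. Pull the metadata immediately instead of waiting for the monitoring interval, then
#    list the certificates ADFS now holds so their dates can be compared with the Zoom portal.
Update-AdfsRelyingPartyTrust -TargetName $TrustName
$trust = Get-AdfsRelyingPartyTrust -Name $TrustName
@($trust.RequestSigningCertificate) + @($trust.EncryptionCertificate) |
    Where-Object { $_ } |
    Select-Object Subject, Thumbprint, NotBefore, NotAfter | Format-Table -AutoSize
```

Run it in an elevated session on the ADFS server where the ADFS module is installed; the final table should show the new certificate's Effective (NotBefore) and Expiration (NotAfter) dates.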

Manually update the certificate via metadata URL

To manually update the certificate using the metadata URL:

    1. Sign in to the Zoom web portal.
    2. In the navigation menu, click Advanced then Single Sign-On.
    3. In the Service Provider (SP) Certificate section, click Edit and select Zoom Certificate (Expires on December 21, 2025 UTC).
      This will update the Zoom certificate to the latest certificate (the certificate with the farthest expiration date).
    4. Sign in to your ADFS server.
    5. Open Administrative Tools, then open the AD FS Management Console (MMC).
    6. On the left navigation, click Trust Relationships, then click Relying Party Trusts.
    7. Right-click on the Relying Party Trust for Zoom, then click Properties.
    8. Enter your Zoom SAML Metadata URL (https://yourvanityurl.zoom.us/saml/metadata/sp).
    9. Click Test URL.
    10. After the successful validation, click Ok, then click Apply.
    11. Close the Properties window.
    12. Right-click on the Relying Party Trust for Zoom, and click Update from Federation Metadata.
    13. On the Identifiers tab, click Update.
    14. Verify the certificate Effective and Expiration dates are for the new certificate on the Encryption and Signature tabs.
      Note: the Encryption tab may contain only one certificate, or none at all, if your SSO configuration does not have Support Encrypted Assertion enabled. The same applies to the Signature tab if your SSO configuration does not have Sign SAML Request or Sign SAML Logout Request enabled.
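Step 14 is the check that matters for security: the certificate ADFS holds must be the one Zoom is actually publishing, as the Service provider certificate section above explains. The script below is an added example, not Zoom's or Microsoft's own; it assumes a trust named "Zoom" and a placeholder vanity URL, downloads the Zoom SP metadata, and compares the published certificate thumbprints and expiry dates against what ADFS has stored.

```powershell
# Added example (not Zoom's or Microsoft's script): verify that the signing/encryption
# certificates in the Zoom SP metadata are the ones ADFS holds for the relying party trust.
# Assumptions: trust display name "Zoom" and a placeholder vanity URL.
$TrustName   = "Zoom"
$MetadataUrl = "https://yourvanityurl.zoom.us/saml/metadata/sp"      # replace yourvanityurl

# Certificates Zoom publishes: each <md:KeyDescriptor use="signing|encryption"> carries a base64 DER cert.
[xml]$md = (Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing).Content
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")
$published = foreach ($kd in $md.SelectNodes("//md:SPSSODescriptor/md:KeyDescriptor", $ns)) {
    $b64  = $kd.SelectSingleNode("ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns).InnerText -replace "\s", ""
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($b64))
    # A KeyDescriptor without a "use" attribute applies to both signing and encryption.
    [pscustomobject]@{
        Use        = if ($kd.use) { $kd.use } else { "both" }
        Thumbprint = $cert.Thumbprint          # SHA-1 hex, same format as in the MSIS3014/MSIS3015 log lines
        NotAfter   = $cert.NotAfter
    }
}

# Certificates ADFS currently holds on the Signature and Encryption tabs of the trust.
$trust  = Get-AdfsRelyingPartyTrust -Name $TrustName
$inAdfs = @($trust.RequestSigningCertificate) + @($trust.EncryptionCertificate) |
    Where-Object { $_ } | ForEach-Object { $_.Thumbprint }

# Report each published certificate: is it in ADFS, and is it still within its validity period?
foreach ($p in $published) {
    $state  = if ($inAdfs -contains $p.Thumbprint) { "present in ADFS" } else { "MISSING from ADFS" }
    $expiry = if ($p.NotAfter -lt (Get-Date)) { "EXPIRED" } else { "valid until $($p.NotAfter.ToString('u'))" }
    "{0,-10} {1}  {2}, {3}" -f $p.Use, $p.Thumbprint, $state, $expiry
}
```

Any line reporting MISSING after the update means the trust was not refreshed from the current metadata; an EXPIRED line means the Zoom portal is still selecting the old certificate.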

Once the certificate has been updated, Zoom recommends doing a couple of test logins to ensure SSO is working properly.

Troubleshooting errors in ADFS log

Signing certificate error MSIS3015

"Microsoft.IdentityServer.Service.SecurityTokenService.RevocationValidationException: MSIS3015: The signing certificate of the claims provider trust 'xxxxxxxx.zoom.us' identified by thumbprint '175F66EE7911A55ECF3549280C85A0BB941CEC16' is not valid."

Encryption certificate error MSIS3014

"Microsoft.IdentityServer.Service.SecurityTokenService.RevocationValidationException: MSIS3014: The encryption certificate of the relying party trust 'microsoft:identityserver:xxxxxxx.zoom.us' identified by thumbprint '175F66EE7911A55ECF3549280C85A0BB941CEC16' is not valid."

If you receive either of these errors, the certificate may have been revoked, may have expired, or its certificate chain may not be trusted (for example, because the DigiCert Global Root G2 is missing from your trust store). We recommend rolling back to the previous certificate and testing to confirm the errors are resolved. Once they are resolved, re-update the certificate via the metadata URL.

Manually update the certificate by file

Download the certificate from Zoom

    1. Sign in to the Zoom web portal.
    2. In the navigation menu, click Advanced then Single Sign-On.
    3. In the Service Provider (SP) Certificate section, click Edit and select Zoom Certificate (Expires on December 21, 2025 UTC).
      This will update the Zoom certificate to the latest certificate (the certificate with the farthest expiration date).
    4. Click View, to open the details page for the certificate.
    5. Click Download to download the certificate file.

Upload the certificate to ADFS

    1. Sign in to your ADFS server.
    2. Open Administrative Tools, then open the AD FS Management Console (MMC).
    3. On the left navigation, click Trust Relationships, then click Relying Party Trusts.
    4. Right-click on the Relying Party Trust for Zoom, then click Properties.
    5. Click the Encryption tab, then click Browse.
    6. Open the downloaded certificate file.
    7. Click the Signature tab.
    8. Remove any currently listed certificates.
    9. Click Add, and choose the latest certificate.

Once the certificate has been updated, Zoom recommends doing a couple of test logins to ensure SSO is working properly.

If SSO logins are not working correctly when testing, roll back to the previous certificate and test logins again. If SSO login is successful, re-upload the certificate using the steps above.

Refer to your IdP documentation for instructions on how to do this.