Zoom SSO certificate rotation
Zoom has enhanced Single Sign-On (SSO) certificate support, allowing account owners and admins to have Zoom automatically update the certificate when a new one is available instead of updating it manually. Admins can also roll back their SSO configuration to a previous certificate.
Note: Following standard industry practices, we provided an updated single sign-on (SSO) certificate on November 1, 2025, ahead of the expiration of our current certificate on December 21, 2025. You may need to take action to ensure uninterrupted SSO login functionality.
Do I need to take action?
✅ No action required
If ANY of these conditions are true:
- The Service Provider (SP) Certificate section is not visible in your Single Sign-On settings
- The Service Provider (SP) Certificate section in your Single Sign-On settings is displaying the latest Zoom Certificate (expires on 11/30/2026 UTC)

⚠️ Action required
Take action before Dec. 21 if the Service Provider (SP) Certificate drop-down is visible AND:
- The SP Certificate section in your Single Sign-On settings does not display the latest Zoom Certificate (expires on 11/30/2026 UTC)
Note: If "Automatically manage the certificate" is checked, it may take a few days for your IdP to automatically rotate the certificate. Not all IdPs support automatic rotation. Consult your IdP's documentation for any questions.
- The SP Certificate section of the Single Sign-On settings will only display if any of the following options is enabled:
  - Sign SAML request
  - Sign SAML Logout request
  - Support encrypted assertions
- If you need to manually rotate the Single Sign-On certificate, you can begin the certificate rotation process by selecting the new certificate in the Single Sign-On settings in the Zoom Web Portal. You will need to supply this certificate to your IdP. If you are unsure how to configure your IdP to use the Zoom SSO Certificate, consult your IdP or its documentation.
Requirements for Zoom SSO certificate rotation
- Zoom owner or admin privileges
- Business or Education account with approved Vanity URL
- DigiCert Global Root G2 included in your trust store
- Any of the following Single Sign-On options enabled:
  - Sign SAML request
  - Sign SAML Logout request
  - Support encrypted assertions
New SSO certificate management options
Service provider certificate
The service provider certificate is used to sign the SAML request and the SAML logout request that Zoom sends to your IdP. Because your IdP uses this certificate to verify those signatures, the certificate configured in Zoom and the certificate configured in your IdP must be identical. If they differ, your IdP may return an error that prevents users from signing in.
This certificate can be found within the Zoom SAML metadata located at https://yourvanityurl.zoom.us/saml/metadata/sp.
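As an added example (not Zoom's code or tooling), the following Python script parses an SP metadata document of the kind served at the URL above, lists the certificates it publishes for signing and encryption by SHA-1 thumbprint, and compares them with the thumbprints the IdP currently holds, so an admin can confirm that Zoom and the IdP really do have the same certificate. It also flags the two-signing-certificate state that automatic certificate management produces. The sample metadata, the certificate bytes and the vanity host are constructed placeholders, and the live-fetch helper assumes the endpoint returns UTF-8 XML.

```python
import base64
import hashlib
import urllib.request
import xml.etree.ElementTree as ET

# Namespaces used in SAML 2.0 metadata documents.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholders standing in for DER-encoded certificates. They are
# not real X.509 data; only their thumbprints matter for this comparison.
OLD_DER = b"constructed-previous-sp-certificate"
NEW_DER = b"constructed-latest-sp-certificate"


def _b64(der: bytes) -> str:
    return base64.b64encode(der).decode()


# Constructed SP metadata: an SPSSODescriptor with two signing KeyDescriptors
# (the "two certificates" state) and one encryption KeyDescriptor. The entityID
# is an assumed example vanity host, not a real account.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://example-vanity.zoom.us">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_b64(NEW_DER)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_b64(OLD_DER)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_b64(NEW_DER)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def thumbprint(der: bytes) -> str:
    """SHA-1 of the DER bytes as upper-case hex, the form ADFS prints in MSIS errors."""
    return hashlib.sha1(der).hexdigest().upper()


def fetch_sp_metadata(vanity_host: str) -> str:
    """Download the live SP metadata for a vanity host (network call; not used in tests)."""
    with urllib.request.urlopen(f"https://{vanity_host}/saml/metadata/sp", timeout=10) as resp:
        return resp.read().decode("utf-8")


def published_certs(metadata_xml: str) -> dict[str, list[str]]:
    """Return {"signing": [...], "encryption": [...]} thumbprints in document order.
    A KeyDescriptor without a 'use' attribute applies to both uses."""
    root = ET.fromstring(metadata_xml)
    out: dict[str, list[str]] = {"signing": [], "encryption": []}
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        uses = [kd.get("use")] if kd.get("use") else ["signing", "encryption"]
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            # Strip the line folding that metadata emitters put inside the base64 text.
            der = base64.b64decode("".join((cert.text or "").split()))
            for use in uses:
                out[use].append(thumbprint(der))
    return out


def check_idp_alignment(metadata_xml: str, idp_signing: set[str], idp_encryption: set[str]) -> dict:
    """Compare what Zoom publishes with what the IdP (for ADFS: the relying party
    trust's Signature and Encryption tabs) currently holds."""
    pub = published_certs(metadata_xml)
    pub_sign, pub_enc = set(pub["signing"]), set(pub["encryption"])
    report = {
        "signing_missing_at_idp": sorted(pub_sign - idp_signing),      # IdP must add these
        "signing_stale_at_idp": sorted(idp_signing - pub_sign),        # IdP still trusts these
        "encryption_missing_at_idp": sorted(pub_enc - idp_encryption),
        "encryption_stale_at_idp": sorted(idp_encryption - pub_enc),
        "dual_signing_published": len(pub["signing"]) > 1,             # auto-manage mid-rotation
    }
    report["aligned"] = not any(v for k, v in report.items() if k.endswith("_at_idp"))
    return report


if __name__ == "__main__":
    # Simulate an IdP that still holds only the previous certificate.
    idp_has = {thumbprint(OLD_DER)}
    for key, value in check_idp_alignment(SAMPLE_METADATA, idp_has, idp_has).items():
        print(f"{key}: {value}")
```

Run against live data by passing `fetch_sp_metadata("yourvanityurl.zoom.us")` and the thumbprints copied from the IdP; a non-empty `signing_missing_at_idp` list before the old certificate expires is the condition the "Action required" column above describes.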
Automatically manage the certificate
| Status | Behaviors |
| --- | --- |
| On (Default) | Two certificates will be set in the Zoom metadata if the latest certificate detected is not currently selected for SAML requests. Zoom will try to auto-rotate (update) the certificate if your IdP is set to monitor the Zoom metadata URL and supports encrypted assertions. Note: Your IdP must support automatic certificate rotation. Not all IdPs support automatic rotation. Consult your IdP's documentation for any questions. |
| Off | Only one certificate is set in the Zoom metadata. Zoom will not auto-rotate to a new certificate; the certificate will have to be rotated manually on expiration. |
ADFS certificate rotation
If your ADFS server does not have Monitor relying party enabled for the Zoom SAML metadata URL, you will need to update the certificate manually.
Automatically update the certificate via metadata URL
To enable the monitoring option on your ADFS server:
- Sign in to your ADFS server.
- Open Administrative Tools, then open the AD FS Management Console (MMC).
- On the left navigation, click Trust Relationships, then click Relying Party Trusts.
- Right-click on the Relying Party Trust for Zoom, then click Properties.
- On the Monitoring tab, enter your Zoom SAML Metadata URL (https://yourvanityurl.zoom.us/saml/metadata/sp).
- Enable Monitor relying party.
- Click Apply.
Manually update the certificate via metadata URL
To manually update the certificate using the metadata URL:
- Sign in to the Zoom web portal.
- In the navigation menu, click Advanced, then Single Sign-On.
- In the Service Provider (SP) Certificate section, click Edit and select Zoom Certificate (Expires on December 21, 2025 UTC).
This will update the Zoom certificate to the latest certificate (the certificate with the farthest expiration date).
- Sign in to your ADFS server.
- Open Administrative Tools, then open the AD FS Management Console (MMC).
- On the left navigation, click Trust Relationships, then click Relying Party Trusts.
- Right-click on the Relying Party Trust for Zoom, then click Properties.
- Enter your Zoom SAML Metadata URL (https://yourvanityurl.zoom.us/saml/metadata/sp).
- Click Test URL.
- After the successful validation, click Ok, then click Apply.
- Close the Properties window.
- Right-click on the Relying Party Trust for Zoom, and click Update from Federation Metadata.
- On the Identifiers tab, click Update.
- Verify the certificate Effective and Expiration dates are for the new certificate on the Encryption and Signature tabs.
Note: The Encryption tab may contain only one certificate, or none, if Support encrypted assertions is not enabled in your SSO settings. The same applies to the Signature tab if neither Sign SAML request nor Sign SAML Logout request is enabled.
Once the certificate has been updated, Zoom recommends doing a couple of test logins to ensure SSO is working properly.
Troubleshooting errors in ADFS log
Signing certificate error MSIS3015
"Microsoft.IdentityServer.Service.SecurityTokenService.RevocationValidationException: MSIS3015: The signing certificate of the claims provider trust 'xxxxxxxx.zoom.us' identified by thumbprint '175F66EE7911A55ECF3549280C85A0BB941CEC16' is not valid."
Encryption certificate error MSIS3014
"Microsoft.IdentityServer.Service.SecurityTokenService.RevocationValidationException: MSIS3014: The encryption certificate of the relying party trust 'microsoft:identityserver:xxxxxxx.zoom.us' identified by thumbprint '175F66EE7911A55ECF3549280C85A0BB941CEC16' is not valid."
If you receive either of these errors, the certificate may have been revoked, may have expired, or its certificate chain may not be trusted. We recommend rolling back to the previous certificate and testing to confirm the errors are resolved. Once they are resolved, update the certificate again via the metadata URL.
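The following Python snippet is an added example, not part of Zoom's article, that runs over constructed ADFS log lines modelled on the two messages above, extracts the rejected thumbprint from each MSIS3014/MSIS3015 entry, and reports whether that thumbprint is still among the certificates Zoom publishes. That distinction tells the admin whether the Signature or Encryption tab of the relying party trust holds a stale certificate, or whether a current certificate is being rejected for chain trust, expiry or revocation reasons. The host, timestamps and thumbprints are placeholders.

```python
import re

# Matches the two ADFS messages quoted above (MSIS3015 for the signing
# certificate, MSIS3014 for the encryption certificate).
MSIS_RE = re.compile(
    r"(?P<code>MSIS301[45]): The (?P<kind>signing|encryption) certificate of the "
    r"(?P<trust>claims provider trust|relying party trust) '(?P<name>[^']+)' "
    r"identified by thumbprint '(?P<thumbprint>[0-9A-Fa-f]{40})' is not valid"
)

# Which tab of the relying party trust Properties dialog each error refers to.
TAB_FOR_KIND = {"signing": "Signature", "encryption": "Encryption"}

# Constructed log excerpt modelled on the page's two messages. The host and the
# thumbprint are placeholders, not Zoom's real values.
SAMPLE_LOG = """\
2025-12-22T08:01:12Z Error  MSIS3015: The signing certificate of the claims provider trust 'example.zoom.us' identified by thumbprint '0123456789ABCDEF0123456789ABCDEF01234567' is not valid.
2025-12-22T08:01:13Z Error  MSIS3014: The encryption certificate of the relying party trust 'microsoft:identityserver:example.zoom.us' identified by thumbprint '0123456789ABCDEF0123456789ABCDEF01234567' is not valid.
2025-12-22T08:05:40Z Information  A token was issued for user@example.com.
2025-12-22T08:07:02Z Error  MSIS3015: The signing certificate of the claims provider trust 'example.zoom.us' identified by thumbprint '0123456789ABCDEF0123456789ABCDEF01234567' is not valid.
"""


def parse_msis_errors(log_text: str) -> list[dict]:
    """Extract every MSIS3014/MSIS3015 occurrence with its code, kind, trust name and thumbprint."""
    findings = []
    for line in log_text.splitlines():
        m = MSIS_RE.search(line)
        if m:
            f = m.groupdict()
            f["thumbprint"] = f["thumbprint"].upper()
            findings.append(f)
    return findings


def triage(log_text: str, published_thumbprints: set[str]) -> dict:
    """Group rejected thumbprints by ADFS tab and say whether each one is still in
    Zoom's current SP metadata. published_thumbprints is the set of SHA-1
    thumbprints taken from https://<vanity>.zoom.us/saml/metadata/sp."""
    published = {t.upper() for t in published_thumbprints}
    findings = parse_msis_errors(log_text)
    rejected: dict[str, set[str]] = {"signing": set(), "encryption": set()}
    for f in findings:
        rejected[f["kind"]].add(f["thumbprint"])
    actions = []
    for kind, tps in rejected.items():
        for tp in sorted(tps):
            stale = tp not in published
            if stale:
                reason = ("not in the current Zoom metadata: the trust holds a certificate Zoom "
                          "no longer publishes; roll Zoom back to it or update the trust from the "
                          "metadata URL")
            else:
                reason = ("matches the current Zoom metadata: check that DigiCert Global Root G2 "
                          "is in the ADFS trust store and that the certificate is neither "
                          "expired nor revoked")
            actions.append({"tab": TAB_FOR_KIND[kind], "thumbprint": tp, "stale": stale, "reason": reason})
    return {
        "error_count": len(findings),
        "actions": actions,
        # The sequence the article recommends once an error is seen.
        "recommended_sequence": ["roll back to the previous certificate", "test sign-in",
                                 "re-update via the metadata URL"],
    }


if __name__ == "__main__":
    # Simulate metadata that no longer contains the rejected certificate.
    for a in triage(SAMPLE_LOG, {"F" * 40})["actions"]:
        print(a["tab"], a["thumbprint"], "stale" if a["stale"] else "published", "-", a["reason"])
```

Feed it the text exported from the AD FS Admin event log and the thumbprints read from the SP metadata; repeated entries for the same thumbprint collapse to one action per tab.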
Manually update the certificate by file
Download the certificate from Zoom
- Sign in to the Zoom web portal.
- In the navigation menu, click Advanced, then Single Sign-On.
- In the Service Provider (SP) Certificate section, click Edit and select Zoom Certificate (Expires on December 21, 2025 UTC).
This will update the Zoom certificate to the latest certificate (the certificate with the farthest expiration date).
- Click View to open the details page for the certificate.
- Click Download to download the certificate file.
Upload the certificate to ADFS
- Sign in to your ADFS server.
- Open Administrative Tools, then open the AD FS Management Console (MMC).
- On the left navigation, click Trust Relationships, then click Relying Party Trusts.
- Right-click on the Relying Party Trust for Zoom, then click Properties.
- Click the Encryption tab, then click Browse.
- Open the downloaded certificate file.
- Click the Signature tab.
- Remove any currently listed certificates.
- Click Add, and choose the latest certificate.
Once the certificate has been updated, Zoom recommends doing a couple of test logins to ensure SSO is working properly.
If SSO logins are not working correctly when testing, roll back to the previous certificate and test logins again. If SSO login is successful, re-upload the certificate using the steps above.
Refer to your IdP documentation for instructions on how to do this.