Zoom SSO certificate rotation
Zoom has enhanced Single Sign-On (SSO) certificate support, allowing account owners and admins to have Zoom automatically update the certificate when a new one is available, instead of updating it manually. Admins can also roll back their SSO configuration to a previous certificate.
Note: In keeping with standard industry practice, Zoom will be updating its single sign-on (SSO) certificate ahead of its expiration on Tuesday, December 31, 2024. Before proceeding with the Zoom SSO certificate rotation, ensure that the DigiCert Global Root G2 is included in your trust stores. Most cloud-based Identity Provider (IdP) services already include it. On-premises IdP servers may require an update to the certificate trust store. If the DigiCert Global Root G2 is not in your trust store, rotating the Zoom SSO certificate will cause a service disruption.
- No action is required for accounts using an identity provider (IDP) or configuration that supports dynamic metadata refresh, as your IDP will automatically download the latest Zoom certificate and rotate it into your account’s configuration starting Friday, November 22, 2024. You should see the following in the Service Provider (SP) Certificate section of your Single Sign-On settings:
- Zoom Certificate (Expires on December 30, 2025 UTC)
- Automatically manage the certificate option is checked
- Additionally, if your IDP implementation does not require a service provider certificate, the options above will not be visible in your web portal and no further action is required.
- Action is required for Zoom Single Sign-On setups that have any of the following security options selected:
- Sign SAML request
- Sign SAML Logout request
- Support encrypted assertions
- Action is required between November 21 and December 31, 2024, if you choose to disable the automatic update or if your IDP does not support automatic certificate rotation. Begin the rotation by selecting the new certificate in the Single Sign-On settings of the Zoom web portal; on that page you can also choose which certificate Zoom uses when interacting with your IDP. Once the new certificate has been rotated, you and your users can continue to log in to Zoom with SSO without interruption.
Requirements for Zoom SSO certificate rotation
- Zoom owner or admin privileges
- Business or Education account with approved Vanity URL
New SSO certificate management options
Service provider certificate
The service provider certificate is used to sign the SAML request and the SAML logout request that Zoom sends to your IDP. Because your IDP uses this certificate to verify those signatures, the certificate configured in your IDP must match the one Zoom is using. If they differ, your IDP may return an error and refuse to log the user in.
This certificate can be found within the Zoom SAML metadata located at https://yourvanityurl.zoom.us/saml/metadata/sp.
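The following is an added example, not code from Zoom's article: it pulls the certificates published in the SP metadata and checks that each one chains to a root present in the server's trust store, which is the precondition the note at the top of this article states. It assumes a vanity URL of example.zoom.us (replace it with your own) and is meant to run on the on-premises IdP host (for example an ADFS server), because that is the trust store the chain is built against.

```powershell
# Added example (not Zoom's code). Assumption: vanity URL is example.zoom.us.
$VanityHost  = 'example.zoom.us'
$MetadataUrl = "https://$VanityHost/saml/metadata/sp"

# 1. Is the root the article names actually installed on this server?
$root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like '*DigiCert Global Root G2*' }
if ($root) { "Trust store: found $($root.Subject) (thumbprint $($root.Thumbprint))" }
else       { Write-Warning 'DigiCert Global Root G2 is not in Cert:\LocalMachine\Root' }

# 2. Fetch the SP metadata and walk every KeyDescriptor under SPSSODescriptor.
#    A 'use' attribute of signing or encryption limits the key's purpose;
#    no 'use' attribute means the key serves both.
[xml]$md = (Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing).Content
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

foreach ($kd in $md.SelectNodes('//md:SPSSODescriptor/md:KeyDescriptor', $ns)) {
    $b64  = $kd.SelectSingleNode('ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns).InnerText
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                [Convert]::FromBase64String(($b64 -replace '\s', '')))

    # 3. Build the chain the way ADFS will: against the machine store, with
    #    online revocation checking, so a revoked or untrusted certificate
    #    shows up here instead of as MSIS3014/MSIS3015 events after rotating.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $ok = $chain.Build($cert)
    $rootSubject = if ($chain.ChainElements.Count -gt 0) {
        $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    } else { '(no chain could be built)' }

    [pscustomobject]@{
        Use         = if ($kd.GetAttribute('use')) { $kd.GetAttribute('use') } else { 'signing+encryption' }
        Thumbprint  = $cert.Thumbprint          # SHA-1, the form ADFS prints in its errors
        NotAfterUtc = $cert.NotAfter.ToUniversalTime()
        DaysLeft    = [int]($cert.NotAfter.ToUniversalTime() - [DateTime]::UtcNow).TotalDays
        ChainOk     = $ok
        ChainRoot   = $rootSubject
        Problems    = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}
```

When "Automatically manage the certificate" is on and a newer certificate has been detected, you should see two signing entries: the one currently selected and the one with the later NotAfter. A row with ChainOk false and a Problems value such as UntrustedRoot or PartialChain on the new certificate is the trust-store gap the note warns about; fix that before selecting the new certificate in Zoom.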
Automatically manage the certificate
Status | Behaviors
On (Default) | Two certificates are published in the Zoom metadata whenever the latest detected certificate is not the one currently selected for SAML requests. Zoom will try to auto-rotate (update) the certificate if your IDP is set to monitor the Zoom metadata URL and supports encrypted assertions.
Off | Only one certificate is published in the Zoom metadata. Zoom will not auto-rotate to a new certificate.
ADFS certificate rotation
If your ADFS server does not have Monitor relying party enabled for the Zoom SAML metadata URL, you will need to update the certificate manually.
Automatically update the certificate via metadata URL
To enable the monitoring option on your ADFS server:
- Sign in to your ADFS server.
- Open Administrative Tools, then open the AD FS Management Console (MMC).
- On the left navigation, click Trust Relationships, then click Relying Party Trusts.
- Right-click on the Relying Party Trust for Zoom, then click Properties.
- On the Monitoring tab, enter your Zoom SAML Metadata URL (https://yourvanityurl.zoom.us/saml/metadata/sp).
- Enable Monitor relying party.
- Click Apply.
Manually update the certificate via metadata URL
To manually update the certificate using the metadata URL:
- Sign in to the Zoom web portal.
- In the navigation menu, click Advanced then Single Sign-On.
- In the Service Provider (SP) Certificate section, click Edit and select Zoom Certificate (Expires on December 30, 2025 UTC).
This will update the Zoom certificate to the latest certificate (the certificate with the farthest expiration date).
- Sign in to your ADFS server.
- Open Administrative Tools, then open the AD FS Management Console (MMC).
- On the left navigation, click Trust Relationships, then click Relying Party Trusts.
- Right-click on the Relying Party Trust for Zoom, then click Properties.
- On the Monitoring tab, enter your Zoom SAML Metadata URL (https://yourvanityurl.zoom.us/saml/metadata/sp).
- Click Test URL.
- After the successful validation, click Ok, then click Apply.
- Close the Properties window.
- Right-click on the Relying Party Trust for Zoom, and click Update from Federation Metadata.
- On the Identifiers tab, click Update.
- Verify the certificate Effective and Expiration dates are for the new certificate on the Encryption and Signature tabs.
Note: the Encryption tab may contain only one certificate, or none, if your Zoom SSO configuration does not have Support encrypted assertions enabled. The same applies to the Signature tab if Sign SAML request or Sign SAML Logout request is not enabled.
Once the certificate has been updated, Zoom recommends doing a couple of test logins to ensure SSO is working properly.
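The two ADFS procedures above (enabling monitoring, and forcing an update from the metadata URL), followed by the verification step, as an added PowerShell example that is not part of Zoom's article. It assumes the relying party trust is displayed as "Zoom" and the vanity URL is example.zoom.us; change both to match your environment. It also scans the AD FS Admin event log for the MSIS3014/MSIS3015 messages discussed in the next section, pulling out the thumbprint each one names so it can be compared with what Zoom publishes.

```powershell
# Added example (not Zoom's code). Run in an elevated PowerShell on an AD FS server.
Import-Module ADFS
$RpName      = 'Zoom'                                      # assumption: trust display name
$MetadataUrl = 'https://example.zoom.us/saml/metadata/sp'   # assumption: your vanity URL

# 1. Point the trust at Zoom's metadata and have ADFS poll it (GUI: Monitoring tab,
#    "Monitor relying party"; AutoUpdateEnabled is the matching auto-update option).
Set-AdfsRelyingPartyTrust -TargetName $RpName -MetadataUrl $MetadataUrl `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

# 2. Pull the metadata now instead of waiting for the monitoring cycle
#    (GUI: "Update from Federation Metadata").
Update-AdfsRelyingPartyTrust -TargetName $RpName

# 3. Certificates Zoom currently publishes. PowerShell's XML adapter ignores
#    namespace prefixes, so the dotted path works on md:/ds: elements.
[xml]$md = (Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing).Content
$published = @($md.EntityDescriptor.SPSSODescriptor.KeyDescriptor | ForEach-Object {
    $der = [Convert]::FromBase64String(($_.KeyInfo.X509Data.X509Certificate -replace '\s', ''))
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
})

# 4. Certificates ADFS stored on the Signature and Encryption tabs. Either slot
#    is empty when the matching option is disabled on the Zoom side.
$rp = Get-AdfsRelyingPartyTrust -Name $RpName
$stored = @()
foreach ($c in @($rp.RequestSigningCertificate)) { if ($c) { $stored += [pscustomobject]@{ Slot = 'Signature';  Cert = $c } } }
foreach ($c in @($rp.EncryptionCertificate))     { if ($c) { $stored += [pscustomobject]@{ Slot = 'Encryption'; Cert = $c } } }

"Published by Zoom:"
$published | Select-Object Thumbprint, NotBefore, NotAfter | Format-Table -AutoSize
"Stored in ADFS:"
$stored | ForEach-Object {
    [pscustomobject]@{
        Slot       = $_.Slot
        Thumbprint = $_.Cert.Thumbprint
        NotAfter   = $_.Cert.NotAfter
        Published  = ($published.Thumbprint -contains $_.Cert.Thumbprint)
    }
} | Format-Table -AutoSize

# 5. Drift check: a stored certificate that Zoom no longer publishes, or that has
#    expired, is the state that produces MSIS3014/MSIS3015 at the next login.
$stale = $stored | Where-Object {
    ($published.Thumbprint -notcontains $_.Cert.Thumbprint) -or ($_.Cert.NotAfter -lt (Get-Date))
}
if ($stale) { Write-Warning "Stale certificate(s) in ADFS: $($stale.Cert.Thumbprint -join ', ')" }

# 6. Recent MSIS3014/MSIS3015 events, with the thumbprint each message names.
Get-WinEvent -LogName 'AD FS/Admin' -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'MSIS301[45]' } |
    ForEach-Object {
        $tp = if ($_.Message -match "thumbprint '([0-9A-Fa-f]{40})'") { $Matches[1] } else { '?' }
        [pscustomobject]@{ Time = $_.TimeCreated; EventId = $_.Id; Thumbprint = $tp }
    }
```

After step 2 the Published column should read True for every stored certificate and the NotAfter values should match the Effective and Expiration dates you verify in the GUI. A thumbprint that appears in the event log output but not in the published list points at the certificate to roll back from.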
Troubleshooting errors in ADFS log
Signing certificate error MSIS3015
"Microsoft.IdentityServer.Service.SecurityTokenService.RevocationValidationException: MSIS3015: The signing certificate of the claims provider trust 'xxxxxxxx.zoom.us' identified by thumbprint '175F66EE7911A55ECF3549280C85A0BB941CEC16' is not valid."
Encryption certificate error MSIS3014
"Microsoft.IdentityServer.Service.SecurityTokenService.RevocationValidationException: MSIS3014: The encryption certificate of the relying party trust 'microsoft:identityserver:xxxxxxx.zoom.us' identified by thumbprint '175F66EE7911A55ECF3549280C85A0BB941CEC16' is not valid."
If you receive either of these errors, the certificate may have been revoked, may have expired, or its chain may not be trusted (for example, because the DigiCert Global Root G2 is missing from the trust store). Roll back to the previous certificate and test to confirm the errors have stopped. Once they are resolved, update the certificate from the metadata URL again.
Manually update the certificate by file
Download the certificate from Zoom
- Sign in to the Zoom web portal.
- In the navigation menu, click Advanced then Single Sign-On.
- In the Service Provider (SP) Certificate section, click Edit and select Zoom Certificate (Expires on December 30, 2025 UTC).
This will update the Zoom certificate to the latest certificate (the certificate with the farthest expiration date).
- Click View to open the details page for the certificate.
- Click Download to download the certificate file.
Upload the certificate to ADFS
- Sign in to your ADFS server.
- Open Administrative Tools, then open the AD FS Management Console (MMC).
- On the left navigation, click Trust Relationships, then click Relying Party Trusts.
- Right-click on the Relying Party Trust for Zoom, then click Properties.
- Click the Encryption tab, then click Browse.
- Open the downloaded certificate file.
- Click the Signature tab.
- Remove any currently listed certificates.
- Click Add, and choose the latest certificate.
Once the certificate has been updated, Zoom recommends doing a couple of test logins to ensure SSO is working properly.
If SSO logins do not work correctly when testing, roll back to the previous certificate and test logins again. If SSO login then succeeds, re-upload the certificate using the steps above.
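The upload-by-file procedure and its rollback, as an added PowerShell example that is not from Zoom's article. It assumes the trust is displayed as "Zoom" and that the certificate downloaded from the Zoom web portal was saved as C:\temp\zoom-sp.cer; both are placeholders.

```powershell
# Added example (not Zoom's code). Run in an elevated PowerShell on an AD FS server.
Import-Module ADFS
$RpName   = 'Zoom'                 # assumption: trust display name
$CertFile = 'C:\temp\zoom-sp.cer'  # assumption: where the portal download was saved

# Load the downloaded certificate (DER or PEM both work) and show what it is.
$new = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile
"New certificate $($new.Thumbprint), valid until $($new.NotAfter.ToUniversalTime()) UTC"

# Capture the current Signature and Encryption certificates first: this is the
# state you roll back to if test logins fail.
$rp             = Get-AdfsRelyingPartyTrust -Name $RpName
$prevSigning    = @($rp.RequestSigningCertificate)
$prevEncryption = $rp.EncryptionCertificate
"Previous signature cert(s): $($prevSigning.Thumbprint -join ', ')"
"Previous encryption cert:   $($prevEncryption.Thumbprint)"

# Replace both slots with the new certificate (GUI: Encryption tab -> Browse;
# Signature tab -> remove the old entries, Add the new one). Leave out the
# parameter for a slot that is meant to stay empty because the matching Zoom
# option (Sign SAML request / Support encrypted assertions) is disabled.
Set-AdfsRelyingPartyTrust -TargetName $RpName `
    -RequestSigningCertificate @($new) -EncryptionCertificate $new

# Run a couple of SSO test logins now. If they fail, restore the captured state:
#   Set-AdfsRelyingPartyTrust -TargetName $RpName `
#       -RequestSigningCertificate $prevSigning -EncryptionCertificate $prevEncryption
```

Keeping the previous certificates in variables (or exporting them with Export-Certificate) before the swap is what makes the rollback in the text a one-line operation instead of a search for the old file.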
Shibboleth certificate rotation
Shibboleth V3
Note: When using Shibboleth, ensure that Support encrypted assertions is enabled.
If your Shibboleth IdP loads Zoom's metadata with an HTTPMetadataProvider, FileBackedHTTPMetadataProvider, or DynamicHTTPMetadataProvider, Shibboleth will poll Zoom's metadata and pick up the new certificate. If it uses any other MetadataProvider type, you will need to download the metadata file and update it on the Shibboleth server manually.
If your Shibboleth IdP uses a ResourceBackedMetadataProvider, LocalDynamicMetadataProvider, or FilesystemMetadataProvider, you may be able to update the metadata file without restarting your web server (such as Apache Tomcat or another Java application server).
For more details, visit the Shibboleth configuration wiki.
Manual update certificate via webserver restart
- Sign in to the Zoom web portal.
- In the navigation menu, click Advanced then Single Sign-On.
- In the Service Provider (SP) Certificate section, click Edit and select Zoom Certificate (Expires on December 30, 2025 UTC).
This will update the Zoom certificate to the latest certificate (the certificate with the farthest expiration date).
- Download the new metadata from https://yourvanityurl.zoom.us/saml/metadata/sp.
- Update the existing metadata file on the Shibboleth server, with the new certificate file.
- Restart the webserver.
Note: If you do not restart the web server, you will have to wait for Shibboleth to reload the file, which can take anywhere from 5 minutes to 24 hours. During this period, users may not be able to log in using SSO.
Graceful manual update of the certificate
- Download the new metadata from https://yourvanityurl.zoom.us/saml/metadata/sp.
- Update the existing metadata file on the Shibboleth server, with the new certificate file.
- Wait 48 hours for Zoom to auto-detect and update to the new certificate.
- Check your Zoom SSO configuration to see whether the certificate has been updated to the latest one (expiring December 30, 2025) automatically.
- If successful: download the metadata file from the metadata URL again, and update the server with the new file.
- If unsuccessful: wait another day for Zoom to auto-detect the new certificate.