For updates on this blog and other blogs: Follow @SteveIDM
In this blog we are going to walk through the process of integrating Zoom with Workspace ONE Access. There are two very important prerequisites before you can set up the SAML integration with Zoom:
- You need an approved Vanity URL.
- Users need to be created with an SSO profile (unless you are using JIT).
Zoom Vanity URL
In your Zoom administration console, go to Admin -> Account Management -> Account Profile. You can apply for the Vanity URL at the bottom of this screen. Note: It might take some time for Zoom to approve it.
Zoom Users
When you create users in Zoom, they need to be created with the "SSO User" feature. Users can be created via CSV or through the Zoom API. If you are using the API to create users, you will need to use the "ssoCreate" action:
{
  "action": "ssoCreate",
  "user_info": {
    "email": "steve@vmtestdrive.com",
    "type": 1,
    "first_name": "Steve",
    "last_name": "Test"
  }
}
When users are created, you will see the SSO Icon:
Zoom Single Sign-On Setup
In order to configure Zoom for Single Sign-On, you will need your IdP metadata from Workspace ONE Access.
- Log into the Workspace ONE Administration Console
- Go to Catalog -> Web Applications and Click the Settings Button
- Click on SAML Metadata -> Identity Provider (IdP) Metadata
In your Zoom Administration Console:
- Go to Admin -> Advanced -> Single Sign-On
- Enter your Sign-in page URL. In the IdP metadata this is the Location attribute of the md:SingleSignOnService element whose Binding is urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST. This URL will end in /SAAS/auth/federation/sso
- Paste your Identity Provider Certificate (Signing). Note: Proper certificate formatting is not required.
- Leave the default Service Provider (SP) Entity ID
- In the "Issuer (IDP Entity ID)" field, enter the value from the Workspace ONE Access metadata. This is the entityID attribute on the first line of the metadata. This URL will end in idp.xml.
- Select HTTP-POST for the binding.
- Select "SHA-256" for the Signature Hash Algorithm.
- Under Security, select Sign SAML Request and Save SAML response logs on user sign-in.
- Under Provision User, select "Prior to Sign-in" unless you are doing JIT.
- Download your metadata at https://yourcompany.zoom.us/saml/metadata/sp
Workspace ONE Access Single Sign-On Setup
- Log into the Workspace ONE Administration Console
- Go to Catalog -> Web Apps
- Click New
- Provide a Name (e.g., Zoom) and an Icon
- Click Next
- Open the previously downloaded metadata and copy/paste into the URL/XML section.
- Click Next, Next, then Save.
- Edit the Zoom Application we just created.
- Click Next
- Enter the correct Username Value that will be used to match the corresponding users in Zoom.
- Open Advanced Properties
- Select Sign Response, Sign Assertion and Include Assertion Signature
- Under Signature Algorithm, change the value to SHA256 with RSA
- Under Digest Algorithm, change the value to SHA256
- Click Next, Next, then Save
- Assign the Zoom App to your users in Workspace ONE Access.
Log into Workspace ONE Access as an end user and test the application. Use the SAML Response Logs in Zoom to help troubleshoot.