
In this blog we walk through the process of integrating Zoom with Workspace ONE Access. There are two very important prerequisites before you can set up the SAML integration with Zoom:

  1. You need an approved Vanity URL.
  2. Users need to be created with an SSO profile (unless you are using JIT provisioning).


Zoom Vanity URL

In your Zoom administration console, go to Admin -> Account Management -> Account Profile. You can apply for the Vanity URL at the bottom of this screen. Note: it might take some time for Zoom to approve it.


Zoom Users

When you create users in Zoom, they need to be created with the "SSO User" feature. Users can be created via CSV or through the Zoom API. If you are using the API to create users, you will need to use the "ssoCreate" action:

{
  "action": "ssoCreate",
  "user_info": {
    "email": "steve@vmtestdrive.com",
    "type": 1,
    "first_name": "Steve",
    "last_name": "Test"
  }
}


When users are created this way, the SSO icon is shown next to them in the user list.

Zoom Single Sign-On Setup


In order to configure Zoom for Single Sign-On, you will need your IdP metadata from Workspace ONE Access.

  1. Log into the Workspace ONE Administration Console
  2. Go to Catalog -> Web Applications and Click the Settings Button
  3. Click on SAML Metadata -> Identity Provider (IdP) Metadata


In your Zoom Administration Console:

  1. Go to Admin -> Advanced -> Single Sign-On
  2. Enter your Sign-in page URL. This is the Location attribute of the md:SingleSignOnService element whose Binding is urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST. This URL will end in /SAAS/auth/federation/sso
  3. Paste your Identity Provider Certificate (Signing). Note: Proper certificate formatting is not required.
  4. Leave the default Service Provider (SP) Entity ID
  5. In the "Issuer (IDP Entity ID)" field, enter the value from the Workspace ONE Access metadata. This is the entityID attribute on the first line of the metadata (the EntityDescriptor element). This URL will end in idp.xml.
  6. Select HTTP-POST for the binding.
  7. Select "SHA-256" for the Signature Hash Algorithm.
  8. Under Security, select Sign SAML Request and Save SAML response logs on user sign-in.
  9. Under Provision User, select "Prior to Sign-in" unless you are doing JIT.
  10. Download your metadata at https://yourcompany.zoom.us/saml/metadata/sp


Workspace ONE Access Single Sign-On Setup

  1. Log into the Workspace ONE Administration Console
  2. Go to Catalog -> Web Apps
  3. Click New
  4. Provide a Name (e.g. Zoom) and an Icon
  5. Click Next
  6. Open the previously downloaded Zoom metadata and copy/paste it into the URL/XML section.
  7. Click Next, Next, Save.
  8. Edit the Zoom application we just created.
  9. Click Next
  10. Enter the Username value that will be used to match the corresponding users in Zoom.
  11. Open Advanced Properties
  12. Select Sign Response, Sign Assertion and Include Assertion Signature
  13. Under Signature Algorithm, change the value to SHA256 with RSA
  14. Under Digest Algorithm, change the value to SHA256
  15. Click Next, Next, Save
  16. Assign the Zoom app to your users in Workspace ONE Access.


Log into Workspace ONE Access as an end user and test the application. Use the SAML response logs in Zoom to help troubleshoot.