In the wake of remote working, Zoom has become one of the most essential tools for video conferencing. In this piece, I will walk you through configuring single sign-on (SSO) for Zoom with the WSO2 Identity Server.
When SSO is configured and enabled for your organization on Zoom, it allows the users of your organization to log in using the organization's WSO2 Identity Server user credentials. The users need not have separate user accounts on Zoom. Zoom SSO (based on SAML 2.0) automatically provisions users based on the SAML response from the WSO2 Identity Server. Furthermore, this allows identity admins to create users, update user information and deactivate users in Zoom via the WSO2 Identity Server.
Once configured, the initial authentication flow for a user is as follows.
In the following sections, I will explain how to configure the WSO2 Identity Server, how to configure Zoom, and finally, how to test the configuration.
Before you begin, please make sure the following prerequisites are met.
- Zoom owner or admin privileges
- Business or Education account with approved Vanity URL
- Single Sign-On Enabled
- WSO2 Identity Server admin privileges
Configuring WSO2 Identity Server
Before Zoom can send requests to the WSO2 Identity Server, the Zoom client must be added as a service provider in the WSO2 Identity Server.
To register Zoom as a service provider in the WSO2 Identity Server:
- Sign in to the Management Console.
- On the Main menu, click Identity > Service Providers > Add.
- Fill in the Service Provider Name and provide a brief Description (optional) of the service provider as follows.
- Click Register to add the new service provider.
- Next, enter a suitable name for the service provider in the Service Provider Name text box.
Claim Configuration
Next, we need to configure the claims for the service provider in the Identity Server.
To do this, first click on the Claim Configuration tab.
In the expanded section, set the Claim Mapping Dialect to Use Local Claim Dialect and click Add Claim URI next to the Requested Claims field.
Add the claims as shown below. Then, set the Subject Claim URI to http://wso2.org/claims/emailaddress.
Inbound Authentication Configuration
- Under the Inbound Authentication Configuration section, expand SAML2 Web SSO Configuration and click Configure.
- Select Manual Configuration and enter the required details as given below.
Issuer — https://yourcompany.zoom.us
Assertion Consumer URL — https://yourcompany.zoom.us/saml/SSO
NameID format — urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Please refer to Configuring SAML2 Web SSO when filling out the other fields.
- After entering the details, click on Download IDP Metadata and Register at the bottom.
Save the IdP metadata file since it is required for the Zoom configuration.
Configuring Zoom
- Log in to Zoom as an administrator.
- To enter your SSO information, go to https://zoom.us/account/sso.
There, you will see the SAML SSO configuration page shown above. Fill in the fields with the details from the IdP metadata file.
- First, open the IdP metadata file downloaded earlier and find the SingleSignOnService Location, SingleLogoutService Location and X509Certificate values.
- In the Sign-in page URL text box, paste the SingleSignOnService Location value from the IdP metadata file.
- In the Sign-out page URL text box, paste the SingleLogoutService Location value from the IdP metadata file.
- In the x.509 Certificate text box, paste the X509Certificate value from the IdP metadata file. Note: remove the BEGIN CERTIFICATE and END CERTIFICATE lines and paste only the base64 body.
- From the Service Provider (SP) Entity ID drop-down list, select the https URL.
- In the Issuer (IDP Entity ID) text box, paste the entityID value from the IdP metadata file.
- For Binding, select http-post or http-redirect.
- Select the default user type (Basic or Pro) accordingly.
- Click Save Changes.
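Copying these values by hand out of the metadata XML is where most mistakes in this step happen (a wrong binding's URL, or PEM header lines left in the certificate box). The following Python script is an added example, not part of the original post or of either product: it reads an IdP metadata document and returns the four values the Zoom form asks for, stripping the PEM header and footer from the certificate as the note above requires. The embedded metadata document, its certificate body and the localhost host name are constructed placeholders.

```python
import xml.etree.ElementTree as ET
# XML namespaces used by SAML 2.0 metadata.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample shaped like an IdP metadata file (placeholder
# certificate body, default WSO2 IS host); not a real WSO2 export.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="localhost">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
-----BEGIN CERTIFICATE-----
MIIBplaceholderCERTIFICATEbody==
-----END CERTIFICATE-----
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://localhost:9443/samlsso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://localhost:9443/samlsso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

def _location(idp, tag, binding_uri):
    # Return the Location of <tag> for the preferred binding, else the first one listed.
    endpoints = idp.findall(f"md:{tag}", NS)
    if not endpoints:
        raise ValueError(f"metadata has no {tag} endpoint")
    for ep in endpoints:
        if ep.get("Binding") == binding_uri:
            return ep.get("Location")
    return endpoints[0].get("Location")

def extract_zoom_sso_values(metadata_xml, binding="HTTP-POST"):
    """Pull the fields the Zoom SSO page asks for out of IdP metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    cert_el = idp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert_el is None or not cert_el.text:
        raise ValueError("metadata has no signing certificate")
    # Zoom wants the bare base64 body: drop PEM header/footer lines and whitespace.
    cert = "".join(line.strip() for line in cert_el.text.splitlines()
                   if not line.strip().startswith("-----"))
    uri = f"urn:oasis:names:tc:SAML:2.0:bindings:{binding}"
    return {"issuer_idp_entity_id": root.get("entityID"),
            "sign_in_page_url": _location(idp, "SingleSignOnService", uri),
            "sign_out_page_url": _location(idp, "SingleLogoutService", uri),
            "x509_certificate": cert, "binding": binding.lower()}
```

Run it on your own download with extract_zoom_sso_values(open("metadata.xml").read()) and copy each returned value into the matching Zoom field.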
Mapping Basic Information
First, go to https://zoom.us/account/sso for the Single Sign-On configurations.
There, click on the SAML Response Mapping tab.
The first section of this page covers Basic SAML Information Mapping.
Add the Source Attribute listed below for each corresponding value. These must be identical to the claim URIs configured earlier on the Identity Server side.
Testing the Integration
To start, SSO users need to access https://yourcompany.zoom.us in a browser to log in, or, if logging in from the desktop or mobile client, enter the domain name of your vanity URL under SSO login.
You will then be redirected to the WSO2 Identity Server for authentication.
Upon successful authentication, the user is signed in to the respective Zoom account.