Zoom SAML Single Sign-On (SSO)
This topic describes how to configure CyberArk Identity Zoom SAML template for SSO.
Zoom offers the #1 Cloud Video Conferencing Experience that unifies HD video conferencing, mobility and web meetings together as a free cloud service.
Zoom Requirements
Configuring Zoom for single sign-on requires
- A Zoom account with administrator privileges.
-
A signed certificate.
You can either download one from the Identity Administration portal or use your organization’s trusted certificate.
Set up the certificates for SSO
To establish a trusted connection between the web application and CyberArk Identity, you need to have the same signing certificate in both the application and the application settings in the Identity Administration portal.
If you use your own certificate, you upload the signing certificate and its private key in a .pfx or .p12 file on the application’s Trust page in the Identity Administration portal. You also upload the public key certificate in a .cer or .pem file to the web application.
What to know before configuring SSO for Zoom
-
If you configure CyberArk Identity to use SP-initiated SSO to launch Zoom, be aware that you can still log in to your Zoom account using the
www.zoom.usURL. (In most other applications that use SP-initiated SSO, the application blocks users from logging in directly to the application account.) SP-initiated SSO uses just the domain-specific URL with Zoom, such ashttps://acme.zoom.uswhere acme is your custom domain. -
Zoom offers automatic user provisioning. After you’ve created your administrative account in Zoom and configured SSO, you don’t need to register additional users. Once Zoom receives the SAML response from CyberArk Identity, Zoom checks to see if the user already exists. If the user doesn’t already exist, Zoom creates the user account automatically with the user account received in the SAML response.
-
The additional users that Zoom creates based on the SAML response are part of the original Zoom administrator account but they are non-administrative users (they can’t edit Zoom account settings, for example).
Configure Zoom for Single Sign-On
The following steps are specific to this application and are required in order to enable SSO. For information on optional configuration settings available in the Identity Administration portal, see Configure optional application settings.
A video for how to configure the Zoom template for SSO is also available.
-
Add the Zoom application in the Identity Administration portal.
-
In the Identity Administration portal, select Apps & Widgets > Web Apps, then click Add Web Apps.
-
On the Search page, enter the application name in the Search field and click the search button.
-
Next to the application name, click Add.
-
On the Add Web App page, click Yes to confirm.
-
Click Close to exit the Application Catalog.
The application opens to the Settings page.
-
-
On the Settings page in the Identity Administration portal, specify the following settings:
Option
Description
Your Zoom domain name
Enter your Zoom domain name. For example, if you login to Zoom using https://acme.zoom.us, enter acme.
Application ID
Configure this field if you are deploying a mobile application that uses the CyberArk mobile SDK. CyberArk Identity uses the Application ID to provide single sign-on to mobile applications. Note the following:
The Application ID has to be the same as the text string that is specified as the target in the code of the mobile application written using the mobile SDK. If you change the name of the web application that corresponds to the mobile application, you need to enter the original application name in the Application ID field.
There can only be one SAML application deployed with the name used by the mobile application.
The Application ID is case-sensitive and can be any combination of letters, numbers, spaces, and special characters up to 256 characters.
Show in User app list
Select Show in User app list to display this web application in the user portal. (This option is selected by default.)
If this web application is added only to provide SAML for a corresponding mobile app, deselect this option so the web application won’t display for users in the user portal.
-
In the Identity Provider Configuration area of the Trust page, expand the certificate area and select the certificate that you want to use for the application, then click Download.
-
Open a new tab in your web browser.
It is helpful to open the web application and the Identity Administration portal simultaneously to copy and paste settings between the two browser windows. -
Go to the following URL and sign in as an admin user:
https://www.zoom.us
-
Click MY ACCOUNT, then scroll down to the Advanced area and click Single Sign-On.
- Click Enable Single Sign-On.
-
Open the certificate that you downloaded earlier in a text editor, then copy the contents and paste them into the web application's certificate field.
-
In the Identity Provider Configuration area of the Trust page, copy the Sign-in and Sign-out URLs from the Identity Administration portal and paste them into Zoom's sign-in and sign-out fields.
-
In the Service Provider Configuration area of the Trust page, select the Metadata option, then enter the following URL (where "mycompany" is your company's Zoom domain) in the URL field and click Load.
https://mycompany.zoom.us/saml/metadata/sp
-
Specify the following remaining options in the web application:
Option
Required or optional
Set it to
Description
Vanity URL
Required
[a URL of your choice and approved by Zoom]
For example, if your company name is acme, you could request that your vanity URL is https://acme.zoom.us.
Binding
Required
HTTP-POST
Default user type
Basic, Pro, or Corp
This applies to automatic user provisioning. If the user who attempts to connect to Zoom does not yet exist in your Zoom account, Zoom creates a user account of this type automatically for the user.
See https://support.zoom.us/hc/en-us/articles/201363003-Getting-Started for more information.
-
Deploy the application by setting permissions on the application.
-
On the Permissions page, click Add.
-
Select the user(s), group(s), or role(s) that you want to grant permissions to, then click Add.
The added object appears on the Permissions page with View, Run, and Automatically Deploy permissions selected by default.
-
Select the permissions you want and click Save.
Default permissions automatically deploy the application to the User Portal if the Show in user app list option is selected on the Settings page. Do not select this option if you intend to use only SP-initiated SSO.
Change the permissions if you want to add additional control or if you prefer not to automatically deploy the application.
-
-
On the Account Mapping page, configure how the login information is mapped to the application’s user accounts.
Available options vary depending on your application type.
Option
Description
Directory Service Field
Use this option if the user accounts are based on user attributes.
For example, specify an Active Directory field such as mail or userPrincipalName or a similar field from theCyberArk Cloud Directory.Also see Authentication security options for information on the option to use the password supplied by Active Directory users.
All users share one name
Use this option if you want to share access to an account (for example, some people share an application developer account).
Check Allow users to view credentials to allow users to view User Identity (User Name and Password) for an application in the User Portal > Application Settings (select the gear icon in the application tile). Users must have the View permission enabled. This can help users who may need offline access to the application.
The ability to view the User Identity information in the application only applies to application passwords stored in CyberArk Identity. It does not apply to applications where passwords are stored in the PAM - Self-Hosted Vault.If this option is not checked (default), User Identity information for an application is not shared in the User Portal > Application Settings.
Contact CyberArk Support to disable the Allow users to view credentials option.Use the Authentication Key to enable TOTP for admin-added applications. For instructions, see Enable one-time passwords for sites with two-factor authentication.
Prompt for user name
Use this option if you want users to supply their own user name and password. This option only applies to some application types such as user password, custom NTLM, and browser extension applications. The first time that users launch the application, they enter their login credentials for that application. The CyberArk Cloud Directory stores the user name and password so that the next time the user launches the application, the CyberArk Cloud Directory logs in the user automatically.
Account Mapping Script
You can customize the user account mapping here by supplying a custom JavaScript. For example, you could use the following line as a script:
LoginUser.Username = LoginUser.Get('mail')+'.ad';The script sets the login user name to the user’s mail attribute value in Active Directory and adds ‘.ad’ at the end. For example, if the user’s mail attribute value is Adele.Darwin@acme.com then the account mapping script sets LoginUser.Username to Adele.Darwin@acme.com.ad. For more information about writing a script to map user accounts, see the SAML application scripting.
Also see Authentication security options for information on the option to use the password supplied by Active Directory users.
- Click Save.
Use this page to configure the application for single sign-on.
For more information about Zoom
For more information about configuring Zoom for SSO, see the following information:
https://support.zoom.us/entries/22826921-Getting-Started
For information about editing and adding Zoom users, see the following information:
https://support.zoom.us/entries/23437441-About-User-Management
