Configure SSO to Zoom
Problem
You want to integrate Zoom with PortalGuard for Single Sign-On and/or Two-Factor Authentication.
Solution
Use our generic ZOOM SSO template and follow the steps below to set up the SSO integration for Zoom.
Install the Relying Party Template
Remote into the PortalGuard server and shut down the Identity Provider Configuration Editor.
Download the template file attached here and place it on your PortalGuard server in the following directory:
Program Files\PistolStar\PortalGuard\Policies
Open the Identity Provider Configuration Editor.
Click on the SAML Websites tab.
Verify the Zoom configuration now exists.
Modify the Relying Party Template
From within the Identity Provider Configuration Editor, edit the new configuration file verified in the previous section.
You may either double click the entry, or select the entry and then click the 'Edit' button.
On the General tab, ensure the 'Identifier' and 'Assertion Consumer Service URL' match the expected values for your instance of Zoom.
Important Note: This information will come from the settings denoted within for Zoom. If you have access to the Zoom metadata, these items can be found there as well. SAML Metadata is provided in XML format, and describes the application's properties such as access URLs and unique identifiers. The information specifically required by PortalGuard is detailed below:
The entityID value attached to the EntityDescriptor element from the metadata file translates to the 'Identifier' within PortalGuard.
The AssertionConsumerService element with a binding of 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' from the metadata file translates to the 'Assertion Consumer Service URL' within PortalGuard.
If you do not have Zoom metadata: Refer to step #5 within the Configure Zoom to Use PortalGuard for SSO section below for information on obtaining the 'entityID' for Zoom.
Ensure that you check the 'Use ACS from SAMLRequest' box and replace 'ACME' with the appropriate value for your Zoom vanity URL:
Navigate to the Identity Claims tab and validate that each claim is pulling the appropriate information.
For LDAP environments, each claim will be configured to pull a certain field value for the user.
For SQL environments, an SQL Query will be utilized with an expected return of the intended value.
In either case, a 'Static' value may be utilized as well.
Navigate to the IdP-Initiated tab. Modify the 'Display Text', 'Help Text', and 'Display Image' values according to the requirements for your environment.
'Display Text': The label for the Tile on the PortalGuard SSO Jump Page.
'Help Text': Context information that appears if the user hovers over the tile but does not click it.
'Display Image': Thumbnail to utilize for the tile on the PortalGuard SSO Jump Page.
'Hide on SSO Jump Page': Select this box if you want to hide the tile on the SSO Jump Page (e.g. users should navigate to this website directly).
Navigate to the Authorization tab and ensure the scope for this application matches the requirements for your environment.
Important Note: If the 'Authorized Users' box is empty, that means all users will be able to see/utilize this SSO Integration. Otherwise, only the users/groups/OUs present will be able to see/utilize this SSO Integration.
Click on the 'Save' button to commit your changes.
Configure Zoom to Use PortalGuard for SSO
IMPORTANT NOTE: The following steps are intentionally vague. Each application will require different configuration steps, and these steps may change over time as the application grows and develops. If your experience differs vastly from what is below, please contact technical support via techsupport@portalguard.com to have this article updated. We recommend always checking the configuration documentation specific to Zoom as well, to ensure no unwarranted mistakes are made.
Log in to the Administrative side of Zoom.
Navigate to the 'Advanced' section on the left-hand side, and then choose 'Single Sign-On'.
Click on the 'SAML' Tab to modify those settings.
Validate that the 'Vanity URL' has been set and is '(Approved)'.
Use the following information as a guideline for how to populate the SAML settings within Zoom:
'Sign-in page URL':
The PortalGuard SSO URL, which should follow this structure:
https://YOUR.PG.URL/sso/go.ashx
'Sign-out Page URL':
The PortalGuard logout URL, which should follow this structure:
'Identity Provider certificate':
The Signing certificate from your PortalGuard metadata.
Access your PortalGuard metadata by navigating to the following URL structure: https://{YOUR.PG.URL}/sso/metadata.ashx
Open the file in a text editor.
Copy everything between the '<X509Certificate>' tags, as shown in the example below:
'Service Provider (SP) Entity ID':
The identifier for the Zoom Service Provider.
This should match the 'identifier' value for the Zoom relying party as noted in step #2 in the Modify the Relying Party Template section above.
'Issuer (IDP Entity ID)':
The Entity ID for your PortalGuard instance.
This can be found in your PortalGuard metadata, using the value of the 'entityID' attribute.
You can also pull this from within the Identity Provider Configuration Editor:
Click on 'General IdP Settings' and navigate to the 'Response' tab. Copy the 'Issuer' value.
'Binding':
The binding utilized for sending the 'SAMLRequest' from Zoom.
PortalGuard supports both 'HTTP-POST' and 'HTTP-Redirect'.
'Signature Hash Algorithm':
The supported algorithm for signing the SAML.
Zoom defaults to SHA-256. The template attached to this KB also utilizes the same.
'Security':
Various security settings within Zoom. These should be kept at the defaults.
'Provision User':
This setting determines whether or not a user account is created in Zoom when an SSO user authenticates and doesn't already have a Zoom account.
Save the changes.
Attempt a login by navigating to Zoom in a new incognito/inPrivate browsing session.
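The two metadata lookups described above (the Zoom 'entityID' and HTTP-POST 'AssertionConsumerService' that become the 'Identifier' and 'Assertion Consumer Service URL', and the PortalGuard 'entityID' and signing certificate pasted into Zoom) can be checked with a short script rather than by eye. This is an added example, not PortalGuard or Zoom tooling; the function name, host names and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

def read_metadata(xml_text):
    """Return entityID, HTTP-POST ACS URL (SP side) and signing certs (IdP side)."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD found in metadata; refusing to parse")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("expected a single EntityDescriptor")
    acs = [e for e in root.iterfind("md:SPSSODescriptor/md:AssertionConsumerService", NS)
           if e.get("Binding") == HTTP_POST]
    # Prefer isDefault="true", then the lowest index.
    acs.sort(key=lambda e: (e.get("isDefault") != "true", int(e.get("index", "0"))))
    certs = []
    for kd in root.iterfind("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' covers signing too
            for c in kd.iterfind(".//ds:X509Certificate", NS):
                b64 = "".join((c.text or "").split())  # strip XML line breaks
                der = base64.b64decode(b64, validate=True)
                certs.append({"base64": b64, "sha256": hashlib.sha256(der).hexdigest()})
    return {"entity_id": root.get("entityID"), "signing_certs": certs,
            "acs_post": acs[0].get("Location") if acs else None}

# Constructed samples: placeholder hosts and a fake certificate body.
FAKE_DER = b"constructed bytes, not a real certificate"
CERT_B64 = base64.b64encode(FAKE_DER).decode()
SP_XML = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="sp.example.invalid">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:AssertionConsumerService index="0" Location="https://sp.example.invalid/art"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
  <md:AssertionConsumerService index="1" Location="https://sp.example.invalid/acs"
    Binding="{HTTP_POST}"/>
 </md:SPSSODescriptor></md:EntityDescriptor>"""
IDP_XML = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
  entityID="https://idp.example.invalid/sso">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   {CERT_B64[:20]}
   {CERT_B64[20:]}
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""

if __name__ == "__main__":
    print(read_metadata(SP_XML), read_metadata(IDP_XML), sep="\n")
```

Recording the SHA-256 value when the certificate is first pasted into Zoom gives a reference to compare against after any later change to the PortalGuard signing certificate.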