Configuring Shibboleth for Zoom

Lohr, Donald A - lohrda lohrda at
Sat Aug 22 18:44:26 UTC 2020

We want a Shibboleth / Zoom configuration, where, if the user's email address changes (we have several scenarios where that happens) that the SSO assertion data to Zoom profile matching is not based on a user's email address but on something that is unique and never changing. And for us a user's email address, while unique, is not never changing. So using something like a user's eduPersonTargetedID value or their eduPersonUniqueId value to match on in lieu of their email address value works better for us.


On Aug 21, 2020, at 10:50 PM, Mike Osterman <ostermmg at<mailto:ostermmg at>> wrote:

Hi Donald,

We didn't use Shib for it, but rather the SAML IdP in CAS, but we have been sending eduPersonTargetedID and it's working just fine.

I literally just set up LTI Pro for Canvas last night, and only in our test Canvas instance, but the SSO seemed to work just fine.

On the LTI Pro front: one piece of advice is to join the EDU-ZOOM listserv as there's a fair amount of discussion around LTI Pro and configuring it in an SSO environment.

Good luck!

On Fri, Aug 21, 2020 at 7:42 PM Lohr, Donald A - lohrda <lohrda at<mailto:lohrda at>> wrote:

Referring to this URL:<> states the following:

First, configure your IdP to send us the following

  *   Any unique identifier linked to nameID such as eduPersonTargetedID, persistentID, or mail
  *   (Optional) Accepted attributes are email (urn:oid:0.9.2342.19200300. 100.1.3), sn (urn:oid:, and givenName (urn:oid:

Our plan would be to configure Shibboleth to set the nameID for Zoom to not be a user's email address. We want to use a better unique & never changing attribute, the user's eduPersonUniqueId attribute value. We will also send Zoom a user's mail, givenname and sn attribute values.

Is anyone's Shibboleth configuration for Zoom using something other than email as the nameID value?  If so have you encountered any issues with nameID not set as a users email value? Especially with SSO login, the emailing of or accepting invitations or using the Canvas LTI Pro component.

D o n a l d   L o h r
I n f o r m a t i o n   S y s t e m s
J a m e s   M a d i s o n   U n i v e r s i t y
5 4 0 . 5 6 8 . 3 7 3 0
For Consortium Member technical support, see<>
To unsubscribe from this list send an email to users-unsubscribe at<mailto:users-unsubscribe at>
For Consortium Member technical support, see
To unsubscribe from this list send an email to users-unsubscribe at<mailto:users-unsubscribe at>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list