Configuring Shibboleth for Zoom

Mak, Steve makst at
Sun Aug 23 02:27:12 UTC 2020

I forgot to mention that we also do automatic role, group, and license-type assignment based on eduPersonEntitlement, and the Zoom system uses a first-match-wins process.

The role, group, and license assignments are each independent and can all use separate values from the EPE attribute.

From: users <users-bounces at> on behalf of Mak, Steve <makst at>
Sent: Saturday, August 22, 2020 10:23 PM
To: Shib Users <users at>
Subject: Re: Configuring Shibboleth for Zoom

We've done extensive SSO testing with Zoom and this is what we found.

The primary account identifier for Zoom is whatever attribute you put in the Zoom Email Address in the SAML mapping.

We had a school use email address and eduPersonTargetedID as a fallback, and if our users suppressed their email address, the user would be logged into a new account based on their EPTID. Those with EPTIDs could not be easily invited to meetings.

We've tried a combo of Zoom Email mapped to email and Zoom Employee Unique ID to EPPN/employeeNumber, but all that did was create a complex account identifier where, if either changed, it resulted in an error or a new account.

What we've settled on is this: Zoom Email mapped to EPPN, and we deny release of email address to Zoom. This is the only choice we had due to a desire to cross-integrate with Canvas and other EDU services.

- Steve

From: users <users-bounces at> on behalf of Les LaCroix <llacroix at>
Sent: Saturday, August 22, 2020 5:56 PM
To: Shib Users <users at>
Subject: Re: Configuring Shibboleth for Zoom


We have Shibb configured with the usual SAML persistent NameID, and Zoom configured to pay attention to eduPersonUniqueID as the user identifier, mail for email address, etc. The config has been in place since last spring term, and we haven't had any issues with logins or invitations.

Les LaCroix '79
Strategic Technologist
Information Technology Services
t: (507) 222-5455

On Fri, Aug 21, 2020 at 9:42 PM Lohr, Donald A - lohrda <lohrda at> wrote:

Referring to this URL: states the following:

First, configure your IdP to send us the following

  *   Any unique identifier linked to nameID such as eduPersonTargetedID, persistentID, or mail
  *   (Optional) Accepted attributes are email (urn:oid:0.9.2342.19200300.100.1.3), sn (urn:oid:, and givenName (urn:oid:

Our plan would be to configure Shibboleth to set the nameID for Zoom to not be a user's email address. We want to use a better unique & never changing attribute, the user's eduPersonUniqueId attribute value. We will also send Zoom a user's mail, givenname and sn attribute values.

Is anyone's Shibboleth configuration for Zoom using something other than email as the nameID value? If so, have you encountered any issues with nameID not set as a user's email value? Especially with SSO login, the emailing of or accepting invitations, or using the Canvas LTI Pro component.

Donald Lohr
Information Systems
James Madison University
540.568.3730
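
The release policy described in the most recent reply above (EPPN released to Zoom as the account key, mail withheld, eduPersonEntitlement driving role, group and license assignment), sketched as a Shibboleth IdP attribute filter policy. This is an added example, not configuration posted by anyone in the thread. The policy id, the entityID placeholder, the entitlement value pattern, and the attribute ids (which must match the ids in your own attribute resolver) are assumptions.

```xml
<!-- Added example: fragment for conf/attribute-filter.xml (Shibboleth IdP v3/v4 filter syntax). -->
<!-- Assumes the enclosing AttributeFilterPolicyGroup already declares the xsi namespace. -->
<AttributeFilterPolicy id="zoomRelease">  <!-- hypothetical policy id -->

    <!-- Placeholder: replace with the entityID found in your Zoom SP metadata. -->
    <PolicyRequirementRule xsi:type="Requester"
                           value="https://ZOOM-SP-ENTITYID.example" />

    <!-- EPPN is what Zoom's SAML mapping reads as "Zoom Email Address",
         so it is the single, stable account identifier. -->
    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>

    <!-- Explicit deny for mail. A deny rule wins over a permit rule in any
         other policy that also applies to this requester, so a broad
         "release mail to everyone" policy cannot reintroduce a second
         identifier and split the account. -->
    <AttributeRule attributeID="mail">
        <DenyValueRule xsi:type="ANY" />
    </AttributeRule>

    <!-- Entitlements feed Zoom's first-match-wins role, group and license
         mapping. Release only the values meant for Zoom (constructed
         pattern), not every entitlement the user holds. -->
    <AttributeRule attributeID="eduPersonEntitlement">
        <PermitValueRule xsi:type="ValueRegex"
                         regex="^urn:mace:example\.edu:zoom:.+$" />
    </AttributeRule>

</AttributeFilterPolicy>
```

After reloading the filter service, the IdP's aacli tool can be run against the Zoom entityID for a test principal to confirm that mail is absent from the released attributes and only the intended entitlement values appear.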