Configuring Shibboleth for Zoom

Les LaCroix llacroix at carleton.edu
Sun Aug 23 15:35:31 UTC 2020


>
> The primary account identifier for Zoom is whatever attribute you put in
> the Zoom Email Address in the SAML mapping.


Yes, but you can also have Zoom track email address changes at login.  From
Zoom's help:

Employee Unique ID: The unique ID for the user. Use this for simplifying
the process when users change their email address. If your unique ID is in
the NameID element, enter <NameID> instead.


I don't think that this was configurable when we first started with Zoom,
but I wouldn't swear to that either.  FWIW we map email address to the
user's actual email address and Employee Unique ID to eduPersonUniqueID.
-L

<http://www.carleton.edu/>

*Les LaCroix '79*

Strategic Technologist

Information Technology Services

t: (507) 222-5455


On Sat, Aug 22, 2020 at 9:23 PM Mak, Steve <makst at upenn.edu> wrote:

> We've done extensive SSO testing with Zoom and this is what we found.
>
> The primary account identifier for Zoom is whatever attribute you put in
> the Zoom Email Address in the SAML mapping.
>
> We had a school use email address and eduPersonTargetedID as a fallback
> and if our users suppressed their email address the user would be logged
> into a new account based on their EPTID. Those with EPTIDs could not be
> easily invited to meetings.
>
> We've tried a combo of Zoom Email mapped to email and Zoom Employee Unique
> ID to EPPN/employeeNumber, but all that did was create a complex account
> identifier, where if either changed it resulted in an error or a new
> account.
>
> What we've settled on is this: Zoom Email mapped to EPPN, and we deny
> release of email address to Zoom. This is the only choice we had due to a
> desire to cross integrate with Canvas and other EDU services.
>
> - Steve
>
>
> ------------------------------
> *From:* users <users-bounces at shibboleth.net> on behalf of Les LaCroix <
> llacroix at carleton.edu>
> *Sent:* Saturday, August 22, 2020 5:56 PM
> *To:* Shib Users <users at shibboleth.net>
> *Subject:* Re: Configuring Shibboleth for Zoom
>
> Donald,
>
> We have Shibb configured with the usual SAML persistent NameID, and Zoom
> configured to pay attention to eduPersonUniqueID as the user identifier,
> mail for email address etc.  The config has been in place since last spring
> term, and we haven't had any issues with logins or invitations.
>
> -Les
>
> <http://www.carleton.edu/>
>
> *Les LaCroix '79*
>
> Strategic Technologist
>
> Information Technology Services
>
> t: (507) 222-5455
>
>
> On Fri, Aug 21, 2020 at 9:42 PM Lohr, Donald A - lohrda <lohrda at jmu.edu>
> wrote:
>
> Referring to this URL:
>
>
>
> https://support.zoom.us/hc/en-us/articles/201363003-Getting-started-with-SSO
>
>
> ...it states the following:
>
>
> First, configure your IdP to send us the following
>
>    - Any unique identifier linked to nameID such as eduPersonTargetedID,
>    persistentID, or mail
>    - (Optional) Accepted attributes are email
>    (urn:oid:0.9.2342.19200300.100.1.3), sn (urn:oid:2.5.4.4), and givenName (urn:oid:2.5.4.42).
>
>
> Our plan would be to configure Shibboleth to set the nameID for Zoom to
> not be a user's email address. We want to use a better unique & never
> changing attribute, the user's eduPersonUniqueId attribute value. We will
> also send Zoom a user's mail, givenname and sn attribute values.
>
>
> Is anyone's Shibboleth configuration for Zoom using something other than
> email as the nameID value?  If so have you encountered any issues with
> nameID not set as a user's email value? Especially with SSO login, the
> emailing of or accepting invitations or using the Canvas LTI Pro component.
>
> --
> D o n a l d   L o h r
> I n f o r m a t i o n   S y s t e m s
> J a m e s   M a d i s o n   U n i v e r s i t y
> 5 4 0 . 5 6 8 . 3 7 3 0
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
>
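
An added example, not part of the thread and not Shibboleth or Zoom code: a pre-deployment check that parses a test assertion and confirms it carries the release Les describes (persistent NameID, a single eduPersonUniqueId value, mail), flagging the suppressed-mail case from Steve Mak's message. The mail, sn and givenName OIDs are the ones quoted from Zoom above; the eduPersonUniqueId OID is taken from the eduPerson schema, and the function names and sample assertion are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# OID -> friendly name. The last entry is an assumption (eduPerson schema).
OIDS = {
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
    "urn:oid:2.5.4.4": "sn",
    "urn:oid:2.5.4.42": "givenName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.13": "eduPersonUniqueId",
}
# Constructed sample of a decoded test assertion from your own IdP.
# This inspects content only; it does not validate signatures.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">constructed-opaque-id</saml:NameID></saml:Subject>
 <saml:AttributeStatement>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13"><saml:AttributeValue>7f3a@example.edu</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue>pat@example.edu</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:2.5.4.4"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>Pat</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""


def released(assertion_xml):
    """Return (NameID format, {attribute name: [values]}) for one assertion."""
    root = ET.fromstring(assertion_xml)
    nameid = root.find("saml:Subject/saml:NameID", NS)
    attrs = {}
    for a in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        name = OIDS.get(a.get("Name"), a.get("Name"))
        attrs[name] = [v.text for v in a.iterfind("saml:AttributeValue", NS)]
    return (nameid.get("Format") if nameid is not None else None), attrs


def findings(assertion_xml):
    """List the ways the assertion departs from the intended release."""
    fmt, attrs = released(assertion_xml)
    out = []
    if fmt != PERSISTENT:
        out.append(f"NameID is not persistent: {fmt}")
    if len(attrs.get("eduPersonUniqueId", [])) != 1:
        out.append("eduPersonUniqueId missing or multi-valued")
    if not attrs.get("mail"):
        out.append("mail not released (suppressed or filtered)")
    return out
```

Run it against an assertion captured for a test user who has suppressed their email address as well as one who has not, since the two can produce different releases.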