Configuring Shibboleth for Zoom

John Watt John.Watt at glasgow.ac.uk
Mon Aug 24 07:34:32 UTC 2020


We had related problems with Zoom because we send transient NameIDs and we have a certain class of users who don't assert an institutional email address. This resulted in these users getting a fresh account created every time they logged in based on the transient nameID. Zoom were unable to solve this: they have a uniqueID attribute which can be set, but this still doesn't work if the user has no email address, so we implemented a block in the IdP ContextCheck that stopped these people logging in until their line managers had requested email addresses for them.


----------------------------------------------------------------------

Dr. John Watt

IT Services, Room 405C, James Watt North Bldg.

University of Glasgow, Glasgow G12 8QQ

The University of Glasgow, charity number SC004401

________________________________
From: users <users-bounces at shibboleth.net> on behalf of Mak, Steve <makst at upenn.edu>
Sent: 23 August 2020 20:10
To: Shib Users <users at shibboleth.net>
Subject: Re: Configuring Shibboleth for Zoom

Employee Unique ID: The unique ID for the user. Use this for simplifying the process when users change their email address.
We tried this and couldn't get it to work. We had hoped that setting EPPN (or something very stable) to the Employee Unique ID mapping would prevent issues with users suppressing or changing their email address and found that to be false.

I never had full admin access to the Zoom SSO settings so I never got a chance to look for a setting to "track email address changes at login", so I can't speak of its existence or efficacy.

We also did not do any NameID configuration changes for our side. We simply send transient ID for NameID. I don't recall seeing documentation that Zoom could use NameID for anything.
________________________________
From: users <users-bounces at shibboleth.net> on behalf of Les LaCroix <llacroix at carleton.edu>
Sent: Sunday, August 23, 2020 11:35 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: Configuring Shibboleth for Zoom

The primary account identifier for Zoom is whatever attribute you put in the Zoom Email Address in the SAML mapping.

Yes, but you can also have Zoom track email address changes at login.  From Zoom's help:

Employee Unique ID: The unique ID for the user. Use this for simplifying the process when users change their email address. If your unique ID is in the NameID element, enter <NameID> instead.

I don't think that this was configurable when we first started with Zoom, but I wouldn't swear to that either.  FWIW we map email address to the user's actual email address and Employee Unique ID to eduPersonUniqueID.
-L



Les LaCroix '79

Strategic Technologist

Information Technology Services

t: (507) 222-5455


On Sat, Aug 22, 2020 at 9:23 PM Mak, Steve <makst at upenn.edu> wrote:
We've done extensive SSO testing with Zoom and this is what we found.

The primary account identifier for Zoom is whatever attribute you put in the Zoom Email Address in the SAML mapping.

We had a school use email address and eduPersonTargetedID as a fallback and if our users suppressed their email address the user would be logged into a new account based on their EPTID. Those with EPTIDs could not be easily invited to meetings.

We've tried a combo of Zoom Email mapped to email and Zoom Employee Unique ID to EPPN/employeeNumber, but all that did was create a complex account identifier, where if either changed it resulted in an error or a new account.

What we've settled on is this: Zoom Email mapped to EPPN, and we deny release of email address to Zoom. This is the only choice we had due to a desire to cross integrate with Canvas and other EDU services.

- Steve


________________________________
From: users <users-bounces at shibboleth.net> on behalf of Les LaCroix <llacroix at carleton.edu>
Sent: Saturday, August 22, 2020 5:56 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: Configuring Shibboleth for Zoom

Donald,

We have Shibb configured with the usual SAML persistent NameID, and Zoom configured to pay attention to eduPersonUniqueID as the user identifier, mail for email address etc.  The config has been in place since last spring term, and we haven't had any issues with logins or invitations.

-Les



Les LaCroix '79

Strategic Technologist

Information Technology Services

t: (507) 222-5455


On Fri, Aug 21, 2020 at 9:42 PM Lohr, Donald A - lohrda <lohrda at jmu.edu> wrote:

Referring to this URL:


https://support.zoom.us/hc/en-us/articles/201363003-Getting-started-with-SSO


...it states the following:


First, configure your IdP to send us the following

  *   Any unique identifier linked to nameID such as eduPersonTargetedID, persistentID, or mail
  *   (Optional) Accepted attributes are email (urn:oid:0.9.2342.19200300.100.1.3), sn (urn:oid:2.5.4.4), and givenName (urn:oid:2.5.4.42).


Our plan would be to configure Shibboleth to set the nameID for Zoom to not be a user's email address. We want to use a better unique and never-changing attribute, the user's eduPersonUniqueId attribute value. We will also send Zoom a user's mail, givenName and sn attribute values.


Is anyone's Shibboleth configuration for Zoom using something other than email as the nameID value? If so, have you encountered any issues with nameID not set as a user's email value? Especially with SSO login, emailing or accepting invitations, or using the Canvas LTI Pro component.

--
Donald Lohr
Information Systems
James Madison University
540.568.3730
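For readers who want to see what the arrangement Les describes (persistent NameID plus eduPersonUniqueID as Zoom's user identifier, with mail, sn and givenName released) looks like on the IdP side, here is an added configuration sketch. It is not from any poster in this thread and not Zoom's or Shibboleth's own documentation; it assumes Shibboleth IdP v4 configuration syntax and uses ZOOM_ENTITY_ID as a placeholder for the entityID shown in Zoom's SSO settings.

```xml
<!-- conf/attribute-filter.xml: place inside the existing AttributeFilterPolicyGroup.
     ZOOM_ENTITY_ID is a placeholder for Zoom's SP entityID. -->
<AttributeFilterPolicy id="releaseToZoom">
    <PolicyRequirementRule xsi:type="Requester" value="ZOOM_ENTITY_ID" />
    <!-- Stable, non-reassigned identifier for Zoom's "Employee Unique ID" field.
         Released here so the NameID generator below can also source it. -->
    <AttributeRule attributeID="eduPersonUniqueId" permitAny="true" />
    <!-- The attributes Zoom's SSO guide lists as accepted -->
    <AttributeRule attributeID="mail" permitAny="true" />
    <AttributeRule attributeID="givenName" permitAny="true" />
    <AttributeRule attributeID="sn" permitAny="true" />
    <!-- Steve's variant instead: drop the mail rule and release
         eduPersonPrincipalName for Zoom's "Email Address" field. -->
</AttributeFilterPolicy>

<!-- conf/saml-nameid.xml: emit a persistent-format NameID carrying the
     eduPersonUniqueId value, activated only for Zoom; every other SP
     keeps the transient default, so nothing else is affected. -->
<util:list id="shibboleth.SAML2NameIDGenerators">
    <ref bean="shibboleth.SAML2TransientGenerator" />
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
          p:attributeSourceIds="#{ {'eduPersonUniqueId'} }">
        <property name="activationCondition">
            <bean parent="shibboleth.Conditions.RelyingPartyId"
                  c:candidate="ZOOM_ENTITY_ID" />
        </property>
    </bean>
</util:list>

<!-- conf/relying-party.xml: prefer the persistent format for Zoom so the IdP
     does not fall back to a transient NameID (the per-login throwaway value
     that produced the duplicate-account behaviour described in this thread). -->
<bean parent="RelyingPartyByName" c:relyingPartyIds="ZOOM_ENTITY_ID">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO"
                  p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
        </list>
    </property>
</bean>
```

After reloading the services, confirm with the IdP's attribute-release test (or the `aacli` script) that eduPersonUniqueId is actually populated for every user class before switching Zoom's mapping, since an empty source attribute yields no NameID at all.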
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net