Configuring Shibboleth for Zoom
Ray Bon
rbon at uvic.ca
Mon Aug 24 17:12:24 UTC 2020
eduPersonPrincipalName here.
Ray
On Sat, 2020-08-22 at 18:44 +0000, Lohr, Donald A - lohrda wrote:
Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.
We want a Shibboleth / Zoom configuration, where, if the user's email address changes (we have several scenarios where that happens) that the SSO assertion data to Zoom profile matching is not based on a user's email address but on something that is unique and never changing. And for us a user's email address, while unique, is not never changing. So using something like a user's eduPersonTargetedID value or their eduPersonUniqueId value to match on in lieu of their email address value works better for us.
Thanks,
Don
On Aug 21, 2020, at 10:50 PM, Mike Osterman <ostermmg at whitman.edu<mailto:ostermmg at whitman.edu>> wrote:
Hi Donald,
We didn't use Shib for it, but rather the SAML IdP in CAS, but we have been sending eduPersonTargetedID and it's working just fine.
I literally just set up LTI Pro for Canvas last night, and only in our test Canvas instance, but the SSO seemed to work just fine.
On the LTI Pro front: one piece of advice is to join the EDU-ZOOM listserv as there's a fair amount of discussion around LTI Pro and configuring it in an SSO environment.
Good luck!
Mike
On Fri, Aug 21, 2020 at 7:42 PM Lohr, Donald A - lohrda <lohrda at jmu.edu<mailto:lohrda at jmu.edu>> wrote:
Referring to this URL:
https://support.zoom.us/hc/en-us/articles/201363003-Getting-started-with-SSO<https://urldefense.proofpoint.com/v2/url?u=https-3A__support.zoom.us_hc_en-2Dus_articles_201363003-2DGetting-2Dstarted-2Dwith-2DSSO&d=DwMFaQ&c=eLbWYnpnzycBCgmb7vCI4uqNEB9RSjOdn_5nBEmmeq0&r=Pa2DB88IW_s2TyLfktHtWA&m=GaeRgD-t3sx9pq6ZYQOIEWiWpYUYPfC1BO1pzgiVxuc&s=_V81VvDtXlg_ymfsyQaINE-3e5n3BB78G9am2aVjlII&e=>
...it states the following:
First, configure your IdP to send us the following
* Any unique identifier linked to nameID such as eduPersonTargetedID, persistentID, or mail
* (Optional) Accepted attributes are email (urn:oid:0.9.2342.19200300. 100.1.3), sn (urn:oid:2.5.4.4), and givenName (urn:oid:2.5.4.42).
Our plan would be to configure Shibboleth to set the nameID for Zoom to not be a user's email address. We want to use a better unique & never changing attribute, the user's eduPersonUniqueId attribute value. We will also send Zoom a user's mail, givenname and sn attribute values.
Is anyone's Shibboleth configuration for Zoom using something other than email as the nameID value? If so have you encountered any issues with nameID not set as a users email value? Especially with SSO login, the emailing of or accepting invitations or using the Canvas LTI Pro component.
--
D o n a l d L o h r
I n f o r m a t i o n S y s t e m s
J a m e s M a d i s o n U n i v e r s i t y
5 4 0 . 5 6 8 . 3 7 3 0
--
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | rbon at uvic.ca<mailto:rbon at uvic.ca>
I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20200824/17bf4a1d/attachment.htm>
More information about the users
mailing list