Configuring Shibboleth for Zoom
Lohr, Donald A - lohrda
lohrda at jmu.edu
Sat Aug 29 00:22:42 UTC 2020
What we learned.
We are releasing eduPersonUniqueId in the Shibboleth SAML assertion in the nameid field. On our Zoom SSO "SAML Response Mapping" we set <NameID> as the "Employee Unique ID" value.
We are doing SSO auto-provisioning.
When using <NameID> as the unique profile key in lieu of Zoom's default email address, Zoom tracks when the user's email address is set on the profile and will not allow it to update again once the existing email value is 12 hours old. See Gotcha#2 below.
We were able to successfully test this <NameID> model by making changes to the left of the @ and even to the right of the @ in the email address to update a user's Zoom profile.
Gotcha#1:
The "Associated Domains" setting has to be configured with your email domain(s) before the use of the <NameID> in your Zoom configuration will manage and update your email values when they change. For us, we have two email domains. The "Associated Domains" item also has to be configured so you pull into your Zoom site license all of those users that had an existing Zoom license based on their email address from your email domain(s).
Gotcha#2: Once a Zoom profile is created or it was just updated with a new email address value, Zoom will not allow a change to the email field on said user's Zoom profile for 12 hours. Meaning if a user's email address changes in your LDAP directory at 8:00am and the user logs into their existing Zoom profile (say) at 08:15am, their new email address updates their Zoom profile. If then at 10:00am the user's email address changes again in your LDAP directory and the user tries to log in again to Zoom at 10:30, they will get a Zoom error page. If you look in your Zoom site's "SAML Response Logs" for that user's login, using the view details link, toward the bottom you will see a reference to the 12 hour window.
Once the 12 hours have passed, the user's next Zoom login will update their Zoom profile with the new email address.
I have asked our account rep "why 12 hours" and even recommended a site specific setting that might better align with our business processes but have not gotten any response yet.
Don
--
Donald Lohr
Information Systems
James Madison University
540.568.3730
On Aug 21, 2020, at 10:42 PM, Lohr, Donald A - lohrda <lohrda at jmu.edu> wrote:
https://support.zoom.us/hc/en-us/articles/201363003-Getting-started-with-SSO
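For readers setting up the same NameID-based profile key, here is an added example (not Don's or JMU's configuration) of the three Shibboleth IdP pieces involved: releasing eduPersonUniqueId to the Zoom SP, sourcing the SAML 2 NameID from that attribute, and forcing the format for that relying party. The Zoom entityID is a placeholder, the persistent NameID format and the `mail` attribute ID are assumptions, and the snippets follow the IdP v3/v4 Spring configuration layout.

```xml
<!-- conf/attribute-filter.xml: the NameID generator can only use an attribute
     that the filter policy actually releases to the Zoom SP. -->
<AttributeFilterPolicy id="releaseToZoom">
    <!-- Placeholder: replace with the entityID shown in your Zoom SSO settings -->
    <PolicyRequirementRule xsi:type="Requester" value="ZOOM_SP_ENTITY_ID_PLACEHOLDER" />
    <!-- Stable key used for the NameID (survives email address changes) -->
    <AttributeRule attributeID="eduPersonUniqueId" permitAny="true" />
    <!-- Assumed attribute ID for the email that Zoom maps to the profile address -->
    <AttributeRule attributeID="mail" permitAny="true" />
</AttributeFilterPolicy>

<!-- conf/saml-nameid.xml: generate the SAML 2 NameID from eduPersonUniqueId,
     but only for the Zoom relying party; everyone else keeps transient IDs. -->
<util:list id="shibboleth.SAML2NameIDGenerators">
    <ref bean="shibboleth.SAML2TransientGenerator" />
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
          p:attributeSourceIds="#{ {'eduPersonUniqueId'} }">
        <property name="activationCondition">
            <bean parent="shibboleth.Conditions.RelyingPartyId"
                  c:candidates="#{ {'ZOOM_SP_ENTITY_ID_PLACEHOLDER'} }" />
        </property>
    </bean>
</util:list>

<!-- conf/relying-party.xml: make the IdP prefer that format for Zoom even if
     the SP's metadata lists none, so the assertion carries eduPersonUniqueId
     in <NameID> and Zoom can map it to "Employee Unique ID". -->
<bean parent="RelyingPartyByName" c:relyingPartyIds="ZOOM_SP_ENTITY_ID_PLACEHOLDER">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO"
                  p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
        </list>
    </property>
</bean>
```

After restarting the IdP, Zoom's "SAML Response Logs" view (mentioned above) is the quickest place to confirm that the NameID value is the unique ID rather than the email address.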