PingOne for Enterprise

Adding Zoom to Your PingOne for Enterprise Dock

Add the Zoom application to your PingOne for Enterprise dock from the application catalog.

About this task

Single sign-on (SSO) is only available to paid business and educational Zoom accounts.

Steps

  1. In the PingOne for Enterprise admin console, go to Applications → Application Catalog.

  2. Optional: In the Search field, search for the application.

  3. Click the Zoom application line to expand it and click Setup.

    As of June 2023, Zoom no longer allows the creation of new JSON Web Token (JWT) applications.

    If you want to enable user provisioning for Zoom, select the Zoom - OAuth application in the PingOne for Enterprise Application Catalog.

    For more information, see JWT App Type Deprecation FAQ in the Zoom documentation.

  4. In a separate tab, go to https://zoom.us/signin and sign on to your account as an administrative user.

  5. In the Zoom admin console, click Single Sign-On.

  6. On the Vanity URL line, click Apply.

  7. In the Vanity URL field, enter a vanity URL for your organization and click Apply.

    For more information, see Guidelines for Vanity URL requests in the Zoom documentation.

    Zoom takes 1-2 business days to process vanity URL requests.

Next steps

After Zoom approves your vanity URL request, return to the Zoom app catalog application and click Continue to Next Step.

Zoom Connection Configuration

Steps

  1. Import the metadata for Zoom:

    Choose from:

    • To upload the metadata file: Click Select File.

    • To enter the URL of the metadata: Click Or use URL.

      If you upload a metadata file, the Entity ID field is automatically populated to include the https prefix. Leaving this prefix intact can cause configuration errors.

      After you upload the metadata file, you should verify that the Entity ID value is in the format <vanity name>.zoom.us.

  2. Required: In the ACS URL and Entity ID fields, replace the ${vanity} variables with your Zoom vanity URL.

  3. In the Target Resource field, enter a URL to redirect the user to after identity provider (IdP)-initiated SSO.

  4. In the Single Logout Endpoint field, enter a URL for PingOne for Enterprise to send single logout (SLO) requests to.

    If you enter a value in the Single Logout Endpoint field, it should be in the format https://<vanity name>.zoom.us/saml/SingleLogout.

  5. In the Single Logout Response Endpoint field, enter a URL for PingOne for Enterprise to send SLO responses to.

    Using the https://<your vanity URL>.zoom.us/saml/singlelogout SLO endpoint for both Single Logout Endpoint and Single Logout Response Endpoint improves your security by ending the user session in the application when the user’s SSO session ends.

  6. To add a Primary Verification Certificate, click Browse to locate and upload a local certificate file used to verify SLO requests and responses coming from Zoom.

  7. To add a Secondary Verification Certificate, click Browse to locate and upload a local certificate used to verify SLO requests and responses if the primary certificate fails.

  8. To require your identity bridge to re-authenticate users with an active SSO session, select the Force Re-authentication check box.

  9. If you want PingOne for Enterprise to pass the RequestedAuthnContext request to the IdP for your account, select Pass-Thru RequestedAuthnContext to IdP.

    This option is available only if you upload a primary verification certificate.

  10. To encrypt outgoing SAML assertions, select the Encrypt Assertion check box.

  11. On the Signing line:

    Choose from:

    • To have PingOne for Enterprise sign outgoing SAML assertions: Click Sign Assertion. This is the default option.

    • To have PingOne for Enterprise sign responses to incoming SAML assertions: Click Sign Response.

  12. In the Signing Algorithm list, select an algorithm with which to sign SAML assertions.

  13. To enter a custom URL to launch Zoom from the dock, select the Use Custom URL check box.

  14. To enable user provisioning, select the Set Up Provisioning check box.

Next steps

Click Continue to Next Step.

Zoom Provisioning

About this task

If you don’t need to set up user provisioning, proceed to Zoom Attribute Mapping.

Steps

  1. Sign on to the Zoom App Marketplace as an administrator.

  2. Click Develop → Build App.

  3. On the Choose your app type page, in the Server-to-Server OAuth tile, click Create.

  4. In the App Name field, enter a name for your application and click Create.

  5. On the App credentials tab, copy the Account ID, Client ID, and Client Secret values, then click Continue.

    You will enter these values into PingOne for Enterprise later.

  6. On the Information tab, complete the following information:

    1. In the Short description field, enter a description for the application.

    2. In the Company Name field, enter the name of your organization.

    3. In the Name field, enter the name of the contact for your Zoom account administrator.

    4. In the Email address field, enter the company email address of your Zoom account administrator.

      The information on this tab is required for you to activate your application.

  7. On the Features tab, click Continue.

  8. On the Scopes tab:

    1. Click Add Scopes.

    2. On the Add Scopes dialog, select the check boxes to add the following scopes:

      • User

        • View and manage sub account’s user information (user:master)

        • View all user information (user:read:admin)

        • View users information and manage users (user:write:admin)

      • Account

        • View and manage sub accounts (account:master)

        • View account info (account:read:admin)

        • View and manage account info (account:write:admin)

      • SCIM2

        • Call Zoom SCIM2 API (scim2)

    3. Click Done to add the selected scopes.

  9. On the Activation tab, click Activate.

  10. In PingOne for Enterprise, click Continue to Next Step until you see the Application Configuration tab.

  11. On the Application Configuration tab, configure your Zoom connection.

    1. Review the values for the SCIM_URL and OAUTH_TOKEN_URL fields, and change if necessary.

      The default values will work for most customers.

    2. In the OAUTH_ACCOUNT_ID field, enter your Zoom account ID.

    3. In the OAUTH_CLIENT_ID field, enter your Zoom client ID.

    4. In the OAUTH_CLIENT_SECRET field, enter your Zoom client secret.

    5. From the REMOVE_ACTION list, select one of the following options:

      • If you select Disable, a user you disable or delete in PingOne for Enterprise will be disabled in Zoom.

      • If you select Delete, a user you disable or delete in PingOne for Enterprise will be deleted in Zoom.

    6. Click Continue to Next Step.

Zoom Attribute Mapping

About this task

PingOne for Enterprise automatically populates required SAML attributes.

For Zoom, the required attribute is SAML_SUBJECT. Map this to the attribute of the user’s email address, usually SAML_SUBJECT or email.

Steps

  1. To add an additional optional attribute, click Add new attribute.

  2. In the Application Attribute field, enter the attribute name as it appears in the application.

  3. In the Identity Bridge Attribute or Literal Value field, choose one of the following:

    Choose from:

    • To map to the application attribute: Enter or select a directory attribute.

    • To assign to the application attribute: Select As Literal, then enter a literal value.

  4. To create advanced attribute mappings, click Advanced.

    For more information, see Create advanced attribute mappings.

Next steps

Click Continue to Next Step.

Zoom Customization

Steps

  • To change the application icon, click Select image and upload a local image file.

    The image file must be:

    • PNG, GIF, or JPG format

    • 312 x 52 pixels maximum

    • 2 MB maximum file size

      Images are scaled to 64 x 64 pixels for display.

  • To change the name of the application displayed on the dock, in the Name field, enter a new name.

  • To change the description of the application, in the Description field, enter the new description text.

  • To change the category to which the application is assigned on the dock, in the Category list, select a category.

    For information about creating custom application categories, see Creating a custom application category.

Next steps

Click Continue to Next Step.

Zoom Group Access

About this task

The Group Access tab shows every user group that you have created.

For more information about creating user groups, see Add user groups.

Steps

  • To add a group’s access to the application, on the line for that group, click Add.

  • To remove a group’s access, on the line for that group, click Remove.

  • When you’re finished assigning groups, click Continue to Next Step.

Next steps

On the Review Setup tab, review your configuration, and click Finish to add the application to your PingOne for Enterprise Dock.

Zoom SAML Connection

Steps

  1. On the Review Setup tab:

    1. On the Signing Certificate line, click Download to download the signing certificate.

    2. On the SAML Metadata line, click Download to download the metadata file.

  2. In a separate tab, sign on to the Zoom admin console and go to the Single Sign-On tab.

  3. In Zoom, set the Sign-in Page URL value:

    1. Open the metadata file in a text editor.

    2. Copy the SingleSignOnService Location value.

      Example: https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=<idpid value>

    3. In the Zoom admin console, paste the Location value into the Sign-in Page URL field.

  4. Optional: In the Sign-Out page URL field, enter https://<vanity name>.zoom.us/saml/SingleLogout.

    An SLO URL improves security by ending a user session in Zoom when the user’s SSO session ends.

  5. In the Service Provider (SP) Entity ID list, select the non-HTTPS option.

  6. In the Enter Issuer field, paste the entityID value from the metadata file.

  7. Enter the Identity provider certificate value:

    1. Open the signing certificate file in a text editor.

    2. Copy the contents of the signing certificate file, excluding the BEGIN CERTIFICATE and END CERTIFICATE lines.

    3. In the Zoom admin console, paste the certificate contents into the Identity provider certificate field.

  8. On the Binding line, click either HTTP-POST or HTTP-Redirect.

    HTTP-POST is the more secure option, because it doesn’t expose the SAML token as a query parameter in the URL.

  9. On the Signature Hash Algorithm line, click SHA-256.

  10. On the Security line, select the check boxes of the security policies to implement.

    Improve your security by selecting Sign SAML request and Save SAML response logs on user sign-in.

  11. Click Save Changes.
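
Steps 3, 6, and 7 above copy three values by hand from the downloaded metadata and certificate files. The following added example (not part of the PingOne or Zoom documentation) extracts them with a script, and also checks the scheme-less Entity ID format described under Zoom Connection Configuration. The sample metadata, entityID, idpid, and certificate body are constructed placeholders, the function names are hypothetical, and the characters allowed in a vanity name are an assumption.

```python
import re
import xml.etree.ElementTree as ET

MD = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample metadata; the entityID and idpid values are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.invalid/placeholder">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=PLACEHOLDER"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=PLACEHOLDER"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed PEM file; the body is dummy base64, not a real certificate.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
ZHVtbXktY2VydGlmaWNhdGUtbGluZS0x
ZHVtbXktY2VydGlmaWNhdGUtbGluZS0y
-----END CERTIFICATE-----
"""

def zoom_sso_fields(metadata_xml, pem_text, binding="HTTP-POST"):
    """Return the values pasted into Zoom's Single Sign-On tab."""
    root = ET.fromstring(metadata_xml)
    path = "md:IDPSSODescriptor/md:SingleSignOnService"
    # Pick the endpoint whose Binding matches the option chosen in Zoom.
    locations = [e.get("Location") for e in root.findall(path, MD)
                 if e.get("Binding", "").endswith(":" + binding)]
    if len(locations) != 1 or not locations[0].startswith("https://"):
        raise ValueError("expected one HTTPS endpoint for " + binding)
    # Keep only the base64 body, dropping the BEGIN/END CERTIFICATE lines.
    body = "".join(ln.strip() for ln in pem_text.splitlines()
                   if ln.strip() and not ln.startswith("-----"))
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        raise ValueError("certificate body is not base64")
    return {"sign_in_page_url": locations[0],
            "issuer": root.get("entityID"),
            "idp_certificate": body}

def sp_entity_id_ok(value):
    """True for the scheme-less <vanity name>.zoom.us format (charset assumed)."""
    return re.fullmatch(r"[A-Za-z0-9-]+\.zoom\.us", value) is not None
```

Run it only on the metadata and certificate files downloaded from your own Review Setup tab, and compare the returned values with what is saved in the Zoom admin console.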