We have collected the information below from our connected institutions to the best of our knowledge. Sometimes procedures change; we depend on someone notifying us. Sorry if the below info does not work for you. If you have remarks or tips you want to share, please send them to support@surfconext.nl.
Yes, you can connect your institutional IdP to Zoom using SURFconext. But: Zoom uses a 'single tenant' architecture: for every customer, Zoom instantiates a separate environment. More about what a single tenant is can be found here. Due to the single tenant nature, both SURF and the institution need to do something before you can use Zoom using SURFconext.
Where to start
Institutions need to sign in with the account that comes with their Zoom license. SURF does not have that information, so institutions need to configure their part of the connection in the Zoom interface. After the institution has taken some steps, SURF also needs to take some steps to finish setting up the connection.
- Most information can be found at https://support.zoom.us/hc/en-us/articles/201363003-Getting-Started-with-SSO
- You need a 'vanity URL', and getting it approved by Zoom can take some time (especially when demand for the service is high). So start this process at Zoom first.
Configure the SURFconext metadata in the Zoom Interface
Some screenshots of the configuration can be found below.
- Decide if you want to connect to our test or our production environment. You must upload the SURFconext IdP metadata file to Zoom to complete the SAML setup.
- To connect to the SURFconext Test Environment, use the following metadata and save it as an XML file:
  - https://metadata.test.surfconext.nl/idp-metadata.xml. If asked, the following applies:
  - Sign-in page URL → IdP login URL: https://engine.test.surfconext.nl/authentication/idp/single-sign-on/key:20190208
  - Certificate → IdP certificate is the Assertion signing certificate as found in the SURFconext IdP proxy metadata on https://metadata.test.surfconext.nl/ (Download as PEM: engine.test.surfconext.nl 20190208 certificate)
  - Issuer → IdP issuer: https://engine.test.surfconext.nl/authentication/idp/metadata
  - Binding → IdP binding: choose "HTTP - Redirect"
- In case you want to configure the connection for your production IdP, connect to the SURFconext Production Environment using the following data:
  - https://metadata.surfconext.nl/idp-metadata.xml
  - Sign-in page URL → IdP login URL: https://engine.surfconext.nl/authentication/idp/single-sign-on/key:20181213
  - Certificate → IdP certificate is the Assertion signing certificate as found in the SURFconext IdP proxy metadata on https://metadata.surfconext.nl/
  - Issuer → IdP issuer: https://engine.surfconext.nl/authentication/idp/metadata
  - Binding → IdP binding: choose "HTTP - Redirect"
- SAML response mapping → You need to choose which attributes to use. The recommended attributes are:
  - urn:mace:dir:attribute-def:givenName
  - urn:mace:dir:attribute-def:sn
  - urn:mace:dir:attribute-def:mail
  - eduPersonTargetedID/NameID, with NameIDFormat = urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
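Before uploading the IdP metadata to Zoom, it is worth checking that the file you downloaded really carries the issuer, HTTP-Redirect sign-in URL and signing certificate listed above, so that a stale or wrong file does not end up in the Zoom SAML settings. The script below is an added example, not SURFconext's or Zoom's own code; the embedded metadata is a constructed sample with a placeholder certificate, not the real SURFconext file.

```python
import xml.etree.ElementTree as ET  # for metadata from untrusted sources, prefer defusedxml

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Issuer and sign-in page URL per environment, exactly as documented on this page.
EXPECTED = {
    "test": ("https://engine.test.surfconext.nl/authentication/idp/metadata",
             "https://engine.test.surfconext.nl/authentication/idp/single-sign-on/key:20190208"),
    "production": ("https://engine.surfconext.nl/authentication/idp/metadata",
                   "https://engine.surfconext.nl/authentication/idp/single-sign-on/key:20181213"),
}

def parse_idp_metadata(xml_text):
    """Extract entityID, the HTTP-Redirect SSO URL and the signing cert from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") == REDIRECT]
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    certs = [kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", NS)
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"]
    return {"issuer": root.get("entityID"),
            "sso": sso[0] if sso else None,
            "cert": "".join(certs[0].split()) if certs else None}

def check_environment(parsed, env):
    """Return a list of mismatches between the parsed metadata and the documented values."""
    issuer, sso = EXPECTED[env]
    checks = [("issuer", issuer, parsed["issuer"]),
              ("HTTP-Redirect sign-in URL", sso, parsed["sso"])]
    problems = ["%s: expected %s, got %s" % c for c in checks if c[1] != c[2]]
    if not parsed["cert"]:
        problems.append("no assertion signing certificate found in metadata")
    return problems

# Constructed sample resembling the test-environment IdP metadata (placeholder certificate).
SAMPLE_TEST_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://engine.test.surfconext.nl/authentication/idp/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://engine.test.surfconext.nl/authentication/idp/single-sign-on/key:20190208"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://engine.test.surfconext.nl/authentication/idp/single-sign-on/key:20190208"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Run `check_environment(parse_idp_metadata(open("idp-metadata.xml").read()), "test")` on the real download; an empty list means the file matches the documented test values, and checking it against "production" instead lists the two URL mismatches.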
Send your metadata to SURFconext
- You need to send SURF the SP metadata you get from Zoom, or upload that metadata for your Zoom instance in our SP Dashboard. Send us a mail if you need such an instance.
- The 'vanity URL' contains the abbreviation of the institution, for example 'surf.zoom.us', resulting in an application URL like 'https://surf.zoom.us/'. The SAML metadata is then located at 'https://surf.zoom.us/saml/metadata/sp'. Send this URL to the SURFconext support team.
Screenshots
Below are a couple of screenshots of a working configuration.