Keycloak and Zoom SSO configuration

Do we have steps anywhere to integrate a Keycloak SAML client with Zoom SSO?

There is very little documentation available around configuring SSO.

Hey @jitensachdeva,

Please see our support docs for SSO info:

Thanks,
Tommy

Thanks, I have gone through this, but it was not helpful, as every SAML provider comes with its own set of configuration.

Hey @jitensachdeva,

Check out this support doc as well:

Let me know if that helps!

Thanks,
Tommy

Hi @jitensachdeva. I’m in the process of integrating Keycloak and Zoom at work.

Using the settings I leave below, we were able to successfully create a user and log it into Zoom. Of course there are still many tests and fine tuning to do; this is not the final setup.

Keycloak’s client

  • Client ID: yourcompany.zoom.us (note there’s no leading ‘https://’)
  • Client Protocol: saml
  • Enabled: ON
  • Include AuthnStatement: ON
  • Sign Documents: OFF
  • Sign Assertions: ON
  • Signature Algorithm: RSA_SHA256
  • SAML Signature Key Name: KEY_ID
  • Canonicalization Method: EXCLUSIVE
  • Force POST Binding: OFF
  • Force Name ID Format: ON
  • Name ID Format: (pick one according to your needs)
  • Valid Redirect URIs: https://yourcompany.zoom.us/*
  • Master SAML Processing URL: https://yourcompany.zoom.us/saml/SSO
  • Logout Service POST Binding URL: https://yourcompany.zoom.us/saml/SingleLogout
  • Logout Service Redirect Binding URL: https://yourcompany.zoom.us/saml/SingleLogout

For testing purposes, we used the built-in mappers (X500 email, X500 givenName and X500 surname).

Zoom settings

  • Sign-in Page URL: yourkeycloakbaseURL/auth/realms/yourrealm/protocol/saml
  • Sign-out Page URL: yourkeycloakbaseURL/auth/realms/yourrealm/protocol/saml
  • Identity provider certificate: you can copy the content of the tag dsig:X509Data from yourkeycloakbaseURL/auth/realms/yourrealm/protocol/saml/descriptor
  • Service Provider (SP) Entity ID: yourcompany.zoom.us
  • Issuer (IDP Entity ID): yourkeycloakbaseURL/auth/realms/yourrealm
  • Binding: HTTP-Redirect
  • Signature Hash Algorithm: SHA-256

Attributes mapping

  • Email address: urn:oid:1.2.840.113549.1.9.1 (i.e. value from X500 email)
  • First Name: urn:oid:2.5.4.42 (i.e. value from X500 givenName)
  • Last Name: urn:oid:2.5.4.4 (i.e. value from X500 surname)
  • Employee Unique ID: (in our case, NameID)

Hope this serves you as a starting point,
Angel

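As an added example (not part of Angel's post or of either product), the helper below pulls the values the Zoom SSO form asks for (Issuer, Sign-in and Sign-out URLs, IdP certificate) out of a Keycloak IdP descriptor like the one served at yourkeycloakbaseURL/auth/realms/yourrealm/protocol/saml/descriptor. The descriptor text, the host kc.example.com and the certificate value are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

# Namespaces in a Keycloak SAML IdP descriptor; the prefix (md, ds, dsig) is irrelevant.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "dsig": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"  # Zoom's Binding setting

# Constructed stand-in for .../protocol/saml/descriptor; the certificate is a placeholder.
SAMPLE_DESCRIPTOR = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
 <md:EntityDescriptor entityID="https://kc.example.com/auth/realms/yourrealm">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:KeyDescriptor use="signing">
    <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
     <dsig:X509Data><dsig:X509Certificate>MIIBAAA=</dsig:X509Certificate></dsig:X509Data>
    </dsig:KeyInfo>
   </md:KeyDescriptor>
   <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://kc.example.com/auth/realms/yourrealm/protocol/saml"/>
   <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://kc.example.com/auth/realms/yourrealm/protocol/saml"/>
   <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://kc.example.com/auth/realms/yourrealm/protocol/saml"/>
  </md:IDPSSODescriptor>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def _redirect_location(idp, tag):
    """Location of the HTTP-Redirect endpoint for tag, matching Zoom's 'Binding: HTTP-Redirect'."""
    for svc in idp.findall(f"md:{tag}", NS):
        if svc.get("Binding") == REDIRECT:
            return svc.get("Location")
    raise ValueError(f"descriptor has no HTTP-Redirect {tag}")


def zoom_settings_from_descriptor(xml_text):
    """Return the Issuer, Sign-in/Sign-out URLs and signing certificate Zoom needs."""
    root = ET.fromstring(xml_text)
    entity = root if root.tag.endswith("}EntityDescriptor") else root.find("md:EntityDescriptor", NS)
    idp = entity.find("md:IDPSSODescriptor", NS)
    # Keycloak may publish several keys; Zoom verifies assertions with the signing one.
    cert_el = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":
            cert_el = kd.find(".//dsig:X509Certificate", NS)
            break
    if cert_el is None:
        raise ValueError("descriptor has no signing certificate")
    cert = "".join(cert_el.text.split())  # strip line wrapping before pasting into Zoom
    # Sanity check: the value must be base64 DER, and DER certificates start with a SEQUENCE (0x30).
    if base64.b64decode(cert, validate=True)[:1] != b"\x30":
        raise ValueError("X509Certificate is not base64-encoded DER")
    return {"issuer": entity.get("entityID"),
            "sign_in_url": _redirect_location(idp, "SingleSignOnService"),
            "sign_out_url": _redirect_location(idp, "SingleLogoutService"),
            "certificate": cert}
```

Compare the returned issuer and URLs against what you typed into Zoom; a mismatch between the entityID and the Issuer field is a common reason an otherwise signed assertion is rejected.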

Hey @angelj,

Thanks for contributing to the Zoom Developer Community! :slight_smile:

-Tommy