Zoom SSO with MojoAuth
Connect Zoom to MojoAuth as your SAML 2.0 Identity Provider (IdP) so users sign in to Zoom with your organization's vanity URL instead of a Zoom email/password. Zoom acts as the Service Provider (SP).
How it works
- SP-initiated: user starts at your Zoom vanity URL (
https://<vanity>.zoom.us) and clicks the SSO sign-in option. - IdP-initiated: user starts from a MojoAuth launcher (or the Test SSO button) and lands directly in the Zoom web portal or client.
- Zoom identifies the account by NameID (email) — there is no separate JIT attribute-driven user creation flow like Salesforce; the Zoom user must already exist (or be auto-created only if your Zoom account has that provisioning option enabled).
Prerequisites
- A MojoAuth project (test or live) with Developers access to create Applications.
- A Zoom Business, Education, or Enterprise account — SAML SSO is not available on Basic/Pro plans.
- An approved Vanity URL (associated domain) for the Zoom account, e.g.
https://acme.zoom.us. Zoom must verify and activate this domain before the SAML SSO settings become available; request it via Zoom support if you haven't already. - Zoom account owner or admin role with access to Advanced → Single Sign-On.
Zoom's SAML SSO configuration only appears once your vanity URL request has been approved and activated by Zoom. If you don't see Single Sign-On under Advanced in the Zoom Admin dashboard, your vanity URL is likely still pending — contact Zoom support.
Step 1 — Create the MojoAuth SAML connection
Create a connection
In the MojoAuth dashboard: Developers → Applications → New Application → SAML 2.0 SSO. Enter a connection name (e.g. Zoom) and click Create connection. MojoAuth creates a draft connection and auto-issues its signing certificate.
See SAML SSO Connections for the full concept if you haven't created one before.
Copy the IdP values
The connection page shows the IdP values you'll paste into Zoom:
| Value | URL |
|---|---|
| IdP metadata URL (Entity ID) | {BASE}/saml/{projectId}/sps/{spId}/metadata |
| IdP SSO URL (Sign-in page URL) | {BASE}/saml/{projectId}/sps/{spId}/sso |
| IdP SLO URL (Sign-out page URL) | {BASE}/saml/{projectId}/sps/{spId}/slo |
| IdP signing certificate | Download .crt / Copy PEM button on the connection page |
Step 2 — Configure Zoom
Open Single Sign-On settings
In the Zoom Admin dashboard, go to Advanced → Single Sign-On (some accounts show this under Security → SAML instead). Click the SAML tab, then Edit.
Enter the MojoAuth IdP values
Fill in the SAML configuration fields with the values copied in Step 1:
| Zoom field | Value |
|---|---|
| Sign-in page URL | {BASE}/saml/{projectId}/sps/{spId}/sso |
| Sign-out page URL | {BASE}/saml/{projectId}/sps/{spId}/slo |
| Identity provider certificate | paste the MojoAuth PEM (or upload the .crt) |
| Issuer (Identity Provider Entity ID) | the MojoAuth IdP metadata URL — this is the IdP Entity ID |
| Binding | HTTP-POST (recommended) or HTTP-Redirect — must match what you set on the MojoAuth connection |
Zoom also displays its own Service Provider (SP) Entity ID, further down the same page — this is fixed per account and derived from your vanity URL:
| Zoom gives you | Typical value |
|---|---|
| SP Entity ID | https://<vanity>.zoom.us |
| SP ACS URL | https://<vanity>.zoom.us/saml/SSO |
Zoom does not support importing IdP metadata by URL — every field (Sign-in URL, Sign-out URL, Issuer, certificate) must be entered manually. Double- and triple-check for trailing slashes or copy/paste whitespace, especially in the certificate field.
Save
Click Save at the bottom of the SAML configuration page. Zoom will not let you enable SSO for the account until the Sign-in URL, Issuer, and certificate are all filled in.
Step 3 — Give the SP details back to MojoAuth
Zoom doesn't publish SP metadata for import, so use Manual configuration on the MojoAuth connection page:
- SP Entity ID:
https://<vanity>.zoom.us - ACS URL:
https://<vanity>.zoom.us/saml/SSO - Click Save.
Set the MojoAuth connection's NameID format to emailAddress. Zoom matches the incoming
assertion to a Zoom user account strictly by email address — there is no Federation ID equivalent.
Step 4 — SAML response / attribute mapping
Zoom reads the user's email from the NameID, and can optionally read a small set of User.*
attributes from the assertion to populate profile fields and license/department assignment. Add
these attribute mappings on the MojoAuth connection:
saml_name | source | name_format |
|---|---|---|
| (NameID) | email | — set under NameID format, not as an attribute row |
User.Email | email | basic |
User.FirstName | firstName | basic |
User.LastName | lastName | basic |
User.Department | a constant, e.g. Engineering, or identifier if you encode department there | basic |
Zoom's SAML mapping does not provision new users or assign license types purely from the assertion — the Zoom user account (and its Basic/Licensed/On-Prem type) must already exist under User Management → Users, matched by email. Attribute mapping here only enriches profile fields on an existing match; it does not create accounts or grant licenses.
Step 5 — Test
- SP-initiated: open
https://<vanity>.zoom.usin a browser (or the Zoom desktop client, using "Sign In with SSO" and entering the vanity subdomain). You should be redirected to MojoAuth's hosted login, then back into Zoom. - IdP-initiated: click Test SSO on the MojoAuth connection page. This posts an unsolicited
assertion straight to Zoom's SP ACS URL (
https://<vanity>.zoom.us/saml/SSO) and should land you in the Zoom web portal. - Success looks like: no SAML error page, and the signed-in Zoom account matches the email in the assertion's NameID (check Admin → User Management → Users to confirm).
Test with a user who already exists in Zoom with a matching email first. Once basic SSO works, test a second account to confirm the vanity URL and SSO flow work consistently for the whole account, not just one user.
Troubleshooting
Vanity URL / "Single Sign-On" option missing from Advanced menu Your associated domain hasn't been approved yet. SAML SSO configuration is gated behind an approved vanity URL — confirm approval status with Zoom support before troubleshooting further.
"Invalid certificate" or signature validation failure
The Identity provider certificate pasted into Zoom doesn't match MojoAuth's current signing
certificate, or was pasted with extra line breaks/whitespace. Re-copy the PEM (or re-download the
.crt) from the MojoAuth connection page and paste it again, making sure to include the
-----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- lines exactly once each. If MojoAuth
rotates its signing certificate, you must update this field in Zoom.
"We couldn't find your account" / NameID email mismatch
Zoom matches strictly on email address. If the MojoAuth connection's NameID format isn't set to
emailAddress, or the email source field doesn't contain the same address as the user's Zoom
account, Zoom will reject the login. Check the NameID format on the MojoAuth connection and confirm
the user's email in your identity source matches their Zoom account email exactly (case and domain).
"Issuer mismatch" / audience validation error
The Issuer field in Zoom's SAML settings doesn't exactly match the MojoAuth IdP metadata URL
({BASE}/saml/{projectId}/sps/{spId}/metadata). Re-copy it from the MojoAuth connection page,
watching for trailing slashes or http vs https.
License type or department not applied after login
Zoom's SAML attribute mapping enriches an existing user's profile — it does not assign license type
or auto-create accounts. Confirm the user already has the correct license type set under User
Management → Users, and that User.Department (or other mapped attributes) are spelled exactly as
Zoom expects.
Redirect loop / bounced back to the standard Zoom login
Users are landing on zoom.us instead of your vanity URL. SSO only triggers from
https://<vanity>.zoom.us (or the desktop client's "Sign In with SSO" flow) — confirm users are
using the vanity subdomain, not the generic Zoom sign-in page.
Next steps
- SAML SSO Connections — connection concepts, attribute mapping, NameID formats, signing options.
- Managing Applications — edit, disable, or delete this connection.
- Integration Guides overview — more provider guides.