Grouper Users - Open Discussion List

[Pascal Rigaux <>]

For information, if you do not force SSO for all your users ("Managed 
Domains" : https://support.zoom.us/hc/en-us/articles/203395207-Managed-domain ),
users can log either using their non SSO account (created before SSO) or SSO
(zoom merges the 2 accounts using mail as id)

SAML2 provisioning will only apply when users use SSO.

And it seems first SSO login for users having created their account before 
SSO,
will not apply SAML2 group memberships :'-(

I created a ticket to zoom support 4 days ago, no answer yet. The ticket:

> SAML group mapping not working on first SSO login
>
> On first SSO login for an existing mail user, the SAML group mapping fails 
to apply: the user has no group whereas our SAML mapping puts all users in a 
group.

Good luck !

On 02/05/2020 19:23, Black, Carey M. wrote:
> Some one claimed ( on  
> <> ) that
>
> “Zoom supports SAML2 SSO, so can rely on your InC federated IdP for authN of 
> users, including consuming attributes.”
>
>
> I have no details on how Zoom “supports/works/does not work with suppling 
> group memberships” as part of the SAML attributes.
>
> However, if that works, then I would strongly suggest that approach over 
> “provisioning to ZOOM”.
>
> SAML is “just in time”.
> Which means:
> No overhead for: “constant sync”/”sync delays”/”errors in sync events”
>
> You get there and you get what you are authorized for every time you get 
> there. ( or you don’t get there and Zoom does not know you even exist. )
>
> And there is a good (IMHO) example of how to model Grouper to IdP entity ID 
> too. REF: 
> https://wiki.shibboleth.net/confluence/display/KB/Grouper+Integration+Example
>
>
> That being said, we are not ( to my knowledge ) sending group data to Zoom 
> via our IdP. And I know our IdP operator has real issues with “custom 
> attributes” per application. So YMMV on that part of the implementation too.
>
> --
>
> Carey Matthew 
>
> *From:* 
> <> *On Behalf Of *Hyzer, Chris
> *Sent:* Saturday, May 2, 2020 12:26 PM
> *To:* 
> *Cc:*  Mailing List <>
> *Subject:* RE: [grouper-users] Provision to Zoom Groups
>
> I don’t know of a currently solution to that but im interested in working on 
> one if that works for you
>
> *From:*  
> <> *On Behalf Of *Andre Daniels
> *Sent:* Wednesday, April 29, 2020 6:30 PM
> *To:* Grouper-Users < 
> <>>
> *Subject:* [grouper-users] Provision to Zoom Groups
>
> All,
>
> What is the best way to provision groups to Zoom?
>
> Andre
>
> --
>
> Andre Daniels
>
> Sr. Developer/Security Analyst
>
> University of California Santa Cruz
>
> (831) 459-1980
>
>  <>


--
Pascal Rigaux

Expert en développement et déploiement d'applications
DSIUN-SAS (service applications et services numériques)
Université Paris 1 Panthéon-Sorbonne  -  Centre Pierre Mendès France (PMF)
B 407 - 90, rue de Tolbiac -  75634 PARIS CEDEX 13 - FRANCE
Tél : 01 82 09 08 74 - 06 74 55 57 67