
Monday, September 28, 2020

Configuring Zoom with ADFS as an IdP

I was recently asked to configure Zoom with ADFS and found certain parts of the following documentation provided by Zoom:

Configuring Zoom With ADFS
https://support.zoom.us/hc/en-us/articles/202374287-Configuring-Zoom-With-ADFS

… a bit confusing so I would like to write this post to provide a clear example of the settings required in the portal.

To configure Zoom to use ADFS as an IdP, log into the Zoom administration console, navigate to Admin > Advanced > Single Sign-On and click Enable Single Sign-On:

image

Once in the portal, edit the SAML settings as shown in the screenshot below:

image

The two configuration settings I felt weren't clear in the instructions were:

  • Identity provider certificate
  • Issuer (IDP Entity ID)

What confused me about the Identity provider certificate was whether the PEM header and footer lines (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) should be pasted in along with the certificate, and the answer is no: paste only the Base64 body of the ADFS token-signing certificate, with nothing else:

image

As for the Issuer (IDP Entity ID), use the ADFS Federation Service identifier rather than the sign-in page URL. By default it has the form http://<adfs-fqdn>/adfs/services/trust, and the value in Zoom must match the Issuer that ADFS places in its SAML responses exactly, including the http:// scheme (ADFS uses http:// for the identifier even though the service itself only listens on HTTPS):

image
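Rather than reading the values off screenshots, they can be pulled straight from the federation service. The script below is an added example, not part of the original post or of Zoom's documentation; it is run on the ADFS server with the ADFS PowerShell module (installed with the role) and assumes the default /adfs/ls/ SAML endpoint and that the primary token-signing certificate is the one Zoom should trust. The output file name is arbitrary.

```powershell
# Added example: collect the values the Zoom SAML form asks for from ADFS itself.
# Run on the ADFS server as an ADFS administrator. Assumes the ADFS module is present.
Import-Module ADFS

$props = Get-AdfsProperties

# Issuer (IDP Entity ID): the Federation Service identifier. Default form is
# http://<fqdn>/adfs/services/trust; copy it verbatim, scheme included.
$issuer = "$($props.Identifier)"

# Sign-in / sign-out URL. /adfs/ls/ is the default SAML endpoint (assumption: not relocated).
$loginUrl = "https://$($props.HostName)/adfs/ls/"

# Token-signing certificate. Zoom wants only the Base64 body, without the
# -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- lines.
$signingCerts = @(Get-AdfsCertificate -CertificateType Token-Signing)
$primary = $signingCerts | Where-Object { $_.IsPrimary }

# Zoom stores a single IdP certificate; if ADFS is about to roll the token-signing
# certificate over, the new certificate has to be pasted into Zoom again.
if ($signingCerts.Count -gt 1) {
    Write-Warning "A secondary token-signing certificate exists (rollover pending); Zoom will need the new certificate once it becomes primary."
}

$der = $primary.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64 = [Convert]::ToBase64String($der)

[pscustomobject]@{
    'Sign-in page URL'         = $loginUrl
    'Sign-out page URL'        = $loginUrl
    'Issuer (IDP Entity ID)'   = $issuer
    'Token-signing thumbprint' = $primary.Thumbprint
    'Certificate expires'      = $primary.Certificate.NotAfter
    'AutoCertificateRollover'  = $props.AutoCertificateRollover
} | Format-List

# Save the bare Base64 body (arbitrary file name) for pasting into the Zoom form.
$b64 | Set-Content -Path "$env:USERPROFILE\Desktop\adfs-token-signing.b64" -NoNewline
"Certificate body written to $env:USERPROFILE\Desktop\adfs-token-signing.b64"
```

The thumbprint it prints can be compared against the certificate shown in the Zoom portal after saving, and the AutoCertificateRollover value tells you whether ADFS will silently replace the token-signing certificate later, which is the usual reason a working Zoom SSO integration breaks months after it was set up.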

The instructions for configuring the ADFS servers were fairly straightforward, so I won't include them in this post. If you run into problems signing in through ADFS, you can turn on logging in the Zoom administrative portal by enabling the Save SAML response logs on user sign-in option:

image

With the above enabled, a new tab will be available to review sign-in attempts:

image

Configuring Zoom with ADFS throws the error: "An error occurred during an attempt to read the federation metadata. Verify that the specified URL or host name is a valid federation metadata endpoint."

Problem

I was recently asked to configure Zoom with ADFS as per the following documentation:

Configuring Zoom With ADFS
https://support.zoom.us/hc/en-us/articles/202374287-Configuring-Zoom-With-ADFS

… and was not able to complete the process because the following error was displayed when importing the federation metadata:

An error occurred during an attempt to read the federation metadata. Verify that the specified URL or host name is a valid federation metadata endpoint.

image

Searching on the internet earlier this year did not return any posts that helped resolve this issue and opening up a ticket with Zoom had us wait months before we received a reply (escalated by the client’s account manager). To give Zoom some credit, the support engineer who reached out to us was extremely quick with response and very helpful. I am unsure if searching for this error will yield the KB he forwarded to us so this post serves to help anyone who may run into the same problem.

Solution

One possible reason the federation metadata import fails on the ADFS server is that TLS 1.2 is not enabled for outbound (client-side) SChannel connections, so the server cannot negotiate a session with Zoom's metadata endpoint. The server in this example was a fresh install of Windows Server 2019, and navigating to the following registry key showed that TLS 1.2 was not explicitly enabled (a missing protocol subkey means the SChannel default applies; the explicit values below pin the state, and the SchUseStrongCrypto value makes .NET Framework applications, which ADFS is, use TLS 1.2 as well):

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

image

To correct this issue, simply follow the steps in this Zoom article:

How to enable TLS 1.2 on an ADFS Server (Windows Server 2012 R2)
https://support.zoom.us/hc/en-us/articles/360033739531-How-to-enable-TLS-1-2-on-an-ADFS-Server-Windows-Server-2012-R2-

The following PowerShell cmdlets (run from an elevated session, since they write to HKLM) create the key and values that explicitly enable TLS 1.2 for the SChannel client:

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null

image

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled' -value '1' -PropertyType 'DWord' -Force | Out-Null

image

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null

image

The following PowerShell cmdlet enables strong cryptography (TLS 1.2) for .NET Framework 4.x applications, which is the stack the ADFS metadata import runs in:

New-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -name 'SchUseStrongCrypto' -value 1 -PropertyType 'DWord' -Force | Out-Null

image

The following PowerShell cmdlets disable SSL 3.0 for the SChannel client:

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null

image

Here is the full list of cmdlets demonstrated above (run from an elevated PowerShell session):

# Enable TLS 1.2 for the SChannel client
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'Enabled' -Value 1 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'DisabledByDefault' -Value 0 -PropertyType 'DWord' -Force | Out-Null

# Make .NET Framework 4.x use strong cryptography (TLS 1.2)
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value 1 -PropertyType 'DWord' -Force | Out-Null

# Disable SSL 3.0 for the SChannel client
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -Name 'Enabled' -Value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWord' -Force | Out-Null

With TLS 1.2 enabled, strong cryptography enabled for .NET, and SSL 3.0 disabled, reboot the ADFS server so that SChannel picks up the new protocol settings; the import of the federation metadata should then succeed.
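The script below is an added example and is not part of the Zoom KB or the original post. It applies the same registry changes idempotently and reports what it changed, extends them to the Server side of SChannel and to the 32-bit (Wow6432Node) .NET hive on an x64 server, adds SystemDefaultTlsVersions (an addition beyond the KB), and then tries to fetch Zoom's SP metadata over TLS 1.2 from the same .NET stack ADFS uses, so the failure can be reproduced and confirmed fixed outside the ADFS wizard. The metadata URL is a placeholder to be replaced with the one shown on the Zoom SSO page, and a reboot is still needed after the registry changes.

```powershell
# Added example (not from Zoom or the original post). Run in an elevated PowerShell on the
# ADFS server, then reboot. Assumes 64-bit Windows Server with .NET Framework 4.x.
param(
    # Placeholder: replace with the Service Provider metadata URL from the Zoom SSO page.
    [string]$ZoomMetadataUrl = 'https://REPLACE-WITH-ZOOM-SP-METADATA-URL'
)

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired state. Enabled=1/DisabledByDefault=0 turns a protocol on,
# Enabled=0/DisabledByDefault=1 turns it off. The KB only touches Client; Server is
# included here as hardening for the ADFS listener itself.
$protocols = @{
    'TLS 1.2' = @{ Enabled = 1; DisabledByDefault = 0 }
    'SSL 3.0' = @{ Enabled = 0; DisabledByDefault = 1 }
}

# Create the key if needed and set a DWORD only when it differs from the desired value.
function Set-RegDword([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item $Path -Force | Out-Null }
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($current -ne $Value) {
        New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
        Write-Host "set  $Path\$Name = $Value (was: $current)"
    } else {
        Write-Host "ok   $Path\$Name = $Value"
    }
}

foreach ($proto in $protocols.Keys) {
    foreach ($side in 'Client', 'Server') {
        foreach ($name in $protocols[$proto].Keys) {
            Set-RegDword "$schannel\$proto\$side" $name $protocols[$proto][$name]
        }
    }
}

# The metadata import runs inside .NET Framework, so make .NET 4.x offer TLS 1.2.
# On x64 both the native and the Wow6432Node hives matter (32-bit .NET processes read
# the latter). SystemDefaultTlsVersions is an addition beyond the KB.
$netKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
foreach ($key in $netKeys) {
    Set-RegDword $key 'SchUseStrongCrypto' 1
    Set-RegDword $key 'SystemDefaultTlsVersions' 1
}

# Verification: fetch the SP metadata over TLS 1.2 from this host. If this fails after a
# reboot, the problem is not the protocol settings (check proxy, DNS, or the URL).
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
try {
    $xml = [xml](Invoke-WebRequest -Uri $ZoomMetadataUrl -UseBasicParsing).Content
    "metadata OK: entityID = $($xml.EntityDescriptor.entityID)"
} catch {
    "metadata fetch failed: $($_.Exception.Message)"
}
"Reboot the server for the SChannel changes to take effect."
```

The verification step forces TLS 1.2 for the PowerShell process only, which proves that SChannel on the host can negotiate it; whether ADFS itself does so depends on the .NET values above, which is why the reboot and a retry of the wizard remain the final check.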