SSO with Entra failing to allow users | Community
Skip to main content
S
Explorer
salle01
Explorer
September 10, 2024
Solved

SSO with Entra failing to allow users

  • September 10, 2024
  • 2 replies
  • 37 views

Hello, I recently set up SSO in Entra and the Zoom Admin portal. I followed the instructions provided by both Zoom and Microsoft (https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0064121 and https://learn.microsoft.com/en-us/entra/identity/saas-apps/zoom-tutorial). I got every piece of required information set up, such as the vanity URL, the certificate, the sign-in and sign-out URLs, IDP Entity ID, changed the binding to HTTP-Redirect, and so on. However, when any user tries logging in via SSO, they get an generic error saying something went wrong. When I look at the SAML response logs, I get the following information:

 

Error Code: 1020
Error Message: The user is not an SSO user and has been blocked for SSO login by the "Prior to Sign-in" option, please manually import the SSO user.

 

I should note that I also set up the "Provision User" setting to "Prior to Sign-In". We've already set up all of our users in Zoom using their emails. I used one of our users to test this out, and despite their email that they used for SSO and their email already used for Zoom being the same, the error still occurs. I was reading you can import new users using a CSV file and check a box that says "SSO User" when importing. I'd rather not have to recreate everyone's Zoom accounts. Is there something I'm missing?

Best answer by salle01

I found the issue. All we had to do is change the Provision User setting to At Sign-In.

2 replies

C
Community Champion | Employee
colegs
Community Champion | Employee
September 10, 2024

@salle01 - Is the user you are adding already a member of your account, or do they exist outside of your account?  I believe this error indicates they are outside of your account, and they would need to accept an invite (sent via email) to join your account.  It could also be that since you are saying that they need to be preprovisioned, but they do not have SSO as a sign-on method already, it would require you to run in the CSV file to add their SSO credentials, or turn on SCIM/Provisioning so that their current account is in sync with Entra.  I would have to test to see what happens if they only have an email sign-in method, but if you see them in your account, that would be my guess...

S
Explorer
salle01AuthorAnswer
Explorer
September 18, 2024

I found the issue. All we had to do is change the Provision User setting to At Sign-In.

A
Newcomer
alex-aguilar
Newcomer
November 14, 2024

wouldn't that create a new user if they don't exist in zoom already?

we're having the same issue but don't want to use at sign-in because of limitations in zoom licenses... we don't want the users to be created dynamically at sign in

C
Community Champion | Employee
colegs
Community Champion | Employee
November 15, 2024

@alex-aguilar - As long as you require users to be assigned the Zoom application in Entra, it won't create any users you do not intend to have a license.

    Terms & ConditionsAccessibility statement
    Copyright © Zoom Communications, Inc. All rights reserved.