SAML User Group Mapping Ideas | Community
Skip to main content
P
Newcomer
Peaches379
Newcomer
August 27, 2024

SAML User Group Mapping Ideas

  • August 27, 2024
  • 2 replies
  • 3 views

Looking for some suggestions.  I try to map as much as possible through SAML.  I've got user groups mapped for license types and some Zoom Phone rights.  Now I need to add another group for a marketplace app.  Looking at my mapping, I keep thinking there has to be a better way of doing this.  I thought maybe I could be clever and pass a different attribute name, but no dice.  A group is a group.

 

So today, I have my mapping like this to account for host / basic and call recording rights or no.

 

Attribute         SAML Value                                   Zoom Group

CallRights     ZoomCall_Recording_Hosts     Zoom_Hosts  Zoom_CallRecording
UserGroup    Zoom_Hosts                                  Zoom_Hosts
CallRights      ZoomCall_Recording_Basic      Zoom_Basic  Zoom_CallRecording
UserGroup    Zoom_Basic                                    Zoom_Basic

 

If I wanted to add another permission for this marketplace app, this strategy starts to get complicated.  The only way I can think to do it is to pass a SAML value for every possible rights config.

 

Attribute         SAML Value                                   Zoom Group

AppRights     ZoomApp_Recording_Hosts    Zoom_Hosts  Zoom_CallRecording  Zoom_MrktApp
AppRights     ZoomApp_NoRecording_Hosts    Zoom_Hosts  Zoom_MrktApp
CallRights     ZoomCall_Recording_Hosts     Zoom_Hosts  Zoom_CallRecording
UserGroup    Zoom_Hosts                                  Zoom_Hosts
AppRights     ZoomApp_Recording_Basic    Zoom_Basic  Zoom_CallRecording  Zoom_MrktApp
AppRights     ZoomApp_NoRecording_Basic    Zoom_Basic  Zoom_MrktApp
CallRights      ZoomCall_Recording_Basic      Zoom_Basic  Zoom_CallRecording
UserGroup    Zoom_Basic                                    Zoom_Basic

 

Is this really the only way to do it or am I missing something?

2 replies

S
Newcomer
Stevenboffman
Newcomer
August 29, 2024

Hey Peaches, I feel your pain! Managing user groups with SAML can get messy. Have you looked into Zoom JWT (JSON Web Token) API? It might offer more flexibility for assigning app-specific permissions. (This reply empathizes with Peaches and suggests an alternative approach)

P
Newcomer
Peaches379Author
Newcomer
August 29, 2024

I hadn't thought about using APIs to populate groups....  That is an idea.  Originally I'd thought we could populate our core groups through SAML and just manually populate the one off groups.  Support dashed my dreams and informed me it's an all or nothing situation.  Either all your groups are SAML mapped or none of them are.  So if we did go the API route to populate groups, I'm assuming this would fall into that all or nothing situation and I'd need to set all groups this way.  Worth checking out tho.  Thanks for the idea!

P
Newcomer
Peaches379Author
Newcomer
August 29, 2024
This post has been deleted.

Can you explain that a little more?  Are you saying mycompany.zoom.us is where you live and then mycompanyapps.zoom.us is where marketplace apps are assigned?

Terms & ConditionsAccessibility statement
Copyright © Zoom Communications, Inc. All rights reserved.