
SSO with Entra failing to allow users

salle01
Explorer

Hello, I recently set up SSO in Entra and the Zoom Admin portal. I followed the instructions provided by both Zoom and Microsoft (https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0064121 and https://learn.microsoft.com/en-us/entra/identity/saas-apps/zoom-tutorial). I got every piece of required information set up, such as the vanity URL, the certificate, the sign-in and sign-out URLs, IDP Entity ID, changed the binding to HTTP-Redirect, and so on. However, when any user tries logging in via SSO, they get a generic error saying something went wrong. When I look at the SAML response logs, I get the following information:

 

Error Code: 1020
Error Message: The user is not an SSO user and has been blocked for SSO login by the "Prior to Sign-in" option, please manually import the SSO user.

 

I should note that I also set up the "Provision User" setting to "Prior to Sign-In". We've already set up all of our users in Zoom using their emails. I used one of our users to test this out, and despite their email that they used for SSO and their email already used for Zoom being the same, the error still occurs. I was reading you can import new users using a CSV file and check a box that says "SSO User" when importing. I'd rather not have to recreate everyone's Zoom accounts. Is there something I'm missing?

1 ACCEPTED SOLUTION

salle01
Explorer

I found the issue. All we had to do is change the Provision User setting to At Sign-In.


4 REPLIES

colegs
Community Champion | Employee

@salle01 - Is the user you are adding already a member of your account, or do they exist outside of your account?  I believe this error indicates they are outside of your account, and they would need to accept an invite (sent via email) to join your account.  It could also be that since you are saying that they need to be preprovisioned, but they do not have SSO as a sign-on method already, it would require you to run in the CSV file to add their SSO credentials, or turn on SCIM/Provisioning so that their current account is in sync with Entra.  I would have to test to see what happens if they only have an email sign-in method, but if you see them in your account, that would be my guess...

salle01
Explorer

I found the issue. All we had to do is change the Provision User setting to At Sign-In.

Wouldn't that create a new user if they don't exist in Zoom already?

We're having the same issue but don't want to use At Sign-In because of limitations in Zoom licenses... We don't want the users to be created dynamically at sign-in.

colegs
Community Champion | Employee

@alex-aguilar - As long as you require users to be assigned the Zoom application in Entra, it won't create any users you do not intend to have a license.
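
An offline check for the trade-off discussed in this thread, as an added example that is not part of any post and is not Zoom or Microsoft code: it compares the users assigned to the Zoom application in Entra with the existing Zoom accounts and lists who would hit error 1020 under "Prior to Sign-In" and who would get a new account under "At Sign-In". The record shape, the `sso_user` flag (standing in for the "SSO User" import checkbox) and all sample addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ZoomUser:
    email: str
    sso_user: bool  # hypothetical flag: account was imported/marked as an SSO user


def norm(email: str) -> str:
    # Compare addresses case-insensitively so "Ana@..." and "ana@..." match.
    return email.strip().lower()


def audit(entra_assigned, zoom_users):
    """Classify accounts by the behaviour described in the thread."""
    assigned = {norm(e) for e in entra_assigned}
    zoom = {norm(u.email): u for u in zoom_users}
    zoom_emails = set(zoom)
    return {
        # Exists in Zoom but is not an SSO user: the error 1020 case.
        "blocked_prior_to_sign_in": sorted(
            e for e in assigned & zoom_emails if not zoom[e].sso_user
        ),
        # Assigned in Entra with no Zoom account: created (and licensed)
        # on first login when provisioning is "At Sign-In".
        "created_at_sign_in": sorted(assigned - zoom_emails),
        # Zoom accounts not assigned to the Entra app: no SSO access
        # when assignment is required.
        "zoom_only_not_assigned": sorted(zoom_emails - assigned),
    }


# Constructed sample data (not real exports).
ENTRA_ASSIGNED = ["Ana@example.com", "bo@example.com", "cy@example.com"]
ZOOM_USERS = [
    ZoomUser("ana@example.com", True),
    ZoomUser("bo@example.com", False),
    ZoomUser("dee@example.com", False),
]

if __name__ == "__main__":
    for category, emails in audit(ENTRA_ASSIGNED, ZOOM_USERS).items():
        print(f"{category}: {emails}")
```

Reviewing the `created_at_sign_in` list before switching modes shows how many licenses the change could consume.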