@robotdan Jay Swaminarayan!
Thanx, however the issue was resolved yesterday, with the Required Lambda after trying multiple options.
Here are the steps from scratch to follow for FusionAuth Configuration to work with ZOOM SSO

The Steps to resolve this issue with FusionAuth & Zoom SSO
Tested with FusionAuth Version: 1.19+

Before FusionAuth, we would need Few settings from Zoom SSO

1. Login to Zoom Account > My Account > Advanced > Single Sign-On > Enable
2. Copy: Service Provider (SP) Entity ID setting, it should be either <vanity>.zoom.us or https://<vanity>.zoom.us/
3. You will need this for configuring Fusion Auth, (Yes, Zoom will not allow to save SAML until all the fields are filled, don't worry, we will come there later. keep zoom settings page open)

Now, lets create & configure FusionAuth App for zoom sso

1. Login to FusionAuth with Admin Access
2. Goto > Application > Create New Application As usual with Default Configuration.

Note: Before Configuring SAML Settings in FusionAuth, we need to create

• SHA-256 Certificate with Proper Issuer required by Zoom
• An appropriate Lambda Function to match the Response expected by Zoom
  Follow these steps for both of this

---

CREATE SHA-256 CERTIFICATE FOR ZOOM

1. Go To > Settings > Key Master
2. "Generate RSA" From Top Right Drop Button

Name: Any Name, its for Identification, e.g. ZoomSAMLCertificateKey
Issuer: <vanity>.zoom.us (Should match the value set in Zoom's SAML "Service Provider (SP) Entity ID" setting)
Algorithm: RSA using SHA-256
Key lenght: 2048

3. Submit
   ==============================

---

CREATE SAML Populate Lambda as Required by Zoom

1. Go To > Customizations >Lambda > Add
2. Create New Lambda from top right [+] button

Name: Any Name for Identification: e.g. "SAML v2 Populate Lambda for Zoom App"
Type: SAML v2 Populate
Debug Enabled: as required

Body:

        function populate(samlResponse, user, registration) {
                    samlResponse.assertion.subject.subjectConfirmation.notBefore = null;
                    samlResponse.assertion.conditions.notBefore = null;
        }

3. Save
   ==============================

Now, we are ready to configure SAML settings in our App

5. Go To > Applications > Newly Created App > Enable SAML
6. Configure SAML Settings as following

Issuer: <vanity>.zoom.us (Should match the value set in Zoom's SAML "Service Provider (SP) Entity ID" setting)
Audience: leave it blank (default)
Callback URL (ACS): https://<vanity>.zoom.us/saml/SSO
Logout URL: https://<vanity>.zoom.us/ (or where ever to redirect after logout)
Signing key: Select the Key Generated in previous step e.g. "ZoomSAMLCertificateKey"
XML signature canonicalization method: Exclusive
Response populate lambda: Recently Created Lambda e.g. "SAML v2 Populate Lambda for Zoom App"
Debug Enabled: as required

Done, with FusionAuth, its ready for Zoom SSO

Now come to Zoom Page and Copy required settings from FusionAuth

1. You will have most details from the FusionAuth Application
2. Go to > Applications List > Click on our newly created Zoom App
3. Scroll to "SAML v2 Integration details" section

Get Zoom's SAML Settings from FusionAuth

Zoom's Sign-in Page URL:     <---     FA's Login URL
Zoom's Sign-out Page URL:     <---     FA's Logout URL
Zoom's Service Provider (SP) Entity ID == Select whatever you choose earlier as Issuer during Certificate Creation
Zoom's Issuer (IDP Entity ID):     <---     FA's Entity Id

Zoom's Identity Provider Certificate:     <---     
GoTo > FusionAuth's Settings > Key-Master > Click 🔍 on our Key generated for Zoom App
the value in "Base64 encoded" is to be used for Zoom's Identity Provider Certificate	

Zoom's Binding: HTTP-Redirect
Zoom's Signature Hash Algorithm: SHA-256
Zoom's Security: 
      Sign SAML request -- Unchecked
      Sign SAML Logout request -- Unchecked
      Support encrypted assertions -- Unchecked
      Enforce automatic logout after user has been logged in for -- Unchecked
      Save SAML response logs on user sign-in -- As Required
Zoom's Provision User: At Sign-in (Default) or As Required

4. [Save Changes] in Zoom
5. It's DONE! It should work as intended.
   Note: there can be errors still, but mostly will not be related to SAML.

@dan
Thanx again,

The callback fails only when the user first login with google, later it works. Like my app therefore is receiving the redirect

Edit:
Also, the regular Username/Password login is working fine, so the AppAuth-Android catching redirect seems not to be the issue, i guess.

Hello Dan!

Aah! that should work, with still having the /signin-back button to take me to the app.

Thanx

@dan @robotdan Looking for your support ASAP.

@dan @robotdan Please respond to the above.

Jay Swaminarayan!

While this was functioning perfectly well during previous versions, after upgrading to 1.34.xx the SAML SSO has started getting failed after returning to the service.

I have tried resetting all the settings and even trying to add new application and enabling the SAML exchanging and configuring the settings.
After lot of troubleshooting and decoding the AuthResponse payload, we could find the following issue.

<ns3:Status>
<ns3:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
<ns3:StatusMessage>Unable to authentication the user via the nested OAuth workflow. Consult the logs for additional details.</ns3:StatusMessage>
</ns3:Status>

Following is the full response object.

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<ns3:Response xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:ns4="http://www.w3.org/2001/04/xmlenc#" ID="_76de3fda-0f4c-45f2-b382-79bfa78be431">
<Issuer/>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_76de3fda-0f4c-45f2-b382-79bfa78be431">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>MymT6dHHijkye+3R8Ysj6aoMkxdJUhbfCqHqxAp98MY=</DigestValue></Reference></SignedInfo>
<SignatureValue>CSZc9rLHOOyn50PMHkERzdReV+aW4pS4qCjAsET/0DIcPt6ptAaLNiRPl2/v56uxJ1Dx4a+RCGSUf3A5mrQCIFsLhNXgmDHkET8pzUwiAIxm7JsM76z7Tk0/AcUok93XlkjjnEFxuRe/QwsxXQhG2NYalRM8IWyqkfz27NVaM5lK/TSpzW6ub/C9EAxXVx925rf3Op8ILKUJLrenp8pYscGuKHH29qhA0V2+riP+ShZqb5iHruqZZjNA7qUGRAIbZeu7MuFNh5Es2wMK3wemUOwpGY+5i6u85Yffl854+68lk5u9JhsJ18sdhzMK9nwsJ48dPhiH8w53jDmxX9+8BA==</SignatureValue><KeyInfo><X509Data>
<X509Certificate>MIICxTCCAa2gAwIBAQIRALtIbH2EDUSVqXSCIdaei+IwDQYJKoZIhvcNAQELBQAwHjEcMBoGA1UEAxMTaHR0cHM6Ly9ndXJ1a3VsLm9yZzAeFw0yMjA0MjUwMzQzMTFaFw0zMjA0MjUwMzQzMTFaMB4xHDAaBgNVBAMTE2h0dHBzOi8vZ3VydWt1bC5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDFhi/uU8xbFpN00//RZbBj6BalrMcSpLIFhQ4zdj5DJx1e1jDlAKVAFDnaImvgkEGTipxETcN3wDp0umBhf+P2GRfKq5ZRcbiYgR4LnZl8TRKQrJa3hL2wCpYAlhHW4oc4zeNSoCzQra9URTPFXVF1Md319eLyZz8Ao+x08hqgHdS7bluBxlCHaqrR/eQtPmuRofhGKPTvTOaMyAf1+AIU2P6V3YV11WdRisytbmPNdACnrY0h9Uh+iR+S9owsXSrRQiY4tFV8qt8Oeo4St+gMSbYTKm8M3RNJgR2OxfHasDrknT6Wgjgtu03nxL7K19K6MT0P73Oi+roaFxl64mDnAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAERqZhMk9VAcPMYMDjHv/YrCAVgWntmKU3KIDxLhzpvW1uWo45Ni1G1cXiQTAi39uTdP7w2LmoKO6HbbLmWnQIOx06XxqdE4sllQRe7Za62wY4zI0XSuAPMWCHlGoKmXoKb2xz6QCmOHxQM46itfxF0amfZiZnx6bDUwEI9Iu8pTeAGejpoyCMmiV2zeP1yWoeoM/B2lPEZU+HD18Z87QY8hxCLP3rU1tD5Lm2vw+fpN6dWPD0q/rN6TgwiQtJieIRCeBYOu1OZrzfrIGurf1vTLZ4JuLHSE+zGfdxNPRFtA7BaQdlz1g83Nb2BUNRbkYXAQOVaaodcsb/Pu9t4Bx5w=</X509Certificate></X509Data></KeyInfo></Signature>
<ns3:Status>
<ns3:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
<ns3:StatusMessage>Unable to authentication the user via the nested OAuth workflow. Consult the logs for additional details.</ns3:StatusMessage>
</ns3:Status>
</ns3:Response>

I suppose this must be some very simple configuration issue, however, kindly help me get some info on the above, so that this can be Resolved.

Thanking you,

Jay Swaminarayan!

Hello @dan @robotdan,

Many portals have started implementing Google's one-tap signing feature. When can we have that feature? or Is this in our roadmap?

https://developers.google.com/identity/gsi/web/guides/overview#consent_and_sign-in_with_one_tap

the above is the link for reference.

@robotdan Jay Swaminarayan!
Thanx, however the issue was resolved yesterday, with the Required Lambda after trying multiple options.
Here are the steps from scratch to follow for FusionAuth Configuration to work with ZOOM SSO

The Steps to resolve this issue with FusionAuth & Zoom SSO
Tested with FusionAuth Version: 1.19+

Before FusionAuth, we would need Few settings from Zoom SSO

1. Login to Zoom Account > My Account > Advanced > Single Sign-On > Enable
2. Copy: Service Provider (SP) Entity ID setting, it should be either <vanity>.zoom.us or https://<vanity>.zoom.us/
3. You will need this for configuring Fusion Auth, (Yes, Zoom will not allow to save SAML until all the fields are filled, don't worry, we will come there later. keep zoom settings page open)

Now, lets create & configure FusionAuth App for zoom sso

1. Login to FusionAuth with Admin Access
2. Goto > Application > Create New Application As usual with Default Configuration.

Note: Before Configuring SAML Settings in FusionAuth, we need to create

• SHA-256 Certificate with Proper Issuer required by Zoom
• An appropriate Lambda Function to match the Response expected by Zoom
  Follow these steps for both of this

---

CREATE SHA-256 CERTIFICATE FOR ZOOM

1. Go To > Settings > Key Master
2. "Generate RSA" From Top Right Drop Button

Name: Any Name, its for Identification, e.g. ZoomSAMLCertificateKey
Issuer: <vanity>.zoom.us (Should match the value set in Zoom's SAML "Service Provider (SP) Entity ID" setting)
Algorithm: RSA using SHA-256
Key lenght: 2048

3. Submit
   ==============================

---

CREATE SAML Populate Lambda as Required by Zoom

1. Go To > Customizations >Lambda > Add
2. Create New Lambda from top right [+] button

Name: Any Name for Identification: e.g. "SAML v2 Populate Lambda for Zoom App"
Type: SAML v2 Populate
Debug Enabled: as required

Body:

        function populate(samlResponse, user, registration) {
                    samlResponse.assertion.subject.subjectConfirmation.notBefore = null;
                    samlResponse.assertion.conditions.notBefore = null;
        }

3. Save
   ==============================

Now, we are ready to configure SAML settings in our App

5. Go To > Applications > Newly Created App > Enable SAML
6. Configure SAML Settings as following

Issuer: <vanity>.zoom.us (Should match the value set in Zoom's SAML "Service Provider (SP) Entity ID" setting)
Audience: leave it blank (default)
Callback URL (ACS): https://<vanity>.zoom.us/saml/SSO
Logout URL: https://<vanity>.zoom.us/ (or where ever to redirect after logout)
Signing key: Select the Key Generated in previous step e.g. "ZoomSAMLCertificateKey"
XML signature canonicalization method: Exclusive
Response populate lambda: Recently Created Lambda e.g. "SAML v2 Populate Lambda for Zoom App"
Debug Enabled: as required

Done, with FusionAuth, its ready for Zoom SSO

Now come to Zoom Page and Copy required settings from FusionAuth

1. You will have most details from the FusionAuth Application
2. Go to > Applications List > Click on our newly created Zoom App
3. Scroll to "SAML v2 Integration details" section

Get Zoom's SAML Settings from FusionAuth

Zoom's Sign-in Page URL:     <---     FA's Login URL
Zoom's Sign-out Page URL:     <---     FA's Logout URL
Zoom's Service Provider (SP) Entity ID == Select whatever you choose earlier as Issuer during Certificate Creation
Zoom's Issuer (IDP Entity ID):     <---     FA's Entity Id

Zoom's Identity Provider Certificate:     <---     
GoTo > FusionAuth's Settings > Key-Master > Click 🔍 on our Key generated for Zoom App
the value in "Base64 encoded" is to be used for Zoom's Identity Provider Certificate	

Zoom's Binding: HTTP-Redirect
Zoom's Signature Hash Algorithm: SHA-256
Zoom's Security: 
      Sign SAML request -- Unchecked
      Sign SAML Logout request -- Unchecked
      Support encrypted assertions -- Unchecked
      Enforce automatic logout after user has been logged in for -- Unchecked
      Save SAML response logs on user sign-in -- As Required
Zoom's Provision User: At Sign-in (Default) or As Required

4. [Save Changes] in Zoom
5. It's DONE! It should work as intended.
   Note: there can be errors still, but mostly will not be related to SAML.

@robotdan You may also please look into this and tell me!

Zoom Error Message Says:
The signature is not trusted or invalid, please check the certificate.

Also, I could figure out to remove the tags and NotBefore attribute using lambda but still, the problem persists.

Zoom engineering team tried is also ready and trying its best to support FusionAuth. They said me if we figure this out it will be a support FusionAuth officially.

My ticket is still on.

Kindly help

Jay Swaminarayan!

Hello @dan

It has been 2 weeks now that I am working with Zoom Premium support in connection with using FA as SAMLv2 IdP.

Everything seems to be configured properly but still, it fails.

Zoom as we know is a very widely used products and they (their engineering support) say they work with all popular IdPs, but they don't find this issue.

After a lot of working out, they said, it is probably failing due to "NotBefore" attribute in the Assertion>Conditions tag.

They say, this shouldn't be there. Now, I am not sure whats the issue.
Kindly help us.

@robotdan Thank you very much for your reply... Well, this is 1 time but although Please let me know where to purchase for the support and a direct link to the suited package shall be appreciated.

Moreover,

1. Why is just rendering the SSO page taking so long?, Password hashing is far story...
2. We have completely reduced crypto to Factor=2 with SHA-256 but still, an 8core CPU is reaching 100% for about 25-30 TPUs
3. We are trying the "creating nodes" way.
4. Also locally trying to profile FusionAuth Process Stack.
5. Also, please favour us by telling on a High level / Approximation if there is nothing running on the VM and it's only to load FusionAuth SSO, what should be the best Performance expected. I agree, there must be some configs, threads, workers into the equation. But If you were to optimize all those, what would you achieve on an approximation. This will help us understand if its the Limitation by the server resources (CPU/RAM/NODES) or its simply some misconfiguration somewhere.

Oh! Yes, we have tried that much earlier, sorry didn't tell you... we are out of Memory Heap... Right now its taking 100% CPU.

Java Process consumes 100% CPU when more than around 1000 users tries to login in at a time
Its

ONLY a max of 20 clients per second and 1000 users over a min with an average response time of 10secs!

We have checked all possible things what we could hunt over the internet. But with our limited knowledge, we are unable to solve this.