We’ve heard from districts that want to improve Zoom security to ensure the safety of students and teachers. In response, we have worked with Zoom to develop a new solution for schools called the Zoom Secure Experience. This new experience “locks down” meetings in your domain – only teachers, staff and admins can create meetings, and only verified users (including students) in your domain can join these Zoom meetings.
Additionally, usernames for individuals joining will be locked. Students will have the default name: "First Name + Last Name" (Example: Harry Potter) as displayed in Clever. Notably, this Secure Experience does not require students to have Zoom accounts!
We think this is a great experience and now recommend it to our districts as a best practice. If you’d like to enable the Zoom Secure Experience for your district, please follow the steps below.
Things to Note:
- This Secure Experience requires all users to authenticate via Clever before joining a Zoom meeting
- This experience does not give Zoom accounts to students
- These instructions assume you’ve already set up Zoom + Clever SSO for your teachers & staff. If you have not already done so, please begin by following the instructions here.
- If there are any users in your district who want to join Zoom meetings and aren't in Clever, you'll want to add them to your Clever upload (e.g. staff.csv).
If certain users in your districts need to continue hosting unauthenticated meetings, you can allow this by creating multiple Zoom User Groups and applying the settings below on a group-by-group basis.
First, please confirm you have completed Zoom + Clever SSO for your teachers & staff as described here: https://support.clever.com/hc/en-us/articles/360040481852
- Log in as Clever admin and click this link:
- Add the Zoom External Auth application by selecting Request application
- Select the top-left checkbox to enable this application for all users in the district and select Request with sharing
Please Note: This is a special application that will not appear in any user-facing portals. This application must be added in addition to the Zoom - Teachers & Staff app you’ve already configured.
- Log in to Zoom
- Navigate to Account Management > Account Settings
- Turn OFF "Allow participants to rename themselves"
- Turn ON “Only authenticated users can join meetings”
- Turn OFF “Only authenticated users can join meetings from Web client”
Image: Steps 2-4
Next to “Only authenticated users can join meetings,” click the lock icon to enforce this for all your users:
Click Edit next to Sign in to Zoom (Default)
- In a new tab, navigate to: https://schools.clever.com/applications/saml-zoom-external-auth/settings
• Under 'SAML Details' copy the Metadata URL
- Enter the copied Metadata URL in a new browser tab and press Enter.
• Copy the value found between the tags: <ds:X509Certificate>
- Configure settings in Authentication Configuration as follows and click Save
Name: Sign in with Clever
Authentication Method: Sign in to External SSO
Sign-in page URL: https://samlidp.clever.com/saml-zoom-external-auth/assert
Identity provider certificate: Enter the X509 certificate from the Zoom External Auth app as identified in Steps 8-9.
Email Address: <blank>
First Name: FirstName
Last Name: LastName
- In the Zoom dashboard, once you have clicked Save an option to download your “SP metadata XML” will appear. Download and open this file. Locate the entityID and Location values and enter those in Clever as the “Entity ID” and “Assertion Consumer Service URL”, respectively.
SP metadata XML:
(Note: your values will be different than what’s pictured)
- Click Confirm to save the variables.
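The values copied by hand in the steps above (the certificate from the Clever metadata, and the entityID and Location from Zoom's SP metadata XML) can also be extracted and sanity-checked with a short script. This is an added example, not part of the original article or of Clever's or Zoom's tooling; the function names and the sample XML are constructed for illustration, and real input would be the text behind the Metadata URL and the downloaded SP file.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def parse_metadata(xml_text):
    # SAML metadata needs no DTD; refusing one blocks entity-expansion input.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations not allowed in metadata")
    return ET.fromstring(xml_text)

def idp_certificate(idp_metadata_xml):
    """Return (whitespace-free base64 cert, SHA-256 hex digest of decoded bytes)."""
    root = parse_metadata(idp_metadata_xml)
    certs = {"".join(e.text.split())
             for e in root.iterfind(".//ds:X509Certificate", NS) if e.text}
    if len(certs) != 1:
        raise ValueError(f"expected one distinct certificate, found {len(certs)}")
    b64 = certs.pop()
    return b64, hashlib.sha256(base64.b64decode(b64, validate=True)).hexdigest()

def sp_values(sp_metadata_xml):
    """Return (entityID, Assertion Consumer Service Location) from SP metadata."""
    root = parse_metadata(sp_metadata_xml)
    acs = root.find(".//md:AssertionConsumerService", NS)
    entity_id = root.get("entityID")
    location = acs.get("Location") if acs is not None else None
    if not entity_id or not location or not location.startswith("https://"):
        raise ValueError("missing entityID or non-HTTPS ACS Location")
    return entity_id, location

# Constructed sample inputs (placeholder bytes and example.invalid hosts, not real data).
SAMPLE_B64 = base64.b64encode(b"constructed bytes, not a real certificate").decode()
SAMPLE_IDP = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}">
  <md:IDPSSODescriptor><md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>
      {SAMPLE_B64[:24]}
      {SAMPLE_B64[24:]}
    </ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor>
</md:EntityDescriptor>"""
SAMPLE_SP = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    entityID="https://sp.example.invalid/entity"><md:SPSSODescriptor>
  <md:AssertionConsumerService Location="https://sp.example.invalid/acs"/>
</md:SPSSODescriptor></md:EntityDescriptor>"""

if __name__ == "__main__":
    print(idp_certificate(SAMPLE_IDP), sp_values(SAMPLE_SP))
```

For a real certificate, the digest returned by `idp_certificate` is its SHA-256 fingerprint, which can be compared against the fingerprint of the certificate pasted into Zoom to confirm nothing was lost or altered in the copy.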
Testing the Secure Experience
To test the Secure Experience:
- Create a new meeting using a district Zoom account and start the meeting.
- In the Zoom meeting, click the in the top left to locate the meeting URL
- Copy the URL and attempt to join the meeting from a new private/incognito browsing window (make sure to NOT be logged in to Zoom or Clever)
- You should be prompted to log in to Clever before proceeding.
Please note: in a private/incognito window you will need to search for your school before logging in. During a normal browsing session, users who click the Zoom link from Clever will be automatically authenticated!
- Student clicks on a meeting link in the Clever Portal
- Student is prompted to authenticate with Clever. If they are already logged into Clever, the authentication will happen automatically!
- Student enters the Zoom meeting. Their Zoom name will be auto-populated with "First Name + Last Name" (Example: Harry Potter)
Join from your browser: if a student is joining from their browser, they will be prompted to enter a name; however, this name will be overwritten by the Clever authentication.
Pictured below: self-selected name
Pictured below: the correct Clever name