Comment by paxys
1 year ago
The idea is that the company's Zoom admin should always specify the exact list of users who are allowed to be in their Zoom account. The email domain should have no bearing. So if you sign in as bob@mycorp.com, and that is a valid corporate account with the right permissions, you are let through. If you try bob+foo@mycorp.com, it should always fail. The pattern of "oh they have a mycorp.com email so they are probably legit" was broken from the start.
This is thankfully less of an issue now since everyone is moving to SAML-based logins and SCIM provisioning.
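The two admission checks the comment contrasts, written out as an added example that is not from the thread or from Zoom; the allowlist, the trusted domain and the sample logins are constructed for illustration:

```python
# Added example (not from the thread or from Zoom): the two admission
# policies paxys contrasts, run against constructed sample logins.
from __future__ import annotations

ALLOWED_USERS = {"bob@mycorp.com", "carol@mycorp.com"}  # constructed admin allowlist
TRUSTED_DOMAINS = {"mycorp.com"}                        # constructed domain rule


def parse_email(email: str) -> tuple[str, str] | None:
    """Return (local_part, domain) lower-cased, or None for a malformed address."""
    local, sep, domain = email.strip().lower().rpartition("@")
    if sep != "@" or not local or not domain or "@" in local:
        return None
    return local, domain


def domain_policy(email: str, trusted_domains: set[str] = TRUSTED_DOMAINS) -> bool:
    """The 'they have a mycorp.com email so they are probably legit' check.
    Anything under the domain passes: sub-addresses like bob+foo@ and
    colleagues the admin never enrolled."""
    parsed = parse_email(email)
    return parsed is not None and parsed[1] in trusted_domains


def allowlist_policy(email: str, allowed: set[str] = ALLOWED_USERS) -> bool:
    """The check the comment argues for: exact match against the admin's list.
    The domain has no bearing, and bob+foo@mycorp.com is a different string
    from bob@mycorp.com, so it fails."""
    parsed = parse_email(email)
    return parsed is not None and "@".join(parsed) in allowed


def compare(email: str) -> dict[str, bool]:
    """Side-by-side decision for one login attempt."""
    return {"domain_match": domain_policy(email), "allowlist": allowlist_policy(email)}


if __name__ == "__main__":
    for login in ["bob@mycorp.com", "Bob+foo@MyCorp.com",
                  "alice@mycorp.com", "bob@gmail.com"]:
        print(f"{login:24} {compare(login)}")
```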
> This is thankfully less of an issue now since everyone is moving to SAML-based logins...
Hate to break it to you, but SAML is the same shit, different coat of paint; the XML encryption/signature/encoding stuff it pulls in makes it just as much a tarpit for bugs and misconfiguration.
SCIM seems pretty decent, though, for explicitly stating who is and isn't on the guest list.
What I’ve also seen is integrations with a different OIDC endpoint for company X. It’s still OIDC, but it’s not “sign in with Google”.
This will help, but at the same time it will ruin the whole idea of seamless registration of corp users in an external service, damage adoption and increase friction.
If a company has no directory of their employees, associated company email addresses, and employment status, they likely have much worse problems.
Most companies have these directories but in different forms, including Wiki pages. The idea of auto-enrollment is that it is based on a standard and widely adopted OAuth protocol.