5.1 Associating Accounts with Identity Providers
In order to associate an account with its IDP, the account’s ADN hosts a DNS TXT record, per cloud, pointing to the corresponding IDP domain. Specifying the cloud identifier in the record lets an ADN configure different IDPs for different clouds. Note that since accounts are expected to change their IDP rarely, clients can cache this mapping aggressively.

For example, if an account hosted on the Zoom commercial cloud is using example.org as its ADN and generic-idp.com as its IDP, then the DNS entry for example.org should include a TXT record with a value like:

    v=zoomadn us.zoom.idp.commercial=examplecorp.generic-idp.com

As part of the process of validating IDP attestations (see Section 5.4), clients request the IDP domain value from the Zoom server and compare it with the value returned in the account’s DNS TXT record. In addition, once the ZTT is deployed, clients will also check that this information matches what is in the ZTT for auditing purposes. If the values do not match, then clients won’t complete verification of, or display any identifiers for, the account’s users.
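The client-side comparison described above, written out as an added example (not Zoom’s own code). It assumes the caller has already fetched the TXT record values at the ADN; the `v=zoomadn <cloud-id>=<idp-domain>` layout follows the text, while the function names and the constructed sample records are assumptions. Unrelated TXT records are ignored, and a missing or conflicting mapping fails closed.

```python
"""Verify an account's ADN -> IDP binding (Section 5.1). Added example, not Zoom's code."""
from typing import Dict, List, Optional, Set

ADN_VERSION_TAG = "v=zoomadn"  # first token that marks a zoomadn TXT record


def parse_zoomadn_record(txt_value: str) -> Optional[Dict[str, str]]:
    """Parse one TXT value into {cloud_id: idp_domain}.

    Returns None for records that are not zoomadn records (SPF, site
    verification, ...) or that contain a malformed pair, so they are
    neither misread nor partially trusted.
    """
    tokens = txt_value.strip().split()
    if not tokens or tokens[0] != ADN_VERSION_TAG:
        return None
    mapping: Dict[str, str] = {}
    for token in tokens[1:]:
        cloud_id, sep, idp_domain = token.partition("=")
        if not sep or not cloud_id or not idp_domain:
            return None
        # DNS names are case-insensitive; normalise before comparing.
        mapping[cloud_id] = idp_domain.lower().rstrip(".")
    return mapping


def resolve_idp_for_cloud(txt_values: List[str], cloud_id: str) -> Optional[str]:
    """IDP domain the ADN publishes for `cloud_id`, or None.

    Zero answers or two conflicting answers both yield None: the client
    must not guess which IDP to trust.
    """
    found: Set[str] = set()
    for value in txt_values:
        parsed = parse_zoomadn_record(value)
        if parsed and cloud_id in parsed:
            found.add(parsed[cloud_id])
    return found.pop() if len(found) == 1 else None


def idp_binding_matches(txt_values: List[str], cloud_id: str, server_claimed_idp: str) -> bool:
    """The check performed while validating IDP attestations: the IDP domain
    reported by the Zoom server must equal the one in the ADN's DNS record.
    False means: do not complete verification or display identifiers."""
    expected = resolve_idp_for_cloud(txt_values, cloud_id)
    return expected is not None and expected == server_claimed_idp.lower().rstrip(".")


# Constructed sample: TXT values a lookup of example.org might return.
SAMPLE_TXT_RECORDS = [
    "v=spf1 -all",  # unrelated record at the same name, ignored
    "v=zoomadn us.zoom.idp.commercial=examplecorp.generic-idp.com",
]

if __name__ == "__main__":
    ok = idp_binding_matches(SAMPLE_TXT_RECORDS, "us.zoom.idp.commercial", "examplecorp.generic-idp.com")
    print("binding verified" if ok else "binding mismatch: withhold identifiers")
```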