Choosing Provisioning and Authentication Methods

This section provides an overview of the various provisioning and authentication mechanisms that the Zscaler service supports. Zscaler recommends deploying Identity Federation using SAML for provisioning and authentication.

Provisioning Methods

Identity Federation using SAML

Users are provisioned and authenticate once to an identity provider.

Recommended for provisioning and authentication.

Benefits

  • No changes to existing firewall
  • First time authentication can be totally transparent to the user
  • Can be obtained for free through Zscaler partners

Requirements

  • Need to obtain the SAML service and implement it
  • If you want to use a cloud-based identity provider, check its availability in your region.

Hosted User Database

Upload user information to the database manually, through CSV import or the Zscaler Authentication Bridge.

Benefits

  • Easy to deploy
  • No need to back up data

Supported Authentication Methods

  • Passwords (Default)
  • Kerberos
  • One-Time Link
  • One-Time Password

If SAML is not feasible, this is recommended for organizations with up to 100 users.

Synchronize with Directory Server

Synchronize user, group and department data from a directory server, such as a Microsoft Active Directory (AD) or LDAP server. (Passwords are never synchronized.)

Benefits

  • Use existing infrastructure
  • Secure communications
  • User data can be synchronized periodically or on demand

Requirements

  • Configure firewall to allow the service to synchronize with directory server
  • The Zscaler service must have read-only access to the directory

Supported Authentication Methods

  • LDAP BIND
  • One-Time Link
  • One-Time Password
  • Preprovisioned Cookies

If SAML is not feasible, this is recommended for organizations with more than 100 users.

Zscaler Authentication Bridge

A virtual appliance that you can use to automatically import user information from an Active Directory (AD) or a Lightweight Directory Access Protocol (LDAP) server to the Zscaler database.

Benefits

  • Does not require inbound connections to your directory server
  • Virtual appliance is managed and maintained by your organization
  • User data can be synchronized periodically or on demand

Requirements

  • Download and install the virtual appliance

Supported Authentication Methods

  • Hosted User Database
  • LDAP BIND
  • SAML
  • One-Time Link
  • One-Time Password


Authentication Methods

Identity Federation using SAML

With SAML, users authenticate once to an identity provider and can be provisioned on the service.

Recommended for provisioning and authentication.

Benefits

  • No changes to existing firewall
  • First time authentication can be totally transparent to the user
  • Can be obtained for free through Zscaler partners

Requirements

  • Need to obtain the SAML service and implement it
  • If you want to use a cloud-based identity provider, check its availability in your region.

Kerberos

Zscaler supports authentication using Kerberos, an industry standard secure protocol that is widely used to authenticate users to network services.

Benefits

  • It enables the Zscaler service to authenticate users when they use applications that do not support cookies, such as Office 365 and Windows Metro Apps.
  • It enables transparent Single Sign-On (SSO) authentication for users. Users authenticate themselves once, when they log in to their corporate domain. They do not have to log in and authenticate themselves to the Zscaler service.
  • The service can enforce granular user, group and department policies on FTP transactions as well as HTTPS transactions, without having to decrypt the HTTPS transactions.
  • Your organization does not need to configure its firewall to allow incoming connections from the Zscaler Enforcement Nodes (ZENs).
  • Kerberos is a secure open standard protocol that most operating systems support, including Windows 7, Windows 8, OS X, Linux, and FreeBSD. Additionally, most browsers support Kerberos authentication, including Internet Explorer, Firefox and Safari.

Requirements

  • A PAC file must be used to forward traffic to the Zscaler service.
  • Users must be provisioned on the Zscaler service before they can use Kerberos for authentication.

Additionally, the following are required in a Windows environment:

  • A domain controller that runs Windows Server 2003, 2008 or higher.
  • Client devices must run Windows Vista or higher.

Directory Server

The service queries a directory server to verify the password. Used only with LDAP Synchronization as the provisioning method.

Benefits

  • Use existing authentication infrastructure
  • Secure communications
  • No software or hardware installation on site
  • Passwords do not leave the organization

Requirements

  • Configure firewall to allow Zscaler service
  • The directory server must allow the Zscaler service to perform an LDAP BIND

One-Time Link

The service emails a unique URL for the user to click and log in without a password.

Benefits

  • No need to manage passwords
  • Easy to deploy
  • Corporate or AD passwords do not leave organization
  • Can send link to temporary email address instead of corporate
  • No administrator intervention
  • No need for users to remember passwords
  • No software or hardware installation on site

Requirements

  • Allow users to click on links
  • Links can be sent to valid email addresses only

One-Time Token

The service emails a temporary password for the user to log in.

Benefits

  • Users don't click on links
  • Users manage passwords themselves, without administrator intervention
  • Authentication not dependent on Active Directory passwords
  • No software or hardware installation on site

Requirements

  • Valid email addresses

Passwords

Upload and store passwords on the database of the service. Used with hosted user database only.

Benefits

  • Does not require valid email addresses
  • Supports password complexity enforcement
  • Supports password expiry at configured intervals

Requirements

  • Administrators need to manage passwords
  • No software or hardware installation on site

Zscaler Authentication Bridge

A virtual appliance that you can use to provision and authenticate users.

Benefits

  • Virtual appliance is managed and maintained by your organization
  • User data can be synchronized periodically or on demand
  • Passwords do not leave the organization

Requirements

  • Download and install the virtual appliance