How do I configure SAML?

You must complete the following steps to enable the Zscaler service to use SAML for provisioning and authenticating users.

  1. Review the prerequisites.
  2. Configure the IdP.
  3. Configure the Zscaler service.

See below for more.

Prerequisites

Before you configure the Zscaler service to use SAML for provisioning and authentication, ensure that you do the following:

  • Obtain and configure an IdP, such as ADFS, Okta or OneLogin. See below for links to configuration examples.
  • Obtain the SSL certificate of the IdP. You will upload this certificate to the Zscaler service portal when you configure the service to use SAML.
  • Export the XML metadata from the IdP. You will use information from the metadata when you configure the service to use SAML.
  • If you are using PAC files to forward traffic to the Zscaler service, add the redirected URL to the bypass list in the PAC files; otherwise the authentication will fail. This happens because the browser tries to reach the authentication URL via the Zscaler service, but the current user is not yet authorized to use the service, so the request never passes through the Zscaler node.

Configuring the IdP

Click below for configuration examples that provide instructions for adding the Zscaler service to an IdP.

Configuring the Zscaler service for SAML

Complete the steps below to configure the service to use SAML for provisioning and authentication. The steps below explain how to download the Zscaler certificate, which you can upload to your IdP.

  1. Go to Administration > Authentication > Authentication Settings.
  2. Do the following:
    • From the Authentication Frequency menu, choose how often users are required to authenticate to the Zscaler service. If you select Custom, specify 1 to 180 days.
    • From the Authentication Type, choose SAML and click Configure SAML.
      • In the Identity Provider (IDP) Options section, complete the following:
        • SAML Portal URL: Enter the URL of the SAML portal to which users are sent for authentication. Ensure that it is publicly resolvable if you want users to authenticate from the Internet, and that it is protected using HTTPS. You can obtain this information from the XML metadata of the IdP.

          For example, for ADFS, you can obtain it from the line:
          SingleSignOnService Binding="...HTTP-POST" Location="https://10.10.10.1/adfs/ls/"
          For OneLogin, you can copy it from the SAML Endpoints URL field referenced in step 5 of Adding the Zscaler Service as an Application in Configuration Example: OneLogin.
        • Login Name Attribute: Enter the LDAP attribute that maps to the login name that users enter when they authenticate to the Zscaler service. Typically, it is NameID. (Note that NameID is entered as one word, with no spaces.) This field is case sensitive.
        • Public SSL Certificate: Click Upload, and then click Choose File to navigate to the public certificate that is used to verify the digital signature of the IdP. This is the certificate you downloaded from the IdP. The certificate must be in base-64 encoded PEM format. The file extension must be .pem, and the file name must contain no other dots (.).
      • In the Service Provider (SP) Options section, do the following:
        • Select Sign SAML Request if the Identity Provider expects the SAML request to be signed.
        • For the Signature Algorithm, choose SHA-2 (256-bit). Note that if you are reconfiguring SAML because the certificate expired, Zscaler recommends that you select the certificate with the later expiration date.
        • Under Request Signing SSL Certificate, choose which certificate you want to use for signing SAML requests.
        • Click SP’s Public Certificate to download the Zscaler certificate that you will upload to the IdP when you configure it.
        • Optionally, click Service Provider’s Metadata to export the metadata of the Zscaler service. The metadata advertises the Zscaler SAML capabilities and is used for auto-configuration. Some IdPs require importing of the metadata to configure the Zscaler service as a service provider.
      • In the Auto-Provisioning Options section, do the following:
        • Select Enable SAML Auto-Provisioning. If you do not enable this option, users will not be provisioned on the service.
        • Specify the LDAP attributes that map to the user name, group name, and department. These are case-sensitive.
          • User Display Name Attribute: This is typically displayName.
          • Group Name Attribute: This is typically memberOf.
          • Department Name Attribute: This is typically department.
  3. Click Save to exit the window.
  4. Click Save and activate the changes.

For background information on using SAML, click here.

For help with troubleshooting SAML, click here.