Synchronizing Users from a Directory Server

When you configure the Zscaler service to synchronize user information from the directory server to the Zscaler database, it uses the LDAP protocol to synchronize user, group and department information. (For additional information about LDAP, refer to RFC 2251, Lightweight Directory Access Protocol (v3).) It performs an LDAP search based on the configured parameters. The service imports users who have a User or Email attribute and who are part of the domain that is configured for the account. The service synchronizes data as follows:

  • It adds users, groups and departments that are in the directory server, but not in the service. It can synchronize up to 16 groups per user.
  • It deletes users, groups and departments that are in the service, but not in the directory server. Note that Zscaler does not actually delete users. Instead, it deactivates users. It invalidates the authentication cookies of the users that were deleted and they are no longer allowed to authenticate.
  • If there is a discrepancy between the information that’s in the service and in the directory server, it modifies its data to match what’s in the directory server.

Alternatively, if your organization cannot allow the Zscaler service to connect directly to your internal directory servers or if you want to bypass any firewall constraints on your network, your organizations can install an on-site Zscaler Authentication Bridge (ZAB). The ZAB, which is typically located in your DMZ, is an appliance that communicates with your internal directory servers. The Zscaler service communicates only with the ZAB, which then queries your directory server. (For information on obtaining a ZAB, contact your Zscaler representative.)

By default, the Zscaler service performs an LDAP query to the directory server to authenticate users whose data was synchronized from a directory server (described in the next section). You can configure the service to use another authentication method, as described in Choosing Provisioning and Authentication Methods

Authenticating Synchronized Users

By default, the Zscaler service performs an LDAP query to the directory server to authenticate users whose data was synchronized from a directory server. It performs an LDAP BIND to the directory server to validate a user’s password and authenticate a user. Therefore, passwords are always stored and maintained on your directory server. They are never synchronized.

Zscaler gives you the option to use secure LDAP, which we highly recommend, to ensure the privacy of the LDAP communications between the service and your directory server. As shown in the diagram below, when a synchronized user logs in to the Zscaler service, the Zscaler Central Authority (CA) searches for the user in the Zscaler database by the login attribute and email address specified by the user. If the CA finds the user, it displays the password request form. When the user submits the password request form, the CA retrieves the Distinguished Name and tries to perform an LDAP Bind to the directory sever using the Distinguished Name and password of the user. If the LDAP Bind succeeds, user authentication is successful.