Configuring ADFS for Admin SAML Single Sign-On
This example illustrates how to configure ADFS on Windows Server 2008 R2 as a SAML 2.0 IdP for the Zscaler service, so that your organization's admins can sign in with SAML single sign-on. It assumes that ADFS 3.0 is already installed on the Windows server. Refer to the Windows ADFS documentation for additional information about the steps in the example. The relevant technical attributes are:
- ACS URL: https://admin.<cloud-name>/adminsso.do
- For example, if your cloud is zscalerone.net, your ACS URL is https://admin.zscalerone.net/adminsso.do. To learn how to find your cloud name, click here.
- Signature hashing algorithms: SHA-1 and SHA-256. Prefer SHA-256 (set under Secure hash algorithm on the relying party trust's Advanced tab); keep SHA-1 only where a compatibility constraint requires it.
Below are the prerequisites for configuring the ADFS server:
- ADFS account with admin privileges
- Admin account(s) created for your organization's admin(s). See Adding Administrators.
- XML metadata for the Zscaler service, downloaded from the Zscaler Admin Portal. The Add Relying Party Trust wizard imports this file, so check it before you start.
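As an added example (not part of the Zscaler page), the following PowerShell inspects the downloaded SP metadata before it is imported into ADFS and checks that the AssertionConsumerService it advertises is the ACS URL you expect for your cloud. The cloud name zscalerone.net and the inline metadata are assumptions: the metadata is a constructed sample in the standard SAML 2.0 SP metadata shape, not a real download, so replace it with the path to your own file.

```powershell
# Added example, not from the Zscaler page: sanity-check SP metadata before importing it.
# Assumptions: cloud name 'zscalerone.net'; the metadata below is a constructed sample.

function Test-ZscalerSpMetadata {
    param(
        [Parameter(Mandatory)][xml]$Metadata,
        [Parameter(Mandatory)][string]$ExpectedAcsUrl
    )
    $ns = New-Object System.Xml.XmlNamespaceManager($Metadata.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')

    $entity = $Metadata.SelectSingleNode('/md:EntityDescriptor', $ns)
    $sp     = $Metadata.SelectSingleNode('/md:EntityDescriptor/md:SPSSODescriptor', $ns)
    if (-not $entity -or -not $sp) {
        throw 'Not SAML 2.0 SP metadata: EntityDescriptor/SPSSODescriptor missing.'
    }

    # Every ACS endpoint the SP advertises; ADFS will post assertions to one of these.
    $acsUrls = @($sp.SelectNodes('md:AssertionConsumerService', $ns) |
                 ForEach-Object { $_.GetAttribute('Location') })
    $formats = @($sp.SelectNodes('md:NameIDFormat', $ns) | ForEach-Object { $_.InnerText })

    [pscustomobject]@{
        EntityId             = $entity.GetAttribute('entityID')
        AcsUrls              = $acsUrls
        AcsMatchesExpected   = ($acsUrls -contains $ExpectedAcsUrl)
        AllAcsUseHttps       = -not ($acsUrls | Where-Object { $_ -notlike 'https://*' })
        WantAssertionsSigned = ($sp.GetAttribute('WantAssertionsSigned') -eq 'true')
        NameIdFormats        = $formats
    }
}

$cloudName   = 'zscalerone.net'                        # assumption: your Zscaler cloud
$expectedAcs = "https://admin.$cloudName/adminsso.do"

# Constructed sample. In practice: [xml]$metadata = Get-Content -Raw 'C:\zscaler\sp-metadata.xml'
[xml]$metadata = @"
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://admin.zscalerone.net/adminsso.do">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
                      WantAssertionsSigned="true">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="https://admin.zscalerone.net/adminsso.do" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"@

$result = Test-ZscalerSpMetadata -Metadata $metadata -ExpectedAcsUrl $expectedAcs
$result | Format-List
if (-not $result.AcsMatchesExpected) {
    Write-Error "Metadata ACS URL does not match $expectedAcs; do not import this file."
}
```

If AcsMatchesExpected is false, the file is for a different cloud or has been tampered with in transit; fix that before creating the relying party trust, because ADFS will otherwise post signed assertions to whatever Location the file names.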
To add the Zscaler service to ADFS, go to Start > ADFS Management 2.0 to launch the ADFS management application and do the following:
A. Configure the Zscaler service as a relying party trust
In ADFS, a relying party is a Federation Service or application that requests and consumes claims from a claims provider in a particular transaction. Complete the following steps to add Zscaler as a relying party trust.
- In the ADFS 3.0 Management window, open the Trust Relationships > Relying Party Trusts folder. In the Actions menu on the right, click Add Relying Party Trust.
- When the Add Relying Party Trust wizard appears, click Start.
The wizard steps are listed in the column on the left.
- Enter a Display name for the Zscaler service, such as Admin SAML Zscaler-Beta, and then click Next.
Allow the wizard to run through the next four steps (Choose Profile, Configure Certificate, Configure URL, and Configure Identifiers); when the Zscaler XML metadata was chosen as the data source, the identifier, SAML endpoint, and certificate are taken from it. On the Ready to Add Trust page, check on the Endpoints tab that the SAML Assertion Consumer endpoint is https://admin.<cloud-name>/adminsso.do before continuing.
- In Configure Multi-factor Authentication Now? select I do not want to configure multi-factor authentication settings for this relying party trust at this time and then click Next.
- In Choose Issuance Authorization Rules, select Permit all users to access this relying party and click Next. This lets any user who authenticates to ADFS obtain an assertion for the Zscaler relying party; only users who also have an admin account in Zscaler can sign in, but if you want ADFS to enforce least privilege as well, later replace this rule with an issuance authorization rule that permits only an AD group of Zscaler admins (Edit Claim Rules > Issuance Authorization Rules).
- Ensure the option to open the Edit Claim Rules dialog is checked. Click Finish to add the relying party trust to the database.
B. Add a Claim Rule
Configure the SAML assertion that ADFS sends to Zscaler so that it identifies the admin, as follows.
- When the Edit Claim Rules window appears, click Add Rule.
- In Choose Rule Type of the Add Transform Claim Rule wizard, select Send LDAP Attributes as Claims as the claim rule template so the claims contain LDAP attribute values from the attribute store, AD. Then click Next.
- In Configure Claim Rule, do the following and click Finish.
  - Enter a name for the claim rule (for example, zsbeta claims).
  - From the Attribute Store menu, choose Active Directory.
  - Map the LDAP attribute that holds the admin's login name to the outgoing claim: in the LDAP Attribute column select User-Principal-Name, and in the Outgoing Claim Type column select Name ID.
The UPN is sent as the Name ID, and Zscaler matches it against the admin's login ID, which is an email address. If your admins' UPNs are not their email addresses, map the attribute that holds the email address (E-Mail-Addresses) to Name ID instead; the value in the assertion must equal the login ID of the admin account created in Zscaler.
C. Export the Certificate
To export the ADFS token-signing certificate, which Zscaler uses to verify the signature on the assertions ADFS sends:
- In the ADFS 3.0 Management window, open the Service > Certificates folder. Select the primary Token-signing certificate and, in the Actions menu on the right, click View Certificate.
- In the Certificate window, go to the Details tab and click Copy to File… to open the Certificate Export wizard.
- In Export File Format, choose Base-64 encoded X.509 (.CER) as the format and click Next. This format contains only the public certificate; the private key stays on the ADFS server.
- In File to Export, click Browse to choose a location, or enter a file name for the exported certificate. Click Next.
- Click Finish to exit the wizard.
Upload this certificate to the Zscaler service. See Enabling SAML Single Sign-On for Admins. Note that when ADFS automatic certificate rollover is enabled (the default), ADFS generates a new token-signing certificate before the current one expires; export and upload the new certificate to Zscaler before the old one is retired, or admin SSO will fail with a signature validation error.
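The same configuration as sections A, B and C, done with the ADFS PowerShell cmdlets instead of the management console, as an added example that is not part of the Zscaler page. It creates the relying party trust from the Zscaler metadata with SHA-256 signing, installs the UPN-to-Name ID transform rule, restricts issuance to an AD group of admins rather than permitting all users, and exports the primary token-signing certificate in Base-64 format. The display name, file paths and the group SID are placeholders (assumptions); the ADFS module ships with ADFS on Windows Server 2012 R2, while an ADFS 2.0 server exposes the same cmdlets through the Microsoft.Adfs.PowerShell snap-in.

```powershell
# Added example, not from the Zscaler page: sections A to C via the ADFS cmdlets.
# Run on the ADFS server as an ADFS administrator. Placeholders marked "assumption".
Import-Module ADFS   # ADFS 2.0: Add-PSSnapin Microsoft.Adfs.PowerShell

$displayName   = 'Admin SAML Zscaler-Beta'                          # assumption
$metadataFile  = 'C:\zscaler\zscaler-sp-metadata.xml'               # assumption: Admin Portal download
$certOutFile   = 'C:\zscaler\adfs-token-signing.cer'                # assumption
$adminGroupSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'  # assumption: Zscaler admins group
# Real value: (Get-ADGroup 'Zscaler-Admins').SID.Value with the ActiveDirectory module.

# B. Transform rule, equivalent to "Send LDAP Attributes as Claims": UPN -> Name ID.
#    Use ";mail;{0}" instead of ";userPrincipalName;{0}" if admins' Zscaler login IDs are their mail attribute.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "zsbeta claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# A. Issuance authorization: only members of the admin group get an assertion for this trust.
#    The page's "Permit all users" choice would instead be:
#    '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
$authzRules = @'
@RuleTemplate = "Authorization"
@RuleName = "Permit Zscaler admins group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)GROUPSID$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
$authzRules = $authzRules.Replace('GROUPSID', $adminGroupSid)

# A. Create the trust from the metadata: identifier, ACS URL and SP certificate come from the file.
Add-AdfsRelyingPartyTrust -Name $displayName `
    -MetadataFile $metadataFile `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules

# Check: the imported SAML endpoint must be https://admin.<cloud-name>/adminsso.do.
$rp = Get-AdfsRelyingPartyTrust -Name $displayName
$rp | Select-Object Name, Identifier, SignatureAlgorithm
$rp.SamlEndpoints | Select-Object Binding, Location

# C. Export the primary token-signing certificate as Base-64 X.509 (.CER) for upload to Zscaler.
#    Export(Cert) writes the public certificate only; the private key never leaves ADFS.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$der = $signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64 = [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks)
$pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----`r`n"
Set-Content -Path $certOutFile -Value $pem -Encoding Ascii
"Exported token-signing certificate $($signing.Thumbprint) to $certOutFile"
```

Re-run the last block after every token-signing certificate rollover; the thumbprint it prints is the one Zscaler must hold.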