How do I configure SAML Single Sign-On for admins?
The Zscaler service supports Identity Provider (IdP)-initiated SAML to authenticate admins. An admin can log in to the Zscaler admin portal directly from the SSO provider's portal by clicking the Zscaler application icon. This also lets you integrate admin authentication with your existing two-factor authentication solution.
Admins are not added through auto-provisioning: an admin must first be created in the Zscaler admin portal and can then use SAML authentication to log in. The Zscaler service also offers password authentication for admins, but recommends SAML for admin logins. However, keep at least one super admin with password authentication enabled so that an admin can still reach the admin portal if the SAML servers external to the Zscaler service become unreachable. The Zscaler service supports SAML 2.0 and above.
Before you begin, make sure you have the following:
- Admin account(s) created for your organization's admin(s). See Adding Administrators.
- An IdP configured, such as ADFS, Okta, etc.
- The IdP's SSL certificate (the public certificate used to verify the IdP's signature). You upload this certificate to the Zscaler admin portal when you configure the service to use SAML.
To enable SAML single sign-on for admins:
- Go to Administration > Administrator Management.
- Select the SAML tab.
- Select Enable SAML Authentication.
- Upload SSL certificate: Click Upload, and then click Choose File to navigate to the public certificate that is used to verify the digital signature of the IdP. This is the Base-64 encoded PEM file that you downloaded from the IdP. The file extension must be .pem, with no other dots (.) in the file name.
- Download XML Metadata: Click Download to export the metadata of the Zscaler service. The metadata describes the Zscaler SAML capabilities and is used for autoconfiguration. Some IdPs require you to import this metadata to configure the Zscaler service as a service provider.
- Issuer: Optionally, enter the IdP issuer associated with the Zscaler service.
- Click Save and activate the change.
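As an added example (not Zscaler's code), the following Python script prepares the certificate for the Upload SSL certificate step: it reads an IdP's standard SAML 2.0 metadata, picks out the signing certificate, checks that it is valid Base-64 DER, and wraps it as a PEM file the portal accepts, along with a check that the file name follows the .pem rule. The sample metadata and certificate bytes are constructed placeholders, not a real IdP or certificate.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def idp_signing_cert_pem(metadata_xml: str) -> str:
    """Extract the IdP signing certificate and return it as Base-64 PEM."""
    root = ET.fromstring(metadata_xml)
    idp = root.find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    cert = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute covers signing and encryption.
        if kd.get("use") in (None, "signing"):
            cert = kd.find(".//ds:X509Certificate", NS)
            if cert is not None:
                break
    if cert is None or not cert.text:
        raise ValueError("no signing certificate in metadata")
    b64 = re.sub(r"\s+", "", cert.text)
    der = base64.b64decode(b64, validate=True)  # rejects non-Base-64 input
    if der[:1] != b"\x30":  # a DER certificate starts with an ASN.1 SEQUENCE
        raise ValueError("certificate is not DER")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def valid_upload_filename(name: str) -> bool:
    """The portal requires a .pem extension and no other dots in the name."""
    return name.endswith(".pem") and name.count(".") == 1 and len(name) > 4

# Constructed sample metadata; the certificate is a placeholder DER SEQUENCE
# (SEQUENCE { INTEGER 1 }), not a real certificate.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        {base64.b64encode(SAMPLE_DER).decode()}
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Write the returned string to a file such as idp-signing.pem and upload that file in the SAML tab.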
When configuring IdPs other than ADFS or Okta, you may need the following information:
- The ACS URL: https://admin.<cloud_name>.net/adminsso.do
- Replace <cloud_name> above with the name of the cloud on which your organization is provisioned (see the Zscaler help for how to find your cloud name).
- The SSL certificate must be in Base-64 encoded PEM format.
- Entity ID: admin.zscalerbeta.net