SAML Configuration Example: OneLogin

This example illustrates how to configure OneLogin as an IdP for the Zscaler service. It also describes how to integrate Active Directory and configure an AD connector. Refer to the OneLogin documentation for additional information about the steps in the example.

Prerequisites

Ensure that you have the following before you start configuring OneLogin:

Configuring OneLogin

To configure OneLogin:

  1. Add the Zscaler service.
  2. Download the certificate.
  3. Assign users.
  4. Add the Active Directory server.
  5. Install the AD Connector.

After you configure OneLogin and the Zscaler service, you can then test the configuration as described in Testing the Configuration.

Adding the Zscaler Service as an Application

  1. Log in to OneLogin as a company administrator and click Find apps.
  2. In the Find apps window, enter Zscaler in the search field, and then click add beside Zscaler in the list of results.
  3. In the Add Zscaler window, choose Zscaler in the This app will be used by field.
  4. Click Continue.
  5. In the Single Sign-on tab, do the following, and then click Update:
    • In the Credentials section, select Configured by admin.
    • In the Default values section, select Email from the NameID menu.
    • Copy the SAML Endpoints URL. You will paste this in the URL of the SAML Portal to which users are sent for authentication field of the Zscaler service portal.
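As an added example (not from the original page, OneLogin or Zscaler), the structural checks a SAML service provider applies to the assertion this configuration produces, in Python: the NameID must be an email address, as selected in the Single Sign-on tab above, and the issuer, audience and validity window must match. The sample response, its issuer URL, audience and timestamps are constructed placeholders, and XML signature verification (done with the PEM certificate downloaded from OneLogin) is out of scope here.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample response; issuer, user, audience and times are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://app.onelogin.com/saml/metadata/PLACEHOLDER</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>urn:placeholder:sp-entity-id</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def _ts(value):
    # SAML timestamps are UTC with a trailing Z, which older fromisoformat() rejects
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_assertion(xml_text, expected_issuer, expected_audience, now_iso):
    """Return a list of problems; an empty list means the assertion is accepted.
    Signature verification is a separate step not performed here."""
    root = ET.fromstring(xml_text)
    problems = []
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        problems.append(f"unexpected issuer {issuer!r}")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("missing NameID")
    else:  # OneLogin was set to NameID = Email; the SP keys the user on it
        if name_id.get("Format") != EMAIL_FORMAT:
            problems.append("NameID format is not emailAddress")
        if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", name_id.text or ""):
            problems.append(f"NameID {name_id.text!r} is not an email address")
    cond = root.find(".//saml:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        problems.append("missing Conditions or validity window")
    else:
        now = _ts(now_iso)
        if not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion outside its validity window")
        if expected_audience not in [a.text for a in cond.findall(".//saml:Audience", NS)]:
            problems.append("audience restriction does not include this SP")
    return problems
```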

Downloading the Certificate

To download the certificate, go to Security > SAML and download the X.509 certificate in PEM format.

Assigning Users to the Zscaler Application

You can assign users individually or by roles. This example describes how to assign users by role.

To assign users to the Zscaler application:

  1. In OneLogin, go to People > Roles and click edit.
  2. Select Zscaler from the list of apps, click Commit changes, and then click Update.

Adding a New Directory

To add a directory:

  1. Go to People > Directories and click New Directory.
  2. Click Windows Server Active Directory.
  3. In the New Directory window, click Update.
  4. In the Active Directory window, do the following and click Update:
    • Download the AD Connector and save the file.
    • Copy the token, which you will use when you install the AD connector.
  5. When the confirmation message appears, click Save File.

Installing the OneLogin Active Directory Connector

To install the connector:

  1. Navigate to where you saved the AD connector and run it.
  2. When the wizard appears, click Next.
  3. Specify where you’d like to install the connector and click Next.
  4. In the Directory Token window, paste the token that you copied in step 4 of the preceding section, Adding a New Directory, and click Next.
  5. Click Close to exit the wizard.
  6. The installation is complete.

Testing the Configuration

If you are already logged in to the Zscaler service, browse to https://login.zscaler.net/zscaler.portal (or replace zscaler.net with the cloud name you are using), and click Logout.

To learn how you can find your cloud name, click here.

Otherwise, ensure that your traffic is being forwarded to the Zscaler service and then browse to a website. When prompted for authentication, provide your SAML login credentials to log in. (If any error occurs, see Troubleshooting Guidelines.)