About the Zscaler Authentication Bridge
The Zscaler Authentication Bridge (ZAB) is a virtual appliance that you can use to provision as well as authenticate users. You can use the ZAB to automatically import user information from an Active Directory (AD) or a Lightweight Directory Access Protocol (LDAP) server to the Zscaler database, without requiring inbound connections to your directory server. The ZAB can be used solely as a provisioning tool in conjunction with another authentication mechanism, such as SAML or Kerberos. Alternatively, it can be used for authentication as well, using LDAP with SSL client certificates.
The ZAB scales to hundreds of thousands of users. It requires minimal administration. After you deploy it, you can configure the service to automatically synchronize users on demand or daily, weekly or monthly. See How do I deploy a Zscaler Authentication Bridge?
You can download the ZAB from the Zscaler service portal and install it as a virtual appliance on a hypervisor at your location. As shown in the diagram, the ZAB opens a long-lived, secure outbound tunnel to the Zscaler Central Authority (CA). It downloads your organization's authentication profile configuration from the CA and connects to the directory server. It synchronizes user information from the directory server to the Zscaler cloud on demand or as scheduled.
The service synchronizes data as follows:
- It adds users, groups and departments that exist in the directory server but not in the Zscaler service. It can synchronize up to 128 groups per user.
- It deletes users, groups and departments that exist in the service but not in the directory server. The service invalidates the authentication cookies of the deleted users, so they can no longer authenticate.
- If the information in the service differs from the information in the directory server, the ZAB modifies the service's data to match the directory server.
The ZAB does not synchronize passwords. Passwords are always stored and maintained on your directory server.
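The three synchronization rules above amount to a one-way reconciliation in which the directory server is authoritative. The following is an added illustration, not Zscaler's code: it computes the add, delete and modify sets from two constructed snapshots, applies them, and revokes the sessions of deleted users. The `Entry` type, the session store and the handling of the 128-group limit (users over the limit are reported rather than silently truncated) are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Limit stated in the product description: at most 128 groups per user.
MAX_GROUPS_PER_USER = 128


@dataclass(frozen=True)
class Entry:
    """Assumed shape of one synchronized user record (example only)."""
    groups: FrozenSet[str]
    department: str


def plan_sync(directory: Dict[str, Entry], service: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Reconcile the service against the directory, which is authoritative.

    Returns the user ids to add (directory only), delete (service only) and
    modify (present in both, but the records differ), plus those whose group
    count exceeds the limit (assumed here to be reported, not truncated).
    """
    dir_ids, svc_ids = set(directory), set(service)
    add = sorted(dir_ids - svc_ids)
    delete = sorted(svc_ids - dir_ids)
    modify = sorted(u for u in dir_ids & svc_ids if directory[u] != service[u])
    over_limit = sorted(u for u in dir_ids if len(directory[u].groups) > MAX_GROUPS_PER_USER)
    return {"add": add, "delete": delete, "modify": modify, "over_limit": over_limit}


def apply_sync(directory: Dict[str, Entry], service: Dict[str, Entry],
               sessions: Dict[str, str], plan: Dict[str, List[str]]) -> None:
    """Mutate the service copy and the session store according to the plan.

    Deleted users lose their authentication cookies, matching the stated
    behaviour that removed users can no longer authenticate.
    """
    for user in plan["add"] + plan["modify"]:
        service[user] = directory[user]  # directory wins on any discrepancy
    for user in plan["delete"]:
        service.pop(user, None)
        sessions.pop(user, None)  # invalidate the deleted user's cookie


# Constructed sample snapshots (not real data).
DIRECTORY = {
    "alice": Entry(frozenset({"eng", "vpn"}), "Engineering"),  # gained a group
    "bob": Entry(frozenset({"sales"}), "Sales"),
    "dave": Entry(frozenset({"eng"}), "Engineering"),          # new hire
}
SERVICE = {
    "alice": Entry(frozenset({"eng"}), "Engineering"),
    "bob": Entry(frozenset({"sales"}), "Sales"),
    "carol": Entry(frozenset({"hr"}), "HR"),                   # left the org
}
SESSIONS = {"alice": "cookie-a", "carol": "cookie-c"}  # constructed cookie store


def run_example():
    """Run one synchronization pass over copies of the sample data."""
    service = dict(SERVICE)
    sessions = dict(SESSIONS)
    plan = plan_sync(DIRECTORY, service)
    apply_sync(DIRECTORY, service, sessions, plan)
    return plan, service, sessions


if __name__ == "__main__":
    plan, service, sessions = run_example()
    print("plan:", plan)
    print("users after sync:", sorted(service))
    print("sessions still valid:", sorted(sessions))
```

Note that passwords never appear in the record type: consistent with the description, a sync of this kind carries identity and group membership only, and the deletion path is what enforces revocation for users who have left the directory.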
A ZAB can also be used as an authentication tool. As shown in the diagram below, the Zscaler service communicates only with the ZAB during the authentication process. The service directs requests to the ZAB, which in turn authenticates users against your organization's directory server. Note that the passwords are always stored on your directory server. They are never stored on the ZAB or the CA.