Building a Zscaler Lab Part 2 (Zscaler and SAML IdP Integration)

We’re getting closer to the real fun where we can start provisioning Application access and Securing traffic with Zscaler. Before we can do that we have some work to do.

Let’s connect an Identity Provider (IdP) to our Zscaler Tenant.

If you’ve seen a Zscaler presentation at all , you’ve probably seen the above image. This effectively maps out the Zero Trust process for Authentication and where it fits in the overall scheme of establishing connections. I’ve highlighted the piece covered in this post in the slide above. See the official documentation here. https://help.zscaler.com/zia/adding-identity-providers

Step 1: Login to your Zscaler Admin Portal for the Cloud your tenant is provisioned on. Assuming you are a customer , partner, or working with your Zscaler team on setting up a PoV test, use the link provided to you.

On the Admin page, go to Administration> Authentication

Then on the “Identity Providers” tab, we’ll select the “+ Add IdP” , if you already happen to have one setup, and are prompted with another option, just select “Add another…” and Next.

On the Add IdP page we’ll need some of the info we saved from Azure before, if you didn’t save it you’ll need to go back into your Azure Tenant and get it.

Enter the following required details:

  • Name: Azure (or whatever you want)
  • Status: Enabled
  • SAML Portal URL: <Paste in Login URL link you saved.>
  • Login Name Attribute: NameID <– This is case-sensitive.
  • IdP SAML Certificate: Upload .pem file you saved from before
  • Vendor: Microsoft Azure Active Directory

You should end up with an IdP profile that looks something like the following.

Now that we’ve connected our Azure IdP, we need to set Zscaler to use it. Navigate back to Administration>Authentication , then just select the SAML Authentication Type. Select Save at the bottom of the page, then be sure to “Activate” your changes.

That’s really it for enabling an authentication source. Next Post I’ll cover off enabling SCIM for updates and changes.

Building a Zscaler Lab Part 1 (Identity Provider)

Everything in the world of Zero Trust comes down to a few basic ideas. The first and probably most important is Identity. Network and Application access in Clouds has long been primarily controlled strictly based on WHERE a given connection is coming from not WHO is initiating it.

I won’t detail the creation of an M365 Tenant here, but for detail sake here’s what I have. It’s just a Trial Licensed M365 Business Standard tenant. It comes with everything we need to get the ball rolling. I’ve activated a custom domain name inside it already. I’ve also installed and connected the Entra ID Sync tool from my on prem AD Controller and am syncing user accounts.

SAML

Zscaler’s preferred method for user authentication uses Security Assertion Markup Language (SAML). Though ZIA allows other authentication methods, ZPA only supports SAML. Zscaler supports any SAML 2.0+ (POST Binding) compliant Identity Provider (IdP).

There are many IdPs, however the ones Zscaler sees most often are Azure AD, ADFS, and Okta. This post will focus on integrating authentication with Azure and what it takes to setup Azure as your IdP inside Zscaler.

In your Azure Tenant, view the Entra ID Overview page, then begin the process of adding your custom domain name. Microsoft Instructions here.

Once your custom domain is active and if you are syncing AD resources to Azure , make sure the users and groups are all populated in Entra ID.

Now the fun part begins, building the actual SAML connections to your Zscaler Tenant.

Back on the Entra ID Overview page select the Enterprise Applications option.

Then select + New Application

At the search box for the Catalog of applications, enter “zscaler”, then select the correct Zscaler Cloud for your Instance. Click the “Create” button to add it. For Zscaler Internet Access on zscalertwo.net select Zscaler Two.

After the Zscaler application is created, select the “Single Sign-On” option. Then click the SAML box.

On the Basic SAML Configuration click Edit.

This is where things get a bit more specific. On the Basic SAML Config page, you’ll need to copy down a few bits of information as you’ll be copying and pasting information between Azure and your Zscaler Tenant. It’s a good idea to have a Secure Notepad document that can hold some of this information.

First update the Reply URL (Assertion Consumer Service URL) it’s conveniently listed where it says “Patterns”.

Copy the Patterns URL, then select “Add reply URL” and paste it there. As well as in the Sign on URL area below. Click “Save” at the top, then click the X to close the window. When prompted to Test single sign-on, click “No, I’ll test later”.

Scroll down to the SAML Certificates section. Click the Download link for the Certificate (Base64) and save that in your Secure Storage with your other setup information.

IMPORTANT NOTE: Zscaler only supports certificates that end with the .pem extension. So we’ll need to modify the Base64 certificate from Azure before we can use it in the Zscaler Admin portal. Simply enough, just change the file extension to .pem from .cer

Back on the SAML page, scroll down again, and copy the Login URL, save it in your Notepad for later.

That’s the Azure side for enabling SAML for Zscaler, next post I will walk through the Zscaler side, which is detailed here in the very useful Zscaler Help site.

Building a Zscaler Lab

Welcome to my Blog on building out my Zscaler Personal Tenant. I will walk through the required steps to create and connect my Home Lab environment to my Zscaler Cloud Zero Trust Exchange Tenant.

Here’s the breakdown.

Identity:

My lab has two main Identity Sources or Providers. (IdP)

Azure AD now called Microsoft Entra ID will be my primary Identity Provider with Local User accounts synced from my On Prem Microsoft Active Directory. Technically you could say this is only one ID Source but I see distinctly different uses here even though they are synced together.

Datacenter:

I have two Datacenter locations, each of them operating as independent locations. Each has its own Edge Firewall in place. They are interconnected via an IPSEC VPN tunnel for ease of access and management during deployment. This however will prove to be our first major use case for connecting to the Zscaler Zero Trust Exchange. Enabling secure communications between each Datacenter WITHOUT a VPN and WITHOUT opening any External Firewall Ports.

Inside each Datacenter is a Nested VMware ESXi Cluster of vSphere Hosts with a Single NSX Manager controlling both environments. The goal here is to show how and where adding Zscaler to your Datacenter Environment can increase the level of Security that protects your most critical Infrastructure. While at the same time enabling Secure connectivity to the Applications inside each location and Secure Connectivity to the Management Plane (vCenter, NSX Manager, etc).

Existing Infrastructure for this Build:

  • VMware vSphere Hosts (nested)
  • VMware vCenter Servers (1 in each site, not linked)
  • VMware NSX Manager
  • Microsoft Server 2022 Active Directory
  • Microsoft Certificate Authority Services (offline Root with Issuing CA)
  • Firewalls for Connectivity
  • VLAN backed networking for ease of initial deployment
  • Simple BGP Pairing between NSX T0 and pFsense Gateway
  • M365 Account with Entra ID
  • Open EMR
  • WordPress