Building a Zscaler Lab Part 2 (Zscaler and SAML IdP Integration)

We’re getting closer to the real fun where we can start provisioning Application access and Securing traffic with Zscaler. Before we can do that we have some work to do.

Let’s connect an Identity Provider (IdP) to our Zscaler Tenant.

If you’ve seen a Zscaler presentation at all , you’ve probably seen the above image. This effectively maps out the Zero Trust process for Authentication and where it fits in the overall scheme of establishing connections. I’ve highlighted the piece covered in this post in the slide above. See the official documentation here. https://help.zscaler.com/zia/adding-identity-providers

Step 1: Login to your Zscaler Admin Portal for the Cloud your tenant is provisioned on. Assuming you are a customer , partner, or working with your Zscaler team on setting up a PoV test, use the link provided to you.

On the Admin page, go to Administration> Authentication

Then on the “Identity Providers” tab, we’ll select the “+ Add IdP” , if you already happen to have one setup, and are prompted with another option, just select “Add another…” and Next.

On the Add IdP page we’ll need some of the info we saved from Azure before, if you didn’t save it you’ll need to go back into your Azure Tenant and get it.

Enter the following required details:

  • Name: Azure (or whatever you want)
  • Status: Enabled
  • SAML Portal URL: <Paste in Login URL link you saved.>
  • Login Name Attribute: NameID <– This is case-sensitive.
  • IdP SAML Certificate: Upload .pem file you saved from before
  • Vendor: Microsoft Azure Active Directory

You should end up with an IdP profile that looks something like the following.

Now that we’ve connected our Azure IdP, we need to set Zscaler to use it. Navigate back to Administration>Authentication , then just select the SAML Authentication Type. Select Save at the bottom of the page, then be sure to “Activate” your changes.

That’s really it for enabling an authentication source. Next Post I’ll cover off enabling SCIM for updates and changes.

Building a Zscaler Lab Part 1 (Identity Provider)

Everything in the world of Zero Trust comes down to a few basic ideas. The first and probably most important is Identity. Network and Application access in Clouds has long been primarily controlled strictly based on WHERE a given connection is coming from not WHO is initiating it.

I won’t detail the creation of an M365 Tenant here, but for detail sake here’s what I have. It’s just a Trial Licensed M365 Business Standard tenant. It comes with everything we need to get the ball rolling. I’ve activated a custom domain name inside it already. I’ve also installed and connected the Entra ID Sync tool from my on prem AD Controller and am syncing user accounts.

SAML

Zscaler’s preferred method for user authentication uses Security Assertion Markup Language (SAML). Though ZIA allows other authentication methods, ZPA only supports SAML. Zscaler supports any SAML 2.0+ (POST Binding) compliant Identity Provider (IdP).

There are many IdPs, however the ones Zscaler sees most often are Azure AD, ADFS, and Okta. This post will focus on integrating authentication with Azure and what it takes to setup Azure as your IdP inside Zscaler.

In your Azure Tenant, view the Entra ID Overview page, then begin the process of adding your custom domain name. Microsoft Instructions here.

Once your custom domain is active and if you are syncing AD resources to Azure , make sure the users and groups are all populated in Entra ID.

Now the fun part begins, building the actual SAML connections to your Zscaler Tenant.

Back on the Entra ID Overview page select the Enterprise Applications option.

Then select + New Application

At the search box for the Catalog of applications, enter “zscaler”, then select the correct Zscaler Cloud for your Instance. Click the “Create” button to add it. For Zscaler Internet Access on zscalertwo.net select Zscaler Two.

After the Zscaler application is created, select the “Single Sign-On” option. Then click the SAML box.

On the Basic SAML Configuration click Edit.

This is where things get a bit more specific. On the Basic SAML Config page, you’ll need to copy down a few bits of information as you’ll be copying and pasting information between Azure and your Zscaler Tenant. It’s a good idea to have a Secure Notepad document that can hold some of this information.

First update the Reply URL (Assertion Consumer Service URL) it’s conveniently listed where it says “Patterns”.

Copy the Patterns URL, then select “Add reply URL” and paste it there. As well as in the Sign on URL area below. Click “Save” at the top, then click the X to close the window. When prompted to Test single sign-on, click “No, I’ll test later”.

Scroll down to the SAML Certificates section. Click the Download link for the Certificate (Base64) and save that in your Secure Storage with your other setup information.

IMPORTANT NOTE: Zscaler only supports certificates that end with the .pem extension. So we’ll need to modify the Base64 certificate from Azure before we can use it in the Zscaler Admin portal. Simply enough, just change the file extension to .pem from .cer

Back on the SAML page, scroll down again, and copy the Login URL, save it in your Notepad for later.

That’s the Azure side for enabling SAML for Zscaler, next post I will walk through the Zscaler side, which is detailed here in the very useful Zscaler Help site.