Enabling authentication allows the Zscaler service to identify the traffic it receives so it can enforce the configured location, department, group and user policies, and provide user- and department-level logging and reporting.
Zscaler divides requests into two types of location –
1- Known location
2- Unknown location
1–>> A known location is one that has been defined in Zscaler for the company (typically by its public egress IP). When a user accesses a website from inside such a location, that traffic comes from a known location.
2–>> An unknown location is one that has not been defined in Zscaler for the company.
Note –>> By default, Zscaler applies policy based on the location the traffic comes from.
If we still want user-based policy applied to traffic that the service cannot authenticate, we can use the Surrogate IP method.
What is Surrogate IP –>> In some deployments at known locations, by mapping a user to a private IP address, Zscaler can apply the user’s policies instead of the location’s policies to traffic that it cannot authenticate. This is known as Surrogate IP.
When the Zscaler service receives traffic from a location that it cannot identify, it automatically requires users to authenticate themselves, because it cannot associate the traffic with a location.
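The policy-selection rules above (known vs. unknown location, and the Surrogate IP mapping of a private IP to a user) as an added illustrative model in JavaScript. This is not Zscaler's code and is not from the original post: the locations, egress IPs, users and the idle timeout for a surrogate mapping are constructed/assumed values chosen to exercise each rule.

```javascript
// Added example (illustrative model, not Zscaler's implementation).
// Rules modelled:
//   - authenticated traffic gets the user's policies;
//   - unauthenticated traffic from a known location gets the location's policies,
//     unless Surrogate IP maps that private IP to a previously authenticated user;
//   - unauthenticated traffic from an unknown location must authenticate first.

const KNOWN_LOCATIONS = [                              // constructed sample data
  { name: "HQ",     egressIp: "203.0.113.10", surrogateIp: true  },
  { name: "Branch", egressIp: "198.51.100.7", surrogateIp: false },
];
const SURROGATE_TTL_MS = 15 * 60 * 1000;               // assumed idle timeout

// "<location>|<privateIp>" -> { user, lastSeen }
const surrogateMap = new Map();

function lookupLocation(egressIp) {
  return KNOWN_LOCATIONS.find(l => l.egressIp === egressIp) || null;
}

// req: { egressIp, privateIp, user (string|null), now (ms since epoch) }
// returns { policy: "user" | "location" | "authenticate", subject, location }
function decidePolicy(req) {
  const loc = lookupLocation(req.egressIp);
  const key = loc ? `${loc.name}|${req.privateIp}` : null;

  if (req.user) {
    // Authenticated request: the user's policies apply. At a Surrogate IP
    // location, remember the private IP -> user binding for later traffic
    // from the same IP that carries no authentication.
    if (loc && loc.surrogateIp) {
      surrogateMap.set(key, { user: req.user, lastSeen: req.now });
    }
    return { policy: "user", subject: req.user, location: loc ? loc.name : null };
  }

  if (!loc) {
    // Unknown location and no identity: nothing to associate the traffic
    // with, so the service must require authentication.
    return { policy: "authenticate", subject: null, location: null };
  }

  if (loc.surrogateIp) {
    const entry = surrogateMap.get(key);
    if (entry && req.now - entry.lastSeen <= SURROGATE_TTL_MS) {
      entry.lastSeen = req.now;                        // refresh on use (idle timer)
      return { policy: "user", subject: entry.user, location: loc.name };
    }
    if (entry) surrogateMap.delete(key);               // stale mapping: drop it
  }

  // Known location, no user identity and no (live) surrogate mapping.
  return { policy: "location", subject: loc.name, location: loc.name };
}
```

The idle timeout is the security-relevant knob: a surrogate mapping attributes every packet from that private IP to the mapped user, so on subnets with shared devices, short DHCP leases or NAT, a long timeout can apply one user's permissive policy to somebody else's traffic and mislabel the logs.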
Five supported provisioning methods –
1- Identity Federation Using SAML
2- SCIM
3- Hosted User Database
4- Directory Server Synchronization
5- Zscaler Authentication Bridge
I recommend using the SAML method for authentication; I am also using the same method.
Benefits of SAML –
- No changes to existing firewall.
- First time authentication can be totally transparent to the user.
- Can be obtained for free through Zscaler partners.
Requirement –
You need to obtain a SAML identity provider (IdP) service and implement it.
STEP 1 –
Obtain the SAML SSL certificate from your identity provider (IdP). You will upload this certificate to the ZIA Admin Portal when you configure the service to use SAML.
STEP 2 –
Export the XML metadata from your IdP. You will use information from the metadata when you configure the service to use SAML.
STEP 3 –
If you are using a PAC file to forward traffic to the Zscaler service, add the IdP URL that users are redirected to for login to the authentication exemption list in the PAC file. Otherwise, authentication will fail.
STEP 4 –
If you are transparently forwarding traffic to the Zscaler service, you must exempt the SAML IdP traffic from the GRE or IPsec tunnel.
SAML Configuration with AD FS 2.0 —
Pre-requisites —
1–> An AD FS account with admin privileges
2–> An existing Active Directory (AD)
3–> The Zscaler cloud name
4–> The Zscaler SP SAML certificate
Configuring AD FS as the IdP for the Zscaler Service —
1- Add a Relying Party Trust
2- Upload the Zscaler SAML SSL certificate –
In the AD FS 2.0 window, open the Trust Relationships > Relying Party Trusts folder.
3- Download the AD FS SAML certificate –
In the AD FS 2.0 window, open the Service > Certificates folder, right-click the Token-signing certificate, and click View Certificate.
4- Configure SAML SSO in the ZIA Admin Portal –
Go to Administration > Authentication Settings.
5- Add AD FS to the Zscaler authentication exemptions list so that users can reach AD FS –
Go to Administration > Advanced Settings.
In the Authentication Exemptions section, enter your organization’s AD FS URL under Exempted URLs.
Please note – If you are using PAC files, also enter the AD FS URL in the PAC file exemption list. Otherwise, authentication will fail.
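Since the PAC exemption is called out twice (STEP 3 above and step 5 here), one worked PAC file as an added example, not from the original post and not Zscaler's hosted PAC. A PAC file is JavaScript, so it runs under Node.js as well as in a browser; the helpers dnsDomainIs and shExpMatch are normally supplied by the browser and are re-implemented here following the classic Netscape PAC definitions. The AD FS host, internal domain and proxy hostnames are placeholders (assumptions).

```javascript
// Added example (not from the page or Zscaler): minimal PAC file that sends
// web traffic to the Zscaler proxy but lets the AD FS IdP go DIRECT, so the
// SAML login redirect is not itself intercepted by the proxy.

// Browser-provided PAC helpers, re-implemented so the file runs in Node.js.
function dnsDomainIs(host, domain) {
  // Plain suffix match, exactly like the browser built-in. Caveat:
  // dnsDomainIs("evil-adfs.example.com", "adfs.example.com") is TRUE, so
  // pass a leading dot (".example.com") when you mean "subdomains of".
  return host.length >= domain.length &&
    host.slice(host.length - domain.length) === domain;
}
function shExpMatch(str, shexp) {
  // Shell-style wildcard match: * = any run of characters, ? = one character.
  const escaped = shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                       .replace(/\*/g, ".*")
                       .replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$").test(str);
}

// Placeholders (assumptions): your IdP host, internal domain and proxy string.
// Zscaler-hosted PAC files use ${GATEWAY} / ${SECONDARY_GATEWAY} macros in
// place of the literal proxy hostname shown here.
const ADFS_HOST = "adfs.example.com";
const INTERNAL_DOMAIN = ".corp.example.com";
const ZSCALER_PROXY = "PROXY gateway.example-cloud.net:80; DIRECT";

function FindProxyForURL(url, host) {
  // 1. The SAML IdP must bypass the Zscaler proxy: otherwise the redirect to
  //    AD FS during login is subject to authentication and the login fails.
  //    Exact host match, not a bare suffix match (see dnsDomainIs above),
  //    so that only the IdP is exempted from inspection.
  if (host === ADFS_HOST) {
    return "DIRECT";
  }
  // 2. Internal resources and RFC 1918 ranges stay on the LAN.
  if (dnsDomainIs(host, INTERNAL_DOMAIN) ||
      shExpMatch(host, "10.*") ||
      shExpMatch(host, "192.168.*")) {
    return "DIRECT";
  }
  // 3. Everything else goes to Zscaler, where it is authenticated and policed.
  return ZSCALER_PROXY;
}
```

Keep the exemption as narrow as the login flow needs: every host returned as DIRECT here leaves the proxy entirely, so a loose pattern such as "*adfs*" would let unrelated traffic bypass inspection. The PAC exemption is in addition to, not instead of, the Exempted URLs entry in the ZIA Admin Portal.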
Testing the SAML Configuration —
Note – This testing method only applies if you’re forwarding traffic using PAC files, GRE tunnels, or IPsec tunnels, and you’ve enabled Enforce Authentication.
If you’re already logged in to the Zscaler service, browse to https://login.<cloud_name>.net/zscaler.portal and click Logout. Replace <cloud_name> with your Zscaler cloud name.
Browse to a website. You will be redirected to AD FS and prompted to log in.
Enter your AD FS credentials, and you will automatically be redirected to the URL you originally requested.
Browse to ip.zscaler.com; the status window will show your username, indicating that authentication was successful.
Troubleshoot browser settings and SAML error codes