How to Configure SAML 2.0 for ZScaler

Contents

• Supported Features
• Configuration Steps
  • Setup Active Directory integration with ZScaler for Auto-Provisioning
• Notes

---

Supported Features

The Okta/Zscaler SAML integration currently supports the following features:

• SP-initiated SSO
• JIT (Just In Time) Provisioning

For more information on the listed features, visit the Okta Glossary.

---

Configuration Steps

1. Log into the ZScaler application.

2. Navigate to Administration > Authentication Settings:

   

3. For Authentication Type, select SAML.

4. Click Configure SAML:

   

5. In the Identity Provider (IDP) Options section of the SAML Configuration screen, enter the following:

   • SAML Portal URL: Copy and paste the following:

     Sign in to the Okta Admin app to have this variable generated for you.

   • Login Name Attribute: Enter NameID.

   • Public SSL Certificate: Download and save the following certificate for upload:

     Sign in to the Okta Admin app to have this variable generated for you.

     Then click Upload to upload it to Zscaler.

   • Sign SAML request: Activate.

   • Select SHA-2 (256-bit).

   • Click Save:

   

6. Done!

View smaller screenshot

Setup Active Directory integration with ZScaler for Auto-Provisioning

To setup a Auto-Provisioning on ZScaler, first setup Okta application integration:

In Okta, on the General tab for ZScaler, click Edit, then enter following:

1. Select Display name mapping to Use. The user's display name, a concatenation of their first name and last name, is mapped to the attribute statement in the SAML Response.

2. Select Department mapping to AD Department.
   The user's AD department is mapped to the attribute statement in the SAML Response

3. Select Group mapping to Use. User's groups is mapped to the attribute statement in the SAML Response.

4. Member of regular expression is used in conjunction with Group mapping.
   The expression is used to filter groups. Groups that match the configured filter are mapped to the attribute statement in the SAML Response.

Setup SAML Auto-Provisioning Options

On the ZScaler Administration page, complete the following steps.

1. Click Manage Users & Authentication.

2. Click Edit, then click Configure SAML Single Sign-On parameters.

3. Click Enable SAML Auto-Provisioning.

4. For Attribute containing User Display Name enter the following:
    
   DisplayName

5. For Attribute containing Group Name enter the following:
    
   memberOf

6. For Attribute containing Department Name enter the following:
   Department

7. Click Save:

   

8. Open a browser window.

9. Set your browser proxy to gateway.[ yourZScalerDomain]:80.

   For example if your ZScaler Domain is zscalerbeta.net; use gateway.zscalerbeta.net:80 proxy.

10. Add your Okta URL host ([yourSubdomain].okta.com) and *.oktacdn.com to the proxy bypass list.

    For example if you log into https://acme.okta.com/; enter acme.okta.com.

    Here is an example, shown in a Firefox browser:

    

Your users are ready to single sign-on to ZScaler.

---

Notes

• Make sure that you entered the correct value in the Your ZScaler Domain field under the General tab in Okta. Using the wrong value will prevent you from authenticating via SAML to ZScaler.

• The following SAML attributes are supported:

  Name	Value
  DisplayName, Department, memberOf	This is configured in the app UI; see Setup Active Directory integration with ZScaler for Auto-Provisioning instructions above.

For SP-initiated SSO

1. Open your site.
2. You will be redirected to https://gateway.[yourZScalerDomain] and prompted for a User Name.

3. Enter your User Name, then click Sign In: