icon-bi.svg
Business Insights

Onboarding SaaS Apps for Business Insights

Business Insights receives signals and data from 4 data sources: the Zscaler Internet Access (ZIA) service, identity providers (IdPs), direct SaaS application connector integrations, and custom application signatures. To pull usage information directly from the app and view accurate insights that overextend other data sources, Zscaler recommends configuring a direct SaaS application connector (requires admin access to the app) for the supported apps. However, you can view Business Insights metrics even when you're unable to configure a connector for a specific app with the help of ZIA and IdP-sourced data by simply specifying the plan information. This article explains how to configure discovered and connector-supported apps for Business Insights computation.

To onboard a SaaS application:

  1. Add the application using one of the following options:

    • Go to Application > Application Insights > Add App.

      The Configuration page appears.

      The page shows the list of applications for which the Business Insights service supports connector integration. Hence, the Business Insights service assumes that you want to configure an application connector from one of the connector-supported apps and doesn't show the second choice in Step 3.

      If you want to skip the connector configuration for a connector-supported app and set up a ZIA or IdP gathered insights mechanism, click the Add icon for the application from the All Applications page or the Top 10 Discovered Applications table.

    • Go to Application > Application Insights > Discovered Apps. Click the Add icon for an application from the Top 10 Discovered Applications table.

    • Go to Application > All Applications. Click the Add icon for an application.

    • Go to Application > Application Insights > Cost Savings. Click the Add icon for an application.

      If you click the Add icon for an application that has connector integration support, the Business Insights service skips Step 2. If you click the Add icon for an application that doesn't have connector integration support, the Business Insights service skips the first choice in Step 3.

  2. Under Choose SaaS Application, select the SaaS applications you want to configure.

  3. Configure a connector for the app and then provide the licensing information. You can also skip the connector configuration and just provide the licensing information if you don't have admin access to the app, or don't want to configure the connector.

    • Follow the steps for the application that you selected to set up a connector configuration:

      • To configure Box:

        1. Under Tenant Name, enter a name for the application tenant.
        2. Click Next.

        3. Copy the information from the Zscaler SaaS Connector field. You need it for Step i when adding a custom application for Box.

        4. Click Provide Admin Credentials.

          The Box portal appears.

        5. Log in to Box with your admin credentials.

          You are redirected to the Box Admin console.

        6. Go to Apps.

        7. Click the Custom Apps Manager tab.

        8. Click Add App.

          The Add App window appears.

        9. In the Add App window:

          1. Client ID: Enter the Zscaler SaaS Connector value you copied in Step c.

          2. Click Next.

          3. Review the permissions requested by the Business Insights service to access Box, then click Authorize and Okay.

        10. In the Box Admin console, go to Account & Billing.

        11. Under Account Information, copy the Enterprise ID.

        12. In the Business Insights Admin Portal, under Box Enterprise ID, enter the enterprise ID you copied from the Box portal in the previous step. This ID is used to identify the tenant.

        13. Click Next.

          The Business Insights service begins to retrieve your subscription details and establish an API connection. This might take a few minutes or hours. After the connector is configured successfully for the application, you can enter the subscription details.

          You can navigate away from the page while the Business Insights service establishes the connection; you're notified after the connector is configured successfully.

        14. Complete the following subscription fields:
          • Purchased Seats: The number of seats purchased as part of the subscription.
          • Assigned Seats: The number of seats assigned to the users from the purchased seats.
          • Per User License Cost: The cost incurred to buy one seat per month.
          • Contract Start Date: The start date of the subscription.
          • Contract End Date: The end date of the subscription.
        15. Click Complete.

        The application is successfully onboarded.

        Close

      • To configure GitHub:

        1. Under Tenant Name, enter a name for the application tenant.

        2. Click Next, then Provide Admin Credentials.

          The GitHub portal appears.

        3. Log in to GitHub with an admin account.
        4. A confirmation page appears with the permissions that the connector requires. Click Allow.

        5. In the Business Insights Admin Portal, under GitHub Admin Email ID, enter your GitHub admin email ID.

        6. Click Next.

          The Business Insights service begins to retrieve your subscription details and establish an API connection. This might take a few minutes or hours. After the connector is configured successfully for the application, you can enter the subscription details.

          You can navigate away from the page while the Business Insights service establishes the connection; you're notified after the connector is configured successfully.

        7. Complete the following subscription fields:
          • Purchased Seats: The number of seats purchased as part of the subscription.
          • Assigned Seats: The number of seats assigned to the users from the purchased seats.
          • Per User License Cost: The cost incurred to buy one seat per month.
          • Contract Start Date: The start date of the subscription.
          • Contract End Date: The end date of the subscription.
        8. Click Complete.

        The application is successfully onboarded.

        Close

      • To configure Google Workspace:

        1. Under Tenant Name, enter a name for the application tenant.
        2. Click Next.

        3. Copy the information from the Zscaler SaaS Connector and Google Workspace Scope fields. You need it for Step i when adding an API client for Google Workspace.

        4. Click Provide Admin Credentials.

          The Google Workspace portal appears.

        5. Log in to Google Workspace with your admin credentials.

          You're redirected to the Google Admin console.

        6. Go to Security > Access and data control > API controls.

        7. Under Domain wide delegation, click MANAGE DOMAIN WIDE DELEGATION.

        8. Click Add new.

          The Add a new client ID window appears.

        9. In the Add a new client ID window:
          • Client ID: Enter the Zscaler SaaS Connector value you copied in Step c.
          • Overwrite existing client ID: Deselect this checkbox.

          • OAuth scopes (comma-delimited): Enter the Google Workspace scope you copied in Step c. This OAuth scope grants read-only access to the usage reporting API.

        10. Click Authorize.

          The Zscaler Connector App is added as an API client.

        11. In the Business Insights Admin Portal, under Google Admin Email ID, enter your admin email ID used to log in to the Google Admin console.

        12. Click Next.

          The Business Insights service begins to retrieve your subscription details and establish an API connection. This might take a few minutes or hours. After the connector is configured successfully for the application, you can enter the subscription details.

          You can navigate away from the page while the Business Insights service establishes the connection; you're notified after the connector is configured successfully.

        13. Click Next.
        14. Complete the following subscription fields:
          • Purchased Seats: The number of seats purchased as part of the subscription.
          • Assigned Seats: The number of seats assigned to the users from the purchased seats.
          • Per User License Cost: The cost incurred to buy one seat per month.
          • Contract Start Date: The start date of the subscription.
          • Contract End Date: The end date of the subscription.
        15. Click Complete.

        The application is successfully onboarded.

        Close

      • To configure Microsoft 365:

        1. Under Tenant Name, enter a name for the application tenant.

        2. Click Next, then Provide Admin Credentials.

          The Microsoft 365 portal appears.

        3. Log in to Microsoft 365 with your admin credentials.

          A confirmation page appears requesting the permissions required to configure the connector.

        4. Review the permissions for the Business Insights service to access the Microsoft account, and click Accept.

          The Business Insights service begins to retrieve your subscription details and establish an API connection. This might take a few minutes or hours. After the connector is configured successfully for the application, you can enter the subscription details.

          You can navigate away from the page while the Business Insights service establishes the connection; you're notified after the connector is configured successfully.

        5. Click Next.
        6. Complete the following subscription fields:
          • Purchased Seats: The number of seats purchased as part of the subscription.
          • Assigned Seats: The number of seats assigned to the users from the purchased seats.
          • Per User License Cost: The cost incurred to buy one seat per month.
          • Contract Start Date: The start date of the subscription.
          • Contract End Date: The end date of the subscription.
        7. Click Complete.

        The application is successfully onboarded.

        Close

      • To configure Okta:

        • Register Business Insights with Okta by creating an app integration in the Okta Admin console.

          To integrate the application:

          1. Log in to the Okta Admin console.
          2. From the Okta Admin console, go to Applications > Applications.

          3. Click Create App Integration.

            The Create a new app integration window appears

          4. In the Create a new app integration window:
            1. Select OIDC - OpenID Connect as the Sign-in method.

            2. Select Web Application as Application type.

          5. Click Next.

            The New Web App Integration window appears.

          6. In the New Web App Integration window:

            • App integration name: Enter Business Insights. In this article, we use okta-connector-test as an example.
            • Grant type: Select the Authorization Code and Refresh Token checkboxes.

            • Sign-in redirect URIs: Enter https://admin.zscaleranalytics.net/admin/onboarding-wizard

            • Controlled access: Select Skip group assignment for now.

            • Skip the other fields and click Save.

            You're redirected to the Business Insights app configuration page in Okta.

          7. On the app configuration page, click the Okta API Scopes tab.

          8. Click Grant for the following API Scopes:

            • okta.apps.read
            • okta.logs.read
            • okta.userTypes.read
            • okta.users.read

            The app is successfully integrated with Business Insights.

          Close

        • After the app is successfully integrated, assign your Okta Admin account to the Business Insights app.

          To assign the admin account:

          1. From the Okta Admin console, go to the Applications > Applications.
          2. Search and click on the Business Insights app integration.
          3. Go to the Assignments tab.
          4. Click Assign > Assign to People.
          5. Search for your Okta Admin account.

          6. Click Assign, then Save and Go Back.

          7. Click Done.
          Close

        • Copy the following information from the General tab of the Business Insights app configuration page in your Okta Admin console:

          • Client ID
          • Client Secret

          Close

        • In the Business Insights Admin Portal:

          1. Under Tenant Name, enter a name for the application tenant.
          2. Click Next.

          3. Under Register the Oauth Application:

            • Client ID: Paste the Client ID that you copied from Okta Admin console.
            • Client Secret: Paste the Client ID that you copied from Okta Admin console.
            • Okta Domain: Enter your organization's Okta domain URL.

          4. Click Authorize.

            The Okta authentication page appears.

          5. Authenticate with your Okta Admin credentials and click Next.

            The Business Insights service begins to retrieve your subscription details and establish an API connection. This might take a few minutes or hours. After the connector is configured successfully for the application, you can enter the subscription details.

            You can navigate away from the page while the Business Insights service establishes the connection; you're notified after the connector is configured successfully.

          6. Complete the following subscription fields:
            • Purchased Seats: The number of seats purchased as part of the subscription.
            • Assigned Seats: The number of seats assigned to the users from the purchased seats.
            • Per User License Cost: The cost incurred to buy one seat per month.
            • Contract Start Date: The start date of the subscription.
            • Contract End Date: The end date of the subscription.
          7. Click Complete.

          The application is successfully onboarded.

          Close
        Close

      • To configure Salesforce:

        • You must install the ZscalerBIPackage, which contains the information for the connector configuration.

          To install the ZscalerBIPackage for Salesforce:

          1. Click the URL in the email from the Salesforce team.

            You're redirected to the Install ZscalerBIPackage page.

          2. On the Install ZscalerBIPackage page:
            1. Ensure the Install for Admins Only checkbox is selected.
            2. Select the I acknowledge that I’m installing a Non-Salesforce Application that is not authorized for distribution as part of Salesforce’s AppExchange Partner Program checkbox.
            3. Click Install.

          3. After installation is complete, click Done.

          Close

        • Create a permission set to assign to your user account and the application connector.

          To create a permission set:

          1. Log in to the Salesforce portal.

          2. From the left-side navigation, go to Users > Permission Sets.

          3. Click New.

            The Permission Set Create window appears.

          4. In the Permission Set Create window:

            • Label: Enter a label for the permission set. In this example, it's Zscaler SaaS Connector User.
            • API Name: This field populates based on the label you enter.
            • License: Select Salesforce.

          5. Click Save.

          6. In the Apps section, click App Permissions.

          7. Click Edit.

          8. In the Content section, select the following Permission Name checkboxes:

            • Manage record types and layouts for Files
            • Manage Salesforce CRM Content
            • Query All Files

          9. Click Save and then Save again to confirm.
          Close

        • Assign the permission set you created to your Salesforce user account.

          To assign the permission set to your user account:

          1. In the left-side navigation, go to Users > Users.

          2. In the Full Name column, click on your admin name.

          3. In the User Details section, select the Salesforce CRM Content User checkbox.

          4. In the Permission Set Assignments section, click Edit Assignments.

            The Permission Sets window appears.

          5. In the Permission Sets window, under Available Permission Sets, select the permission set you configured in Step b, and click Add. In this example, it's Zscaler SaaS Connector User.

          6. Click Save.
          Close

        • To configure the Salesforce CRM Content settings:

          1. In the left-side navigation, go to Feature Settings > Salesforce Files > Salesforce CRM Content.

          2. Select the following Salesforce CRM Content checkboxes:

            • Enable Salesforce CRM Content
            • Autoassign feature licenses to existing and new users
            • Files user interface allows sharing files with libraries

          3. Click Save.
          Close

        • To configure the application connector:

          1. In the left-side navigation, go to Apps > App Manager.

          2. Click the down arrow icon for the Zscaler SaaS Connector application.

          3. Click Manage.

          4. Click Edit Policies.

            The Connected App Edit window appears.

          5. In the Connected App Edit window:

            • Permitted Users: Select Admin approved users are pre-authorized.
            • IP Relaxation: Select Relax IP restrictions.
            • Refresh Token Policy: Ensure Refresh token is valid until revoked is selected.

          6. Click Save.

          7. In the Profiles section, click Manage Profiles.

            The Application Profile Assignment window appears.

          8. In the Application Profile Assignment window, select the System Administrator checkbox.

          9. Click Save.

          10. In the Permission Sets section, click Manage Permission Sets.

            The Application Permission Set Assignment window appears.

          11. In the Application Permission Set Assignment window, select the permission set you configured in Step b. In this example, it's Zscaler SaaS Connector User.

          12. Click Save.
          13. In the Business Insights Admin Portal, under Tenant Name, enter a name for the application tenant.
          14. Click Next.

          15. Under Tenant Type, select the appropriate tenant type based on your deployment:

            • Sandbox Account: This option allows you to access Salesforce from the test.salesforce.com URL, where you can test your changes without affecting your customers until you move it to your production environment.
            • Production Account: This option allows you to access Salesforce from the login.salesforce.com URL, where your changes affect your customers directly as they are applied to your production environment.

            You can add both tenant types separately, but you can't change from a sandbox tenant type to production, or vice versa.

          16. Under Salesforce Admin Email ID, enter your admin email ID used to log in to the Salesforce portal.

          17. Click Next.

            The Business Insights service begins to retrieve your subscription details and establish an API connection. This might take a few minutes or hours. After the connector is configured successfully for the application, you can enter the subscription details.

            You can navigate away from the page while the Business Insights service establishes the connection; you're notified after the connector is configured successfully.

          18. Complete the following subscription fields:
            • Purchased Seats: The number of seats purchased as part of the subscription.
            • Assigned Seats: The number of seats assigned to the users from the purchased seats.
            • Per User License Cost: The cost incurred to buy one seat per month.
            • Contract Start Date: The start date of the subscription.
            • Contract End Date: The end date of the subscription.
          19. Click Complete.
          Close
        Close

      • To configure ServiceNow:

        • To verify the the OAuth 2.0 plugin is installed and active:

          1. Log in to your ServiceNow instance.

          2. Go to System Applications > All Available Applications > All.

          3. Enter OAuth 2.0 in the search field. The OAuth 2.0 plugin appears. Ensure it's installed.

            If the plugin isn't installed, click Install and then Activate.

          Close

        • To verify that the OAuth property is active:

          1. In the Filter navigator, search for sys_properties.list and press Enter on your keyboard.

          2. On the System Properties page, enter com.snc.platform.security.oauth.is.active in the search bar and press Enter on your keyboard.

          3. Ensure that the Value column for the com.snc.platform.security.oauth.is.active property is true.

            If it's not, in the Name column, click com.snc.platform.security.oauth.is.active, enter true in the Value field, and then click Update.

          Close

        • To configure an OAuth client application:

          1. Go to System OAuth > Application Registry.

          2. Click New.

          3. Click Create an OAuth API endpoint for external clients.

            The Application Registries New Record window appears.

          4. In the Application Registries New Record window:

            • Name: Enter a name for the OAuth client application. In this example, it's Zscaler SaaS Application Tenant.
            • Client ID: Copy the client ID of the application. You need it for Step ii of d. Add ServiceNow as a Tenant.
            • Client Secret: The shared secret of the application, which the ServiceNow instance and the OAuth client application use to authorize their communication. The secret generates after you submit this application registry.
            • Refresh Token Lifespan: The default lifespan is 8,640,000 seconds (100 days). Zscaler recommends changing it to a larger value, such as 157,700,000 seconds (5 years) because you'll need to configure ServiceNow as a new tenant after the refresh token expires.
            • Access Token Lifespan: The default value is 1,800 seconds (30 minutes). Zscaler recommends changing it to a larger value, such as 86,400 seconds (24 hours).

          5. Click Submit.

          6. On the Application Registries page, in the Name column, click the name of the configured OAuth client application. In this example, it's Zscaler SaaS Application Tenant.

            The Application Registries window appears.

          7. In the Application Registries window, click the Lock icon for Client Secret.

          8. Copy the value from the Client Secret field. You need it for Step iii of d. Add ServiceNow as a Tenant.

          Close

        • To configure ServiceNow:

          1. In the Business Insights Admin Portal, under Tenant Name, enter a name for the SaaS application tenant.
          2. Click Next.
          3. Complete the following fields:
            • Client ID: Enter the client ID you copied in c. Configure an OAuth Client Application.
            • Client Secret: Enter the client secret you copied in c. Configure an OAuth Client Application.
            • Instance URL: Enter the URL used to log in to your ServiceNow instance.
            • User ID: Enter the user ID of the user account used to configure the OAuth client application.
            • User Password: Enter the password of the user account used to configure the OAuth client application.

            • ServiceNow Admin Email ID: Enter the admin email ID used to log in to your ServiceNow instance.

          4. Click Authorize.

            The Business Insights service begins to retrieve your subscription details and establish an API connection. This might take a few minutes or hours. After the connector is configured successfully for the application, you can enter the subscription details.

            You can navigate away from the page while the Business Insights service establishes the connection; you're notified after the connector is configured successfully.

          5. Complete the following subscription fields:
            • Purchased Seats: The number of seats purchased as part of the subscription.
            • Assigned Seats: The number of seats assigned to the users from the purchased seats.
            • Per User License Cost: The cost incurred to buy one seat per month.
            • Contract Start Date: The start date of the subscription.
            • Contract End Date: The end date of the subscription.
          6. Click Complete.
          Close

        The application is successfully onboarded. To learn more about the steps in ServiceNow, refer to the ServiceNow documentation.

        Close

      • To configure Slack:

        1. Under Tenant Name, enter a name for the application tenant.

        2. Click Next, then Provide Admin Credentials.

          The Slack portal appears.

        3. Log in to Slack.

          You are redirected to a permissions page.

        4. From the top right drop-down menu, select the workspace of your organization. Ensure you are not selecting the workspace under the Your organizations section, and instead select from the Other workspaces section.

        5. Review the required permissions for the Business Insights service to access Slack, then click Allow.

        6. In the Business Insights Admin Portal, under Slack Admin Email ID, enter the admin email ID used to log in to the Slack portal.

        7. Click Next.

          The Business Insights service begins to retrieve your subscription details and establish an API connection. This might take a few minutes or hours. After the connector is configured successfully for the application, you can enter the subscription details.

          You can navigate away from the page while the Business Insights service establishes the connection; you're notified after the connector is configured successfully.

        8. Complete the following subscription fields:
          • Purchased Seats: The number of seats purchased as part of the subscription.
          • Assigned Seats: The number of seats assigned to the users from the purchased seats.
          • Per User License Cost: The cost incurred to buy one seat per month.
          • Contract Start Date: The start date of the subscription.
          • Contract End Date: The end date of the subscription.
        9. Click Complete.

        The application is successfully onboarded.

        Close
      Close

    • Follow the steps if you want to skip the connector configuration for a supported app and set up a ZIA or IdP gathered insights mechanism, or if you don't have the admin access to set up the connector:

      1. Under Tenant Name, enter a name for the SaaS application tenant.
      2. Click Next.
      3. Complete the following fields:
        • Purchased Seats: The number of seats purchased as part of the subscription.
        • Assigned Seats: The number of seats assigned to the users from the purchased seats.
        • Per User License Cost: The cost incurred to buy one seat per month.
        • Contract Start Date: The start date of the subscription.
        • Contract End Date: The end date of the subscription.
      4. Click Complete.

      The application is successfully onboarded.

      Close

Related Articles
About Application ConfigurationOnboarding SaaS Apps for Business InsightsCreating Custom Application SignaturesUploading Application ContractsAbout the Processing QueueManaging Queued ContractsContract Settings