Cloud & Branch Connector
Admin SAML Configuration Guide for Azure Active Directory
This guide demonstrates how to configure Microsoft Azure Active Directory (Azure AD) as the identity provider (IdP) for Zscaler Cloud & Branch Connector and use SAML single-sign-on (SSO) for your organization's admins. To learn more about how to configure SAML within the Azure portal, refer to the Microsoft documentation.
Prerequisites
Ensure that you have the following before you start configuring Azure AD as the IdP:
- Existing Azure AD account
- Zscaler cloud name
- Admin accounts created for your organization's admins
If you are subscribed to ZIdentity, some of the following options are only configurable within the ZIdentity Admin Portal. To learn more, see What Is ZIdentity?
Configuring SAML Admin SSO with Azure AD
To configure Azure AD as the IdP for Cloud & Branch Connector and use SAML SSO for admins:
- Step 1: Add the Zscaler Cloud and Branch Connector Administrator Application
  - Sign in to the Azure portal.
  - Go to Azure Active Directory.
  - On the left-side navigation, click Enterprise applications.
  - Click New application. The Browse Azure AD Gallery page appears.
  - On the Browse Azure AD Gallery page, click Create your own application.
  - In the Create your own application window, for What's the name of your app?, enter Zscaler Cloud and Branch Connector Administrator Application.
  - Click Create.
- Step 2: Configure the SAML Admin SSO in Azure
  To configure SAML admin SSO in Azure:
  - On the left-side navigation of the Zscaler Cloud and Branch Connector Administrator Application, click Single sign-on.
  - Click SAML.
  - In the Basic SAML Configuration section, click the Edit icon.
  - In the Basic SAML Configuration window:
    - Identifier (Entity ID): Enter connector.<Zscaler Cloud>.net as the identifier.
    - Reply URL (Assertion Consumer Service URL): The Zscaler cloud name depends on the URL you use to log in to the Zscaler service. For example, if you log in to https://connector.Zscalerbeta.net, then enter https://connector.Zscalerbeta.net/bac-adminsso.do. In the Index field, enter 1.
    - Sign on URL (Optional): Leave this field blank.
    - Relay State (Optional): Leave this field blank.
    - Logout URL (Optional): Leave this field blank.
  - Click Save and exit the window.
  - When prompted to Test single sign-on with Zscaler Cloud and Branch Connector Administrator Application, click No, I'll test later.
  - (Optional) In Attributes & Claims, edit the Unique User Identifier if required by your organization.
  - In SAML Certificates, download the Certificate (Base64). You need this certificate in order to configure SAML admin SSO in the Cloud & Branch Connector Admin Portal.
  - In Set up Zscaler Cloud and Branch Connector Administrator Application, copy the Azure AD Identifier. You need this identifier in order to configure SAML admin SSO in the Cloud & Branch Connector Admin Portal.
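The values entered in Basic SAML Configuration (Identifier, Reply URL) and the Azure AD Identifier copied here are what the Zscaler side compares, as exact strings, against the assertion Azure AD sends. The following added example (not Zscaler's or Microsoft's code) shows which fields of a SAML Response must match those settings; it assumes the cloud name from the guide, a placeholder tenant ID, and a constructed, unsigned response.

```python
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def sp_settings(cloud_name):
    """Entity ID and Reply URL exactly as they are typed into Basic SAML Configuration."""
    host = f"connector.{cloud_name}.net"
    return {"entity_id": host, "acs_url": f"https://{host}/bac-adminsso.do"}


def _utc(ts):
    # SAML timestamps are UTC with a trailing Z; fromisoformat needs an explicit offset
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def check_response(xml_text, cloud_name, idp_identifier, now_iso):
    """Compare a SAML Response against the configured values; return a list of mismatches.

    Empty list: Destination, Issuer, Audience and validity window all agree with what
    was configured. XML signature verification is a separate step not modelled here.
    """
    sp = sp_settings(cloud_name)
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != sp["acs_url"]:
        problems.append("Destination != Reply URL")
    if root.findtext("saml:Assertion/saml:Issuer", namespaces=NS) != idp_identifier:
        problems.append("Issuer != Azure AD Identifier")
    audience = root.findtext(
        "saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != sp["entity_id"]:
        problems.append("Audience != Identifier (Entity ID)")
    conditions = root.find("saml:Assertion/saml:Conditions", NS)
    if _utc(now_iso) >= _utc(conditions.get("NotOnOrAfter")):
        problems.append("assertion expired")
    return problems


# Constructed sample with a placeholder tenant ID; not a real Azure AD tenant or response.
IDP_ID = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="https://connector.Zscalerbeta.net/bac-adminsso.do">
  <saml:Assertion><saml:Issuer>{IDP_ID}</saml:Issuer>
    <saml:Conditions NotOnOrAfter="2030-01-01T00:00:00Z"><saml:AudienceRestriction>
      <saml:Audience>connector.Zscalerbeta.net</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    print(check_response(SAMPLE, "Zscalerbeta", IDP_ID, "2029-06-01T12:00:00Z"))  # []
    # A cloud name typed with different case fails both URL checks: the match is exact.
    print(check_response(SAMPLE, "zscalerbeta", IDP_ID, "2029-06-01T12:00:00Z"))
```

A non-empty list is the same class of mismatch that shows up as a failed admin login after a typo in the Identifier or Reply URL, so run the check against the values you actually saved in Azure.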
- Step 3: Assign Admins to Zscaler Cloud and Branch Connector Administrator Application
  For Azure AD admins to authenticate through the Zscaler service, you must assign Azure AD admins to the Zscaler Cloud and Branch Connector Administrator Application. To assign admins to the Zscaler Cloud and Branch Connector Administrator Application in Azure:
  - On the left-side navigation of the Zscaler Cloud and Branch Connector Administrator Application, click Users and groups.
  - Click Add user/group.
  - In the Add Assignment window, click Users and groups.
  - In the Users and groups window, select the admins you want to assign to the Zscaler Cloud and Branch Connector Administrator Application, then click Select.
  - In the Add Assignment window, click Assign.
- Step 4: (Optional) Enable IdP-Initiated SSO
  By default, the Zscaler Cloud and Branch Connector Administrator Application is visible to admins in their My Apps portal.
  To enable or disable application visibility:
  - On the left-side navigation for the Zscaler Cloud and Branch Connector Administrator Application, click Properties.
  - For Visible to users?, select Yes or No.
- Step 5: Configure SAML Admin SSO in the Cloud & Branch Connector Admin Portal
Testing the SAML Configuration
To test the SAML admin SSO, you can initiate the SAML connection from the Zscaler Cloud and Branch Connector Administrator Application. There are two ways to do this:
- Go to Microsoft My Apps Portal
  You can use this method if you have enabled application visibility, as described in the Enable IdP-Initiated SSO step.
  - Sign in to the Microsoft My Apps portal.
  - Click Zscaler Cloud and Branch Connector Administrator Application.
- Browse to the User Access URL
  If you have disabled application visibility, as described in the Enable IdP-Initiated SSO step, you can access the Zscaler Cloud and Branch Connector Administrator Application directly from your browser.
  - On the left-side navigation for the Zscaler Cloud and Branch Connector Administrator Application, click Properties.
  - Copy the User access URL.
  - Browse to the User Access URL. You are signed in to the Zscaler Cloud & Branch Connector Admin Portal.