
About External Identity Providers

You can configure primary and secondary external identity providers (IdPs) in the Admin Portal based on your organization's requirements. When a user signs in, ZIdentity redirects them to the IdP whose configured criteria match that user. ZIdentity supports both OpenID Connect (OIDC) and Security Assertion Markup Language (SAML) configurations.

  • ZIdentity allows you to configure a maximum of 64 IdPs per organization.
  • Users and groups from the primary IdP are retained in ZIdentity even if the primary IdP is removed from ZIdentity. They are kept so that you can migrate the primary IdP from one IdP partner to another without losing identities.
  • Users and groups from the secondary IdP are not retained in ZIdentity if the secondary IdP is removed.

External IdPs provide the following benefits and enable you to:

  • Provide a quick and simple way for admins to assign multiple users to an IdP.
  • Configure IdPs with different protocols, such as OIDC and SAML for authentication and SCIM for user provisioning.
  • Configure multiple IdPs for different user domains.
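The following is an added illustrative model of the routing and retention rules described above; it is not Zscaler's code and does not reflect how ZIdentity is implemented internally. It assumes one primary IdP, secondary IdPs keyed by e-mail domain, the 64-IdP cap, and the stated retention behaviour on removal (identities from a removed primary are kept, those from a removed secondary are dropped). The class and function names (`IdPRegistry`, `route`, `provision`, `demo`) and the sample IdP names and domains are constructed for the example.

```python
from dataclasses import dataclass, field

MAX_IDPS = 64  # per-organization limit stated in the article


@dataclass
class IdP:
    name: str
    protocol: str                                # "OIDC" or "SAML"
    domains: set = field(default_factory=set)    # empty for the primary IdP
    enabled: bool = True


class IdPRegistry:
    """One organization's IdP configuration plus the identities it stores (toy model)."""

    def __init__(self):
        self.primary = None
        self.secondaries = {}   # IdP name -> IdP
        self.users = {}         # login -> name of the IdP that provisioned it

    def _count(self):
        return (1 if self.primary else 0) + len(self.secondaries)

    def add_primary(self, idp):
        if self.primary is not None:
            raise ValueError("a primary IdP is already configured")
        if idp.protocol not in ("OIDC", "SAML"):
            raise ValueError("unsupported protocol: %s" % idp.protocol)
        self.primary = idp

    def add_secondary(self, idp):
        # Article rules: a primary must exist first, and 64 IdPs is the cap.
        if self.primary is None:
            raise ValueError("configure a primary IdP first")
        if self._count() >= MAX_IDPS:
            raise ValueError("organization limit of %d IdPs reached" % MAX_IDPS)
        if idp.protocol not in ("OIDC", "SAML"):
            raise ValueError("unsupported protocol: %s" % idp.protocol)
        idp.domains = {d.lower() for d in idp.domains}   # domains compared case-insensitively
        if not idp.domains:
            raise ValueError("a secondary IdP needs at least one domain")
        for other in self.secondaries.values():
            if other.domains & idp.domains:
                raise ValueError("domain already assigned to %s" % other.name)
        self.secondaries[idp.name] = idp

    def route(self, login):
        """Name of the IdP a login is redirected to: domain match first, else the primary."""
        domain = login.rsplit("@", 1)[-1].lower()
        for idp in self.secondaries.values():
            if idp.enabled and domain in idp.domains:
                return idp.name
        if self.primary is None or not self.primary.enabled:
            raise LookupError("no enabled IdP can authenticate %s" % login)
        return self.primary.name

    def provision(self, login):
        """Record the identity under the IdP that authenticated it."""
        self.users[login] = self.route(login)
        return self.users[login]

    def remove(self, name):
        if self.primary is not None and self.primary.name == name:
            self.primary = None    # identities it provisioned are kept for migration
        elif name in self.secondaries:
            del self.secondaries[name]
            # identities provisioned by a removed secondary are not retained
            self.users = {u: p for u, p in self.users.items() if p != name}
        else:
            raise KeyError(name)


def demo():
    """Constructed walk-through: returns the routing decisions and the surviving users."""
    reg = IdPRegistry()
    reg.add_primary(IdP("entra-corp", "OIDC"))
    reg.add_secondary(IdP("okta-contractors", "SAML", {"contractors.example"}))
    routes = {login: reg.provision(login)
              for login in ("alice@example.com", "bob@contractors.example")}
    reg.remove("okta-contractors")   # Bob's identity is dropped with the secondary
    reg.remove("entra-corp")         # Alice's identity survives removal of the primary
    return routes, sorted(reg.users)
```

The domain-overlap check in `add_secondary` is the point a reviewer would look for in any multi-IdP setup: two IdPs claiming the same domain would make the redirect ambiguous, so the model rejects the second one rather than picking silently.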

Zscaler supports various third-party IdP solutions across OIDC and SAML protocols. The following table lists the external IdPs along with the supported protocol:

External IdP          OIDC (Recommended)                        SAML
Microsoft Entra ID    Supported (via Gallery App)               Supported
Okta                  Supported (via OIN App and Custom App)    Supported
Microsoft AD FS       Not supported                             Supported
PingOne               Supported                                 Supported
Auth0                 Supported                                 Supported
OneLogin              Supported                                 Supported
PingFederate          Supported                                 Supported

  • Zscaler recommends OIDC-based integration over SAML-based integration. Use SAML-based integration only if no OIDC-based integration is available to you.
  • Zscaler recommends SCIM-based provisioning over Just-in-Time (JIT) provisioning, because SCIM proactively synchronizes identities through APIs at scheduled or on-demand intervals. JIT, in contrast, updates identities reactively, relying on the attributes received during a user's login session.
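The following added example models the difference behind that recommendation; it is not Zscaler's code and the `IdentityStore`, `jit_login`, `scim_sync`, `deactivate` and `staleness_report` names, as well as the sample directory, are constructed for illustration. It assumes the simplest reading of the text: under JIT the service only learns a user's attributes when that user completes a login, while under SCIM the IdP pushes the current state on its own schedule.

```python
import copy

# Constructed sample: the IdP's directory as the service last saw it.
DIRECTORY = {
    "alice@example.com": {"groups": {"finance"}, "active": True},
    "bob@example.com": {"groups": {"engineering"}, "active": True},
}


class IdentityStore:
    """The consuming service's copy of users and their group memberships (toy model)."""

    def __init__(self):
        self.users = {}

    def jit_login(self, login, directory):
        """JIT: attributes arrive only inside a successful login."""
        record = directory.get(login)
        if record is None or not record["active"]:
            return False   # IdP rejects the login; the local copy is untouched
        self.users[login] = {"groups": set(record["groups"]), "active": True}
        return True

    def scim_sync(self, directory):
        """SCIM: the IdP pushes the full current state on its schedule."""
        for login, record in directory.items():
            self.users[login] = {"groups": set(record["groups"]),
                                 "active": record["active"]}
        for login in self.users:
            if login not in directory:
                self.users[login]["active"] = False  # deleted at the source


def deactivate(directory, login):
    """Simulate offboarding at the IdP: the account is disabled and loses all groups."""
    changed = copy.deepcopy(directory)
    changed[login]["active"] = False
    changed[login]["groups"] = set()
    return changed


def staleness_report(directory=DIRECTORY, login="bob@example.com"):
    """What each provisioning mode believes about a user who was deactivated
    at the IdP after their last login and never logs in again."""
    jit, scim = IdentityStore(), IdentityStore()
    for user in directory:            # both users logged in once before the change
        jit.jit_login(user, directory)
    scim.scim_sync(directory)

    after = deactivate(directory, login)
    scim.scim_sync(after)             # the next scheduled push carries the change
    jit.jit_login(login, after)       # the login now fails, so JIT learns nothing
    return {"jit": jit.users[login], "scim": scim.users[login]}
```

The report shows the practical risk: with JIT, a user disabled at the IdP still appears active with their old group memberships until some login-driven refresh happens, whereas the SCIM copy reflects the deactivation at the next push. That lag is why proactive synchronization matters for deprovisioning and group-based policy.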

About the External Identities Page

On the External Identities page (Administration > Identity > ZIdentity > External Identities), you can do the following:

  1. View the configured primary IdP. For the primary IdP, you can see:

    • Name: The IdP's name.
    • Type: The type of authentication method used by the IdP.
    • Status: Whether the IdP is enabled or disabled.

    If you haven't configured a primary IdP yet, click Add Primary IdP to start the IdP configuration.

  2. View the configured secondary IdPs. For each secondary IdP, you can see:

    • Name: The IdP's name.
    • Type: The type of authentication method used by the IdP.
    • Domain: The domains assigned to the IdP.
    • Status: Whether the IdP is enabled or disabled.

  3. Add Secondary IdP.

    You must configure a primary IdP before you configure secondary IdPs.

  4. Edit or delete an IdP.
