About External Identity Providers
You can configure one primary and several secondary external identity providers (IdPs) in the Admin Portal based on your organization's requirements. ZIdentity redirects each user to the IdP whose configured criteria match that user (for example, the domain assigned to a secondary IdP), and that IdP authenticates the user. ZIdentity supports both OpenID Connect (OIDC) and Security Assertion Markup Language (SAML) configurations.
- ZIdentity allows you to configure a maximum of 64 IdPs per organization.
- Users and groups from the primary IdP are retained in ZIdentity even if the primary IdP is removed. This retention makes it easy to migrate the primary IdP from one IdP partner to another.
- Users and groups from a secondary IdP are not retained in ZIdentity if that secondary IdP is removed.
External IdPs provide the following benefits. They let you:
- Assign multiple users to an IdP quickly and simply.
- Use different protocols for different purposes, such as OIDC or SAML for authentication and SCIM for user provisioning.
- Configure multiple IdPs, each serving a different set of user domains.
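The redirect-by-criteria behaviour described above, as an added illustrative model that is not ZIdentity's own code. It assumes that the routing criterion is the domain of the user's login identifier (the Domain field on secondary IdPs), that a domain must match exactly, that a user whose domain matches no secondary IdP is sent to the primary IdP, that a matched but disabled secondary IdP fails closed, and that the 64-IdP limit counts the primary. The class and function names are hypothetical.

```python
from __future__ import annotations

from dataclasses import dataclass

MAX_IDPS_PER_ORG = 64  # per-organization limit stated on the page


@dataclass(frozen=True)
class IdP:
    name: str
    protocol: str                       # "OIDC" or "SAML"
    enabled: bool = True
    domains: frozenset = frozenset()    # empty for the primary IdP


class IdPRouter:
    """Hypothetical router: secondaries own exact domains, the primary takes the rest."""

    def __init__(self, primary: IdP):
        if not primary.enabled:
            raise ValueError("primary IdP must be enabled")
        self.primary = primary
        self.secondaries: list[IdP] = []

    def add_secondary(self, idp: IdP) -> None:
        # Assumption: the primary counts toward the organization-wide cap.
        if 1 + len(self.secondaries) >= MAX_IDPS_PER_ORG:
            raise ValueError(f"organization limit of {MAX_IDPS_PER_ORG} IdPs reached")
        if not idp.domains:
            raise ValueError("a secondary IdP needs at least one domain")
        domains = frozenset(d.lower() for d in idp.domains)
        claimed = {d for s in self.secondaries for d in s.domains}
        if domains & claimed:
            raise ValueError(f"domain(s) already assigned: {sorted(domains & claimed)}")
        self.secondaries.append(IdP(idp.name, idp.protocol, idp.enabled, domains))

    @staticmethod
    def domain_of(login: str) -> str:
        # Split on the LAST '@' so an '@' inside the local part cannot steer routing;
        # compare case-insensitively because DNS names are case-insensitive.
        local, sep, domain = login.rpartition("@")
        if not sep or not local or not domain:
            raise ValueError(f"malformed login identifier: {login!r}")
        return domain.lower()

    def select(self, login: str) -> IdP | None:
        """Return the IdP to redirect this login to, or None to refuse (fail closed)."""
        domain = self.domain_of(login)
        for idp in self.secondaries:
            # Exact match only: 'corp.example.com' does not match an IdP that owns 'example.com'.
            if domain in idp.domains:
                return idp if idp.enabled else None
        return self.primary


if __name__ == "__main__":
    router = IdPRouter(IdP("Entra-primary", "OIDC"))
    router.add_secondary(IdP("Okta-contractors", "SAML", True, frozenset({"Contractors.Example"})))
    for login in ("alice@example.com", "bob@CONTRACTORS.example",
                  "eve@corp.contractors.example", "x@contractors.example@example.com"):
        chosen = router.select(login)
        print(f"{login:40} -> {chosen.name if chosen else 'refused'}")
```

Two details matter in practice: the domain is taken after the last `@`, so an identifier such as `x@contractors.example@example.com` routes on `example.com`, not on the contractor domain, and matching is exact rather than suffix-based, so a subdomain you did not assign is not silently handed to a secondary IdP.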
Zscaler supports various third-party IdP solutions across OIDC and SAML protocols. The following table lists the external IdPs along with the supported protocol:
External IdP | OIDC (Recommended) | SAML |
---|---|---|
Microsoft Entra ID | Supported (via Gallery App) | Supported |
Okta | Supported (via OIN App and Custom App) | Supported |
Microsoft AD FS | Not supported | Supported |
PingOne | Supported | Supported |
Auth0 | Supported | Supported |
OneLogin | Supported | Supported |
PingFederate | Supported | Supported |
- Zscaler recommends OIDC-based integration over SAML-based integration. Use SAML-based integration only when no OIDC-based integration is available for your IdP.
- Zscaler recommends SCIM-based provisioning over Just-in-Time (JIT) provisioning because SCIM proactively synchronizes identities through APIs on a scheduled or on-demand basis, so a change made in the IdP reaches ZIdentity without waiting for the affected user to sign in. JIT, in contrast, updates identities reactively, using only the attributes received during a user's login session.
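To make the SCIM-versus-JIT distinction concrete, here is an added Python model (not ZIdentity's or any IdP's code) that replays one constructed event sequence, a user removed from an admin group at the IdP, through a push-style (SCIM-like) provisioner and a login-time (JIT-like) provisioner, and reports what the downstream store believes right after the change and after the user's next login. The class names, the event sequence and the `admins` group are all hypothetical.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    active: bool = True
    groups: set = field(default_factory=set)


class Directory:
    """Downstream identity store (stands in for the ZIdentity user/group store)."""

    def __init__(self) -> None:
        self.users: dict[str, User] = {}

    def allowed(self, username: str, group: str) -> bool:
        """Group-based access decision made from the store's current view."""
        u = self.users.get(username)
        return bool(u and u.active and group in u.groups)


class ScimProvisioner:
    """Push model: the IdP calls the store's API the moment something changes."""

    def __init__(self, directory: Directory) -> None:
        self.d = directory

    def create(self, username: str, groups: list) -> None:
        self.d.users[username] = User(username, True, set(groups))

    def patch(self, username: str, *, active: bool | None = None,
              groups: list | None = None) -> None:
        u = self.d.users[username]
        if active is not None:
            u.active = active
        if groups is not None:
            u.groups = set(groups)


class JitProvisioner:
    """Login-time model: the store learns only what the next assertion/ID token carries."""

    def __init__(self, directory: Directory) -> None:
        self.d = directory

    def login(self, claims: dict) -> None:
        u = self.d.users.setdefault(claims["username"], User(claims["username"]))
        u.active = True
        u.groups = set(claims.get("groups", []))


def run_scenario(mode: str) -> list:
    """Replay one constructed event sequence and return the store's answers to
    'is alice in admins?' (1) right after the IdP removes her from the group and
    (2) after her next login."""
    d = Directory()
    if mode == "scim":
        p = ScimProvisioner(d)
        p.create("alice", ["admins"])
        p.patch("alice", groups=[])                   # IdP pushes the removal immediately
        after_change = d.allowed("alice", "admins")
        after_login = d.allowed("alice", "admins")    # a later login adds nothing new
    elif mode == "jit":
        p = JitProvisioner(d)
        p.login({"username": "alice", "groups": ["admins"]})
        # The group removal happens at the IdP here, but no message reaches the store.
        after_change = d.allowed("alice", "admins")   # stale: still an admin
        p.login({"username": "alice", "groups": []})  # store catches up only now
        after_login = d.allowed("alice", "admins")
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return [after_change, after_login]


if __name__ == "__main__":
    for mode in ("scim", "jit"):
        print(mode, run_scenario(mode))
```

`run_scenario("scim")` returns `[False, False]` and `run_scenario("jit")` returns `[True, False]`: the JIT-fed store keeps granting the admin group until alice signs in again. If the IdP had deactivated her instead of removing a group, no further login would occur, so a JIT-only store would never learn of the change and the stale record would persist until removed some other way; that is the gap SCIM's API-driven synchronization closes.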
About the External Identities Page
On the External Identities page (Administration > Identity > ZIdentity > External Identities), you can do the following:
- View the configured primary IdP. For the primary IdP, you can see:
  - Name: The IdP's name.
  - Type: The authentication protocol the IdP uses (OIDC or SAML).
  - Status: Whether the IdP is enabled or disabled.
  If you haven't configured a primary IdP yet, click Add Primary IdP to begin the IdP configuration.
- View the configured secondary IdPs. For each secondary IdP, you can see:
  - Name: The IdP's name.
  - Type: The authentication protocol the IdP uses (OIDC or SAML).
  - Domain: The user domains assigned to the IdP. Users whose login domain matches are redirected to this IdP.
  - Status: Whether the IdP is enabled or disabled.
- Add a secondary IdP by clicking Add Secondary IdP. You must configure a primary IdP before you can configure any secondary IdPs.
- Edit or delete an IdP.
