About IdP Configuration

For users to access your applications, they must first authenticate into Zscaler Client Connector using any SAML 2.0-compliant identity provider (IdP) with the service provider-initiated (SP-initiated) model. User SSO is SP-initiated, but admin SSO can be SP-initiated or IdP-initiated. When an admin selects Single Sign-On Using IdP on the Admin Portal's Sign In page, the login is SP-initiated. If the admin logs directly into their IdP, it's IdP-initiated.

Prior to configuring your IdP, Zscaler recommends reading IdP Configuration Best Practices.

The IdP must be configured to recognize Zscaler as a valid SP, and you must configure the full details for the IdP within the Admin Portal. To learn more, see Configuring an IdP for Single Sign-On.

Configuring an IdP provides the following benefits:

  • Users can authenticate and access applications.
  • You can use SCIM, a standard protocol for automating the exchange of identity information, to provision users and groups.

About the IdP Configuration Page

The IdP Configuration page is read-only if you are subscribed to ZIdentity for users. To learn more, see What Is ZIdentity?

On the IdP Configuration page (Administration > Identity > Private Access > IDP Configuration), you can do the following:

  1. Add a new IdP configuration.

    The Add icon is hidden if you are subscribed to ZIdentity for users. To learn more, see What Is ZIdentity?

  2. View a list of the names of all IdPs that were configured for your organization. For each IdP configuration, you can see:
    • Name: The name of the IdP configuration. An icon appears next to the name of the IdP if the IdP certificate is close to expiring or has expired:

      • If the IdP certificate has expired, a red warning icon is displayed.
      • If the IdP certificate has less than 7 days before expiration, a yellow caution icon is displayed.
      • If the IdP certificate has less than 30 days before expiration, an orange info icon is displayed.

      If the IdP certificate is part of a certificate chain instead of a single certificate, the certificate in the chain that expires earliest determines which icon is displayed.

    • Status: The status of the IdP configuration (i.e., enabled, disabled, or resume if the configuration was paused during setup).
    • IdP Entity ID: The entity ID URL for the IdP.
    • Single Sign-On: Indicates whether the IdP is set up for Admin or User SSO.

    You can expand the row to view details regarding the configuration, import SAML attributes, or verify that SSO was configured correctly for the IdP.

  3. Edit an existing IdP configuration.
  4. Delete an IdP configuration.

An IdP cannot be deleted if it is used for emergency access.
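The certificate-expiry thresholds above can be monitored outside the Admin Portal so that a rotation is scheduled before the icons appear. The following is an added example, not Zscaler's code: it assumes the chain's expiry values were exported with `openssl x509 -noout -enddate` and applies the page's expired, 7-day and 30-day rules to the earliest-expiring certificate in the chain; the dates are constructed.

```python
from datetime import datetime, timedelta, timezone

# Expiry thresholds as described on the IdP Configuration page.
INFO_DAYS = 30     # fewer than 30 days left: orange info icon
CAUTION_DAYS = 7   # fewer than 7 days left: yellow caution icon

def parse_openssl_enddate(line: str) -> datetime:
    """Parse one 'notAfter=...' line as printed by `openssl x509 -noout -enddate`
    (e.g. 'notAfter=Mar  3 12:00:00 2027 GMT'); the timestamp is treated as UTC."""
    value = line.split("=", 1)[1]
    # openssl pads single-digit days with two spaces; collapse the whitespace first.
    return datetime.strptime(" ".join(value.split()),
                             "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

def effective_expiry(expiries):
    """For a certificate chain, the earliest-expiring certificate decides the icon."""
    return min(expiries)

def expiry_icon(expiry: datetime, now: datetime) -> str:
    """Map the time remaining to the icon the Admin Portal would show."""
    remaining = expiry - now
    if remaining <= timedelta(0):
        return "red warning"
    if remaining < timedelta(days=CAUTION_DAYS):
        return "yellow caution"
    if remaining < timedelta(days=INFO_DAYS):
        return "orange info"
    return "none"

def check_idp_chain(enddate_lines, now_iso: str) -> dict:
    """Classify a chain from its notAfter lines and a reference time (ISO 8601, UTC)."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    expiry = effective_expiry(parse_openssl_enddate(l) for l in enddate_lines)
    return {
        "expires": expiry.isoformat(),
        "days_left": (expiry - now).days,
        "icon": expiry_icon(expiry, now),
    }

# Constructed sample: a two-certificate chain in which the leaf expires first.
SAMPLE_CHAIN_ENDDATES = [
    "notAfter=Jun 20 00:00:00 2026 GMT",   # leaf certificate (hypothetical)
    "notAfter=Mar  3 12:00:00 2027 GMT",   # intermediate certificate (hypothetical)
]

if __name__ == "__main__":
    # 19 days before the leaf expires: the orange info icon would be shown.
    print(check_idp_chain(SAMPLE_CHAIN_ENDDATES, "2026-06-01T00:00:00"))
```

Run it against the real chain by piping each certificate through `openssl x509 -noout -enddate` and passing the resulting lines; the intermediate alone would still be fine for months, which is exactly why the chain rule matters.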
