Adding SaaS Application Tenants
Zscaler Data at Rest Scanning provides visibility and security for sanctioned SaaS applications used in your organization. You can authorize sanctioned SaaS applications with Zscaler by adding them as tenants. Most apps require configuration to provide Zscaler access and enable their full functionality.
To add a SaaS application tenant:
- Go to Policies > Common Configuration > Out-of-band CASB > SaaS Application Tenants.
- Click Add SaaS Application Tenant.
The Add SaaS Application Tenant page appears.
- Under Choose the SaaS Application Provider, search for or choose from one of the sanctioned SaaS applications.
- Under Name the SaaS Application Tenant, enter a name for the SaaS application tenant. It must be unique. This name is displayed when configuring the Data at Rest Scanning DLP policy, Malware Detection policy, Workflow Automation, or Scan Configuration, depending on the functionality available for that specific application.
- Under Onboard SaaS Application for, select the checkbox for the functionality you want to enable. You can choose from DLP and Malware scanning SaaS API, SSPM Scan, or Workflow Automation if the app supports the functionality.
- Complete the specific configuration steps for your chosen application:
- Amazon S3
To enable Amazon S3 for your organization, contact your Zscaler Account team.
To configure Amazon S3:
- a. Configure an IAM Role for the Zscaler S3 Connector
- Under Authorize the SaaS Application, copy the Zscaler S3 Connector and Zscaler S3 Connector User ARN.
- Click Go to AWS.
The AWS portal appears.
- Log in to AWS.
- Go to Services > IAM.
- In the left-side navigation, go to Access management > Roles.
- Click Create role.
- In Select type of trusted entity, click Another AWS account.
- In Specify accounts that can use this role:
- Account ID: Enter the Zscaler S3 Connector value you copied in Step i.
- Require external ID (Best practice when a third party assumes this role): Deselect.
- Require MFA: Deselect.
- Click Next: Permissions.
- In Attach permissions policies, enter AmazonS3FullAccess in the search bar, and select it.
- Click Next: Tags.
- In Add tags (optional), enter a key-value pair.
- Click Next: Review.
- In Review:
- Role name: Enter a role name.
- Description: (Optional) Enter additional notes or information.
- Click Create role.
- b. Edit the Trust Relationship
- Click the Role Name of the IAM role you created in a. Configure an IAM Role for the Zscaler S3 Connector.
- Click the Trust relationships tab.
- Click Edit trust relationship.
- Under Policy Document, delete the existing AWS value, and enter the Zscaler S3 Connector User ARN you copied in Step i of a. Configure an IAM Role for the Zscaler S3 Connector:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/AccountAadmin"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
- Click Update Trust Policy.
- Under Summary, copy the Role ARN. You need it for Step vi of d. Create a Quarantine Bucket.
- c. Obtain the CloudTrail Bucket ARN
You can use a single CloudTrail account to onboard multiple tenants. To learn more about CloudTrail, refer to the AWS CloudTrail documentation.
- In the Name column, click s3-log-trail.
- To enable S3 data events, click Edit next to Data events. If you have already enabled S3 data events, skip to the Trails step.
- Check the Data events box. If Advanced event selectors are not enabled, click Switch to advanced event selectors.
- In the Data event type drop-down menu, select S3. Then, make sure the Log selector template is set to Log all events.
- Click Save changes.
- Back on your Trails page, in General details, click the Trail log location.
- In Objects, click CloudTrail/.
- Click the Properties tab.
- Under Amazon Resource Name (ARN), copy the CloudTrail bucket ARN. You need it for Step vi of d. Create a Quarantine Bucket.
- d. Create a Quarantine Bucket
- Click Create bucket.
The Create bucket window appears.
- In the Create bucket window:
- Bucket name: Enter a unique name for the quarantine bucket.
- AWS Region: Use the default region.
- Block all public access: Select.
- Bucket Versioning: Disable.
- Tags: (Optional) Click Add tag to tag your quarantine bucket.
- Default Encryption: Server-side encryption with Amazon S3 managed keys (SSE-S3)
- In the Admin Portal, under Register the SaaS Application:
- AWS Account ID: Enter the ID of the AWS account used to configure the Zscaler S3 Connector.
- IAM Role ARN: Enter the IAM role ARN you copied in b. Edit the Trust Relationship.
- Quarantine Bucket Name: Enter the quarantine bucket name you copied in Step v. If you add a Malware Detection rule with the action Quarantine Malware, the Zscaler service moves the malicious files detected to this bucket.
- CloudTrail Bucket ARN: Enter the ARN of the CloudTrail bucket, which stores your S3 data event logs.
To learn more about the steps in AWS, refer to the AWS documentation.
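The trust relationship from step b decides who may assume a role that carries AmazonS3FullAccess, so it is worth checking the saved policy document rather than trusting the edit by eye. The following Python check is an added example, not Zscaler's code or anything from this page; the connector user ARN and the three policy documents are constructed placeholders, and the check reports every principal other than the expected one that could call sts:AssumeRole.

```python
import json

# Constructed placeholder for the Zscaler S3 Connector User ARN that the Admin
# Portal shows under Authorize the SaaS Application (not a real Zscaler value).
EXPECTED_CONNECTOR_USER_ARN = "arn:aws:iam::111111111111:user/zscaler-s3-connector-user"

# Constructed trust policy in the shape shown on the page, after the AWS value
# has been replaced with the connector user ARN (the intended end state of step b).
TRUST_POLICY_OK = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": EXPECTED_CONNECTOR_USER_ARN},
        "Action": "sts:AssumeRole",
        "Condition": {},
    }],
})

# Constructed: the page's sample value was never replaced, so the role trusts
# an unrelated account.
TRUST_POLICY_UNEDITED = TRUST_POLICY_OK.replace(
    EXPECTED_CONNECTOR_USER_ARN, "arn:aws:iam::123456789012:user/AccountAadmin")

# Constructed: the principal was widened to "*", which would let any AWS
# principal assume a role that carries AmazonS3FullAccess.
TRUST_POLICY_WILDCARD = TRUST_POLICY_OK.replace(
    json.dumps(EXPECTED_CONNECTOR_USER_ARN), '"*"')


def _as_list(value):
    """Normalise IAM's string-or-list idiom (Action, Principal.AWS, Statement)."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy_json, expected_principal_arn):
    """Return a list of findings for a role trust policy.

    An empty list means: every Allow statement that grants sts:AssumeRole trusts
    exactly the expected connector user and nothing else.
    """
    findings = []
    policy = json.loads(policy_json)
    if policy.get("Version") != "2012-10-17":
        findings.append("policy Version is not 2012-10-17")

    expected_found = False
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue  # this statement does not grant role assumption

        principal = stmt.get("Principal")
        if principal == "*":
            findings.append("statement allows any principal to assume the role")
            continue
        if not isinstance(principal, dict):
            findings.append("statement has no usable Principal element")
            continue

        # The setup on the page uses only an AWS (IAM user) principal; a Service
        # or Federated principal would mean the policy was changed elsewhere.
        for kind in principal:
            if kind != "AWS":
                findings.append(f"unexpected principal type: {kind}")

        for arn in _as_list(principal.get("AWS")):
            if arn == "*":
                findings.append("Principal.AWS is a wildcard")
            elif arn == expected_principal_arn:
                expected_found = True
            else:
                findings.append(f"unexpected principal trusted: {arn}")

    if not expected_found:
        findings.append("expected connector user ARN is not trusted")
    return findings


if __name__ == "__main__":
    for label, doc in (("edited", TRUST_POLICY_OK),
                       ("unedited", TRUST_POLICY_UNEDITED),
                       ("wildcard", TRUST_POLICY_WILDCARD)):
        print(label, check_trust_policy(doc, EXPECTED_CONNECTOR_USER_ARN) or "OK")
```

Run it against the policy document you pasted into Edit trust relationship, with the ARN copied from the Admin Portal in place of the placeholder; any finding other than an empty list means step b is not finished.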
- Bitbucket
To configure Bitbucket:
- Under Enter Bitbucket Admin Email ID, enter your admin email ID.
- Click Provide Admin Credentials and sign in to your Bitbucket account.
- Click Save.
- Box
To configure Box:
- Under Authorize the SaaS Application, select a SaaS Connector option. A Zscaler-defined connector grants the Zscaler service full administrator privileges to the application; whereas, a custom connector grants only necessary permissions.
- Zscaler-Defined
- Under Authorize the SaaS Application, copy the Zscaler SaaS Connector. You need it for Step g when adding a custom application for Box.
- Click Go to Box Settings.
The Box portal appears.
- Log in to Box.
You are redirected to the Box Admin console.
- Go to Apps.
- Click the Custom Apps Manager tab.
- Click Add App.
The App Authorization window appears.
- In the App Authorization window:
- Client ID: Enter Zscaler SaaS Connector value you copied in Step a.
- Click Next.
- Review the required permissions for the Zscaler service to access Box, and click Authorize.
- Click Okay.
- Go to Account & Billing.
- Under Account Information, copy the Enterprise ID.
- In the Admin Portal, under Enter the Box Enterprise ID, enter the Enterprise ID you copied from Box in the previous step.
To learn more about the steps in Box, refer to the Box documentation.
- Custom
- Under Authorize the SaaS Application, select Custom.
- Sign in to the Box Developer Console, select My Apps, and then click Create new app.
If you don't have any apps yet, Box might directly open the next step after selecting My Apps.
- Select Custom App.
- Enter an app name with Zscaler as the prefix, and under Purpose, select Integration. Fill in the rest of the required information based on your app needs and click Next.
- For the Authentication Method, select Server Authentication (with JWT) and click Create App.
- On the Configuration tab, next to the Application Scopes section, select the following scopes:
- Write all files and folders stored in Box
- Manage users
- Manage groups
- Manage enterprise properties
- In the Advanced Features section, select:
- Make API calls using the as-user header
- Generate user access tokens
To learn more about the required API permissions, see the following table:
- API Permissions for Box
- In the App Access Level section, select App + Enterprise Access and click Save Changes.
- In the Add and Manage Public Keys section, select Generate a Public/Private Keypair and your JSON file is downloaded.
- Next, you need to enable Suppress Notifications by referring to the Box documentation. You need to contact your Box support contact to request the required scopes to be enabled for your application.
- In the Admin Portal, under Authorize the SaaS Application, select Custom and then click Upload File to upload the JSON file you generated in a previous step.
- Click Authorize and then click Save.
- ChatGPT
- Sign in to the OpenAI API platform with your admin credentials.
- Go to API Keys in the left-side navigation.
- Click Create new secret key.
- Enter a Name, under Project select Default project, and under Permissions select All. Click Create secret key.
- Save your key to use during onboarding. It can only be copied and viewed once. If you lose it, you need to generate a new one.
- Log in to ChatGPT and then go to the ChatGPT admin settings.
- Copy the Workspace ID and save it.
- To enable the necessary enterprise APIs, write an email to OpenAI support requesting them to be enabled and include your secret key name, secret key, and workspace ID. Wait for confirmation that the APIs are enabled before continuing to onboard the application.
- In the Admin Portal under Authorize the SaaS Application, enter your Workspace Name, Workspace ID, and Workspace Secret Key. Click Authorize.
- Confluence
- Enter the Atlassian Domain Address you want to connect with Zscaler.
- Enter your Confluence Organization API Key. For help finding your API Key, follow the instructions on Atlassian Support.
- Click Provide Admin Credentials and sign in to your Confluence account.
- Click Save.
For Confluence, the Data at Rest Scanning DLP rule scans all the blogs, pages, and attachments within a space. The DLP rule does not scan the overview page for any space.
- Dropbox
- Under Enter the Dropbox Enterprise ID, enter your Dropbox Enterprise email address.
- Under Authorize the SaaS Application, click Redirect to Dropbox.
The Dropbox portal appears.
- Log in to Dropbox.
- For the Before you connect this app... warning, click Continue.
- Review the required permissions for the Zscaler service to access Dropbox and click Allow.
The Admin Portal refreshes and adds the Dropbox Team ID under Authorize the SaaS Application.
To learn more about the steps in Dropbox, refer to the Dropbox documentation.
- Dynamics 365
- Under Enter Organization Domain Address, enter the URL used to log in to your Dynamics 365 instance.
- Under Authorize the SaaS Application you can click Provide Admin Credentials and log in with the Microsoft account associated with your Dynamics 365 instance.
- Click Save.
To learn more about the steps in Dynamics 365, refer to the Microsoft documentation.
- GitHub
- Under Enter the GitHub Admin Email ID, enter your admin email ID used to log in to the GitHub portal.
- Under Authorize the SaaS Application, click Provide Admin Credentials and then log in to GitHub.
If you don't have SAML enabled for your organization, the GitHub Permissions page opens. Click Grant for all organizations you would like the scans to run for, and then click Authorize.
To learn more about enabling SAML, see About External Identity Providers and Adding SAML Identity Providers.
If you do have SAML enabled, the single sign-on page opens. Click Authorize and then Continue. Click Grant on all organizations you want to provide Zscaler access to, and click Authorize.
- Click Save.
- GitLab
To configure GitLab:
- Under Enter the GitLab Admin Email ID, enter your admin email ID used to log in to GitLab.
- Under Authorize the SaaS Application, click Provide Admin Credentials and log in with your GitLab information.
- Click Save.
To learn more about the steps in GitLab, refer to the GitLab documentation.
- Gmail
- Zscaler Defined
- Enter your Google Admin Email ID.
- Under Authorize the SaaS Application, select Zscaler Defined, and copy the Zscaler SaaS Connector and Google Workspace Scope. You need them for a later step when adding an API client for Google Workspace.
- Click Go to Google Workspace.
The Google Workspace portal appears.
- Log in to Google Workspace.
You are redirected to the Google Admin console.
- Go to Security.
- Click API controls.
- Under Domain wide delegation, click MANAGE DOMAIN WIDE DELEGATION.
- Click Add new.
The Add a new client ID window appears.
- In the Add a new client ID window:
- Client ID: Enter Zscaler SaaS Connector value you copied in a previous step.
- Overwrite existing client ID: Deselect.
- OAuth scopes (comma-delimited): Enter the Google Workspace scope you copied in a previous step.
- Click Authorize.
The Zscaler Connector App is added as an API client.
- (Optional) Under (Optional) Configure External Trusted Domains & Users for the Tenant:
- External Trusted Domains: Enter trusted email domains that are outside your organization (i.e., using a different domain). The Zscaler service views any email addresses from the added domains as trusted, internal users for Gmail. For example, if your organization's domain is safemarch.com and your organization recently acquired a company with the domain example.com, you can add example.com to this list, and the service treats any email addresses from example.com (e.g., johnsmith@example.com) as internal users from safemarch.com. You can add up to 1,000 domains.
- External Trusted Users: Enter trusted email addresses that are outside your organization (i.e., using a different email domain). The Zscaler service views the email addresses as trusted, internal users for Gmail. For example, if your organization's email domain is safemarch.com and your organization recently contracted with someone using an external email domain (e.g., johnsmith@example.com), you can add the contractor's email to this list, and the service treats the contractor as an internal user from safemarch.com. You can add up to 1,000 email addresses.
To learn more about the steps in the Google Admin console, refer to the Google documentation.
- Custom
To create a custom Gmail Connector, you must first configure permissions in Google so that you can provide the Private Key JSON file for the Gmail account in the Admin Portal. To learn more, see Authorizing a Custom Zscaler Connector for Google Applications.
- Google Cloud
To enable Google Cloud for your organization, contact your Zscaler Account team.
- Zscaler Defined
- a. Configure Google Cloud
- Enter your Google Cloud Admin Email ID.
- Under Authorize the SaaS Application:
- Click Zscaler Defined.
- Click Go to Google Cloud and sign in with your Google Cloud account credentials.
- Enter the name of your Quarantine Bucket. If you don't have a Quarantine Bucket configured yet, follow the instructions in Step b.
- Click Save to finish.
- b. Create Quarantine Bucket
- From your Google Cloud Platform console, click on Cloud Storage, and then click Create Bucket.
- Name the bucket and click Continue.
- Continue configuring the bucket as needed and click Create when finished.
- Return to Section a., Step iii.
- c. Authorize Service Account and Add Scope
The following tasks have to be performed by an Organization Administrator of the G Suite domain:
- Copy the Zscaler SaaS Connector ID.
- Go to G Suite domain’s Admin console.
- Select Security > Access and data control > API controls.
- Select Manage Domain Wide Delegation.
- If the Zscaler API client isn't listed, select Add new.
- In the Client name field, enter the Zscaler SaaS Connector ID you copied earlier.
- In the OAuth scopes field, enter the list of scopes that your application should be granted access to (copy from following list):
https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/devstorage.full_control,https://www.googleapis.com/auth/logging.read,https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.reports.audit.readonly,https://www.googleapis.com/auth/logging.write,https://www.googleapis.com/auth/logging.admin
- Click Authorize.
- d. Create and Assign Role to Organization Administrator
- Sign in to the Google Cloud Platform console.
- Navigate into the desired organization using the project selection drop-down menu and select the appropriate domain in the listing.
Organization Administrator should be granted Members permissions for your GCP organization.
- Go to IAM & Admin > IAM on the navigation bar.
- Select Add.
- Paste the Organization Administrator email address in the New principals field.
- Select the following roles necessary for complete cloud storage visibility/harvesting:
- Browser (roles/browser): Read access to browse the hierarchy for a project and IAM policy. This role doesn't include permission to view resources in the project.
- Private Logs Viewer: To view data access logs.
- Storage Admin (roles/storage.admin): Grants full control of objects and buckets.
- Click Save.
- e. Enable Audit Logs
To access audit log configuration options in the Cloud Console, follow these steps:
- Go to the Audit Logs page.
- In the main table on the Audit Logs page, select one or more Google Cloud services from the Title column.
- In the Log Type tab, select the boxes by the Data Access audit log types that you want to enable and then click Save. Where you have successfully enabled audit logs, the table includes a checkmark.
- Select Cloud Logging API and Google Cloud Storage, and enable Admin Read, Data Write, and Data Read audit logs.
Why should you enable the above operations?
- Admin Read: Entries for operations that read the configuration or metadata of a project, bucket, or object.
- Data Read: Entries for operations that read an object.
- Data Write: Entries for operations that create or modify an object.
- f. Confirm Activation of Cloud Storage JSON API for All Older Projects
- From Google Cloud Platform, go to APIs & Services > Enabled APIs & services. Ensure that for all the projects for the organization the Cloud Storage JSON API is activated. The JSON API is activated by default, and it can be used immediately.
- To enable the JSON API in an existing project, go to the Google Cloud Storage JSON API page in the Cloud Console API Library, and click the Enable button.
- Custom
To create a custom Google Cloud Connector, you must first configure permissions in Google so that you can provide the Organization ID, Quarantine Bucket name, and Private Key JSON file for the Google Cloud Platform account in the Admin Portal. To learn more, see Authorizing a Custom Zscaler Connector for Google Applications.
- Google Drive
- Zscaler Defined
- Enter your Google Admin Email ID.
- Under Authorize the SaaS Application, click Zscaler Defined, and copy the Zscaler SaaS Connector and Google Workspace Scope. You need it for a later step when adding an API client for Google Workspace.
- Click Go to Google Workspace.
The Google Workspace portal appears.
- Log in to Google Workspace.
You are redirected to the Google Admin console.
- Go to Security.
- Click API controls.
- Under Domain wide delegation, click MANAGE DOMAIN WIDE DELEGATION.
- Click Add new.
The Add a new client ID window appears.
- In the Add a new client ID window:
- Client ID: Enter Zscaler SaaS Connector value you copied in a previous step.
- Overwrite existing client ID: Deselect.
- OAuth scopes (comma-delimited): Enter the Google Workspace scope you copied in a previous step.
- Click Authorize.
The Zscaler Connector App is added as an API client.
To learn more about the steps in the Google Admin console, refer to the Google documentation.
- Custom
To create a custom Google Drive Connector, you must first configure permissions in Google so that you can provide the Private Key JSON file for the Google Drive account in the Admin Portal. To learn more, see Authorizing a Custom Zscaler Connector for Google Applications.
- Google Workspace
To configure Google Workspace:
- Zscaler Defined
- Enter the Google Admin Email ID.
- Under Authorize the SaaS Application, click Zscaler Defined, and copy the Zscaler SaaS Connector and Google Workspace Scope. You need it for a later step when adding an API client for Google Workspace.
- Click Go to Google Workspace.
The Google Workspace portal appears.
- Log in to Google Workspace.
You are redirected to the Google Admin console.
- Go to Security.
- Click API controls.
- Under Domain wide delegation, click MANAGE DOMAIN WIDE DELEGATION.
- Click Add new.
The Add a new client ID window appears.
- In the Add a new client ID window:
- Client ID: Enter Zscaler SaaS Connector value you copied in a previous step.
- Overwrite existing client ID: Deselect.
- OAuth scopes (comma-delimited): Enter the Google Workspace scope you copied in a previous step.
- Click Authorize.
The Zscaler Connector App is added as an API client.
To learn more about the steps in the Google Admin console, refer to the Google documentation.
- Custom
To create a custom Google Workspace Connector, you must first configure permissions in Google so that you can provide the Private Key JSON file for the Google Drive account in the Admin Portal. To learn more, see Authorizing a Custom Zscaler Connector for Google Applications.
- Google Workspace Marketplace
To configure Google Workspace Marketplace:
- Under Authorize the SaaS Application, copy the Zscaler SaaS Connector and Google Workspace Scope. You need it for a later step when adding an API client for Google Workspace.
- Click Go to Google Workspace.
The Google Workspace portal appears.
- Log in to Google Workspace.
You are redirected to the Google Admin console.
- Go to Security.
- Click API controls.
- Under Domain wide delegation, click MANAGE DOMAIN WIDE DELEGATION.
- Click Add new.
The Add a new client ID window appears.
- In the Add a new client ID window:
- Client ID: Enter Zscaler SaaS Connector value you copied in a previous step.
- Overwrite existing client ID: Deselect.
- OAuth scopes (comma-delimited): Enter the Google Workspace scope you copied in a previous step.
- Click Authorize.
The Zscaler Connector App is added as an API client.
- In the Admin Portal, under Enter the Google Admin Email ID, enter your admin email ID used to log in to the Google Admin console.
To learn more about the steps in the Google Admin console, refer to the Google documentation.
- Jira Software
- Enter the Atlassian Domain Address you want to connect with Zscaler.
- Enter your Jira Organization API Key. For help finding your API Key, follow the instructions on Atlassian Support.
- Click Provide Admin Credentials and sign in to your Jira account.
- Click Save.
- Microsoft 365
- Under Authorize the SaaS Application, copy the SaaS connector ID.
- On a new browser tab, log in to the Azure Portal with your Global Administrator account.
- On the Azure Portal home page, search for the Microsoft Entra roles and administrators service and click that entry in the drop-down list.
- On the All Roles page, search for Exchange Administrator, then click that entry to open it.
- On the Exchange Administrator | Assignments page, click Add assignments.
- On the Add Assignments page, click the No member selected link.
- On the Select a member page, paste the SaaS connector ID you copied in step c. Select the SaaS connector ID in the list below and click Select at the bottom of the screen.
- The Add Assignments page appears for the selected SaaS connector ID. Click Next at the bottom of the screen. On the following screen, provide a justification for this assignment and click Assign.
- On the Exchange Administrator | Assignments page, verify that the SaaS connector ID you just added appears in the list of active assignments.
- Return to the Add SaaS Application Tenant page in the Admin Portal and click Provide Admin Credentials to add the tenant ID.
- Microsoft Azure
To enable Microsoft Azure for your organization, contact your Zscaler Account team. To learn more about configuring Azure or for help finding your enterprise ID or storage account name, refer to the Microsoft documentation.
- Zscaler Defined
- Configure Microsoft Azure
- Under Authorize the SaaS Application, select the checkbox for the functionality you want to enable.
- Click Provide Admin Credentials, and sign in with your Microsoft Azure account credentials.
- Under Register the SaaS Application:
- Enter your Microsoft Azure Enterprise ID.
- Enter the name of your Quarantine Storage Account.
- Click Save to finish.
- Create and Assign Roles
- Log in to the Azure Portal with your Global Administrator account. Go to Azure Active Directory > Enterprise Application.
- Copy the Application name matching the ID in Step a.
- Go back to the Azure Portal home page, then go to Subscriptions and select your subscription. You must do this for each of your subscriptions.
- Select Access Control (IAM) > Role Assignments > Add > Add role assignment.
- Search "Storage Contributor". Select Storage Blob Data Contributor and Storage Account Contributor and then click Next (this must be done separately for each role).
- Click Select members and add the application name from Step c as a member to Storage Blob Data Contributor and Storage Account Contributor, then select Review + assign.
Steps f and g must be done separately for both the Storage Blob Data Contributor and Storage Account Contributor roles. Steps d to g must be repeated for all subscriptions.
- Custom
To create a custom Microsoft Azure Blob Storage Connector, you must first configure permissions in Azure so that you can provide the Client ID, Client Secret, and Tenant ID, and add Role Assignments for the Microsoft Azure Blob Storage account in the Admin Portal. To learn more, see Authorizing a Custom Zscaler Connector for Microsoft Applications.
- Microsoft Exchange
To configure Microsoft Exchange:
- Under Authorize the SaaS Application, select a SaaS Connector option. A Zscaler-defined connector grants the Zscaler service full administrator privileges to the application; whereas, a custom connector grants only necessary permissions.
- Zscaler Defined
- Click Provide Admin Credentials.
The Exchange Portal appears.
- Log in to Exchange.
- Review the required permissions for the Internet & SaaS service to access the Exchange account and click Accept.
- Custom
To create a custom Exchange connector, you must first configure permissions in Azure so that you can provide the Client ID, Client Secret, and Tenant ID for the Exchange account in the Admin Portal. To learn more, see Authorizing a Custom Zscaler Connector for Microsoft Applications.
(Optional) In the Admin Portal, under (Optional) Configure External Trusted Domains & Users for the Tenant:
- External Trusted Domains: Enter trusted email domains that are outside your organization (i.e., using a different domain). The Zscaler service views any email addresses from the added domains as trusted, internal users for Exchange. For example, if your organization's domain is safemarch.com and your organization recently acquired a company with the domain example.com, you can add example.com to this list, and the service treats any email addresses from example.com (e.g., johnsmith@example.com) as internal users from safemarch.com. You can add up to 1,000 domains.
- External Trusted Users: Enter trusted email addresses that are outside your organization (i.e., using a different email domain). The Zscaler service views the email addresses as trusted, internal users for Exchange. For example, if your organization's email domain is safemarch.com and your organization recently contracted with someone using an external email domain (e.g., johnsmith@example.com), you can add the contractor's email to this list, and the service treats the contractor as an internal user from safemarch.com. You can add up to 1,000 email addresses.
- Microsoft OneDrive
To configure Microsoft OneDrive:
- Under Authorize the SaaS Application, select a SaaS Connector option. A Zscaler-defined connector grants the Zscaler service full administrator privileges to the application; whereas, a custom connector grants only necessary permissions.
- Zscaler Defined
- Click Provide Admin Credentials.
The OneDrive portal appears.
- Log in to OneDrive.
- Review the required permissions for the Zscaler service to access OneDrive, and click Accept.
- Custom
To create a custom OneDrive connector, you must first configure permissions in Azure so that you can provide the Client ID, Client Secret, and Tenant ID for the OneDrive account in the Admin Portal. To learn more, see Authorizing a Custom Zscaler Connector for Microsoft Applications.
- Microsoft SharePoint
- Microsoft Teams
- If you select Workflow Automation, an additional step appears to Configure Microsoft Teams Bot.
- Click Download Zip File to download the bot's AppBundle ZIP file, and then name the bot. The name must be identical to its name in the Teams App overview after the upload. By default, the name is ZCN. All other names lead to a 401 error while validating.
- In the ZIP file, open the manifest.json file in a text editor and replace the three id values with your Zscaler Connector ID, found under the next step in the UI: Authorize the SaaS Application. Save the changes to the manifest.json file.
- Go to Microsoft Teams and navigate to Apps > Manage your apps > Upload an app.
- Click Upload a custom app, select your AppBundle ZIP file, then return to the Add SaaS Application Tenant page in the Admin Portal. To learn more about packaging or uploading your Microsoft Teams Bot, refer to the Microsoft documentation.
- Under Authorize the SaaS Application, select a SaaS Connector option. A Zscaler-defined connector grants the Zscaler service full administrator privileges to the application; whereas, a custom connector grants only necessary permissions.
- Zscaler Defined
- Click Provide Admin Credentials.
The Teams Portal appears.
- Log in to Teams.
- Review the required permissions for the Internet & SaaS service to access the Microsoft account and click Accept.
- Custom
To create a custom Teams connector, you must first configure permissions in Azure so that you can provide the Client ID, Client Secret, and Tenant ID for the Teams account in the Admin Portal. To learn more, see Authorizing a Custom Zscaler Connector for Microsoft Applications.
- Okta
To configure Okta:
- Under Register the OAuth Application, enter the Okta client ID and client secret that you copied (learn more in Step f), as well as the URL used to log in to your admin account in Okta.
- Under Enter Okta Admin Email ID, enter your admin email ID used to log in to Okta portal.
- Under Authorize the SaaS Application, click Provide Admin Credentials.
- Click Save.
Create and configure an Okta App Integration:
- From the Okta admin console, go to Applications > Applications and then select Create App Integration.
- Select OIDC - OpenID Connect for the sign-in method and Web Application for the application type.
- Click Next.
- Enter a name for the app integration, select Authorization Code and Refresh Token for grant types, and enter https://admin.<Zscaler Cloud Name>.net for the sign-in and sign-out URIs, where the cloud name is the Zscaler cloud where you are hosted. In the following example we are using https://admin.zscaler.net.
- Under Assignments, select Allow everyone in your organization to access for controlled access and click Save.
- In the General tab of the application you created, copy the Client ID and Secret for use in the previous section's Step b.
- In the Okta API Scopes, grant access to the following scopes:
- okta.apiTokens.read
- okta.apps.read
- okta.behaviors.read
- okta.clients.read
- okta.domains.read
- okta.events.read
- okta.factors.read
- okta.groups.read
- okta.linkedObjects.read
- okta.logs.read
- okta.networkZones.read
- okta.policies.manage
- okta.policies.read
- okta.reports.read
- okta.riskProviders.read
- okta.roles.manage
- okta.roles.read
- okta.sessions.read
- okta.threatInsights.manage
- okta.threatInsights.read
- okta.trustedOrigins.read
- okta.userTypes.read
- okta.users.read
To learn more about the steps in Okta, refer to the Okta documentation.
- Salesforce
To configure Salesforce:
To view the activity report logs for Salesforce, ensure that you have access to the Event Monitoring add-on on your Enterprise or Unlimited Salesforce license.
- a. Install the zscalerPackage
You must install the zscalerPackage, which contains the contents for the Zscaler SaaS Connector application.
- Under Select Tenant Type, choose the appropriate tenant type based on your deployment:
- Sandbox Account: This option allows you to access Salesforce from the test.salesforce.com URL, where you can test your changes without affecting your customers until you move them to your production environment.
- Production Account: This option allows you to access Salesforce from the login.salesforce.com URL, where your changes affect your customers directly because they are applied to your production environment.
You can add both tenant types separately, but you can't change from a sandbox tenant type to production, or from production to sandbox.
- Under Authorize the SaaS Application, click Go to Salesforce.
The Salesforce portal appears.
- Log in to Salesforce.
The Install zscalerPackage page appears.
- On the Install zscalerPackage page:
- Ensure Install for Admins Only is selected.
- Select I acknowledge that I’m installing a Non-Salesforce Application that is not authorized for distribution as part of Salesforce’s AppExchange Partner Program.
- Click Install.
- After installation is complete, click Done.
You are redirected to the Installed Packages page.
- b. Create a Permission Set
You must create a permission set to assign to your user account and the Zscaler SaaS Connector application.
To create a permission set:
- In the left-side navigation, go to Users > Permission Sets.
- Click New.
The Permission Set Create window appears.
- In the Permission Set Create window:
- Label: Enter a label for the permission set. In this example, it's Zscaler SaaS Connector User.
- API Name: This field populates based on the label you entered.
- License: Choose Salesforce.
- Click Save.
- In the Apps section, click App Permissions.
- Click Edit.
- In the Content section, select the following permissions:
- Manage record types and layouts for Files
- Manage Salesforce CRM Content
- Query All Files
- Click Save and then Save again to confirm.
- c. Assign the Permission Set
You must assign the permission set you created to your Salesforce user account.
To assign the permission set to your user account:
- In the left-side navigation, go to Users > Users.
- In the Full Name column, click your name.
- In the User Details section, select Salesforce CRM Content User.
- In the Permission Set Assignments section, click Edit Assignments.
The Permission Sets window appears.
- In the Permission Sets window, under Available Permission Sets, select the permission set you configured in Step b, and click Add. In this example, it's Zscaler SaaS Connector User.
- Click Save.
- d. Configure the Salesforce CRM Content Settings
To configure the Salesforce CRM Content settings:
- In the left-side navigation, go to Feature Settings > Salesforce Files > Salesforce CRM Content.
- Select the following Salesforce CRM Content settings:
- Enable Salesforce CRM Content
- Autoassign feature licenses to existing and new users
- Files user interface allows sharing files with libraries
- Click Save.
- e. Configure the Zscaler SaaS Connector Application
To configure the Zscaler SaaS Connector application:
- In the left-side navigation, go to Apps > App Manager.
- Click the down arrow icon for the Zscaler SaaS Connector application. The name of the Zscaler SaaS Connector application varies depending on the URL you use to log in to the Zscaler service. For example, if you log in to https://admin.zscalerbeta.net, then your Zscaler SaaS Connector application name is similar to ZscalerSaaSConnectorZSBeta01. This guide uses the ZscalerSaaSConnectorZSBeta01 application as an example.
- Click Manage.
- Click Edit Policies.
The Connected App Edit window appears.
- In the Connected App Edit window:
- Permitted Users: Choose Admin approved users are pre-authorized.
- IP Relaxation: Choose Relax IP restrictions.
- Refresh Token Policy: Ensure Refresh token is valid until revoked is chosen.
- Click Save.
- In the Profiles section, click Manage Profiles.
The Application Profile Assignment window appears.
- In the Application Profile Assignment window, select System Administrator.
- Click Save.
- In the Permission Sets section, click Manage Permission Sets.
The Application Permission Set Assignment window appears.
- In the Application Permission Set Assignment window, select the permission set you configured in Step b. In this example, it's Zscaler SaaS Connector User.
- Click Save.
- In the Admin Portal, under Enter the Salesforce Admin Username, enter your admin username used to log in to the Salesforce portal.
To learn more about the steps in Salesforce, refer to the Salesforce documentation.
- ServiceNow
To configure ServiceNow as a tenant, you must have a ServiceNow user account with an admin role.
To configure ServiceNow:
- a. Verify the OAuth 2.0 Plugin is Active
To verify that the OAuth 2.0 plugin is installed and active:
- Log in to your ServiceNow instance.
- Go to System Application > All Available Applications > All.
- Enter OAuth 2.0 in the search bar. The OAuth 2.0 plugin appears. Ensure it's Installed. If the plugin isn't installed, click Install and then Activate.
- b. Verify the OAuth Property is Active
To verify that the OAuth property is active:
- In the Filter navigator, enter sys_properties.list and press Enter on your keyboard.
- On the System Properties page, enter the following property in the search bar and press Enter on your keyboard: com.snc.platform.security.oauth.is.active
- Ensure that the Value column for the com.snc.platform.security.oauth.is.active property is true.
- If it's not, in the Name column, click com.snc.platform.security.oauth.is.active, enter true for the Value, and then click Update.
- c. Configure an OAuth Client Application
To configure an OAuth client application:
Go to System OAuth > Application Registry.
Click New.
Click Create an OAuth API endpoint for external clients.
The Application Registries New Record window appears.
In the Application Registries New Record window:
- Name: Enter a name for the OAuth client application. In this example, it's Zscaler SaaS Application Tenant.
- Client ID: Copy the client ID of the application. You need it for Step ii of d. Add ServiceNow as a Tenant.
- Client Secret: The shared secret of the application, which the ServiceNow instance and the OAuth client application use to authorize their communication. The secret generates after you submit this application registry.
- Refresh Token Lifespan: The default lifespan is 8,640,000 seconds (100 days). Zscaler recommends changing it to a larger value, such as 157,700,000 seconds (5 years) because you'll need to configure ServiceNow as a new tenant after the refresh token expires.
- Access Token Lifespan: The default value is 1,800 seconds (30 minutes). Zscaler recommends changing it to a larger value, such as 86,400 seconds (24 hours).
- Click Submit.
On the Application Registries page, in the Name column, click the name of the configured OAuth client application. In this example, it's Zscaler SaaS Application Tenant.
The Application Registries window appears.
In the Application Registries window, click the Lock icon for Client Secret.
Copy the client secret. You need it for Step ii of d. Add ServiceNow as a Tenant.
- d. Add ServiceNow as a Tenant
To add ServiceNow as a SaaS application tenant:
Under Register the OAuth Application:
- Client ID: Enter the client ID you copied in c. Configure an OAuth Client Application.
- Client Secret: Enter the Client Secret you copied in c. Configure an OAuth Client Application.
- Instance URL: Enter the URL used to log in to your ServiceNow instance.
- User ID: Enter the user ID of the user account used to configure the OAuth client application.
- User Password: Enter the password of the user account used to configure the OAuth client application.
Under Enter the ServiceNow Admin Email ID, enter your admin email ID used to log in to your ServiceNow instance.
Under Authorize the SaaS Application, click Authorize.
To learn more about the steps in ServiceNow, refer to the ServiceNow documentation.
To learn more about adding additional object types for ServiceNow tenants, see Adding Object Types for ServiceNow Tenants.
- ShareFile
- Slack
To configure Slack:
- Under Enter the Slack Admin Email ID, enter your admin email ID used to log in to the Slack portal.
- Under Authorize the SaaS Application, click Provide Admin Credentials.
The Slack portal appears.
- Log in to Slack.
- Review the required permissions for the Zscaler service to access Slack, and click Allow.
- In the Admin Portal, under Authorize Access to a Slack Bot, click Provide Admin Credentials.
The Slack portal appears.
- Review the required permissions for the Zscaler service to send notifications to users through a custom Slack bot, and click Allow.
- Smartsheet
- a. Generate the Smartsheet API Access Token
To configure Smartsheet as a SaaS tenant, you must have a Smartsheet admin account with an Event Reporting license.
Log in to Smartsheet using a valid Smartsheet admin account.
In the left-side navigation, click the Account icon, then select Personal Settings.
In the Personal Settings dialog box, select API Access.
In the Manage API Access Tokens panel, click the Generate new access token button, then enter a name for the token and click OK. Zscaler recommends that you add Zscaler to the token name to make it easier to find later.
Copy the token to your computer's clipboard. You need it when you add Smartsheet as a tenant in Zscaler.
- b. Add Smartsheet as a Tenant
Under Authorize the SaaS Application, add the Smartsheet API access token you generated and copied to your clipboard.
- Trello
Trello can only be configured for SSPM Scan, which requires an Advanced SSPM license. If you don't have the correct license, you will see a message to upgrade your license next to the SSPM Scan checkbox.
- Log in to the Trello Power-Ups and Integrations with your admin credentials.
Click New.
- Enter your information in the New Power-Up or Integration fields. Click Create when done.
- Under API key, click Generate a new API key.
In the Generate API key window, click Generate API key.
Copy the API key and Secret for use later and add the Internet & SaaS URL in the Allowed origins field.
Required API scopes are as follows:
- read: Reading of boards, organizations, etc. on behalf of the user
- write: Writing of boards, organizations, etc. on behalf of the user
- account: Read member email, writing of member info, and marking notifications read
To learn more, refer to Authorizing with Trello's REST API.
- In the Admin Portal under Enter the Trello Admin Email ID, enter your admin email ID used to log in to Trello.
Under Authorize the SaaS Application, enter your Trello API Key and Organization ID.
You should have copied your API key earlier, and the Organization ID can be found in the address bar of your Trello workspace page.
- Click Provide Admin Credentials. Log in with your Trello admin information and click Allow to give Zscaler access to the application.
- Twilio
Twilio can only be configured for SSPM Scan, which requires an Advanced SSPM license. If you don't have the correct license, you will see a message to upgrade your license next to the SSPM Scan checkbox.
- Log in to the Twilio Portal with your admin credentials.
Go to Account-Management from the top-right corner.
In the left-side navigation, click API keys & tokens.
- Click Create API Key. Enter the name, region, and set Key Type as Main. Click Create.
Copy the SID and Secret for use later.
- In the Admin Portal, under Enter the Twilio Admin Email ID, enter your admin email ID used to log in to Twilio.
Under Authorize the SaaS Application, enter the Account SID and Secret you copied earlier and click Provide Admin Credentials to grant Zscaler access to the application.
- Webex Teams
- Both onboarding options for Webex Teams allow you to configure rules for messages, but for file attachments you need to onboard the tenant for Real-time DLP. To learn more about rules and in-line DLP configuration, see Adding a Collaboration & Online Meetings Rule for Cloud App Control and Configuring DLP Policy Rules.
- DLP and Malware scanning SaaS API and Real-time DLP cannot be enabled at the same time. You have the ability to easily switch between the two when editing the tenant.
- DLP and Malware Scanning SaaS API and SSPM Scan
- Under Enter the Webex Teams Admin Email ID, enter your admin email ID used to log in to the Webex portal.
- Under Authorize the SaaS Application, click Provide Admin Credentials.
The Webex portal appears.
- Log in to Webex.
- Review the required permissions for the Zscaler service to access Webex Teams, follow the on-screen instructions, and click Allow.
- In the Admin Portal, click Authorize if you already have a Cisco connection, or click Create a Bot if you don't.
The Webex portal appears.
- Sign in and review the required permissions for the Zscaler service to send notifications to users through a custom bot, and click Allow.
- Real-time DLP
Under Enter the Webex Teams Admin Email ID, enter your admin email ID used to log in to the Webex portal.
- Under Authorize the SaaS Application, click Provide Admin Credentials.
- Log in to Webex.
- Review the required permissions for the Zscaler service to access Webex Teams, follow the on-screen instructions, and click Allow.
- In the Admin Portal, click Authorize.
- Zoom
- Sign in to Zoom with your admin account.
- Go to the Zoom Marketplace.
Go to Develop > Build App.
- Select General App and click Create.
Go to the Production tab and choose Admin-managed for the app type. Click Save.
Go to the App Credentials tab in the left-side navigation and note down your Client ID and Client Secret for use later.
Under OAuth Redirect URL and OAuth Allow Lists, enter the URL of your Zscaler server.
List of Zscaler URLs:
https://admin.zscalerbeta.net
https://admin.zscalertwo.net
https://admin.zscalerthree.net
https://admin.zscaler.net
https://admin.zscloud.net
- Go to the App Listing tab and add Short Description, Long Description, Developer Contact Information, and any other mandatory fields.
Go to the Scopes tab and add the following scopes:
- account:read:settings:admin
- account:update:settings:admin
- After adding the scopes, add a Scope Description and click Continue.
Go to Beta Test in the left-side navigation. If everything has been set up correctly, you will see an Add App Now button. Don't select the button; it only indicates that you have configured everything. If any required information is missing, this page shows what is still missing before the Add App Now button appears.
In the Admin Portal, under Authorize the SaaS Application, enter your Client ID and Client Secret noted down earlier.
In the Admin Email ID field, enter the email address of the Zoom user assigned the Owner role, and click Authorize. For information on Zoom user roles, refer to the Zoom documentation.
- Click Save and activate the change.
After adding the tenants, you can configure the Data at Rest Scanning DLP policy, Malware Detection policy, and Scan Configuration. You can also view reports and data for the tenants in the SaaS Security Report, Insights, and Logs.
You can add up to 16 tenants per SaaS application. Contact Zscaler Support for a possible increase in this limit.