Admin SAML Configuration Guide for AD FS 3.0
This example illustrates how to configure a Windows Server 2012 R2 running Active Directory Federation Services 3.0 (AD FS) as the identity provider (IdP) for the Zscaler service and use SAML single sign-on (SSO) for your organization's admins. For more information about the Windows Server 2012 R2 steps themselves, refer to the Microsoft AD FS documentation.
Prerequisites
Ensure you have the following before configuring AD FS:
- AD FS account with admin privileges
- Admin accounts created for your organization's admins
- Zscaler Admin XML Metadata
Configuring Admin SAML SSO in AD FS
To configure AD FS as the IdP for the Zscaler service and use SAML SSO for admins:
- Add a Relying Party Trust and Claim Rule.
In AD FS, a relying party is a Federation Service or application that requests and processes claims from a claims provider in a particular transaction. Configure the Zscaler service as a relying party trust, then add a claim rule, which is a statement that provides information about a user. The Zscaler service uses the claim rule to determine whether the user is allowed access.
To add Zscaler as a relying party trust and to add a claim rule:
- On the Server Manager, go to Tools > AD FS Management.
- In the left navigation panel of the AD FS window, expand the AD FS folder, then expand the Trust Relationships folder, and click the Relying Party Trusts folder.
- In the Actions panel on the right, under Relying Party Trusts, click Add Relying Party Trust….
- When the Add Relying Party Trust Wizard appears, click Start. The wizard sections are listed on the left pane.
- In Select Data Source, do the following:
  - Select Import data about the relying party from a file.
  - Under Federation metadata file location, click Browse, navigate to the Admin SP XML metadata file, and then click Open.
  - When the location of the Admin SP XML metadata file displays, click Next.
- In Specify Display Name, enter a display name for the Zscaler service, such as Zscaler Admin SAML, and then click Next.
- In Configure Multi-factor Authentication Now?, select I do not want to configure multi-factor authentication settings for this relying party trust at this time, and then click Next.
- In Choose Issuance Authorization Rules, select Permit all users to access this relying party, and then click Next.
- In Ready to Add Trust, review your settings, and click Next.
- In Finish, select Open the Edit Claim Rules dialog for this relying party trust when the wizard closes, and then click Finish to add the relying party trust to the database.
- When the Edit Claim Rules window appears, click Add Rule.
- In Choose Rule Type of the Add Transform Claim Rule Wizard, choose Send LDAP Attributes as Claims from the dropdown menu, and then click Next.
- In Configure Claim Rule, do the following:
  - Enter a name for the claim rule, such as zsbeta claims.
  - Choose Active Directory from the Attribute Store dropdown menu.
  - Map the LDAP attributes that represent the admin's login name, full name, department, and group to fields in the outgoing claim type:
    - Map the LDAP attribute for login name to an outgoing claim type. In the LDAP Attribute column, choose User-Principal-Name. In the Outgoing Claim Type column, choose Name ID. The email address is sent as the Name ID.
    - Map the LDAP attribute for full name to an outgoing claim type. In the LDAP Attribute column, choose Display-Name. In the Outgoing Claim Type column, enter displayName.
- Click Finish to add the claim rule.
- When the Edit Claim Rules window displays the newly added claim rule in the list, click Apply, and then click OK.
- Export the IdP SAML SSL certificate.
To export the AD FS token-signing certificate that you will upload to the Zscaler service:
- In the left navigation panel of the AD FS window, expand the Service folder, and then click the Certificates folder.
- In the Certificates panel, right-click the certificate under Token-signing, and click View Certificate....
- In the Certificate window, select the Details tab, and click Copy to File….
- When the Certificate Export Wizard appears, click Next.
- In Export File Format, select Base-64 encoded X.509 (.CER), and click Next.
- In File to Export, click Browse to navigate to the location where you want to export the certificate, enter a certificate name, and then click Next. In this example, the certificate is called adfsadmin.
- When the export is complete, click Finish, and then click OK to close the Certificate Export Wizard.
- Click OK to close the Certificate window.
- Go to the exported certificate, and ensure the following:
  - The certificate file name has a .pem extension. (For example, rename adfsadmin.cer to adfsadmin.pem.) The Zscaler service accepts certificates with the .pem extension only.
  - The file name contains one dot (".") only.
  By default, Windows hides extensions for known file types. To change the Windows Folder Options so that you can view and edit extensions:
  - Start Windows Control Panel.
  - Go to Appearance > Folder Options > View.
  - When the Folder Options window appears, deselect Hide extensions for known file types to view extensions.
  - Rename the extension of the exported certificate.
You will upload this IdP SAML SSL certificate to the Admin Portal.
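As an added example (not part of the Zscaler guide), the same two steps as an AD FS PowerShell script: it imports the Admin SP metadata as a relying party trust with the "Send LDAP Attributes as Claims" rule and the "permit all users" authorization rule chosen above, then exports the primary token-signing certificate as Base-64 X.509 and checks the file-name rules before upload. The metadata path, the export path, and the AD FS PowerShell module being available on the AD FS server are assumptions.

```powershell
# Added example, not from the Zscaler page. Assumes it runs on the AD FS server
# with the ADFS module, and that the two paths below are correct for your setup.
Import-Module ADFS

$metadataFile = 'C:\Temp\zscaler-admin-sp-metadata.xml'   # assumed path to the Admin SP XML metadata
$displayName  = 'Zscaler Admin SAML'
$exportPath   = 'C:\Temp\adfsadmin.pem'                   # .pem extension, one dot only

# Claim rule in AD FS claims rule language, equivalent to the wizard choices:
# Attribute store = Active Directory, User-Principal-Name -> Name ID, Display-Name -> displayName.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "zsbeta claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "displayName"), query = ";userPrincipalName,displayName;{0}", param = c.Value);
'@

# "Permit all users to access this relying party"
$authorizationRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Step 1: relying party trust imported from the SP metadata file, with both rule sets attached
Add-AdfsRelyingPartyTrust -Name $displayName -MetadataFile $metadataFile `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authorizationRules

# Step 2: export the primary token-signing certificate as Base-64 encoded X.509 (PEM)
$tokenSigning = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$der  = $tokenSigning.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64  = [Convert]::ToBase64String($der)
$body = ($b64 -split '(.{64})' | Where-Object { $_ }) -join "`r`n"   # wrap at 64 characters per line
$pem  = "-----BEGIN CERTIFICATE-----`r`n$body`r`n-----END CERTIFICATE-----"
Set-Content -Path $exportPath -Value $pem -Encoding Ascii

# Checks matching the page's file-name requirements before uploading to the Admin Portal
$leaf = Split-Path -Leaf $exportPath
if ($leaf -notlike '*.pem' -or $leaf.Split('.').Count -ne 2) {
    throw "File name must end in .pem and contain exactly one dot: $leaf"
}
Write-Host "Exported token-signing cert $($tokenSigning.Thumbprint) to $exportPath (valid until $($tokenSigning.Certificate.NotAfter))"
```

The thumbprint and expiry printed at the end are worth recording, because the Admin Portal upload must be repeated whenever the AD FS token-signing certificate rolls over.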
Make sure that the External Identities (IdP) and SAML Attributes are configured in the Admin Portal.
Verifying Admin Portal Access via SSO
To verify the Admin Portal access via SSO:
- On the Windows device, browse to the following URL:
https://<AD FS Server>/adfs/ls/idpinitiatedSignOn.aspx
The <AD FS Server> depends on your AD FS server name. For example, if your AD FS server name is adfs.safemarch.com, you enter https://adfs.safemarch.com/adfs/ls/idpinitiatedSignOn.aspx.
- Verify that you are directed to the AD FS login screen.
- Log in using your SAML admin login credentials to authenticate.