
Admin SAML Configuration Guide for AD FS 3.0

This guide demonstrates how to configure a Windows Server 2012 R2 server running Active Directory Federation Services (AD FS) 3.0 as the identity provider (IdP) for the Zscaler service and use SAML single sign-on (SSO) for your organization's admins. To learn more about the individual steps in Windows Server 2012 R2, refer to the Microsoft documentation.

Prerequisites

Ensure that you have the following before configuring AD FS:

Configuring Admin SAML SSO in AD FS

To configure AD FS as the IdP for Zscaler Cloud & Branch Connector and use SAML SSO for admins:

  • In AD FS, a relying party is a Federation Service or application that consumes the claims issued by a claims provider in a particular transaction. To add Cloud & Branch Connector as a relying party trust and to add the claim rule that sends the user's UPN as the Name ID:

    1. In the left-side navigation of the AD FS window, expand the AD FS folder, then expand the Trust Relationships folder.
    2. Right-click Relying Party Trusts and click Add Relying Party Trust... Alternatively, in the right-side navigation of the AD FS window, in Relying Party Trusts, click Add Relying Party Trust...

    3. In the Add Relying Party Trust Wizard window:
      1. On the Welcome step, click Start.

      2. On the Select Data Source step, select Import data about the relying party from a file, then click Browse.

      3. Import your XML Metadata file, then click Next.
      4. On the Specify Display Name step, under Display name, enter Zscaler Cloud and Branch Connector Administrator Application, then click Next.

      5. On the Configure Multi-factor Authentication Now? step, select I do not want to configure multi-factor authentication settings for this relying party trust at this time, then click Next.

      6. On the Choose Issuance Authorization Rules step, select Permit all users to access this relying party, then click Next.

      7. On the Ready to Add Trust step, review your settings, then click Next.

      8. On the Finish step, select the checkbox Open the Edit Claim Rules dialog for this relying party trust when the wizard closes, then click Close.

    4. In the Edit Claim Rules for Zscaler Cloud and Branch Connector Administrator Application window, click Add Rule. The Add Transform Claim Rule Wizard window appears.

    5. In the Add Transform Claim Rule Wizard window:
      1. On the Choose Rule Type step, under Claim rule template, select Send LDAP Attributes as Claims, then click Next.

      2. On the Configure Claim Rule step, under Claim rule name, enter Zscaler Cloud and Branch Connector Administrator Application.

      3. Under Attribute store, select Active Directory.

      4. Under Mapping of LDAP attributes to outgoing claim types, in LDAP Attribute, select User-Principal-Name.

      5. Under Outgoing Claim Type, select Name ID, then click Finish.

    6. When the Edit Claim Rules for Zscaler Cloud and Branch Connector Administrator Application window displays the newly added claim rule in the list, click Apply, then click OK.

  • To export the AD FS token-signing certificate that you upload to Cloud & Branch Connector (the service uses it to validate the signature on the SAML assertions AD FS issues):

    1. In the left-side navigation of the AD FS window, expand the Service folder, then click the Certificates folder.

    2. In the Certificates panel, under Token-signing, right-click the primary certificate, then click View Certificate...

    3. In the Certificate window, click the Details tab, and click Copy to File…

    4. When the Certificate Export Wizard window appears, click Next.

    5. In Export File Format, select Base-64 encoded X.509 (.CER), then click Next.

    6. In File to Export, under File name, click Browse, enter adfs-token-signing as the certificate name, then click Next.

    7. In Completing the Certificate Export Wizard, click Finish.

    8. When the Certificate Export Wizard reports that the export was successful, click OK.
  • Step 3: Configure SAML Admin SSO in the Admin Portal
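The relying party trust, the claim rule and the certificate export performed in the wizards above can also be scripted with the AD FS PowerShell module on the AD FS 3.0 server. The script below is an added example, not part of this guide or of the Zscaler service: the metadata file path, the export path and the `C:\Zscaler` folder are assumptions, and the two rule-text blocks are the claim rule language that the "Send LDAP Attributes as Claims" and "Permit all users" templates generate.

```powershell
# Added example (not from the original guide): create the Zscaler relying party
# trust with the UPN -> Name ID claim rule, then export the primary token-signing
# certificate as Base-64 X.509. Run in an elevated PowerShell on the AD FS server.
Import-Module ADFS

$rpName      = 'Zscaler Cloud and Branch Connector Administrator Application'
$metadataXml = 'C:\Zscaler\zscaler-sp-metadata.xml'   # assumed path to the relying party metadata file
$exportPath  = 'C:\Zscaler\adfs-token-signing.cer'    # assumed path for the Base-64 .CER to upload

# Issuance transform rule: the rule text the "Send LDAP Attributes as Claims"
# template produces for LDAP attribute User-Principal-Name -> outgoing claim Name ID.
$transformRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "$rpName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);
"@

# Issuance authorization rule: "Permit all users to access this relying party".
$authzRules = @"
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Create the trust from the metadata file (the wizard's "Import data about the
# relying party from a file" step) and attach both rule sets in the same call.
Add-AdfsRelyingPartyTrust -Name $rpName `
    -MetadataFile $metadataXml `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Export the PRIMARY token-signing certificate (the one AD FS currently signs
# with) in the same format as the wizard's "Base-64 encoded X.509 (.CER)" option.
$tokenSigning = Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary }
$base64 = [Convert]::ToBase64String($tokenSigning.Certificate.RawData,
                                    [Base64FormattingOptions]::InsertLineBreaks)
$pem = "-----BEGIN CERTIFICATE-----`r`n$base64`r`n-----END CERTIFICATE-----`r`n"
Set-Content -Path $exportPath -Value $pem -Encoding Ascii

"Relying party trust '$rpName' created."
"Primary token-signing certificate (thumbprint $($tokenSigning.Thumbprint), valid until $($tokenSigning.Certificate.NotAfter)) exported to $exportPath"

# Caveat: with automatic certificate rollover enabled, AD FS generates a new
# token-signing certificate before the current one expires and promotes it to
# primary. The certificate uploaded to Cloud & Branch Connector must then be
# re-exported and re-uploaded, or admin SSO stops validating.
if ((Get-AdfsProperties).AutoCertificateRollover) {
    Write-Warning "AutoCertificateRollover is enabled: re-export and re-upload the token-signing certificate after each rollover."
}
```

The exported file contains only the public certificate, so it is safe to hand to the service; the private key never leaves AD FS. Keep the `IsPrimary` filter: after a rollover the console lists two token-signing certificates, and uploading the secondary one produces signature validation failures on every login.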

Verifying Admin Portal Access via SSO

To verify the Admin Portal access via SSO:

  1. Browse to the following URL:
https://<AD FS Server>/adfs/ls/idpinitiatedSignOn.aspx

where <AD FS Server> is the exact AD FS server name. For example, if your server name is adfs.safemarch.com, enter https://adfs.safemarch.com/adfs/ls/idpinitiatedSignOn.aspx.

  2. Verify that you are directed to the AD FS sign-in page.
  3. Log in using your SAML admin login credentials to authenticate.
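Before testing the browser login, the trust and the endpoints it depends on can be checked from the AD FS server itself. The following script is an added example, not part of this guide: it assumes the display name used in the wizard above and uses the guide's example server name `adfs.safemarch.com` as a placeholder for your own.

```powershell
# Added example (not from the original guide): pre-flight checks for the
# Zscaler relying party trust and the IdP-initiated sign-on endpoint.
Import-Module ADFS

$rpName     = 'Zscaler Cloud and Branch Connector Administrator Application'
$adfsServer = 'adfs.safemarch.com'   # example name from the guide; replace with your AD FS server

# 1. The trust exists, is enabled, and its transform rules map UPN to Name ID.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp)         { throw "Relying party trust '$rpName' not found" }
if (-not $rp.Enabled) { throw "Relying party trust '$rpName' is disabled" }
if ($rp.IssuanceTransformRules -notmatch 'userPrincipalName' -or
    $rp.IssuanceTransformRules -notmatch 'nameidentifier') {
    throw "Trust '$rpName' does not map User-Principal-Name to Name ID"
}
"Trust OK: identifier(s) $($rp.Identifier -join ', ')"

# 2. The IdP-initiated sign-on page answers (AD FS 3.0 serves it by default).
$signOnUrl = "https://$adfsServer/adfs/ls/idpinitiatedSignOn.aspx"
$resp = Invoke-WebRequest -Uri $signOnUrl -UseBasicParsing
if ($resp.StatusCode -ne 200) { throw "$signOnUrl returned HTTP $($resp.StatusCode)" }
"Sign-on page OK: $signOnUrl"

# 3. The published federation metadata advertises the same primary token-signing
#    certificate that was exported and uploaded to Cloud & Branch Connector.
$metaUrl = "https://$adfsServer/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$metadata = (Invoke-WebRequest -Uri $metaUrl -UseBasicParsing).Content
$published = $metadata.EntityDescriptor.IDPSSODescriptor.KeyDescriptor |
    Where-Object { $_.use -eq 'signing' } |
    ForEach-Object { $_.KeyInfo.X509Data.X509Certificate.Trim() }
$primary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$primaryB64 = [Convert]::ToBase64String($primary.Certificate.RawData)
if ($published -notcontains $primaryB64) {
    throw "Primary token-signing certificate $($primary.Thumbprint) is not in the published metadata"
}
"Metadata OK: primary token-signing certificate $($primary.Thumbprint) is published"
```

If check 3 fails right after a certificate rollover, the certificate you uploaded to the Admin Portal is the old one; re-export the primary certificate and upload it again before retrying the login.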