
Configuring Auth0 as an External IdP

This guide describes how to configure Auth0 as the OpenID Provider (OP) for ZIdentity, enabling single sign-on (SSO) to Zscaler services for admin access management.

Prerequisites

Ensure that you have:

  • A subscription to Auth0
  • An existing user directory in Auth0
  • A ZIdentity account with an admin role that allows you to add an IdP configuration

Configuring Auth0 as OP for ZIdentity

Complete the following steps to set up Auth0 as an OP for ZIdentity:

    1. Log in to the Auth0 Dashboard.
    2. Go to Applications > Applications.
    3. Click Create Application.

      [Screenshot: the Create Application option in the Auth0 Dashboard]

    4. In the Create Application window:

      1. Name: Enter a name for the application.
      2. Application Type: Select the Regular Web Application option.
      3. Click Create.

      The application is created.

    5. On the application page, go to the Settings tab, and do the following:
      1. Under the Basic Information section, copy the Client ID and Client Secret values.
      2. Expand the Advanced Settings section, go to the Endpoints tab, and copy the OpenID Configuration value.

    1. Log in to the Admin Portal.
    2. Go to Administration > Identity > ZIdentity > External Identities.
    3. Click Add Primary IdP (or Add Secondary IdP).
      The Add Primary Identity Provider or Add Secondary Identity Provider window appears.
    4. On the Basic tab:
      1. Under the General section:

        1. Name: Enter a name for the IdP.
        2. Identity Vendor: Select Others from the drop-down menu.
        3. Domain: Select the domain for which the IdP is responsible for authenticating the users. This allows the Zscaler service to display the correct IdP to authenticate an incoming user.
        4. Protocol: Select OIDC.
        5. Status: Select Enabled.
        6. Login ID Attribute: Enter the ID token attribute to map to the Login ID attribute. You can use any attribute in email address format, e.g., <user_name>@domain.com. However, Zscaler recommends using preferred_username as the Login ID attribute.

          • If you are using email as the Login ID attribute, ensure that your email domain matches one of the domains added to ZIdentity for the Primary Email attribute.
          • You can use any email domain for your primary email if you are using an attribute other than email as the source for the Login ID attribute.
          • Ensure that the attribute you enter in the Login ID field exactly matches the attribute received in the ID tokens.

      2. Under the OIDC Configuration section:

        1. Paste the Client ID and Client Secret values copied from the Auth0 Dashboard in step 1e into the respective fields.
        2. Paste the OpenID Configuration value copied from the Auth0 Dashboard in step 1e into the Metadata URL field and click Fetch.
        3. Copy the Redirect URI value.
        4. Add email and profile to the Requested Scopes field.

    5. Click Save.
    6. Go to the Auth0 Dashboard, go to Applications > Applications, and click the application created for Auth0 in step 1.
    7. On the application page, go to Settings > Application URIs, and do the following:

      1. Paste the Redirect URI value copied from the Admin Portal into the Application Login URI and Allowed Callback URLs fields.
      2. Click Save Changes.
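The Fetch of the Metadata URL above pulls the OpenID Configuration (discovery) document from Auth0 and trusts what it says about the issuer, endpoints and signing keys. The following is an added example, not Zscaler or Auth0 code, of the sanity checks a consumer of that document should make: the issuer must agree with the URL the document was fetched from, every endpoint must be HTTPS, signed ID tokens (RS256) must be offered, and the scopes requested in ZIdentity (openid, email, profile) should be advertised. The tenant name and both discovery documents are constructed for illustration; a real run would GET the Metadata URL over TLS and pass the response body in as document_text.

```python
"""Sanity checks on an OpenID Configuration (discovery) document before an
IdP is trusted. Added example; tenant and documents are constructed."""
import json
from urllib.parse import urlparse

# Constructed Metadata URL for a fictitious Auth0 tenant.
SAMPLE_METADATA_URL = "https://example-tenant.us.auth0.com/.well-known/openid-configuration"

# Constructed discovery document, trimmed to the fields the checks look at.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://example-tenant.us.auth0.com/",
    "authorization_endpoint": "https://example-tenant.us.auth0.com/authorize",
    "token_endpoint": "https://example-tenant.us.auth0.com/oauth/token",
    "jwks_uri": "https://example-tenant.us.auth0.com/.well-known/jwks.json",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "scopes_supported": ["openid", "profile", "email"],
})

# Same document with two defects: the issuer does not match the URL it was
# fetched from, and the token endpoint is plain HTTP.
SAMPLE_DISCOVERY_BAD = json.dumps({
    **json.loads(SAMPLE_DISCOVERY),
    "issuer": "https://other-tenant.us.auth0.com/",
    "token_endpoint": "http://example-tenant.us.auth0.com/oauth/token",
})

REQUIRED_FIELDS = (
    "issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
    "response_types_supported", "subject_types_supported",
    "id_token_signing_alg_values_supported",
)
ENDPOINT_FIELDS = ("authorization_endpoint", "token_endpoint", "jwks_uri")
WELL_KNOWN = "/.well-known/openid-configuration"


def validate_discovery(metadata_url, document_text,
                       requested_scopes=("openid", "email", "profile")):
    """Return a list of problems; an empty list means the document is usable."""
    problems = []
    try:
        doc = json.loads(document_text)
    except json.JSONDecodeError as exc:
        return [f"metadata is not JSON: {exc}"]

    for field in REQUIRED_FIELDS:
        if field not in doc:
            problems.append(f"missing required field '{field}'")

    # OIDC Discovery places the document at <issuer>/.well-known/openid-configuration,
    # so the advertised issuer must agree with the URL it was fetched from.
    issuer = str(doc.get("issuer", ""))
    if issuer.rstrip("/") + WELL_KNOWN != metadata_url:
        problems.append(f"issuer '{issuer}' does not match metadata URL '{metadata_url}'")

    # Tokens and keys must never travel over plain HTTP.
    for field in ENDPOINT_FIELDS:
        url = doc.get(field)
        if url is not None and urlparse(url).scheme != "https":
            problems.append(f"{field} is not https: {url}")

    algs = doc.get("id_token_signing_alg_values_supported", [])
    if "none" in algs:
        problems.append("IdP advertises unsigned ('none') ID tokens")
    if "RS256" not in algs:
        problems.append("IdP does not advertise RS256 ID token signatures")

    # scopes_supported is optional in discovery; only check it when present.
    supported = doc.get("scopes_supported")
    if supported is not None:
        for scope in requested_scopes:
            if scope not in supported:
                problems.append(f"requested scope '{scope}' is not in scopes_supported")
    return problems


if __name__ == "__main__":
    for label, text in (("good", SAMPLE_DISCOVERY), ("bad", SAMPLE_DISCOVERY_BAD)):
        print(label, validate_discovery(SAMPLE_METADATA_URL, text) or "OK")
```

The issuer check matters because the issuer string is what every ID token's iss claim is later compared against; a discovery document that names a different issuer than the host it was fetched from should be rejected rather than silently accepted.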


    1. In the Admin Portal, go to Administration > Identity > ZIdentity > External Identities.
    2. Locate the IdP entry created for Auth0 under the Primary Identity Provider (or Secondary Identity Providers) tab and click the Edit icon.
    3. In the Edit Primary IdP (or Edit Secondary IdP) window:

      1. Go to the Provisioning tab.
      2. Select Enable Just-in-time (JIT) Provisioning.
      3. Map ZIdentity user attributes to the appropriate Auth0 attributes as necessary. Mapping the Primary Email attribute is mandatory because it is required for functionality such as password reset and multi-factor authentication. By default, the following attributes in ID tokens are mapped to the corresponding user attributes in ZIdentity:

         Attribute in ID Tokens    Default ZIdentity User Attribute
         given_name                First Name
         family_name               Last Name
         name                      Display Name

      • If the external IdP is configured to send different attributes for First Name, Last Name, or Display Name, then you must map those attributes. For example, if the ID token from the external IdP includes Surname instead of family_name, you must map it to the Last Name user attribute in ZIdentity.
      • While mapping attributes, ensure that the attributes you enter in the Just-in-time Attribute field exactly match the attributes received in the ID tokens.

    4. Click Update.

    You can configure step-up authentication to extend the existing authentication process by requiring multi-factor authentication (MFA) when needed, ensuring that access to high-risk or sensitive data is protected.

    Before configuring step-up authentication, make sure you have configured authentication levels and access policies. To learn more, see Understanding Step-Up Authentication.

    To enable step-up authentication:

    1. In the Admin Portal, go to Administration > Identity > ZIdentity > External Identities.
    2. Locate the IdP entry created for Auth0 under the Primary Identity Provider (or Secondary Identity Providers) tab and click the Edit icon.
    3. In the Edit Primary IdP (or Edit Secondary IdP) window:
      1. Go to the Advanced tab.
      2. Under the Levels to Authentication context mapping section, enter the ACR Claim value for each authentication level. To learn more about the supported ACR Claims in Auth0, refer to the Auth0 Technical documentation.

        Ensure that you map proper ACR claims for each level depending on the hierarchy. The highest level of authentication must be mapped to the ACR value for the strongest context.

    4. Click Update.
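The Login ID attribute, the JIT attribute mapping and the Levels-to-ACR mapping above all operate on the claims of the ID token Auth0 returns. The following added example, which is not Zscaler or Auth0 code, shows those three rules applied to one constructed claim set: the Login ID claim name must match the token exactly, an email-sourced Login ID must belong to a domain registered in ZIdentity while any other source may use any email domain, a custom claim such as Surname can be mapped over the family_name default, and a token's acr claim resolves to the highest authentication level it satisfies. The claim set, the registered domains, the ACR values and the choice of the email claim for Primary Email are all assumptions; the token is taken to have been signature-checked already.

```python
"""ID token claims applied to the ZIdentity Login ID, JIT mapping and
step-up level rules. Added example; all sample values are constructed."""

# Default ID token claim -> ZIdentity user attribute mapping from the page.
DEFAULT_JIT_MAPPING = {
    "given_name": "First Name",
    "family_name": "Last Name",
    "name": "Display Name",
}
# Claim assumed to feed the mandatory Primary Email attribute (not stated on the page).
PRIMARY_EMAIL_CLAIM = "email"

# Domains added to ZIdentity for the Primary Email attribute (constructed).
ZIDENTITY_EMAIL_DOMAINS = {"example.com"}

# Constructed claim set. The IdP sends 'Surname' instead of 'family_name',
# and the email lives under a domain not registered in ZIdentity.
SAMPLE_CLAIMS = {
    "iss": "https://example-tenant.us.auth0.com/",
    "sub": "auth0|0123456789",
    "preferred_username": "jdoe@example.com",
    "email": "jane.doe@partner.example.net",
    "given_name": "Jane",
    "Surname": "Doe",
    "name": "Jane Doe",
    "acr": "urn:example:acr:mfa",
}

# Constructed Levels-to-ACR mapping: a higher level means a stronger context.
LEVEL_TO_ACR = {1: "urn:example:acr:password", 2: "urn:example:acr:mfa"}


def resolve_login_id(claims, login_id_attribute, email_domains=ZIDENTITY_EMAIL_DOMAINS):
    """Pick the Login ID from the named claim. The claim name must match the
    token exactly, the value must be email-shaped, and when 'email' itself is
    the source its domain must be registered in ZIdentity."""
    if login_id_attribute not in claims:
        raise KeyError(f"ID token carries no '{login_id_attribute}' claim")
    value = str(claims[login_id_attribute])
    local, at, domain = value.rpartition("@")
    if not at or not local or "." not in domain:
        raise ValueError(f"{login_id_attribute}={value!r} is not in <user_name>@domain form")
    if login_id_attribute == "email" and domain.lower() not in email_domains:
        raise ValueError(f"email domain {domain!r} is not added to ZIdentity")
    return value


def jit_attributes(claims, overrides=None):
    """Map claims to ZIdentity user attributes for JIT provisioning.
    overrides = {claim_name: attribute} replaces the default claim for that
    attribute, e.g. {"Surname": "Last Name"}. Primary Email is mandatory."""
    claim_for = {attr: claim for claim, attr in DEFAULT_JIT_MAPPING.items()}
    claim_for["Primary Email"] = PRIMARY_EMAIL_CLAIM
    for claim, attr in (overrides or {}).items():
        claim_for[attr] = claim
    attributes = {}
    for attr, claim in claim_for.items():
        if claim in claims:
            attributes[attr] = claims[claim]
        elif attr == "Primary Email":
            raise KeyError(f"mandatory Primary Email claim '{claim}' is missing")
    return attributes


def validate_level_mapping(level_to_acr):
    """Levels must run 1..n, each with its own ACR value."""
    levels = sorted(level_to_acr)
    if levels != list(range(1, len(levels) + 1)):
        raise ValueError(f"levels must be contiguous from 1, got {levels}")
    if len(set(level_to_acr.values())) != len(levels):
        raise ValueError("each level needs a distinct ACR value")


def authenticated_level(claims, level_to_acr):
    """Highest level whose ACR value equals the token's acr claim (0 if none)."""
    validate_level_mapping(level_to_acr)
    acr = claims.get("acr")
    return max((lvl for lvl, value in level_to_acr.items() if value == acr), default=0)


def meets_level(claims, level_to_acr, required_level):
    """True when the token's context is at least as strong as required_level."""
    return authenticated_level(claims, level_to_acr) >= required_level


if __name__ == "__main__":
    print(resolve_login_id(SAMPLE_CLAIMS, "preferred_username"))
    print(jit_attributes(SAMPLE_CLAIMS, {"Surname": "Last Name"}))
    print(authenticated_level(SAMPLE_CLAIMS, LEVEL_TO_ACR))
```

With preferred_username as the Login ID source the unregistered email domain is acceptable for Primary Email, exactly as the note under the Login ID Attribute setting says; switching the source to email makes the same token fail the domain check. Leaving out the Surname override silently drops Last Name from the provisioned user, which is why the page insists the Just-in-time Attribute names match the token exactly.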