
Configuring Microsoft AD FS as an External IdP

This guide describes how to configure Microsoft Active Directory Federation Services (AD FS) as the SAML Identity Provider (IdP) for ZIdentity, enabling single sign-on (SSO) to Zscaler services for admin access management.

If you want to use step-up authentication, an OIDC-based integration is recommended, because most IdPs support step-up authentication only with the OIDC protocol.

Prerequisites

  • A Microsoft Windows Server with the following components installed and connected:
    • Active Directory
    • AD FS
  • An administrator account for the Windows Server
  • A ZIdentity account with an admin role that allows you to add an IdP configuration

Configuring Microsoft AD FS as IdP for ZIdentity

      1. Log in to the Windows Server as an administrator.
      2. Open the Server Manager and go to AD FS > Tools > AD FS Management.
      3. Go to Services > Endpoints and locate the Metadata URL Path. The typical URL path is /FederationMetadata/2007-06/FederationMetadata.xml.

      4. To download the metadata, enter the following URL in the browser:

        https://<computer-name.domain><metadata_URL_path>

        For example, if the computer name is zsad and the domain name is zsidentity, the URL to download the metadata is https://zsad.zsidentity.com/FederationMetadata/2007-06/FederationMetadata.xml.

        The federation metadata is downloaded as an XML file.
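Before uploading the file, it is worth confirming that it is the metadata of the intended AD FS instance and that its token-signing certificate is not about to expire. The following PowerShell is an added example, not part of the Zscaler page; the file path is an assumption.

```powershell
# Added example (not from the Zscaler page): sanity-check the downloaded AD FS
# federation metadata before uploading it. The file path is an assumption.
$metadataPath = 'C:\Temp\FederationMetadata.xml'

[xml]$md = Get-Content -Path $metadataPath -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

# The entityID is the Issuer value ZIdentity will expect in every assertion.
$entity = $md.SelectSingleNode('/md:EntityDescriptor', $ns)
Write-Host ("entityID: {0}" -f $entity.GetAttribute('entityID'))

# SAML 2.0 SSO endpoints that ZIdentity will send AuthnRequests to.
$idp = $entity.SelectSingleNode('md:IDPSSODescriptor', $ns)
foreach ($sso in $idp.SelectNodes('md:SingleSignOnService', $ns)) {
    Write-Host ("SSO  {0} -> {1}" -f $sso.GetAttribute('Binding'), $sso.GetAttribute('Location'))
}

# Token-signing certificate(s) that ZIdentity will use to verify assertion signatures.
foreach ($kd in $idp.SelectNodes('md:KeyDescriptor[@use="signing"]', $ns)) {
    $b64  = $kd.SelectSingleNode('ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns).InnerText
    $raw  = [Convert]::FromBase64String(($b64 -replace '\s', ''))
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$raw)
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    Write-Host ("Signing cert {0} thumbprint={1} expires={2:yyyy-MM-dd} ({3} days left)" -f `
        $cert.Subject, $cert.Thumbprint, $cert.NotAfter, $daysLeft)
    if ($daysLeft -lt 30) {
        Write-Warning 'Token-signing certificate expires soon; upload fresh metadata to ZIdentity after rollover.'
    }
}

# On the AD FS server itself, the thumbprint printed above should match the current
# primary token-signing certificate:
#   Get-AdfsCertificate -CertificateType Token-Signing | Select-Object Thumbprint, IsPrimary
```

Because AD FS renews its token-signing certificate automatically by default (AutoCertificateRollover), the certificate captured in uploaded metadata becomes stale at rollover and assertion validation fails until the IdP metadata in ZIdentity is refreshed.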

      1. Log in to the Admin Portal.
      2. Go to Administration > Identity > ZIdentity > External Identities.
      3. Click Add Primary IdP (or Add Secondary IdP).

        The Add Primary Identity Provider (or Add Secondary Identity Provider) window appears.

      4. On the Basic tab:

        1. Under the General section:

          1. Name: Enter a name for the IdP.
          2. Identity Vendor: Select Active Directory Federated Service from the drop-down menu.
          3. Domain: Select the domain for which the IdP is responsible for authenticating the users. This allows the Zscaler service to display the correct IdP to authenticate an incoming user.
          4. Protocol: Select SAML.
          5. Status: Select Enabled.
          6. Login ID Attribute: Enter the attribute that you want to map to the Login ID attribute.

            • If you are using email as the Login ID attribute, ensure that your email domain matches one of the domains added to ZIdentity for the Primary Email attribute.
            • You can use any email domain for your primary email if you are using an attribute other than email as the source for the Login ID attribute.
            • Ensure that the attribute that you enter in the Login ID field exactly matches the attribute name received in the SAML assertions.

        2. Under the SAML Configuration section:

          1. Select Upload Metadata as the Input Method.
          2. Click Upload IdP Metadata.
          3. Select the AD FS federation metadata file downloaded in the previous step.
          4. Click Save.

        The AD FS IdP configuration is saved.

      5. Locate the IdP configuration created for AD FS and click the Edit icon.
      6. Under the SAML Configuration section, locate SP Metadata, and click Download SP Metadata.

        The SP Metadata file is downloaded as an XML file.

      7. Go to the Advanced tab and enable SAML Request Signing.

      8. Click Update.
    1. On the Windows Server, open the Server Manager.
    2. Go to AD FS > Tools > AD FS Management.
    3. Under AD FS > Relying Party Trusts, click Add Relying Party Trust....

      The Add Relying Party Trust Wizard window appears.

    4. In the Add Relying Party Trust Wizard window:

      1. Select Claims aware and click Start.

      2. In the Select Data Source step, select the Import data about the relying party from a file option, and enter the location of the SP Metadata XML file downloaded from the Admin Portal in the previous step.

      3. Click Next.
      4. In the Specify Display Name step, enter a name for the relying party (e.g., ZIdentity).

      5. Click Next.
      6. Navigate to the Finish step and click Close.

      ZIdentity is added as a Relying Party Trust in AD FS.

    1. In the Admin Portal, go to Administration > Identity > ZIdentity > External Identities.
    2. Locate the IdP entry created for AD FS under the Primary Identity Provider (or Secondary Identity Providers) tab and click the Edit icon.
    3. In the Edit Primary IdP (or Edit Secondary IdP) window:

      1. Go to the Provisioning tab.
      2. Select Enable Just-in-time (JIT) Provisioning.
      3. Just-in-time User Group Attribute: Enter the claim name created for group information retrieval (e.g., Groups). This retrieves the group membership information of the users from AD FS.
      4. Map the ZIdentity user attributes, including custom attributes, to the appropriate AD FS attributes as necessary. Mapping the Primary Email attribute is mandatory because it is required for functions such as password reset and multi-factor authentication. By default, the following attributes in SAML assertions are mapped to the corresponding ZIdentity user attributes.

        Attribute in SAML Assertions   Default ZIdentity User Attributes
        firstName                      First Name
        lastName                       Last Name
        displayName                    Display Name
        • If the external IdP is configured to send different attributes for First Name, Last Name, or Display Name, then you must map those attributes. For example, if the SAML assertion from the external IdP includes Surname instead of lastName, then you must map it with the Last Name user attribute in ZIdentity.
        • If you want to map custom user attributes (e.g., Department), make sure they are already configured in the ZIdentity Admin Portal. To learn more about configuring custom user attributes, see Adding User Attributes.
        • While mapping attributes, ensure that the attributes that you enter in the Just-in-time Attribute field exactly match the attribute names that will be received in the SAML assertions.

    4. On the Windows Server, open Server Manager.
    5. Go to AD FS > Tools > AD FS Management.
    6. Under AD FS, click Relying Party Trusts and locate the relying party trust created for ZIdentity.
    7. Right-click the ZIdentity relying party trust and select Edit Claim Issuance Policy.

      The Edit Claim Issuance Policy window appears.

    8. In the Edit Claim Issuance Policy window:

      1. Click Add Rule....

        The Add Transform Claim Rule Wizard window appears.

      2. In the Add Transform Claim Rule Wizard window:
        1. In the Choose Rule Type step, select the Send LDAP Attributes as Claims option from the Claim rule template drop-down menu.

        2. Click Next.

          The Edit Rule window appears.

        3. In the Edit Rule window:

          1. Claim rule name: Enter a name for the claim rule.
          2. Map the ZIdentity user attributes, including custom attributes, to the appropriate AD FS attributes as configured in the ZIdentity Admin Portal in the previous step.
          3. Click OK.

          The claim rule is added.

      3. Click OK.

      The AD FS users are provisioned for ZIdentity.
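The relying party trust, the claim rule and the request-signing requirement above can also be applied with the AD FS PowerShell module. This is an added example, not from the Zscaler page; the file path, trust name and the outgoing claim type names (email, firstName, lastName, displayName, Groups) are assumptions and must match what was entered in the Admin Portal.

```powershell
# Added example (not from the Zscaler page): the AD FS side of the procedure as
# PowerShell, run in an elevated session on the AD FS server. Path, trust name and
# claim type names are assumptions; the claim names must match the ZIdentity
# Login ID / Just-in-time attribute fields character for character.
Import-Module ADFS

$trustName  = 'ZIdentity'
$spMetadata = 'C:\Temp\ZIdentity-SP-Metadata.xml'   # downloaded from the Admin Portal

# Equivalent of the wizard's "Import data about the relying party from a file".
# The wizard also assigns an access control policy; when scripting, set one explicitly
# (-AccessControlPolicyName on AD FS 2016+), otherwise no user is authorized to sign in.
Add-AdfsRelyingPartyTrust -Name $trustName -MetadataFile $spMetadata `
    -AccessControlPolicyName 'Permit everyone'

# "Send LDAP Attributes as Claims" rule in AD FS claim rule language. The LDAP
# attributes in the query are issued as the claim types listed, in the same order.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "ZIdentity user attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("email", "firstName", "lastName", "displayName", "Groups"),
          query = ";mail,givenName,sn,displayName,tokenGroups;{0}",
          param = c.Value);
'@

# Apply the rule and make AD FS enforce what ZIdentity's "SAML Request Signing" setting
# sends: unsigned AuthnRequests are rejected, and response and assertion are both signed.
# Only require signed requests once the trust holds ZIdentity's request-signing
# certificate (RequestSigningCertificate below is non-empty); otherwise logins fail.
Set-AdfsRelyingPartyTrust -TargetName $trustName `
    -IssuanceTransformRules $rules `
    -SignedSamlRequestsRequired $true `
    -SamlResponseSignature 'MessageAndAssertion'

# Verify the resulting trust configuration.
Get-AdfsRelyingPartyTrust -Name $trustName |
    Select-Object Name, Identifier, SignedSamlRequestsRequired, SamlResponseSignature,
                  RequestSigningCertificate, IssuanceTransformRules
```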
