Configuring the Zscaler Identity Proxy for Cloud Apps
The Zscaler Identity Proxy forces users to access cloud applications through Zscaler. You can configure Zscaler as an Identity Provider (IdP) for the following cloud apps:
- Box
- GitHub
- Google Apps
- Microsoft Office 365
- Salesforce
- ServiceNow
- ShareFile
- Slack
When users try to access the cloud apps using their corporate accounts, but without going through the Zscaler service, authentication fails, and the users aren't able to log in.
To configure Identity Proxy settings for cloud applications in the Admin Portal, see Configure Identity Proxy Settings for each Cloud App.
Zscaler provides secure access to SaaS applications from unmanaged endpoints: every session is forced through the Zscaler service, so all of the defined Internet & SaaS policies are applied and all transactions are logged.
The following diagram shows how the authentication process works when the Zscaler service is set up as the IdP for the cloud apps. The cloud app used in this example is Salesforce:
- The user accesses a SaaS application (e.g., Salesforce) from an unmanaged device.
- The customer's SaaS application tenant is configured with the Zscaler Identity Proxy as its IdP. The Identity Proxy sits between the SaaS application and the customer's own IdP (e.g., Okta, PingFederate, Microsoft Entra ID).
- When the user tries to authenticate to the SaaS application, the application redirects the user to the Zscaler Identity Proxy, which in turn authenticates the user against the customer's IdP to establish the user's identity.
- If the customer's IdP indicates that the authentication request originates from an unmanaged endpoint (based on the device trust attribute), and the original request did not arrive through an Internet & SaaS Public Service Edge, the Identity Proxy handles the request according to the Action configured in the Identity Proxy settings:
- If the Action is set to Block: the request is blocked, so the user cannot access the SaaS application from the unmanaged device.
- If the Action is set to Browser Isolate: the user is redirected to an isolated browser.
- The isolated browser then makes the request to the SaaS application via an Internet & SaaS Service Edge.
- The isolated browser always sends its traffic through the Internet & SaaS Service Edge, so all traffic from it is subject to the configured policies and all of its transactions are logged.
Prerequisite
Ensure SSL Inspection is enabled for the organization location before configuring the Zscaler service as an IdP for the following cloud apps:
- Box
- GitHub
- Google Apps
- Microsoft Office 365
- Salesforce
- ServiceNow
- ShareFile
- Slack
Configuring the Zscaler service as an IdP Proxy
To configure the Zscaler service as an IdP Proxy:
- 1. Configure Identity Proxy Settings for the Cloud App in the Admin Portal
To configure Identity Proxy settings for the cloud app:
- Log in to the Admin Portal.
- Go to Administration > Identity > Internet & SaaS > Identity Proxy Settings.
- Click Add Cloud Application to add a new cloud app instance. To edit a cloud app instance that is already configured, click the Edit icon.
You can select Other Cloud Apps for other cloud apps that support standard SAML-based authentication.
- In the Add Cloud Application/Edit Identity Proxy Settings window, do the following:
- Name: Enter a name for the cloud app instance.
- Status: Enable to use the Zscaler service as the IdP proxy for the cloud app.
- Cloud Application: Select the cloud app that you want the IdP for.
- Domain: Applicable only to Google Apps. Enter the domain name for the Google Apps cloud application.
- ACS URL: This is the Assertion Consumer Service URL. For Box, the URL is displayed. For Office 365, the URL is auto-filled. For Google Apps, the URL is completed as you type in your domain. For the rest of the cloud apps, enter the Login URL that you copy from your cloud app.
- Entity ID: This is auto-populated for most of the cloud apps. For Salesforce, enter the Entity ID that you copy from your cloud app. For GitHub, enter the ACS URL without the trailing /saml/consume (for example, the ACS URL https://github.com/orgs/<org>/saml/consume gives the Entity ID https://github.com/orgs/<org>).
- Response Signing SSL Certificate: Choose the certificate that the Identity Proxy uses to sign SAML responses. Zscaler recommends choosing the certificate with the longest validity period.
- SSL Certificate Expiration Date: Displays the expiration date of the certificate the Identity Proxy uses to sign SAML responses. The field is shown only if the certificate is about to expire or has expired. A Caution icon appears if the certificate expires within 30 days.
- Identity Transformation: Choose one of the following transformation rules for the login attribute.
- Pass-through Zscaler Identity: Passes the Zscaler login name as is.
- Change Domain to: Replaces the domain part of the username with the domain that you choose in the Change Domain to drop-down menu. Zscaler recommends that you not use this option for GitHub.
- Remove Domain Name: Deletes the domain part of the user name in the response and passes only the user ID.
- Pass-on Group Details: Enable to send all group information of the user in the response. For GitHub, select Disable because groups are not supported on GitHub.
- Group Identifier Name: Enter the group attribute name.
- Managed Device: Choose one of the following options based on which you want to identify as your managed devices:
- Proxied via Zscaler: Identifies a device as managed if its traffic is proxied via Zscaler (i.e., Zscaler Client Connector, PAC file, GRE or IPsec tunneling).
- Proxied via Zscaler with IdP Attribute: Identifies a device as managed only if its traffic is proxied via Zscaler and the IdP assertion carries at least one of the managed-device attributes. To use this option, your IdP configuration must specify the trust attribute and trust attribute value, and that IdP must be marked as your default IdP.
- Device Trust Attribute: Displays the SAML trust attribute configured on your IdP. This field can't be edited.
- Device Trust Attribute Value: Displays the SAML trust attribute value configured on your IdP for managed devices. This field can't be edited.
- Action: Choose one of the following actions for when unmanaged devices try to access the cloud app:
- Browser Isolation: Isolates the traffic from unmanaged devices through a remote browser based on the isolation profile selected.
- Isolation Profile: Select the isolation profile from the list if you choose the Browser Isolation action. This list includes the isolation profiles that you created for your organization.
- Block: Blocks access to the cloud app from an unmanaged device.
- Click Save and activate the change.
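The following Python is an added illustration, not Zscaler code: it models the decision the settings above and the authentication flow earlier describe for a single login. It parses a constructed SAML assertion from the customer's IdP, applies the Managed Device test (both modes), the Action for unmanaged devices, the Identity Transformation rule, and Pass-on Group Details, and returns what would be forwarded to the cloud app. The assertion, the attribute names (deviceTrust, memberOf), the ProxySettings field names, and the proxied_via_zscaler flag are assumptions made for this example; the Identity Proxy's internal implementation is not documented on this page.

```python
"""Model of the Identity Proxy decision for one login (added illustration, not Zscaler code).

Attribute names, the assertion, and the proxied_via_zscaler flag are
assumptions made for this example.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion standing in for the one the customer's IdP returns.
UPSTREAM_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@corp.example</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>Finance</saml:AttributeValue>
      <saml:AttributeValue>VPN-Users</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="deviceTrust">
      <saml:AttributeValue>managed</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


@dataclass
class ProxySettings:
    """One cloud app instance, mirroring the Add Cloud Application form (assumed field names)."""
    identity_transformation: str = "pass-through"   # "pass-through" | "change-domain" | "remove-domain"
    change_domain_to: str = ""
    pass_on_group_details: bool = True
    group_identifier_name: str = "memberOf"
    managed_device: str = "proxied"                 # "proxied" | "proxied-with-idp-attribute"
    device_trust_attribute: str = "deviceTrust"     # read-only in the portal; comes from the IdP config
    device_trust_attribute_value: str = "managed"
    action: str = "block"                           # "block" | "browser-isolation"


def parse_assertion(xml_text):
    """Return (NameID, {attribute name: [values]}) from a SAML 2.0 assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    attrs = {}
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]
    return name_id, attrs


def transform_identity(login_name, settings):
    """Apply the Identity Transformation rule to the login attribute."""
    user, _, _domain = login_name.partition("@")
    if settings.identity_transformation == "change-domain":
        return f"{user}@{settings.change_domain_to}"
    if settings.identity_transformation == "remove-domain":
        return user
    return login_name  # pass-through


def is_managed(proxied_via_zscaler, attrs, settings):
    """Managed Device test: traffic must be proxied via Zscaler and, in the
    'with IdP Attribute' mode, the assertion must also carry the trust value."""
    if not proxied_via_zscaler:
        return False
    if settings.managed_device == "proxied-with-idp-attribute":
        return settings.device_trust_attribute_value in attrs.get(settings.device_trust_attribute, [])
    return True


def decide(xml_text, proxied_via_zscaler, settings):
    """Outcome for one login attempt.

    Unmanaged devices get the configured Action. A browser-isolation session
    then re-enters through the Service Edge, i.e. as proxied traffic, and is
    evaluated again with proxied_via_zscaler=True.
    """
    login_name, attrs = parse_assertion(xml_text)
    if not is_managed(proxied_via_zscaler, attrs, settings):
        return {"outcome": settings.action, "name_id": None, "groups": []}
    groups = attrs.get(settings.group_identifier_name, []) if settings.pass_on_group_details else []
    return {"outcome": "allow", "name_id": transform_identity(login_name, settings), "groups": groups}


if __name__ == "__main__":
    for proxied in (True, False):
        print(proxied, decide(UPSTREAM_ASSERTION, proxied, ProxySettings(action="browser-isolation")))
```

The second managed-device mode is the strict one: a device that is proxied through Zscaler but whose assertion lacks the trust value is still treated as unmanaged and receives the Action, which is the behaviour to test for when rolling out the IdP-attribute option.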
- 2. Download the Zscaler Certificate and Obtain Information from the Admin Portal
To download the Zscaler certificate and obtain information from the Admin Portal:
- Go to Administration > Identity > Internet & SaaS > Identity Proxy Settings. The Identity Proxy Settings page displays the settings for the cloud apps.
- Click Download to download the Zscaler certificate for the cloud app that you are configuring.
- Copy the Identity Proxy URL and the Issuer Entity ID for the cloud app that you are configuring. Click the values to expand the URL.
- 3. Configure Zscaler as the IdP for Your Cloud App
Ensure that you have the following from the Admin Portal for the cloud app:
- The Issuer Entity ID
- The Zscaler certificate that you downloaded from the Admin Portal
- The Identity Proxy URL
Configure Zscaler as the IdP for the cloud app. Following are instructions for each app:
- Box
To set up Single Sign-On (SSO), submit a request with Box. Box uses the information that you provide to set up the SSO integration.
Complete the following in the request form:
- Your email address: Enter your email address.
- Briefly summarize your issue/question: Specify that you want to set up SSO for Box.
- Who is your Identity Provider?: Select Other w/o Metadata or Other with Metadata. If you select Other with Metadata, make sure that you upload the Metadata file in the attachments.
- Give us more details: Enter the following information:
- Entity/Connection ID: The Issuer Entity ID that you copied from the Admin Portal.
- Redirect URL: The Identity Proxy URL that you copied from the Admin Portal.
- Identity Provider: Enter Zscaler Inc.
- Attribute for User's First Name: Enter NameID
- Attribute for Groups: Provide the group attribute if you are using Groups and have added a Group Identifier Name in the Admin Portal.
- Priority: Set the priority according to your requirement.
- Box Subdomain: Enter the Box subdomain of your company.
- Attachments: Attach the public certificate that you downloaded from the Admin Portal. If you've selected Other with Metadata as your IdP, attach the Metadata file downloaded from the Admin Portal as well.
- GitHub
- Log in to GitHub with your admin account. Ensure that you are logged in to the Zscaler service so that your traffic is forwarded to Zscaler.
- Click your profile picture and then click Your organizations.
- From the Organizations page, click the required organization link.
- Go to Settings > Organization security.
- Under the SAML single sign-on section, select Enable SAML authentication and complete the following:
- Sign on URL: Enter the Identity Proxy URL that you copied from the Admin Portal.
- Issuer: Enter the Issuer Entity ID that you copied from the Admin Portal.
- Public certificate: Copy and paste the text from the Zscaler certificate you downloaded from the Admin Portal.
Click Test SAML configuration and then click Save after your SAML SSO identity is successfully authenticated.
- Go to the Teams tab and click Authenticate your account before using SSO for the first time.
- Click Continue.
- Google Apps
To set up SSO with Google Apps:
- Log in to the Google Admin Console with your admin account.
- Click Security. The Security page appears.
- On the Security page, click Set up single sign-on (SSO).
- Enable Setup SSO with third party identity provider.
- Complete the following:
- Sign-in page URL: Enter the Identity Proxy URL that you copied from the Admin Portal.
- Sign-out page URL: Enter the Google logout URL: https://accounts.google.com/logout
- Change password URL: (Optional) Enter a URL that allows users to change their passwords.
- Verification certificate: Upload the Zscaler certificate that you downloaded from the Admin Portal.
- Click Save
Users who are assigned administrator roles in Google cannot use SSO.
- Office 365
To set up SSO with Office 365:
- a. Set up SAML for Microsoft Entra Connect (formerly Azure AD Connect)
- Configure federation with AD FS and connect it via Microsoft Entra Connect. To learn more, refer to the Microsoft documentation for AD FS.
Connect to your Microsoft Entra tenant from Windows PowerShell with the MSOnline module using the following command (Microsoft has deprecated the MSOnline module; check Microsoft's current guidance for the Microsoft Graph PowerShell equivalents of the cmdlets used below):
Connect-MsolService
Run the following command to set the domain back to managed authentication, which clears any existing federation settings before you apply the Zscaler parameters:
Set-MsolDomainAuthentication -DomainName <YourDomainName> -Authentication Managed
- Configure your setup script file (PS1) using the following template:
# Federate <Your Domain> with the Zscaler Identity Proxy
$dom = "<Your Domain>"
$BrandName = "<Custom Brand Name>"
$LogOnUrl = "https://idp.<Zscaler Cloud Name>/samlsso/<Issuer Entity Id>"   # Identity Proxy URL from the Admin Portal
$LogOffUrl = "https://logout.<Zscaler Cloud Name>/"
$ecpUrl = "https://idp.<Zscaler Cloud Name>/samlsso/<Issuer Entity Id>"     # same as the logon URL
$MySigningCert = "<Zscaler Certificate Content>"   # base64 body of the downloaded certificate, without BEGIN/END lines or line breaks
$MyURI = "<Zscaler Cloud Name>"                    # reference only; not passed to the cmdlet
$uri = "<Issuer Entity Id>"                        # Issuer Entity ID from the Admin Portal
Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $BrandName -Authentication Federated -PassiveLogOnUri $LogOnUrl -ActiveLogOnUri $ecpUrl -SigningCertificate $MySigningCert -IssuerUri $uri -LogOffUri $LogOffUrl -PreferredAuthenticationProtocol "SAMLP"
Script parameters and descriptions:
- $dom: Name of the domain that you are federating.
- $BrandName: Custom brand name.
- $LogOnUrl: Identity Proxy URL that you copied from the Admin Portal.
- $LogOffUrl: Logout URL.
- $ecpUrl: Same as the logon URL.
- $MySigningCert: Base64 text of the Zscaler certificate that you downloaded from the Admin Portal (the body between the BEGIN and END lines, with no line breaks).
- $MyURI: Zscaler cloud name.
- $uri: Issuer Entity ID that you copied from the Admin Portal.
Run the following command to execute the script:
./<setup script name>.ps1
Run the following command to verify the parameters configured:
Get-MsolDomainFederationSettings -DomainName <YourDomainName>
- b. Configure AD FS claim rule for Office 365
Ensure that the SAML 2.0 IdP for single sign-on is configured.
- Select your Relying Party Trust in the AD FS Management portal.
Add the following custom rule to the Claim Issuance Policy. The rule takes the incoming Windows account name (DOMAIN\user), strips the domain prefix with the regular expression, looks up the user's userPrincipalName and objectGUID in Active Directory, and issues them as the UPN and ImmutableID claims that Office 365 expects:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/UPN", "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = "samAccountName={0};userPrincipalName,objectGUID;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);
The ImmutableID value must match the source anchor that Microsoft Entra Connect synchronizes for the user; if your synchronization uses an anchor attribute other than objectGUID, adjust the query accordingly.
- Log in to the Office 365 portal and verify that login.microsoftonline.com redirects to idp.<Zscaler Cloud Name> for authentication.
If you need to reset the Office 365 configuration, complete the following steps:
Run the following command to reset your domain authentication and prepare AD FS for setting Zscaler parameters:
Set-MsolDomainAuthentication -DomainName <YourDomainName> -Authentication Managed
- (Optional) Delete the AD FS claim rule that was added to the Claim Issuance Policy for the Relying Party Trust. See Configure AD FS claim rule for Office 365.
- Salesforce
To set up SSO with Salesforce:
- a. Configure the Zscaler SAML SSO Settings
To configure the Zscaler SAML SSO settings:
- Log in to Salesforce.
- In the top right corner, click Setup. The Setup page appears.
- On the Setup page, expand Security Controls in the left-hand menu, and select Single Sign-On Settings. The Single Sign-On Settings page appears.
- On the Single Sign-On Settings page, click Edit, and check SAML Enabled.
- Click Save.
- In the Single Sign-On Settings page, click New.
- Configure the following SAML SSO settings:
- Name: Enter a name for the setting.
- API Name: Salesforce automatically uses the value you entered for Name. You can customize the name here, if you want.
- Issuer: Enter the Issuer Entity ID that you copied from the Admin Portal.
- Entity ID: Enter https://saml.salesforce.com/
- Select your Request Signing Certificate, Request Signature Method, and Assertion Decryption Certificate as desired.
- SAML Identity Type: Select Assertion contains the User's Salesforce username.
- SAML Identity Location: Select Identity is in the NameIdentifier element of the Subject statement.
- Service Provider Initiated Request Binding: Select HTTP POST.
- Identity Provider Certificate: Upload the certificate you downloaded from the Admin Portal.
- Identity Provider Login URL: Enter the Identity Proxy URL that you copied from the Admin Portal.
- Configure the Custom Logout URL, Custom Error URL, and Single Logout Enabled fields as desired.
- Click Save
- b. Enable the Zscaler SAML SSO Settings as the Authentication Service
To enable the Zscaler SAML SSO settings as the authentication service:
- In the top right corner, click Setup and select Setup from the drop-down menu. The Setup page appears.
- On the Setup page, expand Company Settings in the left-hand menu, and select My Domain. The My Domain page appears.
- Scroll down to Authentication Configuration and click Edit. The Authentication Configuration page appears.
- On the Authentication Configuration page, select the SAML SSO setting that you created in step a as the Authentication Service. In this example, it's ZscalerExample.
- Click Save.
- c. Obtain the Salesforce Login URL
After you configure Zscaler as the IdP for Salesforce, you must retrieve the Login URL from the app. To obtain the Salesforce Login URL:
- In the top right corner, click Setup and select Setup from the drop-down menu. The Setup page appears.
- On the Setup page, expand Identity in the left-hand menu, and select Single Sign-On Settings. The Single Sign-On Settings page appears.
- In the Single Sign-On Settings list, click the Zscaler SAML SSO setting that you created in step a. In this example, it's ZscalerExample.
- Copy the Login URL and enter it as the ACS URL when you configure the Salesforce cloud app instance in the Admin Portal.
- ServiceNow
To set up SSO with ServiceNow:
- Log in to your ServiceNow instance with your admin account. Ensure that you are logged in to the Zscaler service so that your traffic is forwarded to Zscaler.
- On the left pane, under Multi-Provider SSO, click Identity Providers.
From the Identity Providers page, click New and then click SAML.
On the Identity Provider New Record page:
- Name: Enter a name for the identity provider.
- Identity provider URL: Enter the Issuer Entity ID that you copied from the Admin Portal.
- Identity Provider's AuthnRequest: Enter the Identity Proxy URL that you copied from the Admin Portal.
Go to the Advanced tab.
- UserField: Ensure that this is set to email.
- Single Sign-On Script: Select MultiSSOv2_SAML2_custom.
- Click Submit. The IdP is created and added to the Identity Providers page.
- From the Identity Providers page, click the identity provider record that you created. Edit the following:
In the X.509 Certificate section, click the New button.
On the X.509 Certificate New Record page:
- Name: Enter a name for the certificate.
- Format: Select the PEM format from the drop-down menu.
- PEM Certificate: Copy and paste the text from the Zscaler certificate that you downloaded from the Admin Portal, and click Submit.
- From the X.509 Certificate section, click the Edit button. The Edit Members page appears.
From the Collection pane, select the certificate that you created and add it to the X.509 Certificates List pane and then click Save.
- Click Test Connection on the top right.
After the connection is tested successfully, click Activate.
- From the Related Links section, click Set as Auto Redirect IdP.
Select the Default option and click Update.
- ShareFile
- Slack
- Log in to Slack with your admin account. Ensure that you are logged in to the Zscaler service so that your traffic is forwarded to Zscaler.
- Click Manage Organization in the upper right of the page. The Workspaces page appears.
Go to Security > SSO settings in the left-side navigation. The SSO Settings page appears.
- Click Configure SSO. The Configure SSO window appears.
In the Configure SSO window:
- SSO Name: Enter a name for the SSO.
- SAML 2.0 Endpoint URL: Paste the Zscaler Identity Proxy URL that you copied from the Admin Portal.
- Identity Provider Issuer URL: Paste the Zscaler Issuer Entity ID that you copied from the Admin Portal.
- Service Provider Issuer URL: Enter https://slack.com
- Public (X.509) Certificate: Open the zscaler_certificate.cer file that you downloaded from the Admin Portal in a text editor and copy and paste the entire contents.
- Sign the Response: Deselect this checkbox.
- Click Test Configuration at the bottom right of the window. The Finish SSO Configuration window appears. If the configuration is correct, a confirmation message stating that everything looks good appears at the top of the window. If there is a problem with the configuration, Slack reports a glitch or a failure, and you have to start over from the beginning.
- On the Finish SSO Configuration page, click Confirm Update to activate the configuration.
After the Zscaler service is configured as the IdP Proxy, users of the specified cloud app are redirected to Zscaler Identity Proxy for authentication.