Configuring ADFS for Admin SAML Single Sign-On

This example illustrates how to configure a Windows Server 2008 R2 running SAML 2.0 ADFS as an IdP for the Zscaler service to enable SAML single sign-on for your organization's admins. It assumes that ADFS 3.0 is already installed on the Windows server. Refer to the Windows ADFS documentation for additional information about the steps in the example. Below are relevant technical attributes:

  • ACS URL: https://admin.<cloud_name>/
    • For example, if your cloud is, would be your ACS URL. To learn how you can find your cloud name, see What is my cloud name?
  • Hashing algorithms: AES-1 and AES-256

Below are the prerequisites for configuring the ADFS server:

  • ADFS account with admin privileges
  • Admin accounts created for your organization's admins. To learn more, see Add Admins.
  • XML Metadata, downloaded from the Zscaler Admin Portal. To learn more, see About SAML Single Sign-On for Admins.

Configuration Steps

To add the Zscaler service to ADFS, go to Start > ADFS Management 2.0 to launch the ADFS management application and do the following:

A.  Configure the Zscaler service as a relying party trust

In ADFS, a relying party is a Federation Service or application that requests and consumes claims from a claims provider in a particular transaction. Complete the following steps to add Zscaler as a relying party trust.

  1. In the ADFS 3.0 Management window, open the Trust Relationships > Relying Party Trusts folder. In the Actions menu on the right, click Add Relying Party Trust.

Screenshot displaying how to configure the Zscaler service as a relying party trust

  2. When the Add Relying Party Trust wizard appears, click Start.

The wizard steps are listed on the column on the left.

Screenshot showing the text displayed when opening the add relying party trust wizard

  3. In Select Data Source, choose Import data about the relying party from a file, and click Next.

Screenshot highlighting the "Import data about the relying party from a file" section

  4. Enter a Display name for the Zscaler service, such as Admin SAML Zscaler-Beta, and then click Next.
  5. Allow the wizard to run through the next three steps (Choose Profile, Configure Certificate, Configure URL, and Configure Identifiers).
  6. In Configure Multi-factor Authentication Now?, select I do not want to configure multi-factor authentication settings for this relying party trust at this time, and then click Next.

Screenshot highlighting the multi-factor authentication settings with recommended option selected.

  7. In Choose Issuance Authorization Rules, select Permit all users to access this relying party, and click Next.

Screenshot of Issuance Authorization Rules with "Permit all users to access this relying party" selected.

  8. In Ready to Add Trust, the wizard displays the configured settings. Click Next.

Screenshot of the Ready to Add Trust window with the next button highlighted

  9. Ensure the option to open the Edit Claim Rules dialog is checked. Click Finish to add the relying party trust to the database.

B. Add a Claim Rule

Configure the SAML Assertions to be federated to Zscaler for identifying the admin with the following steps.

  1. When the Edit Claim Rules window appears, click Add Rule.

Screenshot displaying the Edit Claim Rules window with the Add Rule button highlighted

  2. In Choose Rule Type of the Add Transform Claim Rule wizard, select Send LDAP Attributes as Claims as the claim rule template, so that the claims are populated with LDAP attribute values from the Active Directory attribute store. Then click Next.

Screenshot of Add Transform Claim Rule wizard with Next button highlighted

  3. In Configure Claim Rule, do the following and click Finish.
    • Enter a name for the claim rule (for example, zsbeta claims).
    • From the Attribute Store menu, choose Active Directory.
    • Map the LDAP attributes that represent the user's login name to the field in the outgoing claim.
      • From the LDAP Attribute column, select User-Principal-Name.
      • From the Outgoing Claim Type column, select Name ID.

The email address is sent as the Name ID.

Screenshot of the Add Transform Claim wizard with the finish button highlighted.

C. Export the Certificate

To export the certificate that you will upload to the Zscaler service:

  1. In the ADFS 3.0 Management window, open the Service > Certificates folder. In the Actions menu on the right, click View Certificate.
  2. In the Certificate window, go to the Details tab and click Copy to File… to open the Certificate Export wizard.

Screenshot of the details tab in the certificate window illustrating how to download the certificate.

  3. Start the Certificate Export Wizard.

Screenshot of the opening page of the Certificate Export Window

  4. In Export File Format, choose Base-64 encoded as the file format of the certificate you want to export and click Next.

Screenshot for the Export File Format with Base 64-encoded X.509 selected in a red box

  5. In File to Export, either click Browse to navigate to the file you want to export or enter the file name. Click Next.

Screenshot showing the Certificate Export Window and where to enter the file name

  6. Click Finish to exit the wizard.

Upload this certificate to the Zscaler service. To learn more, see About SAML Single Sign-On for Admins.

Screenshot of the final page of the Certificate Export Wizard
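The three sections above (A: relying party trust, B: claim rule, C: certificate export) can also be done from PowerShell on the federation server with the ADFS module. The script below is an added example and is not part of the Zscaler documentation; the display name and rule name are the ones suggested in steps A.4 and B.3, the metadata and output file paths are placeholders you must replace, and the claim-rule-language text is the form the wizard itself generates for "Send LDAP Attributes as Claims" (User-Principal-Name to Name ID) and "Permit all users".

```powershell
# Added example, not Zscaler's own code. Run in an elevated PowerShell session on the ADFS server.
Import-Module ADFS

$displayName  = 'Admin SAML Zscaler-Beta'                      # display name from step A.4
$metadataFile = 'C:\zscaler\zscaler-admin-saml-metadata.xml'   # PLACEHOLDER: metadata XML downloaded from the Zscaler Admin Portal
$certOut      = 'C:\zscaler\adfs-token-signing.cer'            # PLACEHOLDER: where to write the Base-64 certificate for upload

# B: "Send LDAP Attributes as Claims" rule. Queries AD for userPrincipalName and
# issues it as the Name ID claim, which is what the wizard produces for step B.3.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "zsbeta claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# A.7: "Permit all users to access this relying party".
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# A: create the relying party trust from the imported Zscaler metadata (steps A.3 to A.9).
Add-AdfsRelyingPartyTrust -Name $displayName `
    -MetadataFile $metadataFile `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Check: the trust exists, its identifier came from the metadata, and it carries the two rule sets.
Get-AdfsRelyingPartyTrust -Name $displayName |
    Select-Object Name, Identifier, IssuanceTransformRules, IssuanceAuthorizationRules

# C: export the primary token-signing certificate as Base-64 encoded X.509, the same
# format the "Base-64 encoded X.509 (.CER)" wizard option writes.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$b64 = [Convert]::ToBase64String($signing.Certificate.RawData, 'InsertLineBreaks')
@('-----BEGIN CERTIFICATE-----', $b64, '-----END CERTIFICATE-----') |
    Set-Content -Path $certOut -Encoding Ascii

# Print the thumbprint so it can be compared with what the Zscaler Admin Portal shows after upload.
$signing.Thumbprint
```

Exporting the primary token-signing certificate (rather than the secondary one that appears during automatic certificate rollover) matters: the Zscaler service validates assertion signatures against the certificate you upload, so uploading the wrong one makes every admin sign-in fail until it is corrected.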

The admin can now sign in to the Zscaler Admin Portal through ADFS as an IdP. See the example below.

Screenshot example of new sign in options