About Authentication Profile

Zscaler supports different types of provisioning and authentication methods. You can configure the Authentication Profile page according to the authentication method you choose.

Directory Type: Click the type of directory you want to configure.

NOTE: If you are configuring a Zscaler Authentication Bridge (ZAB), see How do I deploy a Zscaler Authentication Bridge? for more information about configuring the directory and deploying the ZAB.

To configure a Hosted User Database (Hosted DB), see How do I configure the Hosted User Database?

To configure an Active Directory, see Configuring the Zscaler Service to Synchronize Data.

To configure an OpenLDAP directory, see Configuring the Zscaler Service to Synchronize Data.

Authentication Frequency: Choose how often users are required to authenticate to the Zscaler service. Note that you will configure this section when you configure your preferred authentication method.

• Daily: Authentication will expire between 12 to 24 hours from the login time, depending on the time the user authenticated the day before.
• Only Once: This is the default authentication interval. Once users have logged in, they do not need to authenticate again as long as the cookie is saved in the browser or as an Adobe Flash object. (Typically, the cookie expires in about two years.) However, to log out of Zscaler, users must log out of the service explicitly or delete the cookie from their browser.

NOTE: Zscaler recommends choosing Only Once as your authentication frequency. For more information, see Why does Zscaler recommend configuring the Authentication Frequency to be Only Once?

• Once Per Session: Authentication expires once the user closes the browser. In this case, no cookie is saved.
• Custom: Customize your authentication interval.
  • Custom Authentication Frequency (days): Enter the number of days, between 1 and 180 inclusive. Authentication will be requested at midnight according to your timezone.

Authentication Type: Choose how users will authenticate to the Zscaler service.

• Form-Based: Users log in to the service with their credentials. See How do I configure the Hosted User Database? for instructions.
  • Password Strength: Choose the required password strength.
    • None: Choose to place no restriction on the strength or complexity of the passwords. Not recommended. Weak passwords can be easily compromised.
    • Medium: Choose to require users to set passwords that are at least eight characters long and that contain at least one non-alphabetic character. This is the default.
    • Strong: Choose to require users to set passwords that are at least eight characters long and that contain at least one digit, one capital letter, and one special character.
      NOTE: Only ASCII characters are allowed for the password.
  • Password Expiry: Choose the duration after which users must change their passwords. The default is Never, but Zscaler strongly recommends setting an expiry period: old passwords can allow access to your system by people who are no longer in your organization.
• SAML: Users authenticate with SAML single sign-on. See How do I configure SAML? for instructions.
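The three Password Strength levels above, expressed as a policy check. This is an added example, not Zscaler's own validation code; it assumes "special character" means ASCII punctuation and applies the ASCII-only rule at every level.

```python
import string
from typing import List

# Assumption: "special character" means any ASCII punctuation character.
SPECIALS = set(string.punctuation)


def check_password(password: str, strength: str) -> List[str]:
    """Return the policy violations for the chosen strength level
    ('None', 'Medium' or 'Strong'); an empty list means the password passes."""
    problems = []
    # Assumption: the ASCII-only note applies regardless of strength level.
    if not password.isascii():
        problems.append("contains non-ASCII characters")
    if strength == "None":
        # No restriction on strength or complexity.
        return problems
    if strength not in ("Medium", "Strong"):
        raise ValueError("unknown strength level: %s" % strength)
    # Medium and Strong both require at least eight characters.
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if strength == "Medium":
        # Medium: at least one character that is not a letter.
        if not any(not c.isalpha() for c in password):
            problems.append("no non-alphabetic character")
        return problems
    # Strong: one digit, one capital letter and one special character.
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    return problems


def strongest_level_passed(password: str) -> str:
    """Report the strictest level the password satisfies, to compare a
    proposed password against the admin's configured policy."""
    for level in ("Strong", "Medium", "None"):
        if not check_password(password, level):
            return level
    return "rejected"  # only reachable for non-ASCII input
```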

Temporary Authentication: Choose one of the temporary authentication methods below, and then click Send Authentication Email.

• Disabled: Disables temporary authentication. If you disable temporary authentication, you cannot send an authentication email.
• One-Time Token: Sends the user a unique one-time password.
• One-Time Link: Sends the user a unique link.

If you are using Active Directory (AD) or OpenLDAP, you can click Sync Now to synchronize the Zscaler service with the AD or OpenLDAP server.


NOTE: Under Last Synchronization Time, you can view the time when the Zscaler service last synchronized with the AD or OpenLDAP server. This time depends on the Synchronization Frequency you configured for your AD or OpenLDAP server.

Enable Kerberos: Enable to use Kerberos authentication in addition to other authentication methods. If you enable Kerberos, the Domain Trust Password field will appear below. You must use this password to establish a trust relationship between the Zscaler domain and your organization's domain.

See How do I deploy Kerberos? for instructions on deploying Kerberos.

• Last Reauthentication: Displays the last time that Force Reauthentication was completed.
• Force Reauthentication: Click Start to log out all users in your organization and force them to reauthenticate to the Zscaler service. This may take several minutes depending on the number of users in your organization.
• Reauthentication Status: Displays one of the following logout states.
  • Completed: The Central Authority (CA) has logged out all users successfully. The Last Reauthentication field will update the time accordingly.
  • In Progress: The CA is in the process of logging out all users.
  • Error: The CA has failed to log out all users. Under Force Reauthentication, an error message displays explaining why the logout failed. You can click Retry after the error is addressed. See image.
  • None: Displays if Force Reauthentication has never been executed in the Zscaler admin portal.

[Image: Force Reauthentication error UI]