About SAML Single Sign-On for Admins

About SAML Single Sign-On for Admins

The Zscaler service supports Identity Provider (IDP)-initiated SAML to authenticate admins. The admin can log in to the Zscaler admin portal directly from an SSO provider's portal by clicking the Zscaler application icon. This feature also enables you to integrate admin authentication with your existing two-factor authentication solution.

Note that admins are not added through auto-provisioning. Rather, an admin must be added in the Zscaler admin portal and can then use SAML authentication to log in to the Zscaler admin portal. The Zscaler service does provide a password authentication option for admins, but the Zscaler service recommends that admins use SAML authentication to log in to the Zscaler admin portal. However, the service also recommends that you have at least one super admin with password authentication enabled to ensure an admin can still access the admin portal if SAML servers external to the Zscaler service become unreachable. The Zscaler service supports SAML 2.0 and above.


  • Admin account(s) created for your organization's admin(s). See How do I add admins?
  • Configure an IdP, such as ADFS, Okta, etc.
  • Obtain the SSL certificate of the IdP. You will upload this certificate to the Zscaler service portal when you configure the service to use SAML.

Configuring SAML Single Sign-On for Admins

  1. Go to Administration > Administrator Management.
  2. Click the SAML tab.
    • Enable SAML Authentication: Enable to allow admins to log in to the Zscaler admin portal directly from your SSO provider portal. An IdP, such as ADFS or Okta, must already be configured for your organization, and you must add the admin account in the Zscaler admin portal rather than through auto-provisioning.
    • Upload SSL certificate: Click Upload, and then click Choose File to navigate to the public certificate that is used to verify the digital signature of the IdP. This is the base-64 encoded PEM format that you downloaded from the IdP. The file extension must be .pem without any other dots (.) in the file name.
    • Download XML Metadata: Click Download to export the XML metadata of the Zscaler service. The metadata details Zscaler SAML capabilities and is used for auto-configuration. Some IdPs require the metadata to configure service providers.
    • Issuer: Optionally, enter the IdP issuer associated with the Zscaler service.
  3. Click Save and activate the change.

Configuration Examples

Click below for examples of how to add the Zscaler service to an IDP.

For configuring IDPs other than ADFS or Okta, note that the following information may be necessary: