Configuring SAML for Admins

The Zscaler service supports identity provider (IdP)-initiated SAML for administrator authentication: an admin logs in to the Admin Portal by clicking the Zscaler application icon in the Single Sign-On (SSO) provider's portal. Because the authentication itself happens at the IdP, this also lets you enforce your existing two-factor authentication solution on admin logins.

Admins are not auto-provisioned from SAML assertions. An admin account must first be created in the Admin Portal; that admin can then authenticate with SAML. Password authentication remains available for admins, but Zscaler recommends that admins log in to the Admin Portal with SAML. Keep at least one super admin with password authentication enabled as a break-glass account, so that an admin can still reach the Admin Portal if the IdP (which is external to the Zscaler service) becomes unreachable, and protect that account with a strong password that is stored separately and used only when SSO is unavailable. The Zscaler service supports SAML 2.0.

Prerequisites

  • Admin accounts created for your organization's admins. To learn more, see Adding Admins.
  • An IdP, such as ADFS or Okta, configured for your organization.
  • The IdP's signing certificate, that is, the public certificate the IdP uses to sign its SAML responses, exported in Base-64 encoded PEM format. You upload this certificate to the Admin Portal when you configure the service to use SAML.

Configuring SAML SSO for Admins

To configure SAML SSO for admins in the Zscaler Admin Portal:

  1. Go to Administration > Administrator Management.
  2. Click the Administrator Management tab. 
    • Enable SAML Authentication: Enable to allow admins to log in to the Admin Portal directly from your SSO provider's portal. An IdP, such as ADFS or Okta, must already be configured for your organization, and the admin account must exist in the Admin Portal, because admins are not auto-provisioned.
    • Upload SSL certificate: Click Upload, then click Choose File and select the IdP's public certificate, which the service uses to verify the digital signature on the IdP's SAML responses. This is the Base-64 encoded PEM certificate you downloaded from the IdP. The file extension must be .pem, and the file name must contain no other dots (.). Upload only the public certificate, never the IdP's private key.
    • Download XML Metadata: Click Download to export the XML metadata of the Zscaler service. The metadata describes the service's SAML capabilities and endpoints and is used for auto-configuration; some IdPs require it to configure a service provider.
    • Issuer: Optionally, enter the IdP issuer associated with the Zscaler service, that is, the Issuer value the IdP places in its SAML responses.
  3. Click Save and activate the change.
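As an added example, not part of the Zscaler documentation, the following Python script applies the checks from step 2 to a certificate file before you upload it: the .pem extension and no-other-dots rule on the file name, a single PEM-armored CERTIFICATE block whose base-64 body decodes to a DER SEQUENCE (the outer ASN.1 structure of an X.509 certificate), and a refusal if the file carries a private key, which must never be uploaded. The embedded sample is a constructed stand-in whose DER body is a minimal ASN.1 SEQUENCE rather than a real certificate; it only exercises the framing checks. The function names and error strings are mine.

```python
from __future__ import annotations

import base64
import binascii
import os
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed sample: PEM armor around the 5-byte DER SEQUENCE 30 03 02 01 01
# (an INTEGER 1 inside a SEQUENCE). It is NOT a real certificate; it exists only
# to exercise the checks below. Replace it with the certificate exported from your IdP.
SAMPLE_PEM = (BEGIN + "\nMAMCAQE=\n" + END + "\n").encode("ascii")


def check_filename(name: str) -> list[str]:
    """File-name rules from the upload dialog: extension .pem, no other dots."""
    problems = []
    base = os.path.basename(name)
    if not base.endswith(".pem"):
        problems.append("file extension must be .pem")
    if base.count(".") != 1:
        problems.append("file name must contain no dot other than the .pem extension")
    return problems


def check_pem_content(data: bytes) -> list[str]:
    """Content rules: one base-64 PEM CERTIFICATE block; not DER, a bundle, or a key."""
    problems = []
    if data.lstrip()[:5] != b"-----":
        # Binary DER (or an empty file): the portal expects base-64 PEM armor.
        problems.append("file is not PEM armored; export the certificate as Base-64 PEM")
        return problems
    text = data.decode("ascii", errors="replace")
    if "PRIVATE KEY" in text:
        # Never upload the IdP's private key; only its public signing certificate.
        problems.append("file contains a private key; upload only the IdP's public certificate")
    blocks = re.findall(re.escape(BEGIN) + r"\s*(.*?)\s*" + re.escape(END), text, re.S)
    if len(blocks) != 1:
        problems.append(f"expected exactly one CERTIFICATE block, found {len(blocks)}")
        return problems
    body = "".join(blocks[0].split())
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        problems.append("certificate body is not valid base-64")
        return problems
    # A DER-encoded X.509 Certificate is an ASN.1 SEQUENCE, whose tag byte is 0x30.
    if not der or der[0] != 0x30:
        problems.append("decoded bytes are not a DER SEQUENCE, so this is not an X.509 certificate")
    return problems


def validate_idp_cert_file(name: str, data: bytes) -> list[str]:
    """Return every problem found; an empty list means the file passes the upload rules."""
    return check_filename(name) + check_pem_content(data)


if __name__ == "__main__":
    cases = {
        "okta.pem": SAMPLE_PEM,                  # passes
        "okta.prod.pem": SAMPLE_PEM,             # extra dot in the file name
        "adfs.cer": SAMPLE_PEM,                  # wrong extension
        "der.pem": bytes.fromhex("3003020101"),  # raw DER, not PEM armored
        "key.pem": b"-----BEGIN PRIVATE KEY-----\nMAMCAQE=\n-----END PRIVATE KEY-----\n",
    }
    for case_name, case_data in cases.items():
        print(case_name, "->", validate_idp_cert_file(case_name, case_data) or "OK")
```

The DER check only confirms the outer framing, so it catches a key export, a multi-certificate bundle or a binary file, but it does not validate the certificate itself or its expiry. For that, run `openssl x509 -in idp.pem -noout -subject -enddate` and confirm that the subject and expiry match what the IdP's admin console shows for its signing certificate; an IdP certificate rollover silently breaks admin SSO until the new certificate is uploaded, which is one reason to keep the password-authenticated super admin.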

SAML Configuration Guides

Following are guides for configuring admin SAML SSO with specific IdPs.

When configuring other IdPs, the following information might be required:

  • The ACS URL: https://admin.<Zscaler Cloud>.net/adminsso.do
    Replace <Zscaler Cloud> with the name of the cloud on which your organization is provisioned. To learn more, see What is my cloud name?
  • The certificate format: the IdP's signing certificate must be in Base-64 encoded PEM format.
  • The Entity ID: admin.zscalerbeta.net (shown here for the zscalerbeta cloud; take the value for your own cloud from the XML metadata you download in the Admin Portal)