About the Zscaler Authentication Bridge

Configuring a Zscaler Authentication Bridge (ZAB) is one of the tasks you must complete when deploying a Zscaler Authentication Bridge. See How do I deploy a Zscaler Authentication Bridge? for the full list of tasks.

The Zscaler Authentication Bridge (ZAB) is a virtual appliance that you can use to provision as well as authenticate users. You can use the ZAB to automatically import user information from an Active Directory (AD) or a Lightweight Directory Access Protocol (LDAP) server to the Zscaler database, without requiring inbound connections to your directory server. The ZAB can be used solely as a provisioning tool in conjunction with another authentication mechanism, such as SAML or Kerberos. Alternatively, it can be used for authentication as well, using LDAP with SSL client certificates.

The ZAB scales to hundreds of thousands of users. It requires minimal administration. After you deploy it, you can configure the service to automatically synchronize users on demand or daily, weekly or monthly. See How do I deploy a Zscaler Authentication Bridge?

Provisioning Users

You can download the ZAB from the Zscaler service portal and install it as a virtual appliance on a hypervisor at your location. As shown in the diagram, the ZAB opens a long-lived secure outbound tunnel to the Zscaler Central Authority (CA). It downloads the authentication profile configuration of your organization from the CA and connects to the directory server. It synchronizes user information from the directory server to the Zscaler cloud on demand or as scheduled.

The service synchronizes data as follows:

  • It adds users, groups and departments that are in the directory server, but not in the Zscaler service. It can synchronize up to 128 groups per user.
  • It deletes users, groups and departments that are in the service, but not in the directory server. The service invalidates the authentication cookies of the users that were deleted and they are no longer allowed to authenticate.
  • If there is a discrepancy between the information that’s in the service and in the directory server, the ZAB modifies its data to match what’s in the directory server.

The ZAB does not synchronize passwords. Passwords are always stored and maintained on your directory server.
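
The synchronization rules above can be previewed as a dry run before a scheduled sync, which is useful because deletions invalidate authentication cookies. The following is an added example, not Zscaler code: the snapshot shape (login mapped to groups and department), the function name `plan_sync` and the sample data are assumptions, and it covers user objects only. Because the page does not say how memberships beyond 128 groups are handled, such users are flagged rather than truncated.

```python
# Added example: dry-run of the sync rules described above. Not Zscaler code.
# Snapshot shape (login -> {"groups": set, "department": str}) is an assumption.
MAX_GROUPS_PER_USER = 128  # limit stated on this page


def plan_sync(directory, service):
    """Return the changes a sync would make so that service matches directory."""
    plan = {"add": [], "delete": [], "modify": {}, "over_group_limit": []}
    for login, entry in sorted(directory.items()):
        if len(entry["groups"]) > MAX_GROUPS_PER_USER:
            # The page does not say which groups are kept; flag for review.
            plan["over_group_limit"].append(login)
        if login not in service:
            plan["add"].append(login)
            continue
        current = service[login]
        changes = {}
        if current["department"] != entry["department"]:
            changes["department"] = (current["department"], entry["department"])
        added = entry["groups"] - current["groups"]
        removed = current["groups"] - entry["groups"]
        if added or removed:
            changes["groups"] = {"added": sorted(added), "removed": sorted(removed)}
        if changes:
            plan["modify"][login] = changes
    # In the service but not in the directory: deleted, cookies invalidated.
    plan["delete"] = sorted(set(service) - set(directory))
    return plan


# Constructed sample snapshots (no passwords: the ZAB does not synchronize them).
DIRECTORY = {
    "alice@example.com": {"groups": {"eng", "vpn"}, "department": "Engineering"},
    "bob@example.com": {"groups": {"sales"}, "department": "Sales"},
    "dave@example.com": {"groups": {f"g{i}" for i in range(130)}, "department": "IT"},
}
SERVICE = {
    "alice@example.com": {"groups": {"eng"}, "department": "Platform"},
    "bob@example.com": {"groups": {"sales"}, "department": "Sales"},
    "carol@example.com": {"groups": {"hr"}, "department": "HR"},
}

if __name__ == "__main__":
    for key, value in plan_sync(DIRECTORY, SERVICE).items():
        print(key, value)
```

Reviewing the `delete` list before a sync shows which accounts would lose the ability to authenticate.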

Authenticating Users

A ZAB can also be used as an authentication tool. As shown in the diagram below, the Zscaler service communicates only with the ZAB during the authentication process. The service directs requests to the ZAB, which in turn authenticates users against your organization's directory server. Note that the passwords are always stored on your directory server. They are never stored on the ZAB or the CA.

NOTE: You must have the Zscaler Authentication Bridge (ZAB) subscription to view the Authentication Bridges page.

  1. Add a ZAB. See How do I add a Zscaler Authentication Bridge?
  2. Download the ZAB virtual machine.
  3. View the configured ZAB.
  4. Search for the configured ZAB.
  5. Download the SSL certificate for the ZAB.
  6. Edit the configured ZAB. See How do I edit, delete, or duplicate items in the admin portal?
  7. Modify the table and its columns. See How do I use tables in the admin portal?
  8. View the Authentication Profile page. See About Authentication Profile.

  1. Go to Administration > Authentication > Authentication Settings.
  2. Click the Authentication Bridges tab.
  3. Click Download ZAB VM.
  4. In the Download ZAB VM window, specify the Number of Users that the ZAB synchronizes, and optionally, authenticates. Then, click Compute to compute the appropriate resources for your ZAB. The ZAB can synchronize and authenticate hundreds of thousands of users. The ZAB specifications are determined by the number of users that the ZAB provisions.
  5. After the ZAB specifications display, under ZAB Virtual Machine, click Download ZAB VM to download the ZAB VM.

Click Download in the SSL Certificate column to download the SSL certificate for the ZAB. The ZAB uses this certificate to authenticate itself to the Zscaler service.