Secure Internet and SaaS Access (ZIA)

About the Zscaler Authentication Bridge


The Zscaler Authentication Bridge (ZAB) is a virtual appliance that you can use to provision as well as authenticate users. You can use the ZAB to automatically import user information from an Active Directory (AD) or a Lightweight Directory Access Protocol (LDAP) server to the Zscaler database, without requiring inbound connections to your directory server. The ZAB can be used solely as a provisioning tool in conjunction with another authentication mechanism, such as SAML or Kerberos. Alternatively, it can be used for authentication using LDAP with SSL client certificates.

The ZAB scales to hundreds of thousands of users. It requires minimal administration. After you deploy it, you can configure the Zscaler service to automatically synchronize users on demand, daily, weekly, or monthly. To learn more, see Deploying a Zscaler Authentication Bridge.

The Authentication Bridge page is unavailable if you're subscribed to the ZIdentity service. Users can be imported into the ZIdentity Admin Portal through different methods to enroll them in the ZIA service. To learn more, see What Is ZIdentity?

Authentication Bridges provide the following benefits:

  • Automatically import user information from an AD or LDAP server to the Zscaler database.
  • Scale to hundreds of thousands of users with minimal administration.

A new or clean deployment of the ZAB requires a virtual machine image running Zscaler OS version 24.

Provisioning Users

You can download the ZAB from the ZIA Admin Portal and install it as a virtual appliance on a hypervisor at your location. As shown in the diagram, the ZAB opens a long-lived, secure outbound tunnel to the Zscaler Central Authority (CA); no inbound connection to your directory server is needed. It downloads your organization's authentication profile configuration from the CA and connects to the directory server. It then synchronizes user information from the directory server to the Zscaler cloud on demand or as scheduled.

  1. The ZAB downloads your organization's authentication profile.
  2. The ZAB synchronizes user information to the Zscaler service on demand or as scheduled.

A diagram of provisioning users with the Zscaler Authentication Bridge

The Zscaler service synchronizes data as follows:

  • It adds users, groups, and departments that exist in the directory server but not in the Zscaler service. It can synchronize up to 128 groups per user.
  • It deletes users, groups, and departments that exist in the service but not in the directory server. The service invalidates the authentication cookies of deleted users, so they can no longer authenticate.
  • If the information in the service differs from the information in the directory server, the service's data is updated to match the directory server. The directory server is always the source of truth.

The ZAB doesn't synchronize passwords. Passwords are always stored and maintained on your directory server.
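The three reconciliation rules above (add what the directory has, delete what it no longer has and revoke those users' cookies, overwrite anything that differs) together with the 128-group cap, as an added Python example. This is not Zscaler code and the ZAB's real data model is not public; the dict shapes for the user stores, the constructed directory and service snapshots, the session table, and the choice of which 128 groups survive the cap (the first 128 in sorted order) are all assumptions made for illustration.

```python
"""Reconcile a directory snapshot against the service-side user store.

Added example, not ZAB code. Store shape (assumed): login -> {"dept": str, "groups": iterable}.
"""

MAX_GROUPS_PER_USER = 128  # limit stated on the page


def normalize(entry):
    """Return (comparable entry, groups dropped). Which 128 groups are kept is an
    assumption for this example: the first 128 in sorted order."""
    groups = sorted(set(entry["groups"]))
    dropped = max(0, len(groups) - MAX_GROUPS_PER_USER)
    return {"dept": entry["dept"], "groups": groups[:MAX_GROUPS_PER_USER]}, dropped


def _groups_and_depts(store):
    groups, depts = set(), set()
    for entry in store.values():
        groups.update(entry["groups"])
        depts.add(entry["dept"])
    return groups, depts


def plan_sync(directory, service):
    """Compute the add / delete / modify sets; the directory is the source of truth."""
    want, truncated = {}, {}
    for login, entry in directory.items():
        want[login], dropped = normalize(entry)
        if dropped:
            truncated[login] = dropped
    have = {login: normalize(entry)[0] for login, entry in service.items()}

    add_users = sorted(set(want) - set(have))
    delete_users = sorted(set(have) - set(want))
    modify_users = sorted(l for l in set(want) & set(have) if want[l] != have[l])

    dir_groups, dir_depts = _groups_and_depts(want)
    svc_groups, svc_depts = _groups_and_depts(have)
    return {
        "add_users": add_users,
        "delete_users": delete_users,
        "modify_users": modify_users,
        "add_groups": sorted(dir_groups - svc_groups),
        "delete_groups": sorted(svc_groups - dir_groups),
        "add_departments": sorted(dir_depts - svc_depts),
        "delete_departments": sorted(svc_depts - dir_depts),
        # deleted users lose their authentication cookies
        "invalidate_cookies": delete_users,
        "truncated_groups": truncated,
    }


def apply_sync(directory, service, sessions):
    """Return (new service store, surviving sessions, plan). sessions: cookie -> login."""
    plan = plan_sync(directory, service)
    new_service = {login: normalize(entry)[0] for login, entry in directory.items()}
    revoked = set(plan["invalidate_cookies"])
    surviving = {cookie: login for cookie, login in sessions.items() if login not in revoked}
    return new_service, surviving, plan


# Constructed sample data (not real accounts): bob has 130 groups, dave left the directory.
DIRECTORY = {
    "alice": {"dept": "Engineering", "groups": {"eng", "sec"}},
    "bob": {"dept": "Engineering", "groups": {f"proj-{i:03d}" for i in range(130)}},
    "carol": {"dept": "Sales", "groups": {"sales"}},
}
SERVICE = {
    "alice": {"dept": "Engineering", "groups": ["eng"]},
    "dave": {"dept": "Marketing", "groups": ["mktg"]},
}
SESSIONS = {"cookie-1": "alice", "cookie-2": "dave"}

if __name__ == "__main__":
    new_service, surviving, plan = apply_sync(DIRECTORY, SERVICE, SESSIONS)
    for key, value in plan.items():
        print(f"{key}: {value if len(str(value)) < 80 else str(value)[:77] + '...'}")
    print("surviving sessions:", surviving)
```

Running it shows alice flagged for modification (a group was added in the directory), dave deleted with his cookie revoked, bob added with 2 of his 130 groups dropped, and the Marketing department removed because no remaining user belongs to it.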

Authenticating Users

A ZAB can also be used as an authentication tool. As shown in the diagram, the Zscaler service communicates only with the ZAB during the authentication process. The service directs requests to the ZAB, which in turn authenticates users against your organization's directory server. The passwords are always stored on your directory server. They are never stored on the ZAB or the CA.

  1. A user opens a browser and sends an HTTP request.
  2. When the ZIA Public Service Edge receives an unauthenticated request, it displays the login form.
  3. The user enters a login name.
  4. The ZIA Public Service Edge sends the request to the Central Authority (CA).
  5. The CA directs the request to the Zscaler Authentication Bridge (ZAB).
  6. The ZAB challenges the user for a password.
  7. The user enters the username and password. The ZAB then creates a TLS connection to the directory server and sends an LDAP BIND request with the username and password.
  8. After the directory server confirms the credentials, the ZAB redirects the browser to the CA.
  9. The CA sets the Zscaler gateway cookie and redirects the browser to the ZIA Public Service Edge.
  10. The ZIA Public Service Edge sets the domain cookie on the browser and forwards the HTTP request to the requested site.

Authenticating Users Diagram

About the Authentication Bridges Page

You must have a ZAB subscription to view the Authentication Bridges page.

On the Authentication Bridges page (Administration > Authentication Settings > Authentication Bridges), you can do the following:

  1. Add a ZAB.
  2. Download the ZAB virtual machine image.
  3. Search for a configured ZAB.
  4. View a list of configured ZABs. For each ZAB, you can view the following information:
    • Name: The name of the ZAB.
    • Status: The status of the ZAB (Enabled or Disabled).
    • SSL Certificate: Download option to download the ZAB's SSL certificate.
  5. Download the SSL certificate for the ZAB. The ZAB uses this certificate to authenticate itself to the Zscaler service.
  6. Modify the table and its columns.
  7. Edit the configured ZAB.

Zscaler Authentication Bridge Page

Related Articles

  • About the Zscaler Authentication Bridge
  • Deploying a Zscaler Authentication Bridge
  • Adding a Zscaler Authentication Bridge
  • Downloading the Zscaler Authentication Bridge VM
  • Zscaler Authentication Bridge Server Certificate Renewal Process