Secure Internet and SaaS Access (ZIA)
Admin SAML Configuration Guide for Microsoft Entra ID
This guide illustrates how to configure Microsoft Entra ID (formerly Azure Active Directory) as the identity provider (IdP) for the Zscaler service and use SAML single sign-on (SSO) for your organization's admins. To learn more about the steps in the Microsoft Entra admin center, refer to the Microsoft Entra ID documentation.
Prerequisites
Ensure that you have the following before you start configuring Microsoft Entra ID as the IdP:
- Existing Microsoft Entra account
- Zscaler cloud name
- Admin accounts created for your organization's admins
Configuring SAML Admin SSO with Microsoft Entra ID
To configure Microsoft Entra ID as the IdP for the Zscaler service and use SAML SSO for admins:
1. Add the Zscaler Internet Access Administrator application in the Microsoft Entra admin center.
To add the Zscaler Internet Access Administrator application (ZIA Admin application) in Microsoft Entra ID:
- Sign in to the Microsoft Entra admin center.
- Go to Identity > Applications > Enterprise applications.
- Click New application. The Browse Microsoft Entra ID Gallery page appears.
- On the Browse Microsoft Entra ID Gallery page, enter zscaler admin in the search bar, and click the Zscaler Internet Access Administrator application.
- Click Create. The Microsoft Entra ID service displays a notification that the ZIA Admin application was added.
2. Configure SAML Admin SSO in the Microsoft Entra admin center.
To configure SAML admin SSO in the Microsoft Entra admin center:
- In the left-side navigation for the ZIA Admin application, click Single sign-on.
- Choose SAML.
- In Basic SAML Configuration, click the Edit icon. The Basic SAML Configuration window appears.
- In the Basic SAML Configuration window:
  - Identifier (Entity ID): Enter the identifier admin.<Zscaler cloud>.net. The <Zscaler cloud> depends on the URL you use to log in to the Zscaler service. For example, if you log in to https://admin.zscalerbeta.net, then the identifier is admin.zscalerbeta.net.
  - Reply URL (Assertion Consumer Service URL): Select one of the following Zscaler admin SSO URLs with your Zscaler cloud name.
    - https://admin.zscaler.net/adminsso.do
    - https://admin.zscalerone.net/adminsso.do
    - https://admin.zscalertwo.net/adminsso.do
    - https://admin.zscalerthree.net/adminsso.do
    - https://admin.zscloud.net/adminsso.do
    - https://admin.zscalerbeta.net/adminsso.do
    The Zscaler cloud name depends on the URL you use to log in to the Zscaler service. For example, if you log in to https://admin.zscalerbeta.net, then select https://admin.zscalerbeta.net/adminsso.do.
  - Sign on URL: Leave this field blank.
  - Relay State: Leave this field blank.
  - Logout URL: Leave this field blank.
- Click Save and exit the window.
- In SAML Signing Certificate, download Certificate (base64). You need it for Step 3 in 5. Configure SAML Admin SSO in the ZIA Admin Portal.
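The Identifier and Reply URL above are both derived from the same cloud name, and a mismatch between what is entered in Entra ID and what the ZIA Admin Portal expects is the most common reason the SSO test fails: the SAML response's Destination and the assertion's Audience must equal the ACS URL and Entity ID for your cloud. The following Python script is an added example, not code from the Zscaler or Microsoft documentation: it maps an admin login URL to the Entity ID and ACS URL the guide asks for, then checks a SAML response against them the way the service provider side would. The SAML response in the script is a constructed, unsigned sample, and the tenant ID in its Issuer is a placeholder; a real deployment verifies the response signature with the Certificate (base64) downloaded above before trusting any of these fields.

```python
"""Added example (not part of the Zscaler or Microsoft documentation).

Derives the Identifier (Entity ID) and Reply URL (ACS URL) from the ZIA admin
login URL, then checks a SAML response's Destination and <Audience> against
those values. The SAML response below is a constructed, unsigned sample; the
tenant ID in its Issuer is a placeholder. Signature verification with the
downloaded Certificate (base64) is out of scope here.
"""
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

# Cloud names taken from the Reply URL list in the guide.
KNOWN_CLOUDS = ("zscaler", "zscalerone", "zscalertwo", "zscalerthree",
                "zscloud", "zscalerbeta")

SAML_NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def saml_settings_from_login_url(login_url: str) -> dict:
    """Map an admin login URL such as https://admin.zscalerbeta.net to the
    Entity ID admin.<cloud>.net and the ACS URL https://admin.<cloud>.net/adminsso.do."""
    host = (urlparse(login_url).hostname or "").lower()
    labels = host.split(".")
    if len(labels) != 3 or labels[0] != "admin" or labels[2] != "net":
        raise ValueError(f"not a ZIA admin portal hostname: {host!r}")
    cloud = labels[1]
    if cloud not in KNOWN_CLOUDS:
        raise ValueError(f"unknown Zscaler cloud name: {cloud!r}")
    return {
        "cloud": cloud,
        "entity_id": f"admin.{cloud}.net",
        "acs_url": f"https://admin.{cloud}.net/adminsso.do",
    }


def check_response_targets(response_xml: str, settings: dict) -> list:
    """Return the list of mismatches between a SAML response and the expected
    Entity ID / ACS URL; an empty list means the response targets this cloud."""
    root = ET.fromstring(response_xml)
    problems = []

    # The IdP posts the response to the Reply URL, so Destination must be our ACS URL.
    destination = root.get("Destination")
    if destination != settings["acs_url"]:
        problems.append(
            f"Destination {destination!r} does not match ACS URL {settings['acs_url']!r}")

    # The assertion must be scoped to our Entity ID through AudienceRestriction.
    audiences = [
        a.text.strip() for a in root.findall(
            ".//saml:Conditions/saml:AudienceRestriction/saml:Audience", SAML_NS)
        if a.text
    ]
    if settings["entity_id"] not in audiences:
        problems.append(
            f"Audience {audiences!r} does not include Entity ID {settings['entity_id']!r}")
    return problems


# Constructed sample response for the zscalerbeta cloud (unsigned, illustrative only;
# the all-zero tenant ID in the Issuer is a placeholder).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_response1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://admin.zscalerbeta.net/adminsso.do">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Assertion ID="_assertion1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Subject><saml:NameID>admin@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>admin.zscalerbeta.net</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    # The first URL matches the sample; the second shows what a wrong cloud name looks like.
    for url in ("https://admin.zscalerbeta.net", "https://admin.zscaler.net"):
        settings = saml_settings_from_login_url(url)
        print(url, "->", settings)
        print("  mismatches:", check_response_targets(SAMPLE_RESPONSE, settings) or "none")
```

Running the script shows no mismatches for the zscalerbeta settings and two (Destination and Audience) when the response is checked against the zscaler cloud settings, which is exactly the situation created by picking the wrong Reply URL or mistyping the Identifier in Entra ID.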
3. Assign admins to the ZIA Admin application
In order for Microsoft Entra ID admins to authenticate through the Zscaler service, you must assign Microsoft Entra ID admins to the ZIA Admin application.
To assign admins to the Zscaler cloud application in the Microsoft Entra admin center:
- In the left-side navigation of the ZIA Admin application, click Users and groups.
- Click Add user. The Add Assignment window appears.
- In the Add Assignment window, click Users and groups. The Users and groups window appears.
- In the Users and groups window, select the admins you want to assign to the ZIA Admin application, and click Select.
- In the Add Assignment window, click Assign.
4. (Optional) Enable IdP-Initiated SSO
By default, the ZIA Admin application is visible to admins in their My Apps portal.
To enable or disable application visibility:
- In the left-side navigation for the ZIA Admin application, click Properties.
- For Visible to users?, choose Yes or No.
5. Configure SAML Admin SSO in the ZIA Admin Portal.
Testing the SAML Configuration
To test the SAML admin SSO, users can initiate the SAML connection from the ZIA Admin application. There are two ways to do this:
- Go to the Microsoft My Apps portal. You can use this method if you've enabled application visibility in Step 2 of 4. (Optional) Enable IdP-Initiated SSO. To go to the Microsoft My Apps portal:
  - Sign in to the Microsoft My Apps portal to get access to all your assigned visible applications.
  - Click the Zscaler Internet Access Administrator application.
  - You are automatically signed in to the ZIA Admin Portal.
- Browse to the User access URL. If you've disabled application visibility in Step 2 of 4. (Optional) Enable IdP-Initiated SSO, you can use this method to directly access the ZIA Admin application from the browser. To browse to the User access URL:
  - In the left-side navigation for the ZIA Admin application, click Properties.
  - Copy the User access URL.
  - Browse to the User access URL.
  - You are automatically signed in to the ZIA Admin Portal.