Secure Internet and SaaS Access (ZIA)

Admin SAML Configuration Guide for Microsoft Entra ID

This guide illustrates how to configure Microsoft Entra ID (formerly Azure Active Directory) as the identity provider (IdP) for the Zscaler service and use SAML single sign-on (SSO) for your organization's admins. To learn more about the steps in the Microsoft Entra admin center, refer to the Microsoft Entra ID documentation.

Prerequisites

Ensure that you have the following before you start configuring Microsoft Entra ID as the IdP:

Configuring SAML Admin SSO with Microsoft Entra ID

To configure Microsoft Entra ID as the IdP for the Zscaler service and use SAML SSO for admins:

To add the Zscaler Internet Access Administrator application (ZIA Admin application) in Microsoft Entra ID:

  1. Sign in to the Microsoft Entra admin center.
  2. Go to Identity > Applications > Enterprise applications.

  3. Click New application.

    The Browse Microsoft Entra ID Gallery page appears.

  4. On the Browse Microsoft Entra ID Gallery page, enter zscaler admin in the search bar, and click the Zscaler Internet Access Administrator application.

  5. Click Create.

    The Microsoft Entra ID service displays a notification that the ZIA Admin application was added.


To configure SAML admin SSO in the Microsoft Entra admin center:

  1. In the left-side navigation for the ZIA Admin application, click Single sign-on.

  2. Choose SAML.

  3. In Basic SAML Configuration, click the Edit icon.

    The Basic SAML Configuration window appears.

  4. In the Basic SAML Configuration window:

    • Identifier (Entity ID): Enter the following identifier.

      admin.<Zscaler cloud>.net

      The <Zscaler cloud> depends on the URL you use to log in to the Zscaler service. For example, if you log in to https://admin.zscalerbeta.net, then the identifier is admin.zscalerbeta.net.

    • Reply URL (Assertion Consumer Service URL): Select one of the following Zscaler admin SSO URLs with your Zscaler cloud name.
      • https://admin.zscaler.net/adminsso.do
      • https://admin.zscalerone.net/adminsso.do
      • https://admin.zscalertwo.net/adminsso.do
      • https://admin.zscalerthree.net/adminsso.do
      • https://admin.zscloud.net/adminsso.do
      • https://admin.zscalerbeta.net/adminsso.do
      The Zscaler cloud name depends on the URL you use to log in to the Zscaler service. For example, if you log in to https://admin.zscalerbeta.net, then select https://admin.zscalerbeta.net/adminsso.do.
    • Sign on URL: Leave this field blank.
    • Relay State: Leave this field blank.
    • Logout URL: Leave this field blank.

  5. Click Save and exit the window.
  6. In SAML Signing Certificate, download Certificate (base64). You need it for Step 3 in 5. Configure SAML Admin SSO in the ZIA Admin Portal.
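
The Basic SAML Configuration values from step 4 can be checked against the login URL before they are saved. The following Python check is an added example, not Zscaler or Microsoft code; the dictionary keys (`identifier`, `reply_url`, `sign_on_url`, `relay_state`, `logout_url`) are hypothetical names for the form fields, and the sample configuration is constructed.

```python
from urllib.parse import urlsplit

# Reply URLs listed in this guide, one per Zscaler cloud.
REPLY_URLS = {
    "https://admin.zscaler.net/adminsso.do",
    "https://admin.zscalerone.net/adminsso.do",
    "https://admin.zscalertwo.net/adminsso.do",
    "https://admin.zscalerthree.net/adminsso.do",
    "https://admin.zscloud.net/adminsso.do",
    "https://admin.zscalerbeta.net/adminsso.do",
}
# Fields the guide says to leave blank (hypothetical key names).
BLANK_FIELDS = ("sign_on_url", "relay_state", "logout_url")


def expected_values(login_url):
    """Derive (Identifier, Reply URL) from the admin portal login URL."""
    parts = urlsplit(login_url.strip())
    host = (parts.hostname or "").lower()
    reply = f"https://{host}/adminsso.do"
    # Exact match against the guide's list rejects look-alike hosts.
    if parts.scheme != "https" or reply not in REPLY_URLS:
        raise ValueError(f"not a login URL covered by the guide: {login_url!r}")
    return host, reply


def check_basic_saml_config(login_url, cfg):
    """Return a list of findings; an empty list means the values follow step 4."""
    identifier, reply = expected_values(login_url)
    value = lambda key: (cfg.get(key) or "").strip()
    findings = []
    if value("identifier") != identifier:
        findings.append(f"Identifier should be {identifier}")
    if value("reply_url") != reply:
        findings.append(f"Reply URL should be {reply}")
    findings += [f"{key} should be left blank" for key in BLANK_FIELDS if value(key)]
    return findings


if __name__ == "__main__":
    # Constructed sample: scheme added to the Identifier, Reply URL for another cloud.
    sample = {
        "identifier": "https://admin.zscalerbeta.net",
        "reply_url": "https://admin.zscaler.net/adminsso.do",
        "logout_url": "https://admin.zscalerbeta.net/logout",
    }
    for finding in check_basic_saml_config("https://admin.zscalerbeta.net", sample):
        print(finding)
```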


In order for Microsoft Entra ID admins to authenticate through the Zscaler service, you must assign Microsoft Entra ID admins to the ZIA Admin application.

To assign admins to the Zscaler cloud application in the Microsoft Entra admin center:

  1. In the left-side navigation of the ZIA Admin application, click Users and groups.

  2. Click Add user.

    The Add Assignment window appears.

  3. In the Add Assignment window, click Users and groups.

    The Users and groups window appears.

  4. In the Users and groups window, select the admins you want to assign to the ZIA Admin application, and click Select.

  5. In the Add Assignment window, click Assign.


By default, the ZIA Admin application is visible to admins in their My Apps portal.

To enable or disable application visibility:

  1. In the left-side navigation for the ZIA Admin application, click Properties.

  2. For Visible to users?, choose Yes or No.


5. Configure SAML Admin SSO in the ZIA Admin Portal.

Testing the SAML Configuration

To test the SAML admin SSO, users can initiate the SAML connection from the ZIA Admin application. There are two ways to do this:
