Secure Internet and SaaS Access (ZIA) Help
Authentication & Administration
Administrator & Role Management
SAML for Admins
Admin SAML Configuration Guide for Microsoft Entra ID

Secure Internet and SaaS Access (ZIA)

Admin SAML Configuration Guide for Microsoft Entra ID

This guide illustrates how to configure Microsoft Entra ID (formerly Azure Active Directory) as the identity provider (IdP) for the Zscaler service and use SAML single sign-on (SSO) for your organization's admins. To learn more about the steps in the Microsoft Entra admin center, refer to the Microsoft Entra ID documentation.

Prerequisites

Ensure that you have the following before you start configuring Microsoft Entra ID as the IdP:

Existing Microsoft Entra account
Zscaler cloud name
Admin accounts created for your organization's admins

Configuring SAML Admin SSO with Microsoft Entra ID

To configure Microsoft Entra ID as the IdP for the Zscaler service and use SAML SSO for admins:

1. Add the Zscaler Internet Access Administrator application in the Microsoft Entra admin center.

To add the Zscaler Internet Access Administrator application (ZIA Admin application) in Microsoft Entra ID:

Sign in to the Microsoft Entra admin center.
Go to Identity > Applications > Enterprise applications.
See image.
Close
Click New application.
See image.
Close
The Browse Microsoft Entra ID Gallery page appears.
On the Browse Microsoft Entra ID Gallery page, enter zscaler admin in the search bar, and click the Zscaler Internet Access Administrator application.
See image.
Close
Click Create.
See image.
Close
The Microsoft Entra ID service displays a notification that the ZIA Admin application was added.

2. Configure SAML Admin SSO in the Microsoft Entra admin center.

To configure SAML admin SSO in the Microsoft Entra admin center:

In the left-side navigation for the ZIA Admin application, click Single sign-on.
See image.
Close
Choose SAML.
See image.
Close
In Basic SAML Configuration, click the Edit icon.
See image.
Close
The Basic SAML Configuration window appears.
In the Basic SAML Configuration window:
- Identifier (Entity ID): Enter the following identifier.
```
admin.<Zscaler cloud>.net
```
  The <Zscaler cloud> depends on the URL you use to log in to the Zscaler service. For example, if you log in to https://admin.zscalerbeta.net, then the identifier is admin.zscalerbeta.net.
- Reply URL (Assertion Consumer Service URL): Select one of the following Zscaler admin SSO URLs with your Zscaler cloud name.
  - https://admin.zscaler.net/adminsso.do
  - https://admin.zscalerone.net/adminsso.do
  - https://admin.zscalertwo.net/adminsso.do
  - https://admin.zscalerthree.net/adminsso.do
  - https://admin.zscloud.net/adminsso.do
  - https://admin.zscalerbeta.net/adminsso.do
- The Zscaler cloud name depends on the URL you use to log in to the Zscaler service. For example, if you log in to https://admin.zscalerbeta.net, then select https://admin.zscalerbeta.net/adminsso.do.
- Sign on URL: Leave this field blank.
- Relay State: Leave this field blank.
- Logout URL: Leave this field blank.
See image.
Close
Click Save and exit the window.
In SAML Signing Certificate, download Certificate (base64). You need it for Step 3 in 5. Configure SAML Admin SSO in the ZIA Admin Portal.
See image.
Close

3. Assign admins to the ZIA Admin application

In order for Microsoft Entra ID admins to authenticate through the Zscaler service, you must assign Microsoft Entra ID admins to the ZIA Admin application.

To assign admins to the Zscaler cloud application in the Microsoft Entra admin center:

In the left-side navigation of the ZIA Admin application, click Users and groups.
See image.
Close
Click Add user.
See image.
Close
The Add Assignment window appears.
In the Add Assignment window, click Users and groups.
See image.
Close
The Users and groups window appears.
In the Users and groups window, select the admins you want to assign to the ZIA Admin application, and click Select.
See image.
Close
In the Add Assignment window, click Assign.
See image.
Close

in the Microsoft Entra admin center .

4. (Optional) Enable IdP-Initiated SSO

By default, the ZIA Admin application is visible to admins in their My Apps portal.

To enable or disable application visibility:

In the left-side navigation for the ZIA Admin application, click Properties.
See image.
Close
For Visible to users?, choose Yes or No.
See image.
Close

in the Microsoft Entra admin center .

5. Configure SAML Admin SSO in the ZIA Admin Portal.

Testing the SAML Configuration

To test the SAML admin SSO, users can initiate the SAML connection from the ZIA Admin application. There are two ways to do this:

Go to Microsoft My Apps Portal
You can use this method if you've enabled application visibility in Step 2 of 4. (Optional) Enable IdP-Initiated SSO.
To go to the Microsoft My Apps portal:
1. Sign in to the Microsoft My Apps portal to get access to all your assigned visible applications.
2. Click the Zscaler Internet Access Administrator.
  See image.
  Close
  You are automatically signed in to the ZIA Admin Portal.
Close
Browse to the User Access URL
If you've disabled application visibility in Step 2 of 4. (Optional) Enable IdP-Initiated SSO, you can use this method to directly access the ZIA Admin application from the browser.
To browse to the user access URL:
1. In the left-side navigation for the ZIA Admin application, click Properties.
  See image.
  Close
2. Copy the User access URL.
  See image.
  Close
3. Browse to the user access URL.
  See image.
  Close
  You are automatically signed in to the ZIA Admin Portal.
Close

Secure Internet and SaaS Access (ZIA)

Admin SAML Configuration Guide for Microsoft Entra ID

Prerequisites

Configuring SAML Admin SSO with Microsoft Entra ID

Testing the SAML Configuration

Was this article helpful? Click an icon below to submit feedback.

Related Articles