Choosing Provisioning and Authentication Methods

This section provides an overview of the various provisioning and authentication mechanisms that the Zscaler service supports. Zscaler recommends deploying Identity Federation using SAML for provisioning and authentication.

Provisioning Methods

The following describes the benefits, requirements, and supported authentication methods for the four supported provisioning methods: Identity Federation using SAML, Hosted User Database, synchronization with a directory server, and Zscaler Authentication Bridge.

Identity Federation Using SAML

Users are provisioned and authenticate once to an identity provider.

Zscaler recommends this method for provisioning and authentication.

Benefits
  • No changes to existing firewall
  • First time authentication can be totally transparent to the user
  • Can be obtained for free through Zscaler partners
Requirements
  • Need to obtain the SAML service and implement it
  • If you want to use a cloud-based identity provider, check its availability in your region.
Supported Authentication Methods

Not applicable.

Hosted User Database

Upload user information to the database manually, through a CSV import or the Zscaler Authentication Bridge.

If SAML isn't feasible, Zscaler recommends this method for organizations with up to 100 users.

Benefits
  • Easy to deploy
  • No need to back up data
Requirements

Not applicable.

Supported Authentication Methods
  • Passwords (Default)
  • Kerberos
  • One-Time Link
  • One-Time Password

Synchronization with a Directory Server

Synchronize user, group, and department data from a directory server, such as a Microsoft Active Directory (AD) or LDAP server. (Passwords are never synchronized.)

If SAML isn't feasible, Zscaler recommends this method for organizations with more than 100 users.

Benefits
  • Use existing infrastructure
  • Secure communications
  • User data can be synchronized periodically or on demand
Requirements
  • Configure firewall to allow the service to synchronize with directory server
  • The Zscaler service must have read-only access to the directory
Supported Authentication Methods
  • LDAP BIND
  • One-Time Link
  • One-Time Password
  • Pre-Provisioned Cookies

Zscaler Authentication Bridge

A virtual appliance that you can use to automatically import user information from an Active Directory (AD) or a Lightweight Directory Access Protocol (LDAP) server to the Zscaler database.

Benefits
  • Does not require inbound connections to your directory server
  • Virtual appliance is managed and maintained by your organization
  • User data can be synchronized periodically or on demand
Requirements
  • Download and install the virtual appliance.
Supported Authentication Methods
  • Hosted User Database
  • LDAP BIND
  • SAML
  • One-Time Link
  • One-Time Password
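The directory synchronization and Authentication Bridge methods above both import user, group and department data on a periodic or on-demand schedule and never carry passwords. The following is an added example, not Zscaler's code, of what one synchronization pass has to decide: which directory records become new hosted users, which existing users changed, which disappeared, and which attributes are allowed to leave the directory at all. The attribute names, the sample directory records and the hosted store are constructed for the demo.

```python
"""Added example (not Zscaler's code): plan one sync pass from a directory
server into a hosted user store. Records and attribute names are constructed."""
from dataclasses import dataclass, field

# Attributes the sync is allowed to carry. Anything else, in particular password
# material such as unicodePwd or userPassword, is dropped before it leaves the directory.
SYNC_ATTRIBUTES = ("email", "name", "groups", "department")


@dataclass
class SyncPlan:
    add: dict = field(default_factory=dict)      # email -> record to create
    update: dict = field(default_factory=dict)   # email -> record to overwrite
    remove: list = field(default_factory=list)   # emails no longer in the directory


def sanitize(record):
    """Keep only the synchronised attributes; normalise the matching key (email)."""
    clean = {key: record[key] for key in SYNC_ATTRIBUTES if key in record}
    clean["email"] = clean["email"].strip().lower()
    clean["groups"] = sorted(clean.get("groups", []))
    return clean


def plan_sync(directory_records, hosted_store):
    """Diff directory records against the hosted store, keyed by lowercase email."""
    plan = SyncPlan()
    wanted = {}
    for record in directory_records:
        if not record.get("email", "").strip():
            continue  # entries without a mail attribute (service accounts) cannot be matched
        clean = sanitize(record)
        wanted[clean["email"]] = clean
    for email, clean in wanted.items():
        if email not in hosted_store:
            plan.add[email] = clean
        elif hosted_store[email] != clean:
            plan.update[email] = clean
    plan.remove = sorted(email for email in hosted_store if email not in wanted)
    return plan


# Constructed sample data: what a read-only directory query might return ...
DIRECTORY_RECORDS = [
    {"email": "Alice@Example.com", "name": "Alice", "groups": ["vpn", "eng"],
     "department": "Engineering", "unicodePwd": "must-never-be-copied"},
    {"email": "bob@example.com", "name": "Bob", "groups": ["sales"], "department": "Sales"},
    {"email": "", "name": "svc-backup", "groups": [], "department": "IT"},
]
# ... and what the hosted store currently holds.
HOSTED_STORE = {
    "alice@example.com": {"email": "alice@example.com", "name": "Alice",
                          "groups": ["eng"], "department": "Engineering"},
    "carol@example.com": {"email": "carol@example.com", "name": "Carol",
                          "groups": ["hr"], "department": "HR"},
}

if __name__ == "__main__":
    plan = plan_sync(DIRECTORY_RECORDS, HOSTED_STORE)
    print("add:", sorted(plan.add), "update:", sorted(plan.update), "remove:", plan.remove)
```

Running the demo yields one addition (bob), one update (alice, whose group list grew) and one removal (carol); the `unicodePwd` attribute on Alice's directory record is discarded by `sanitize`, which is the property the "passwords are never synchronized" statement depends on.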

Authentication Methods

The following describes the benefits and requirements for the seven supported authentication methods: Identity Federation using SAML, Hosted User Database, directory server, Zscaler Authentication Bridge, one-time link, one-time token, and passwords.

Identity Federation Using SAML

With SAML, users authenticate once to an identity provider and can be provisioned on the service.

Zscaler recommends this method for provisioning and authentication.

Benefits
  • No changes to existing firewall
  • First time authentication can be totally transparent to the user
  • Can be obtained for free through Zscaler partners
Requirements
  • Need to obtain the SAML service and implement it
  • If you want to use a cloud-based identity provider, check its availability in your region.

Kerberos

Zscaler supports authentication using Kerberos, an industry standard secure protocol that is widely used to authenticate users to network services.

Benefits
  • It enables the Zscaler service to authenticate users when they use applications that do not support cookies, such as Office 365 and Windows Metro Apps.
  • It enables transparent Single Sign-On (SSO) authentication for users. Users authenticate themselves once, when they log in to their corporate domain. They do not have to log in and authenticate themselves to the Zscaler service.
  • The service can enforce granular user, group and department policies on FTP transactions as well as HTTPS transactions, without having to decrypt the HTTPS transactions.
  • Your organization does not need to configure its firewall to allow incoming connections from the Zscaler Enforcement Nodes (ZENs).
  • Kerberos is a secure open standard protocol that most operating systems support, including Windows 7, Windows 8, OS X, Linux, and FreeBSD. Additionally, most browsers support Kerberos authentication, including Internet Explorer, Firefox and Safari.
Requirements
  • A PAC file must be used to forward traffic to the Zscaler service
  • Users must be provisioned on the Zscaler service before they can use Kerberos for authentication

Additionally, the following are required in a Windows environment:

  • A domain controller that runs Windows Server 2003, 2008 or higher
  • Client devices must run Windows Vista or higher
Directory Server

The service queries a directory server to verify the password. Used only with LDAP synchronization as the provisioning method.

Benefits
  • Use existing authentication infrastructure
  • Secure communications
  • No software or hardware installation on site
  • Passwords do not leave the organization
Requirements
  • Configure firewall to allow Zscaler service
  • The directory server must allow the Zscaler service to perform an LDAP BIND

Zscaler Authentication Bridge

A virtual appliance that you can use to provision and authenticate users.

Benefits
  • Virtual appliance is managed and maintained by your organization
  • User data can be synchronized periodically or on demand
  • Passwords do not leave the organization
Requirements
  • Download and install the virtual appliance.

One-Time Link

The service emails a unique URL for the user to click and log in without a password.

Benefits
  • No need to manage passwords
  • Easy to deploy
  • Corporate or AD passwords do not leave organization
  • Can send link to temporary email address instead of corporate
  • No administrator intervention
  • No need for users to remember passwords
  • No software or hardware installation on site
Requirements
  • Allow users to click on links
  • Links can be sent to valid email addresses only

One-Time Token

The service emails a temporary password for the user to log in.

Benefits
  • Users don't click on links
  • Users manage passwords themselves and without administrator intervention
  • Authentication isn't dependent on Active Directory passwords
  • No software or hardware installation on site
Requirements
  • Valid email addresses
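Both one-time methods above rest on the same two properties: the emailed link or temporary password stops working after a short interval, and it works exactly once. The following is an added example, not Zscaler's code, of an issuer and verifier for both. The link carries a nonce, an expiry and an HMAC over them, so a tampered expiry fails before any state is consulted; the server-side record then enforces single use. The temporary password is stored only as a keyed hash, is consumed on first successful use, and is discarded after a small number of wrong guesses. The lifetimes, the attempt limit, the server key, the login URL and the addresses are constructed values.

```python
"""Added example (not Zscaler's code): issue and verify one-time links and
one-time tokens (temporary passwords). Lifetimes, key and URL are constructed."""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

LINK_TTL = 15 * 60       # seconds a one-time link stays valid (assumption)
TOKEN_TTL = 10 * 60      # seconds a temporary password stays valid (assumption)
MAX_TOKEN_ATTEMPTS = 5   # discard the temporary password after this many wrong guesses
TOKEN_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no 0/O or 1/I, easier to type from email


class OneTimeCredentials:
    def __init__(self, server_key, clock=time.time):
        self.key = server_key   # per-deployment secret; the demo passes a constructed value
        self.clock = clock
        self.links = {}         # nonce -> {"email", "expires", "used"}
        self.tokens = {}        # email -> {"hash", "expires", "attempts"}

    def _sign(self, nonce, expires):
        return hmac.new(self.key, f"{nonce}|{expires}".encode(), hashlib.sha256).hexdigest()

    def _token_hash(self, email, token):
        return hmac.new(self.key, f"{email}|{token}".encode(), hashlib.sha256).digest()

    # One-Time Link: the URL the service would email to the user.
    def issue_link(self, email, base_url="https://login.example.com/otl"):
        nonce = secrets.token_urlsafe(24)
        expires = int(self.clock()) + LINK_TTL
        self.links[nonce] = {"email": email, "expires": expires, "used": False}
        return base_url + "?" + urlencode({"n": nonce, "e": expires, "s": self._sign(nonce, expires)})

    def redeem_link(self, url):
        """Return the authenticated email, or None. Checks: signature, expiry, single use."""
        query = parse_qs(urlparse(url).query)
        try:
            nonce, expires, sig = query["n"][0], int(query["e"][0]), query["s"][0]
        except (KeyError, ValueError):
            return None
        if not hmac.compare_digest(sig, self._sign(nonce, expires)):
            return None          # expiry or nonce was altered in transit
        if self.clock() >= expires:
            return None          # link lifetime is over
        entry = self.links.get(nonce)
        if entry is None or entry["used"] or entry["expires"] != expires:
            return None          # unknown, already clicked, or stale record
        entry["used"] = True
        return entry["email"]

    # One-Time Token: the temporary password the service would email to the user.
    def issue_token(self, email):
        token = "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(8))
        self.tokens[email] = {"hash": self._token_hash(email, token),
                              "expires": int(self.clock()) + TOKEN_TTL, "attempts": 0}
        return token

    def verify_token(self, email, token):
        entry = self.tokens.get(email)
        if entry is None or self.clock() >= entry["expires"]:
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_TOKEN_ATTEMPTS:
            del self.tokens[email]   # too many guesses: user must request a new one
            return False
        if not hmac.compare_digest(entry["hash"], self._token_hash(email, token)):
            return False
        del self.tokens[email]       # consumed on first successful use
        return True


class FakeClock:
    """Adjustable clock so the demo can move past the link lifetime."""
    def __init__(self, start=1_700_000_000):
        self.now = start

    def __call__(self):
        return self.now


def demo():
    clock = FakeClock()
    svc = OneTimeCredentials(b"constructed-demo-key", clock=clock)
    results = {}
    url = svc.issue_link("alice@example.com")
    results["link_first"] = svc.redeem_link(url)
    results["link_replay"] = svc.redeem_link(url)
    url2 = svc.issue_link("bob@example.com")
    expires = parse_qs(urlparse(url2).query)["e"][0]
    forged = url2.replace(f"e={expires}", f"e={int(expires) + 3600}")  # pushed expiry, old signature
    results["link_forged_expiry"] = svc.redeem_link(forged)
    clock.now += LINK_TTL + 1
    results["link_expired"] = svc.redeem_link(url2)
    token = svc.issue_token("carol@example.com")
    results["token_wrong"] = svc.verify_token("carol@example.com", "NOPE1234")
    results["token_right"] = svc.verify_token("carol@example.com", token)
    results["token_reuse"] = svc.verify_token("carol@example.com", token)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18s} -> {outcome}")
```

The link's signature is checked before the state lookup so that forged or malformed links never touch the store, and `hmac.compare_digest` is used for both the signature and the token hash so the comparison time does not depend on how many leading characters a guess gets right.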

Passwords

Upload and store passwords on the database of the service. This is used only with the Hosted User Database.

Benefits
  • Doesn't require valid email addresses
  • Supports password complexity enforcement
  • Supports password expiry at configured intervals
Requirements
  • Administrators need to manage passwords
  • No software or hardware installation on site
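The two benefits listed for the Passwords method, complexity enforcement and expiry at a configured interval, are policy checks that sit around the stored credential. The following is an added example, not Zscaler's code, of a hosted password store that applies both: it rejects a password that breaks the complexity rules before storing anything, keeps only a salted PBKDF2 hash, and reports a correct but over-age password as expired rather than accepted. The policy values, the KDF cost, the user and the passwords are constructed for the demo.

```python
"""Added example (not Zscaler's code): a hosted password store with complexity
enforcement and expiry after a configured interval. Policy values are constructed."""
import hashlib
import hmac
import os
import re
import time
from dataclasses import dataclass

MIN_LENGTH = 12                       # assumption: illustrative policy values
PASSWORD_MAX_AGE = 90 * 24 * 3600     # seconds before a password expires
PBKDF2_ROUNDS = 600_000               # cost factor for pbkdf2_hmac-sha256


def check_complexity(password):
    """Return the list of policy rules the password breaks (empty means acceptable)."""
    rules = [
        (len(password) >= MIN_LENGTH, f"at least {MIN_LENGTH} characters"),
        (re.search(r"[a-z]", password), "a lowercase letter"),
        (re.search(r"[A-Z]", password), "an uppercase letter"),
        (re.search(r"[0-9]", password), "a digit"),
        (re.search(r"[^A-Za-z0-9]", password), "a symbol"),
    ]
    return [text for ok, text in rules if not ok]


@dataclass
class StoredPassword:
    salt: bytes
    digest: bytes
    set_at: int      # epoch seconds when the password was set


class HostedUserDatabase:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}   # email -> StoredPassword; the plaintext is never kept

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def set_password(self, email, password):
        problems = check_complexity(password)
        if problems:
            raise ValueError("password needs " + ", ".join(problems))
        salt = os.urandom(16)
        self.users[email] = StoredPassword(salt, self._derive(password, salt), int(self.clock()))

    def authenticate(self, email, password):
        """Return 'ok', 'expired' (correct but past its interval) or 'denied'."""
        record = self.users.get(email)
        if record is None:
            self._derive(password, b"\x00" * 16)   # same cost for unknown users: no timing oracle
            return "denied"
        if not hmac.compare_digest(record.digest, self._derive(password, record.salt)):
            return "denied"
        if self.clock() - record.set_at >= PASSWORD_MAX_AGE:
            return "expired"
        return "ok"


class FakeClock:
    """Adjustable clock so the demo can jump past the expiry interval."""
    def __init__(self, start=1_700_000_000):
        self.now = start

    def __call__(self):
        return self.now


def demo():
    clock = FakeClock()
    db = HostedUserDatabase(clock=clock)
    results = {"weak_rejected": False}
    try:
        db.set_password("alice@example.com", "password")
    except ValueError:
        results["weak_rejected"] = True
    db.set_password("alice@example.com", "Correct-Horse-9")
    results["right"] = db.authenticate("alice@example.com", "Correct-Horse-9")
    results["wrong"] = db.authenticate("alice@example.com", "Correct-Horse-8")
    results["unknown"] = db.authenticate("nobody@example.com", "Correct-Horse-9")
    clock.now += PASSWORD_MAX_AGE
    results["after_interval"] = db.authenticate("alice@example.com", "Correct-Horse-9")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15s} -> {outcome}")
```

Returning a distinct `expired` result only after the password has been verified means the expiry state is revealed to someone who already knows the password, not to anyone probing the login form, and the unknown-user branch still runs the KDF so response time does not reveal which addresses exist in the database.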