icon-zia.svg
Secure Internet and SaaS Access (ZIA)

Choosing Provisioning and Authentication Methods

This article provides an overview of the various provisioning and authentication mechanisms that the Zscaler service supports. To learn more, see About Provisioning and Authenticating Users. Zscaler recommends deploying SCIM for provisioning and Identity Federation using SAML for authentication.

Provisioning Methods

The following tables list the benefits, requirements, and supported authentication methods for the 5 supported provisioning methods: Identity Federation using SCIM, SAML, Hosted User Database, synchronization with a directory server, and Zscaler Authentication Bridge (ZAB).

  • SCIM
    Users and groups are provisioned via APIs. SAML is the only supported authentication method. Zscaler recommends this method for provisioning and SAML for authentication. To learn more, see About SCIM.
    Benefits
    • No need to wait for synchronization intervals or for the user to log in to the Zscaler service.
    • When group membership or department membership changes, the Zscaler user database is automatically updated in near real time.
    • No inbound connections are required from Zscaler to the customer's user directory or any other component in the customer's network.
    • Simplified integration with major identity providers through technology partnerships.
    Requirements
    • Need to obtain a SCIM client and implement it.
    • If you want to use a cloud-based identity provider, check if the IdP supports SCIM 2.0.
    To configure SCIM provisioning, see Configuring SCIM.
    Close
  • Identity Federation Using SAML
    Users are provisioned and authenticate once to an identity provider. Zscaler recommends this method for authentication. To learn more, see Understanding SAML.
    Benefits
    • No changes to the existing firewall.
    • First time authentication can be totally transparent to the user.
    • Can be obtained for free through Zscaler partners.
    Requirements
    • Need to obtain the SAML service and implement it.
    • If you want to use a cloud-based identity provider, check its availability in your region.
    To configure SAML, see Configuring SAML.
    Close
  • Hosted User Database

    Upload user information to the database manually through a CSV import or ZAB. If SAML or SCIM aren't feasible, Zscaler recommends this method for organizations with up to 100 users.

    Following are the supported authentication methods:

    Benefits
    • Easy to deploy.
    • No need to back up data.
    Requirements
    N/A
    To configure the Hosted User Database, see Configuring the Hosted User Database.
    Close
  • Directory Server Synchronization

    Synchronize user, group, and department data from a directory server, such as a Microsoft Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) server. Passwords are never synchronized. If SAML isn't feasible, Zscaler recommends this method for organizations with more than 100 users. To learn more, see About LDAP User Synchronization.

    Following are the supported authentication methods:

    Benefits
    • Use existing infrastructure.
    • Secure communications.
    • User data can be synchronized periodically or on demand.
    Requirements
    • Configure firewall to allow the Zscaler service to synchronize with directory server.
    • The Zscaler service must have read-only access to the directory.
    To synchronize with a directory server, see Synchronizing User Data with an Active Directory or OpenLDAP.
    Close
  • ZAB

    A virtual appliance that you can use to automatically import user information from an Active Directory (AD) or a Lightweight Directory Access Protocol (LDAP) server to the Zscaler database. To learn more, see About the Zscaler Authentication Bridge.

    When you use the ZAB for provisioning and SAML for authentication, only the primary IdP in the ZIA Admin Portal can have SAML auto-provisioning enabled. While the ZAB is being used for provisioning, you cannot enable SCIM on any IdP.

    Following are the supported authentication methods:

    Benefits
    • Does not require inbound connections to your directory server.
    • Virtual appliance is managed and maintained by your organization.
    • User data can be synchronized periodically or on demand.
    Requirements
    Download and install the virtual appliance.
    To deploy a ZAB, see Deploying a Zscaler Authentication Bridge.
    Close

Authentication Methods

The following tables list the benefits and requirements for the 7 supported authentication methods: Identity Federation using SAML, Kerberos Authentication, Directory server, ZAB, one-time link, one-time token, and passwords.

  • Identity Federation Using SAML
    Users are provisioned and authenticate once to an identity provider. Zscaler recommends this method for authentication. To learn more, see Understanding SAML.
    Benefits
    • No changes to the existing firewall.
    • First time authentication can be totally transparent to the user.
    • Can be obtained for free through Zscaler partners.
    Requirements
    • Need to obtain the SAML service and implement it.
    • If you want to use a cloud-based identity provider, check its availability in your region.
    To configure SAML, see Configuring SAML.
    Close
  • Kerberos Authentication
    Zscaler supports authentication using Kerberos, an industry standard secure protocol that is widely used to authenticate users to network services. To learn more, see About Kerberos Authentication.
    Benefits
    • It enables the Zscaler service to authenticate users when they use applications that do not support cookies, such as Office 365 and Windows Metro Apps.
    • It enables transparent Single Sign-On (SSO) authentication for users. Users authenticate themselves once, when they log in to their corporate domain. They do not have to log in and authenticate themselves to the Zscaler service.
    • The Zscaler service can enforce granular user, group, and department policies on FTP transactions as well as HTTPS transactions, without having to decrypt the HTTPS transactions. The service can authenticate the CONNECT request without decryption. However, it must decrypt the transaction to authenticate the subsequent ClientHello request.
    • Your organization does not need to configure its firewall to allow incoming connections from the ZIA Public Service Edges.
    • Kerberos is a secure open standard protocol that most operating systems support, including Windows 7, Windows 8, OS X, Linux, and FreeBSD. Additionally, most browsers support Kerberos authentication, including Microsoft Edge, Firefox, and Safari.
    Requirements
    • A PAC file must be used to forward traffic to the Zscaler service.
    • Users must be provisioned on the Zscaler service before they can use Kerberos for authentication.

    Additionally, the following are required in a Windows environment:

    • A domain controller that runs Windows Server 2003, 2008 or later.
    • Client devices must run Windows Vista or later.
    To configure Kerberos authentication, see Deploying Kerberos Authentication.
    Close
  • Directory Server Synchronization
    The Zscaler service queries a directory server to verify the password. This method is used only with LDAP synchronization as the provisioning method. To learn more, see About LDAP User Synchronization.
    Benefits
    • Use existing authentication infrastructure.
    • Secure communications.
    • No software or hardware installation on site.
    • Passwords do not leave the organization.
    Requirements
    • Configure the firewall to allow Zscaler service.
    • The directory server must allow the Zscaler service to perform an LDAP BIND.
    To synchronize with a directory server, see Synchronizing User Data with an Active Directory or OpenLDAP.
    Close
  • ZAB
    A virtual appliance that you can use to provision and authenticate users. To learn more, see About the Zscaler Authentication Bridge.
    Benefits
    • Virtual appliance is managed and maintained by your organization.
    • User data can be synchronized periodically or on demand.
    • Passwords do not leave the organization.
    Requirements
    Download and install the virtual appliance.
    To deploy a ZAB, see Deploying a Zscaler Authentication Bridge.
    Close
  • One-Time Token
    The Zscaler service emails a temporary password for the user to log in.
    Benefits
    • Users don't click on links.
    • Users manage passwords themselves and without administrator intervention.
    • Authentication isn't dependent on Active Directory passwords.
    • No software or hardware installation on site.
    Requirements
    Valid email addresses.
    To learn more about one-time tokens and how to configure them, see Configuring a One-Time Token or One-Time Link.
    Close
  • Passwords
    Upload and store passwords on the database of the Zscaler service. This method is used only with the Hosted User Database.
    Benefits
    • Does not require valid email addresses.
    • Supports password complexity enforcement.
    • Supports password expiry at configured intervals.
    Requirements
    • Administrators need to manage passwords.
    • No software or hardware installation on site.
    To learn more about password-based authentication and how to configure the Hosted User Database, see Configuring the Hosted User Database.
    Close
Related Articles
About Provisioning and Authenticating UsersChoosing Provisioning and Authentication MethodsAbout Authentication Default SettingsConfiguring the Default Authentication ProfileConfiguring the Hosted User DatabaseManaging Forced ReauthenticationConfiguring a One-Time Token or One-Time LinkAbout User Authentication FrequencyAbout Authentication ProfilesConfiguring Custom Authentication Timeout ProfilesAbout Zscaler CookiesAbout Surrogate IPExempting URLs and Cloud Apps from AuthenticationRecommended Security Settings for Microsoft Edge BrowserZIA Authentication Error Codes