Configuring ADFS for Admin SAML Single Sign-On

Configuring ADFS for Admin SAML Single Sign-On

This example illustrates how to configure a Windows Server 2008 R2 running SAML 2.0 ADFS as an IdP for the Zscaler service to enable SAML single sign-on for your organization's admins. It assumes that ADFS 3.0 is already installed on the Windows server. Refer to the Windows ADFS documentation for additional information about the steps in the example. Below are relevant technical attributes:

  • ACS URL: https://admin.<cloud-name>/
    • For example, if your cloud is, would be your ACS URL. To learn how you can find your cloud name, see What is my cloud name?
  • Hashing algorithms: AES-1 and AES-256


Below are the prerequisites for configuring the ADFS server:

Configuration Steps

To add the Zscaler service to ADFS, go to Start > ADFS Management 2.0 to launch the ADFS management application and do the following:

A.  Configure the Zscaler service as a relying party trust

In ADFS, a relying party is a Federation Service or application that requests and consumes claims from a claims provider in a particular transaction. Complete the following steps to add Zscaler as a relying party trust.

  1. In the ADFS 3.0 Management window, open the Trust Relationships > Relying Party Trusts folder. In the Actions menu on the right, click Add Relying Party Trust.

A.  Configure the Zscaler service as a relying party trust

  1. When the Add Relying Party Trust wizard appears, click Start

The wizard steps are listed on the column on the left.

  1. In Select Data Source, choose Import data about the relying party from a file, and click Next.

  1. Enter a Display name for the Zscaler service, such as Admin SAML Zscaler-Beta, and then click Next.
  2. Allow the wizard to run through the next three steps (Choose Profile, Configure Certificate, Configure URL, and Configure Identifiers).
  3. In Configure Multi-factor Authentication Now?, select I do not want to configure multi-factor authentication settings for this relying party trust at this time, and then click Next.

  1. In Choose Issuance Authorization Rules, select Permit all users to access this relying party, and click Next.

  1. In Ready to Add Trust, the wizard displays the configured settings. Click Next.

  1. Ensure the option to open the Edit Claim Rules dialog is checked. Click Finish to add the relying party trust to the database.  

B. Add a Claim Rule

Configure the SAML Assertions to be federated to Zscaler for identifying the admin with the following steps.

  1. When the Edit Claim Rules window appears, click Add Rule.

B. Add a Claim Rule

  1. In Choose Rule Type of the Add Transform Claim Rule wizard, select Send LDAP Attributes as Claims as the claim rule template so the claims contain LDAP attribute values from the attribute store, AD. Then click Next.

  1. In Configure Claim Rule, do the following and click Finish.
    • Enter a name for the claim rule (for example, zsbeta claims).
    • From the Attribute Store menu, choose Active Directory.
    • Map the LDAP attributes that represent the user's login name to the field in the outgoing claim.
      • From the LDAP Attribute column, select User-Principal-Name.
      • From the Outgoing Claim Type column, select Name ID.

The email address is sent as the Name ID.

C. Export the Certificate

To export the certificate that you will upload to the Zscaler service:

  1. In the ADFS 3.0 Management window, open the Service > Certificates folder. In the Actions menu on the right, click View Certificate.
  2. In the Certificate window, go to the Details tab and click Copy to File… to open the Certificate Export wizard.

C. Export the Certificate

  1. Start the Certificate Export Wizard.

  1. In Export File Format, choose Base-64 encoded as the file format of the certificate you want to export and click Next.

  1. In File to Export, either click Browse to navigate to the file you want to export or enter the file name. Click Next.

  1. Click Finish to exit the wizard.

Upload this certificate to the Zscaler service. See About SAML Single Sign-On for Admins.

The admin can now sign in to the Zscaler admin portal through ADFS as an IDP. See example below.