Secure Internet and SaaS Access (ZIA)

Configuring the Default Authentication Profile

In the Authentication Profile section on the Default Settings page (Administration > Authentication Settings > Default Settings), you can:

  • User Repository Type: Choose one of the following repositories and configure accordingly.

    Active Directory (AD) and OpenLDAP user repositories are only available when SCIM provisioning is disabled and SAML auto-provisioning is enabled for only one identity provider (IdP).

    If you are configuring a Zscaler Authentication Bridge (ZAB), see Deploying a Zscaler Authentication Bridge to learn more about configuring the directory and deploying the ZAB.

  • Disable Directory Sync & Enable SCIM Provisioning: This setting only appears if you choose Active Directory or OpenLDAP for the User Repository Type and SAML for the Authentication Type. Enable this setting to disable directory synchronization for the user repository type so that you can enable SCIM provisioning or SAML auto-provisioning (if you have multiple IdPs). Use this setting to migrate from directory synchronization to SCIM provisioning.

    If you enable this setting:

    • The Zscaler service disables directory synchronization. Therefore, the Authentication Wizard and Advanced Configuration options for AD and OpenLDAP disappear, as well as the Directory Synchronization section.
    • You can enable SCIM provisioning or SAML auto-provisioning for your IdPs.
    • The Form-Based option for Authentication Type becomes unavailable.
  • Authentication Frequency: Choose how often users are required to authenticate to the Zscaler service. These options don't apply to users with Zscaler Client Connector.

    • Daily: Authentication expires between 12 to 24 hours from the login time, depending on the time the user authenticated the day before.
    • Only Once: This is the default authentication interval. After users have logged in, they do not need to authenticate again as long as the cookie is saved in the browser or as an Adobe Flash object. (Typically, the cookie expires in about two years.) However, to log out of Zscaler, users must log out of the service explicitly or delete the cookie from their browser.

      Zscaler recommends choosing Only Once as your authentication frequency. To learn more, see About User Authentication Frequency.

    • Once Per Session: Authentication expires after the user closes the browser. In this case, no cookie is saved.
    • Custom: Customize your authentication interval.
      • Custom Authentication Frequency (days): Enter the number of days, between 1 and 180 inclusive. Authentication is requested when the user's cookie expires.
  • Authentication Type: Choose how users authenticate into the Zscaler service. Zscaler recommends using SAML Single Sign-On (SSO).

    • Form-Based: Users log in to the Zscaler service with their credentials. See Configuring the Hosted User Database.

      • Password Strength: Choose the required password strength.
        • None: Choose to place no restriction on the strength or complexity of the passwords. Not recommended. Weak passwords can be easily compromised.
        • Medium: Choose to require users to set passwords that are at least eight characters long and that contain at least one non-alphabetic character. This is the default.
        • Strong: Choose to require users to set passwords that are at least eight characters long and that contain at least one digit, one capital letter, and one special character.

          Only ASCII characters are allowed for the password.

      • Password Expiry: Choose the duration after which users must change their passwords. The default is Never, but Zscaler strongly recommends setting an expiry duration. Old passwords allow access to your system by people no longer in your organization.

      If you're using AD or OpenLDAP user repositories, you must disable Disable Directory Sync & Enable SCIM Provisioning to choose Form-Based authentication.

    • SAML: Users authenticate with SAML SSO. You must configure at least one IdP to enable SAML. To learn more, see Configuring SAML. Also, if the Zscaler service provider (SP) signing SSL certificate is about to expire or has expired, the following field appears:

      • SP SSL Certificate Expiration Date: Displays the expiration date for the SAML signing certificate of the SP. A Caution icon appears if the certificate expires within 30 days.

      If you're using AD or OpenLDAP user repositories, you must disable SCIM provisioning and enable SAML auto-provisioning for only one IdP to choose SAML authentication.

  • If you are using Active Directory (AD) or OpenLDAP, you can click Sync Now to synchronize the Zscaler service with the AD or OpenLDAP server.

    Screenshot of the Sync Now button

    Depending on the Synchronization Frequency you configured for your AD or OpenLDAP server, under Last Synchronization Time, you can view the time when the Zscaler service last synchronized with the AD or OpenLDAP server.

  • Configure a One-Time Token or One-Time Link

Authentication Profile section on the Default Settings page
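As an added illustration (not Zscaler's code or documentation), the following Python validator implements the Form-Based Password Strength levels described above (None, Medium, Strong) and returns every rule a candidate password fails; treating "special character" as ASCII punctuation and applying the ASCII-only rule to every level are assumptions.

```python
import string

# Assumption: "special character" means ASCII punctuation.
SPECIALS = set(string.punctuation)
LEVELS = ("none", "medium", "strong")


def check_password(password: str, strength: str) -> list[str]:
    """Return the list of policy violations for `password` under the given
    strength level; an empty list means the password is acceptable.

    Rules as stated in the documentation:
      none   - no restriction (not recommended)
      medium - at least 8 characters, at least one non-alphabetic character
      strong - at least 8 characters, at least one digit, one capital letter
               and one special character
    Assumption: the ASCII-only requirement applies at every level.
    """
    if strength not in LEVELS:
        raise ValueError(f"unknown strength level: {strength!r}")

    problems: list[str] = []

    # Passwords are restricted to ASCII characters.
    if not password.isascii():
        problems.append("contains non-ASCII characters")

    if strength == "none":
        return problems

    if len(password) < 8:
        problems.append("shorter than 8 characters")

    if strength == "medium":
        if all(c.isalpha() for c in password):
            problems.append("no non-alphabetic character")
    else:  # strong
        if not any(c.isdigit() for c in password):
            problems.append("no digit")
        if not any(c.isupper() for c in password):
            problems.append("no capital letter")
        if not any(c in SPECIALS for c in password):
            problems.append("no special character")

    return problems
```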
