How do I configure the Zscaler Identity Proxy for cloud apps?


To enable Identity Proxy settings for cloud applications, see Configuration Task C (Enable Identity Proxy settings for each cloud application) below.

You can configure the Zscaler service as an Identity Provider (IdP) for the following cloud apps: Salesforce, Box and Google Apps. This restricts users to accessing these applications only through the Zscaler service. If users try to access these apps with their corporate accounts without going through the Zscaler service, authentication fails and they are not allowed to log in.

The following figure illustrates the authentication process when the Zscaler service is set up as the IdP for a cloud app, such as Salesforce.

Process diagram of the authentication process when Zscaler service is set up as the IdP for Salesforce cloud app 

Configuring the Zscaler Service as an IdP Proxy

Ensure that SSL inspection is enabled for the location before configuring the Zscaler service as an IdP for Box, Google Apps or Salesforce. 

Then complete the following tasks:

Before you can configure Zscaler as an IdP for Box, Google Apps or Salesforce, you will need to download the Zscaler certificate and copy information from the Zscaler admin portal:

  1. Go to Administration > Authentication > Identity Proxy Settings.
    The Identity Proxy Settings page displays the settings for the three cloud apps.
  2. Click Download to download the Zscaler certificate for the cloud app that you are configuring. 
  3. Copy the Identity Proxy URL and Issuer Details.
    • Click the Identity Proxy URL or Issuer Details value to view the complete string, which you can then copy.
      OR
    • Click the Edit icon to view the Identity Proxy settings page of the cloud app, and then copy the values. 
      See image.

Screenshot of Identity Proxy Settings page with Edit Icon highlighted and the Identity Proxy URL expanded.

After you download the Zscaler certificate and obtain the Identity Proxy URL and Issuer Details, you can configure Zscaler as an IdP for Box, Salesforce or Google Apps. Configuration instructions for each app follow.

To add a single sign-on integration to your Box account, fill out the SSO Questionnaire at https://cloud.box.com/ssoform. Box then uses the information that you provide to set up the single sign-on integration. You'll need the following from the Zscaler admin portal to fill out the questionnaire:

  • The Issuer Details
  • The certificate that you downloaded from the Zscaler admin portal
  • Identity proxy URL

See the questionnaire.

 Screenshot of the SSO Questionnaire with filled fields

Before you start, ensure that you have the following from the Zscaler admin portal:

  • Identity proxy URL
  • The certificate that you downloaded from the Zscaler admin portal

Note that the single sign-on feature cannot be used by users who are assigned administrator roles in Google.

Log in to the Google Admin Console (https://admin.google.com) and do the following:

  1. Click Security > Set up single sign-on (SSO).
  2. Complete the page as shown below.

Screenshot of Set Up SSO on the Google Admin Console

Before you start, ensure that you have the following from the Zscaler admin portal:

  • The Issuer Details
  • The certificate that you downloaded from the Zscaler admin portal
  • Identity proxy URL

Log in to salesforce.com and do the following:

  1. Click Setup.
  2. From the menu on the left, expand Security Controls and select Single Sign-On Settings.
  3. If SAML is enabled as shown in the image, skip this step. Otherwise, click Edit and enable SAML.
  4. Click New. See image.
  5. Complete the SAML Single Sign-On Settings. See image.

Enable the Zscaler Single Sign-On settings as the authentication method:

  1. Click Setup.
  2. From the menu on the left, expand Domain Management and select My Domain.
  3. Edit the Authentication Configuration.
  4. Select the Authentication Service you configured.
  5. Click Save. See image.

After you configure Zscaler as the IdP for Salesforce, ensure that you have the Login URL from the app. Log in to salesforce.com and do the following:

  1. Click Setup.
  2. From the menu on the left, expand Security Controls and select Single Sign-On Settings.
  3. Click the applicable item in the Single Sign-On Settings list.
  4. Copy the Salesforce Login URL. See image.

 Screenshot of Salesforce Single Sign-On Settings page

Screenshot of Salesforce SAML Single Sign-On Settings page

 Screenshot of Authentication Configuration to enable the Zscaler Sign-On settings as authentication method.

Screenshot of Salesforce SAML Single Sign-On Settings page with Salesforce Login URL highlighted.

Log in to the Zscaler admin portal and do the following:

  1. Go to Administration > Authentication > Identity Proxy Settings.
  2. Click the Edit icon to edit the proxy settings of the cloud app (Box, Google Apps, or Salesforce).
  3. In the Cloud Application section, complete the following:
    • Input your Domain: Enter the domain name.
    • Assertion Consumer Service (ACS) URL: The URL of the cloud app to which the Zscaler IdP posts the SAML response. For Box, the URL is displayed. For Google Apps, the URL is completed as you type in your domain. For Salesforce, enter the Salesforce Login URL.
    • Select Enable.
  4. The Identity Proxy Settings section displays SAML information about the Zscaler IdP. These fields are not configurable.
    • SAML Version: Displays the SAML version implemented by the Zscaler IdP.
    • Identity Proxy URL: The Zscaler service dynamically generates a unique Identity Proxy URL. You add this URL as the Identity Provider for SAML SSO when you configure single sign-on for the app.
    • Issuer Details: Displays the random part of the Identity Proxy URL.
    • Identity Request Binding: Displays the SAML binding (HTTP-POST) that the Zscaler service, as the IdP, uses to send the assertion to the cloud app.
    • User Identifier: NameID is the LDAP attribute that maps to the login name that users enter when they authenticate to the Zscaler service.
    • Restrict access to Box.net via Zscaler: Please ensure that users have the Zscaler profile enforced on devices to continue using this app when they're outside the corporate network.
  5. In the Identity Transformation Rules section, choose the transformation rule for the login attribute:
    • Pass-through Zscaler Identity: Passes the Zscaler login name as is.
    • Change Domain to: Replaces the domain part of the user name with a different domain name. Choose a domain from the Change Domain to list that appears.
    • Remove Domain Name: Deletes the domain part of the user name in the response and passes only the user ID.
  6. In the Group section, complete the following:
    • Pass-on Group Details: Select this to send all groups of the user in the response.
    • Group Identifier Name: Enter the group attribute name.
  7. Click Save and activate the change.
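The following Python script is an added example, not Zscaler's code or UI, that models what the settings in steps 3 through 6 above mean on the wire, and why a login that bypasses the Zscaler service fails (the behaviour described at the top of this page). It applies the three Identity Transformation Rules to a login name, builds a minimal SAML 2.0 response carrying that NameID and the optional group attribute, and shows the service-provider side check that rejects a response whose Issuer or ACS URL does not match. The issuer string, ACS URL, domain, group attribute name and user names are placeholders constructed for the example; the XML signature that the downloaded Zscaler certificate is used to verify is deliberately left out.

```python
"""Added example (not Zscaler code): models the Identity Proxy Settings as a
SAML 2.0 response from the IdP proxy plus the service-provider side check that
rejects responses not issued by the configured IdP. Issuer, ACS URL and domain
values below are constructed placeholders."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)


class Transform(Enum):
    """The three Identity Transformation Rules from the settings page."""
    PASS_THROUGH = "Pass-through Zscaler Identity"
    CHANGE_DOMAIN = "Change Domain to"
    REMOVE_DOMAIN = "Remove Domain Name"


@dataclass
class ProxySettings:
    domain: str                                 # "Input your Domain"
    acs_url: str                                # Assertion Consumer Service URL of the app
    issuer: str                                 # "Issuer Details" (placeholder, not a real value)
    transform: Transform = Transform.PASS_THROUGH
    change_domain_to: Optional[str] = None      # target of "Change Domain to"
    pass_on_groups: bool = False                # "Pass-on Group Details"
    group_attr_name: str = "memberOf"           # "Group Identifier Name" (assumed name)


def transform_login(login: str, settings: ProxySettings) -> str:
    """Apply the selected transformation rule to the Zscaler login name (NameID)."""
    if settings.transform is Transform.PASS_THROUGH:
        return login
    local, sep, _old_domain = login.partition("@")
    if not sep:
        return login  # no domain part: nothing to replace or strip
    if settings.transform is Transform.REMOVE_DOMAIN:
        return local
    if not settings.change_domain_to:
        raise ValueError("'Change Domain to' needs a target domain")
    return f"{local}@{settings.change_domain_to}"


def build_response(login: str, groups: list, settings: ProxySettings) -> str:
    """Build the (unsigned) SAML Response the IdP proxy would HTTP-POST to the ACS URL."""
    resp = ET.Element(f"{{{SAMLP}}}Response", Destination=settings.acs_url)
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = settings.issuer
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion")
    ET.SubElement(assertion, f"{{{SAML}}}Issuer").text = settings.issuer
    subject = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = transform_login(login, settings)
    if settings.pass_on_groups and groups:
        stmt = ET.SubElement(assertion, f"{{{SAML}}}AttributeStatement")
        attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", Name=settings.group_attr_name)
        for group in groups:
            ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = group
    return ET.tostring(resp, encoding="unicode")


def sp_accept(response_xml: str, expected_issuer: str, expected_acs: str):
    """Service-provider side: accept only a response from the configured issuer that
    is addressed to this ACS URL. Returns (name_id, groups) or None on rejection.
    A real SP also verifies the XML signature against the IdP certificate downloaded
    from the Zscaler admin portal; that step is omitted in this model."""
    root = ET.fromstring(response_xml)
    if root.findtext(f"{{{SAML}}}Issuer") != expected_issuer:
        return None  # not the Zscaler IdP: a login that bypassed the proxy ends here
    if root.get("Destination") != expected_acs:
        return None  # response addressed to a different ACS URL
    name_id = root.findtext(f"{{{SAML}}}Assertion/{{{SAML}}}Subject/{{{SAML}}}NameID")
    groups = [v.text for v in root.iterfind(f".//{{{SAML}}}AttributeValue")]
    return name_id, groups


if __name__ == "__main__":
    # Constructed sample settings; issuer and ACS URL are placeholders.
    settings = ProxySettings(
        domain="example.com",
        acs_url="https://sp.example.invalid/saml/acs",
        issuer="ISSUER-DETAILS-PLACEHOLDER",
        transform=Transform.CHANGE_DOMAIN,
        change_domain_to="corp.example.com",
        pass_on_groups=True,
    )
    xml = build_response("alice@example.com", ["engineering", "vpn-users"], settings)
    print(sp_accept(xml, settings.issuer, settings.acs_url))
    print(sp_accept(xml, "some-other-issuer", settings.acs_url))
```

Running the script prints the accepted `(name_id, groups)` tuple for the proxied response and `None` for the same response checked against a different issuer; that second case is the "authentication will fail" outcome from the introduction, expressed as the service provider's own issuer check.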