SAML Configuration Example: Google Apps


This example illustrates how to configure Google Apps as the Identity Provider for the Zscaler service. Refer to the Google Apps documentation for additional information about the steps in the example.

Prerequisites

Ensure that you have the following before you start the configuration:

Configuring the Zscaler Service in Google Apps

To configure the Zscaler service in Google:

  1. Log in to your Google account. Open the Google apps menu and click the Admin icon to go to the Admin console.

  2. In the Admin console page, click the Apps icon.

  3. In the APP SETTINGS page, click the SAML apps icon.

  4. Click Add a service/App to your domain.

  5. In the Enable SSO for SAML Application step, click SETUP MY OWN CUSTOM APP.

  6. In the Google IdP Information step, do the following, then click NEXT.
    • Copy the SSO URL. You will paste this into the SAML Portal URL field of the admin portal when configuring the Zscaler service for SAML (step 3 of that procedure).
    • Download the Certificate. This is Google's IdP signing certificate; the Zscaler service uses it to verify the signature on the SAML responses Google sends, so keep it together with the SSO URL for the next procedure.

  7. In the Basic Information for your Custom App step, specify an Application Name, then click NEXT.

  8. In the Service Provider Details step, complete the following fields, and then click NEXT. Both values must match your cloud exactly: the ACS URL is where Google posts the signed SAML response, and the Entity ID identifies the Zscaler service as the intended audience of the assertion.
    • ACS URL: Enter the Zscaler SSO URL as https://login.<zscaler_cloud>:443/sfc_sso.
      • In place of <zscaler_cloud> above, enter the name of the cloud on which your organization is provisioned. In this example, the Zscaler SSO URL is https://login.zscalerone.net:443/sfc_sso.
        To learn how you can find your cloud name, see What is my cloud name?
    • Entity ID: Enter your Zscaler cloud name. In this example, the Entity ID is zscalerone.net.

  9. In the Attribute Mapping section, click ADD NEW MAPPING to configure the following attributes, and then click FINISH.
    • In the Enter the application attribute field, enter displayName. Select Basic Information and Primary Email.
    • In the Enter the application attribute field, enter department. Select Employee Details and Department.

  10. Click the overflow menu icon, click ON for everyone, then click TURN ON FOR EVERYONE to confirm.

Configuring the Zscaler Service for SAML

To configure the Zscaler service, do the following:

  1. Go to Administration > Authentication > Authentication Settings.
  2. From Authentication Type, choose SAML and click Configure SAML.
  3. In the Edit SAML window, enter the SSO URL in the SAML Portal URL field, and upload the certificate.

The SSO URL and the certificate are the values you copied and downloaded from the Google IdP Information step (step 6 of Configuring the Zscaler Service in Google Apps).

For more information about configuring the service to use SAML, see How do I configure SAML?

Configuring the Authentication Bypass List

The Google sign-in page must be reachable before a user has authenticated to the Zscaler service; otherwise the redirect to the IdP would itself trigger a Zscaler authentication prompt and the login would loop. To allow this, do the following:

  1. Go to Administration > Settings > Advanced Settings.
  2. In the Authentication Bypass section, add accounts.google.com to the Bypassed URLs field.
  3. Click Save and activate the change.

If you are using PAC files, also add accounts.google.com to the bypass list in the PAC file, otherwise authentication will fail. The rule belongs inside FindProxyForURL, before the rule that returns the Zscaler proxy (note that the JavaScript keyword is lowercase if):

    if (shExpMatch(host, "accounts.google.com"))
        return "DIRECT";
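The following is a complete PAC file showing where that bypass sits, added here as an example; it is not Zscaler's own PAC template. It sends the Google sign-in host DIRECT and everything else to a Zscaler gateway. The gateway name gateway.zscalerone.net and port 80 are assumptions for illustration (use the gateway for your own cloud). shExpMatch is a built-in provided by the browser's PAC engine, so the small glob fallback is defined only when no built-in exists, which lets the same file be exercised under Node.js.

```javascript
// Added example (not Zscaler's PAC template): a complete PAC file that sends
// the Google sign-in host DIRECT and everything else to the Zscaler service.
// The gateway below is an assumption for illustration; use your cloud's gateway.
var ZSCALER_GATEWAY = "PROXY gateway.zscalerone.net:80";

// shExpMatch() is a PAC built-in supplied by the browser's PAC engine. This
// fallback (shell-style glob: '*' = any run, '?' = one char, case-sensitive)
// is defined only when no built-in exists, so the file can also be run under
// Node.js for testing without changing browser behaviour.
if (typeof shExpMatch !== "function") {
  globalThis.shExpMatch = function (str, shexp) {
    var re = "";
    for (var i = 0; i < shexp.length; i++) {
      var c = shexp.charAt(i);
      if (c === "*") {
        re += ".*";
      } else if (c === "?") {
        re += ".";
      } else {
        re += c.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
      }
    }
    return new RegExp("^" + re + "$").test(str);
  };
}

function FindProxyForURL(url, host) {
  // Browsers normally pass the host lowercased; normalise anyway so a
  // mixed-case URL cannot dodge the exact-match rule below.
  host = host.toLowerCase();

  // The Google sign-in endpoint must be reachable before the user has
  // authenticated to Zscaler, otherwise the redirect to the IdP is itself
  // intercepted and the login loops. Match only this exact host: a pattern
  // such as "*.google.com" would also bypass Gmail, Drive and every other
  // Google service, taking them out of Zscaler policy, and a pattern such as
  // "accounts.google.com*" would also match look-alike hosts.
  if (shExpMatch(host, "accounts.google.com")) {
    return "DIRECT";
  }

  // Everything else is forwarded to the Zscaler service. No "; DIRECT"
  // fallback is appended, so the client fails closed if the gateway is
  // unreachable rather than silently bypassing policy.
  return ZSCALER_GATEWAY;
}
```

The PAC only controls how the client forwards traffic; the Authentication Bypass entry in the admin portal described above is still required. Appending "; DIRECT" to the returned proxy string would make clients fail open when the gateway is down, so add it only if that is an accepted trade-off.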

Testing the Configuration

If you are already logged in to the Zscaler service, browse to https://login.zscaler.net/zscaler.portal (or replace zscaler.net with the cloud name you are using), and click Logout.

To learn how you can find your cloud name, see What is my cloud name?

Then ensure that your traffic is being forwarded to the Zscaler service and browse to a website. When prompted for authentication, provide your Google login credentials to log in. (If any error occurs, see SAML Troubleshooting Guidelines.)