This example illustrates how to configure Google Apps as the Identity Provider (IdP) for the Zscaler service. Refer to the Google Apps documentation for additional information about the steps in the example.
Ensure that you have the following before you start the configuration:
Configuring the Zscaler Service in Google Apps
To configure the Zscaler service in Google:
- Log in to your Google account. Open the Google apps menu and click Admin to go to the Admin console.
- In the Admin console page, click the Apps icon.
- In the APPS SETTINGS page, click the SAML apps icon.
- Click Add a service/App to your domain.
- In the Enable SSO for SAML Application step, click SETUP MY OWN CUSTOM APP.
- In the Google IdP Information step, do the following, then click NEXT.
  - Copy the SSO URL. You will paste this in the Admin Portal when configuring the Zscaler service for SAML in step 3.
  - Download the Certificate.
- In the Basic Information for your Custom App step, specify an Application Name, then click NEXT.
- In the Service Provider Details step, complete the following fields, and then click NEXT.
  - ACS URL: Enter the Zscaler SSO URL as https://login.<Zscaler cloud name>.net:443/sfc_sso.
    In place of <Zscaler cloud name> above, enter the name of the cloud on which your organization is provisioned. In this example, the Zscaler SSO URL is https://login.zscalerone.net:443/sfc_sso.
    To learn more, see What is my cloud name?
  - Entity ID: Enter your Zscaler cloud name. In this example, the Entity ID is zscalerone.net.
- In the Attribute Mapping section, click ADD NEW MAPPING to configure the following attributes, and then click FINISH.
  - In the Enter the application attribute field, enter displayName. Select Basic Information and Primary Email.
  - In the Enter the application attribute field, enter department. Select Employee Details and Department.
  In the example below, these values have already been entered.
- Click the overflow menu icon and click ON for everyone, then click TURN ON FOR EVERYONE.
Configuring the Zscaler Service for SAML
To configure the Zscaler service, do the following:
- Go to Administration > Authentication Settings.
- From Authentication Type, choose SAML and click Configure SAML.
- In the Edit SAML window, enter the SSO URL in the SAML Portal URL field, and upload the certificate.
The SSO URL and the certificate are found in the Google IdP Information window when you configured the Zscaler Service in Google in step 6.
To learn more, see How do I configure SAML?
Configuring the Authentication Bypass List
To enable users to access Google Apps, do the following:
- Go to Administration > Advanced Settings.
- In the Authentication Bypass section, add accounts.google.com to the Bypassed URLs field.
- Click Save and activate the change.
If you are using PAC files, ensure that you add accounts.google.com to the bypass list in the PAC files; otherwise, authentication will fail.
    if (shExpMatch(host, "accounts.google.com"))
        return "DIRECT";
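A complete PAC file built around the bypass check above, as an added example that is not Zscaler's own code. The proxy address is a constructed placeholder, `directHosts` and the sample host list are hypothetical helpers for checking the rule, and the `shExpMatch` shim exists only so the file can be run outside a browser.

```javascript
// Constructed placeholder: substitute the gateway your organization uses.
var PROXY_PLACEHOLDER = "PROXY proxy.example.invalid:80";

// Browsers supply shExpMatch() to PAC scripts. This shim is an assumption
// for offline testing (for example in Node.js); omit it when deploying.
if (typeof shExpMatch === "undefined") {
  var shExpMatch = function (str, pattern) {
    // Escape regex metacharacters, then translate the shell wildcards * and ?.
    var escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
    var re = new RegExp(
      "^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$"
    );
    return re.test(str);
  };
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // The bypass must come before any rule that returns the proxy.
  // The pattern has no wildcards, so only the exact IdP host goes direct;
  // other Google hosts and lookalike names are still forwarded.
  if (shExpMatch(host, "accounts.google.com"))
    return "DIRECT";

  return PROXY_PLACEHOLDER;
}

// Hypothetical helper: list which hosts the PAC logic sends DIRECT.
function directHosts(hosts) {
  return hosts.filter(function (h) {
    return FindProxyForURL("https://" + h + "/", h) === "DIRECT";
  });
}

// Constructed sample hosts for checking the rule.
var SAMPLE_HOSTS = [
  "accounts.google.com",
  "mail.google.com",
  "accounts.google.com.example.invalid",
  "www.example.com"
];
```

Keeping the pattern free of wildcards limits the unauthenticated bypass to the IdP login host itself.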
Testing the Configuration
If you are already logged in to the Zscaler service, browse to https://login.<Zscaler cloud name>.net/zscaler.portal (replacing <Zscaler cloud name> with your cloud name), and click Logout. To learn more, see What is my cloud name?
Ensure that your traffic is being forwarded to the Zscaler service and browse to a website. When prompted for authentication, provide your Google login credentials to log in. If an error occurs, see SAML Troubleshooting Guidelines.