This configuration example shows how to configure CA SiteMinder r12.0 SP3 CR5 as an identity provider (IdP) for the Zscaler service. If you are using SiteMinder r12.0 SP2 or the initial release of r12.0 SP3 (before CR1), you must also download and deploy an assertion generator plug-in (AGP).
There are three considerations for deploying Zscaler with SiteMinder:
Ensure that you have the following before you start configuring SiteMinder:
Several versions of this redirect script exist, but they all do the same basic thing: redirect the browser to the SiteMinder SAML 2.0 SSO endpoint and append the RelayState parameter that the Zscaler service supplied. Versions with more error handling may need more customization to match your specific environment.
The simplest version of the JSP is shown below. The original one-line script has been split across lines and tightened in two places a practitioner would expect: the RelayState value is URL-encoded before it is appended (an unencoded value containing "&" or "=" breaks the query string), and a missing parameter no longer produces the literal text "null". Use https for the SiteMinder endpoint in production; the plain http URL here is the example's placeholder.

    <%@ page import="java.net.URLEncoder" %>
    <%
        // RelayState is set by the Zscaler service when it sends the browser here.
        String msg = request.getParameter("RelayState");
        if (msg == null) {
            msg = "";
        }
        // Forward to the SiteMinder SAML 2.0 SSO endpoint for the Zscaler Service Provider.
        // Replace the host and the SPID with the values for your environment.
        String redirectURL = "http://original.example.com/affwebservices/public/saml2sso"
            + "?SPID=staging.zcaler.saml2"
            + "&ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            + "&RelayState=" + URLEncoder.encode(msg, "UTF-8");
        response.sendRedirect(redirectURL);
        return;
    %>
Make sure this file is packaged in the WAR file so that it survives any reboot, reload or restart of the application server.
Adapt the redirectURL line in the script to your environment: the host must be your SiteMinder federation web services server, and the SPID must be the Service Provider ID you defined for your Zscaler cloud. For example:

    String redirectURL = "http://securenet.example.com/affwebservices/public/saml2sso?SPID=staging.<cloudname>.saml2&ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST&RelayState="+msg;
The Zscaler service requires three attributes in the assertion: the user name (for example BSmith@zscaler.com), the given name (Bill Smith) and the user's group memberships (Browsing-group1, Browsing-Group2). The corresponding Active Directory attributes are sAMAccountName or the email address attribute, givenName, and memberOf. Because memberOf is multi-valued, the key to handling groups is to use the FMATTR function (shown in the following figure).
When you configure the Zscaler service, go to Administration > Authentication > Authentication Settings, click Configure SAML, and enter the URL of the redirection script in the SAML Portal URL field. The other attributes must match those defined in the SiteMinder Service Provider Properties exactly; a mismatch in the SPID or binding causes SiteMinder to reject the request.
Add the SiteMinder host that the script redirects to (the host in redirectURL) to the bypass list in the PAC files; otherwise, authentication fails. The reason is that the browser would try to reach the authentication URL through the Zscaler service, but the user is not yet authenticated, so the service will not forward the request and the login page is never reached. The domain in the PAC rule must match the host used in the redirect script.
    if (dnsDomainIs(host, "securenet.com")) return "DIRECT";

Note that the JavaScript keyword is lowercase if; a capital If is a syntax error that silently disables the whole PAC file in most browsers. Also note that dnsDomainIs is a plain suffix match, so "securenet.com" also matches a host such as notsecurenet.com; use a leading dot (".securenet.com") or an exact host comparison if you want the bypass limited to your IdP.
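As an added example (not code from the original guide or from Zscaler), here is a complete PAC function built around that bypass rule. The host name and the proxy string are placeholders; substitute your SiteMinder federation host and the proxy line from your Zscaler-provided PAC file. dnsDomainIs is normally supplied by the browser's PAC runtime; it is re-implemented here following the reference behaviour so the file can be exercised outside a browser, which also shows why the bare-suffix form is looser than an exact host or leading-dot match.

```javascript
// Added example, not code from the original guide. The host name and the proxy
// string are placeholders: substitute your SiteMinder federation host and the
// proxy line from your Zscaler-provided PAC file.
var SAML_IDP_HOST = "securenet.example.com";
var ZSCALER_PROXY = "PROXY gateway.zscaler.net:80; DIRECT";

// Browsers provide dnsDomainIs in the PAC runtime. This copy follows the
// reference behaviour: a plain suffix comparison on the host string, so
// "securenet.example.com" also matches "notsecurenet.example.com".
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

// True when the host must reach the IdP directly rather than via Zscaler:
// either the exact federation host or a real subdomain of it.
function isIdpHost(host) {
  host = host.toLowerCase();
  if (host === SAML_IDP_HOST) return true;
  return dnsDomainIs(host, "." + SAML_IDP_HOST);
}

// Entry point every PAC engine calls for each request.
function FindProxyForURL(url, host) {
  if (isIdpHost(host)) return "DIRECT";
  return ZSCALER_PROXY;
}
```

The exact-host comparison is the tightest rule for a single SSO endpoint; the leading-dot form is only needed if SiteMinder redirects between several hosts under the same domain during login.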