Using the Zscaler App Portal as an Identity Provider (IdP)


The Zscaler App portal can function as an identity provider (IdP) for the Zscaler service. With this feature, users do not need to be tied to your organization's standard IdP in order to authenticate to the Zscaler service. Instead, if your organization uses SAML-based single sign-on (SSO), the app can use a device token to auto-provision and silently authenticate users and devices for the Zscaler service.

You generate the device token in the Zscaler App portal and pass it to the app in an installer option. In addition, in the Zscaler admin portal, you must upload the Zscaler App IdP certificate and add the Zscaler App IdP URL as your SAML Portal URL. The app is then able to gather the user ID and other relevant parameters from the device and send that information to the Zscaler cloud in SAML requests. The Zscaler App portal parses and verifies the SAML requests, enabling the Zscaler cloud to provision and silently authenticate users.

You must complete the following tasks to begin using the Zscaler App portal as an IdP for Zscaler.

In the Zscaler App Portal:

  • Obtain the Zscaler App IdP URL.
  • Download the Zscaler App IdP certificate.
  • Create the device token.

In the Zscaler admin portal:

  • Add the Zscaler App IdP URL as the SAML Portal URL.
  • Upload the Zscaler App IdP certificate.

When installing the Zscaler App:

  • Pass the device token in an installer option.

Configuring the Zscaler App Portal

To obtain the Zscaler App IdP URL, download the IdP certificate, and create a device token:

  1. In the Zscaler App portal, go to Administration.
  2. From the left menu, select Zscaler App IDP. See image.
  3. Note the IDP URL shown here. You must enter it into the SAML Portal URL field within the Zscaler admin portal.
  4. Under Zscaler App IDP Certificate, click Download. You must upload this certificate to the Zscaler admin portal. See image.
  5. Under Manage Device Tokens, click Create Device Token.
  6. In the Create Device Token window, do the following:
    1. Enter Password: Enter a password that is at least six characters and includes at least one alphabetic character and a number.
    2. Token Description: Enter a description that will help you track the device token.
    3. Click Create Device Token. See image.

The token you generate appears in the table under Manage Device Tokens. You can create up to 8 tokens.

Screenshot of the generated device tokens for Zscaler App

Screenshot of the Zscaler App IDP page in the Zscaler App Portal

Screenshot of the IDP URL and Zscaler App IDP Certificate

Screenshot of creating a device token in the Zscaler App Portal

Configuring the Zscaler Admin Portal

To add the Zscaler App IdP URL and upload the IdP certificate: 

  1. Go to Administration > Authentication > Authentication Settings.
  2. In the Authentication Profile tab, under Authentication Type, select SAML.
  3. Click Configure SAML. See image.
  4. In the New SAML or Edit SAML window, under Identity Provider (IDP) Options, do the following:
    1. SAML Portal URL: Enter the Zscaler App IdP URL you obtained from the Zscaler App portal.
    2. Under Public SSL Certificate, click Upload, then click Choose File to navigate to the Zscaler App IdP certificate you downloaded from the Zscaler App portal.
    3. Under Auto-Provisioning Options, select Enable SAML Auto-Provisioning.
    4. Click Save. See image.
  5. Click Save again and activate the change.

Screenshot of the Configure SAML option in the Authentication Profile tab in the Zscaler admin portal

Screenshot of adding the Zscaler App IdP URL as the SAML Portal URL in the Zscaler admin portal
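
Before uploading the certificate, it is worth confirming that the file is a valid certificate and noting when it expires, so that a renewed certificate can be downloaded and uploaded in time. The following PowerShell function is an added example, not Zscaler's own code; the file path in the usage line and the 30-day warning threshold are assumptions for illustration.

```powershell
# Added example (not Zscaler code): inspect the Zscaler App IdP certificate
# downloaded from the Zscaler App portal before uploading it to the admin portal.
# Assumes the file is a DER or Base64-encoded (PEM) X.509 certificate; the
# path and the 30-day threshold are illustrative assumptions.
function Test-ZscalerAppIdpCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $WarnDays = 30
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Certificate file not found: $Path"
    }

    # X509Certificate2 loads both DER and Base64-encoded certificate files.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $now  = Get-Date
    $daysLeft = [math]::Floor(($cert.NotAfter - $now).TotalDays)

    $result = [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint   # SHA-1 thumbprint; compare with the value shown in the admin portal after upload
        DaysLeft   = $daysLeft
        Valid      = ($now -ge $cert.NotBefore -and $now -lt $cert.NotAfter)
    }

    if (-not $result.Valid) {
        Write-Warning "Certificate is outside its validity period (NotBefore $($cert.NotBefore), NotAfter $($cert.NotAfter))."
    } elseif ($daysLeft -le $WarnDays) {
        Write-Warning "Certificate expires in $daysLeft days; download and upload the renewed certificate before then."
    }

    return $result
}

# Usage (the path is an assumption):
# Test-ZscalerAppIdpCertificate -Path 'C:\Temp\ZscalerAppIdP.cer' | Format-List
```

Run the function on the downloaded file and keep the thumbprint with your change record; it gives you a quick way to confirm later that the certificate in the admin portal is still the one you intended to upload.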

Passing the Device Token

To use the Zscaler App as an IdP for your users, you must pass the device token to users' devices during installation. The token on its own lets a device enroll and authenticate silently, so treat it as a credential: restrict who can read the installer command lines, MST files, and startup scripts that carry it, and create a replacement token if one is exposed. Below are instructions for passing the device token for Windows (MSI and EXE installers) and macOS (installer app).

Windows: MSI Installer

To deploy the MSI file with the device token and install the Zscaler App, use the following command-line option and properties:

msiexec /i <complete_path> /quiet DEVICETOKEN=<device_token> USERDOMAIN=<your_organization's_domain>
  • Replace <complete_path> with the absolute pathname of the MSI installer file. For example, C:\Users\User\Downloads\Zscaler-windows-1.1.2.000025-installer.msi.
  • The /quiet switch installs the app in silent mode.
  • Replace <device_token> with the device token you created in the Zscaler App portal.
  • Replace <your_organization's_domain> with your organization's domain. In the example image below, the organization's domain is safemarch.com.

You can add as many MSI installer options as needed for your deployment. To learn more, see Running the MSI File with Command-Line Options.

Screenshot of the command line option when running a Zscaler App MSI file

To create an MST file that includes the device token using Orca:

  1. After opening Orca, go to File > Open.
  2. Double-click the MSI file.
  3. Go to Transform > New Transform.
  4. In the Tables column, click Property. See image.
  5. Click Tables, then Add Row.
  6. In the Add Row menu, do the following:
    1. Property: Enter DEVICETOKEN.
    2. Value: Enter the device token you created in the Zscaler App portal. See image.
    3. Click OK.
  7. To save your changes, go to Transform > Generate Transform....
  8. In the Save Transform As window, enter a file name and click Save.
  9. Deploy the MST file.

You can add as many MSI installer options as needed for your deployment by repeating steps 5 and 6 with another property name (for example, USERDOMAIN). To learn more, see Create an MST File. Note that the Property table in an MST is plain text: anyone who can open the file in Orca can read the token.

Screenshot of saving the MST file for Zscaler

Screenshot of using Orca to create an MST file to install Zscaler App

Screenshot of passing the device token in an MST file for Zscaler App

Windows: EXE Installer

While deploying the Zscaler App in an AD environment, you can enter the command-line options when you define the system start-up script that installs the Zscaler App. Script parameters defined in a GPO are stored in SYSVOL, which every authenticated domain user can read, so the device token will be visible to any domain user; plan for that. In the following example, Windows Server 2012 R2 is used.

  1. Select the GPO and go to Computer Configuration > Policies > Windows Settings > Scripts > Startup.
  2. Double-click Startup to open it.
  3. Click Add to open a new wizard.
  4. In the Script Name field, specify the absolute (UNC) pathname of the EXE installer. For example: \\SERVER\share\Zscaler-windows-1.1.2.000025-installer.exe.
  5. In the Script Parameters field, enter the following parameters:
    • To install the app in silent mode, enter: --mode unattended
    • To pass the device token, use:
--deviceToken <device_token> --userDomain <your_organization's_domain>
  • Replace <device_token> with the device token you created in the Zscaler App portal.
  • Replace <your_organization's_domain> with your organization's domain. In the example image below, the organization's domain is safemarch.com.

You can add as many script parameters as needed for your deployment. To learn more, see Running the EXE File with Command-Line Options.

  6. Click OK. See image.
  7. Click Apply, then refresh Group Policy with the following command:
gpupdate.exe /force
  8. Remotely reboot the OU computers on which you want to install the app using the following command:
shutdown.exe -r -m \\Remote-Computer-Name -t 0

Screenshot of defining the system start-up script for the Zscaler App EXE file

To deploy the EXE file and install the Zscaler App with the device token, run the EXE installer from its absolute pathname with the following command-line options. In this example, the complete path is C:\Users\User\Downloads\Zscaler-windows-1.1.2.000025-installer.exe.

  • To install the app in silent mode, run the EXE installer with the following command-line option: --mode unattended
  • To pass the device token, run the EXE installer with the following options:
--deviceToken <device_token> --userDomain <your_organization's_domain>
  • Replace <device_token> with the device token you created in the Zscaler App portal.
  • Replace <your_organization's_domain> with your organization's domain. In the example image below, the organization's domain is safemarch.com.

You can add as many command-line options as needed for your deployment. To learn more, see Running the EXE File with Command-Line Options.

Screenshot of the command line option when running a Zscaler App EXE file
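
Both the MSI and the EXE procedures above come down to running the installer with the device token as a command-line option. The following PowerShell function is an added example, not Zscaler's installer or code, that wraps either installer type: it refuses to run an installer whose Authenticode signature is not valid, builds the MSI properties or EXE options described above, runs the installer silently, and checks the exit code. The expected signer substring, the installer path, the domain, and the placeholder token are assumptions for illustration.

```powershell
# Added example (not Zscaler code): silent deployment of the Zscaler App MSI or
# EXE installer with a device token. The option names come from the procedures
# above (DEVICETOKEN/USERDOMAIN for MSI; --mode unattended, --deviceToken and
# --userDomain for EXE). The expected signer substring, paths, domain and token
# in the usage line are illustrative assumptions.
function Install-ZscalerAppWithDeviceToken {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $InstallerPath,
        [Parameter(Mandatory)] [string] $DeviceToken,
        [Parameter(Mandatory)] [string] $UserDomain,
        [string] $ExpectedSigner = 'Zscaler'   # assumed substring of the signing certificate's Subject
    )

    if (-not (Test-Path -LiteralPath $InstallerPath)) {
        throw "Installer not found: $InstallerPath"
    }

    # Never run an installer as SYSTEM/administrator unless it is signed, untampered
    # and signed by the publisher you expect.
    $sig = Get-AuthenticodeSignature -FilePath $InstallerPath
    if ($sig.Status -ne 'Valid') {
        throw "Installer signature status is '$($sig.Status)'; refusing to install."
    }
    if ($sig.SignerCertificate.Subject -notlike "*$ExpectedSigner*") {
        throw "Installer signed by unexpected subject: $($sig.SignerCertificate.Subject)"
    }

    $ext = [System.IO.Path]::GetExtension($InstallerPath).ToLowerInvariant()
    switch ($ext) {
        '.msi' {
            # No /l*v logging here on purpose: a verbose MSI log records property
            # values, which would write the device token to disk in clear text.
            $exe     = 'msiexec.exe'
            $argList = @('/i', "`"$InstallerPath`"", '/quiet', '/norestart',
                         "DEVICETOKEN=`"$DeviceToken`"",
                         "USERDOMAIN=`"$UserDomain`"")
        }
        '.exe' {
            $exe     = $InstallerPath
            $argList = @('--mode', 'unattended',
                         '--deviceToken', $DeviceToken,
                         '--userDomain', $UserDomain)
        }
        default { throw "Unsupported installer type: $ext" }
    }

    # The token is passed on the command line, so it is visible in process listings
    # and command-line auditing for the duration of the install; do not echo it.
    $proc = Start-Process -FilePath $exe -ArgumentList $argList -Wait -PassThru -NoNewWindow
    switch ($proc.ExitCode) {
        0       { Write-Verbose 'Install succeeded.' }
        3010    { Write-Warning 'Install succeeded; a reboot is required (MSI exit code 3010).' }
        default { throw "Installer exited with code $($proc.ExitCode)." }
    }
    return $proc.ExitCode
}

# Usage (path, token and domain are placeholders):
# Install-ZscalerAppWithDeviceToken `
#     -InstallerPath 'C:\Users\User\Downloads\Zscaler-windows-1.1.2.000025-installer.msi' `
#     -DeviceToken '<device_token>' -UserDomain 'example.com' -Verbose
```

The signature check is the part that matters for a startup script: the script runs as SYSTEM, so a swapped or modified installer on the share would run with full privileges. Keep the token out of the script file itself where you can (for example, read it at run time from a location with a restrictive ACL) rather than committing it to a share or GPO that every domain user can read.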

macOS: Installer App

To pass the device token using the installer app, run the following command:

sudo sh <download_location>/Contents/MacOS/installbuilder.sh --deviceToken <device_token> --cloudName <zscaler_cloud>
  • Replace <download_location> with the location of the unzipped installer app. For example, if the app is at /Users/abansal/Downloads/Zscaler-osx-1.1.2.000-installer.app, the script path is /Users/abansal/Downloads/Zscaler-osx-1.1.2.000-installer.app/Contents/MacOS/installbuilder.sh.
  • Replace <device_token> with the device token you created in the Zscaler App portal.
  • Replace <zscaler_cloud> with your cloud name. For example, if your cloud name is zscalertwo.net, use --cloudName zscalertwo. To learn more, see What is my cloud name?

You can add as many command-line options as needed for your deployment. To learn more, see Installing the Package with Command-Line Options.

Screenshot of the command line option with the macOS installer app for Zscaler App