ZIdentity
Migrating Zscaler Service Admins to ZIdentity
ZIdentity is the common identity service for all Zscaler products. It provides a centralized platform for managing admin roles and entitlements across all Zscaler services. ZIdentity has been provisioned for all new customers since January 2024, and existing customers began upgrading to ZIdentity in June 2024. At this time, the majority of Zscaler customers have been upgraded to ZIdentity.
Prior to ZIdentity, customers provisioned and managed administrators and end users directly in individual Zscaler services (e.g., Zscaler Internet Access (ZIA), Zscaler Private Access (ZPA), etc.). The external identity provider (IdP) integrations were also configured directly to individual Zscaler services.
With ZIdentity migration, administrator data and their role assignments are transferred from various Zscaler services and synced to ZIdentity. It also offers a unified authentication experience. Administrators can authenticate and access all Zscaler service admin portals with a single set of credentials, eliminating the need for multiple login credentials.
Migration and Upgrade Processes
ZIdentity migration includes the following use cases:
Customer-Driven Migration: Customers that authenticate their Zscaler administrators with an external IdP request ZIdentity migration.
- Migration Process
- Customers contact their Zscaler account team to request a ZIdentity tenant and have it linked to all of their Zscaler service tenants.
- Zscaler emails the customer asking them to specify the Zscaler service tenants to be linked to the ZIdentity tenant, and the name and email address of the new ZIdentity super admin.
- Zscaler provisions the ZIdentity tenant and links the customer's Zscaler service tenants (ZIA, ZPA, ZDX, etc.).
Next, as the ZIdentity super admin, complete the following:
- When you receive the email about the new ZIdentity tenant registration, follow the instructions in the email and complete the registration.
- Connect your organization's external IdP to ZIdentity and provision your admins (users) to ZIdentity.
- Ask the other admins to test ZIdentity by clicking the tile at their IdP and confirming that they see the ZIdentity SSO portal (ZIdentity Landing Page) and their assigned Zscaler service tiles.
  - The service tiles remain disabled until you complete the migration.
  - If an admin does not see the expected tiles, review the entitlements assigned to that admin on the Entitlements tab in the ZIdentity Admin Portal and adjust them on the Administrative Entitlements page.
- When all admins confirm that they can reach the ZIdentity Landing Page and see their Zscaler service tiles, go to the ZIdentity Admin Portal and click the link in the banner to proceed with the admin migration.
- Read the message and click Confirm.
The ZIdentity admin migration is complete.
Zscaler-Driven Upgrade: Zscaler upgrades customers whose administrators are hosted and authenticated by Zscaler (no external IdP).
- Upgrade Process
- Zscaler identifies all hosted tenants for the ZIdentity upgrade, based on customer registration and product configuration data.
- Zscaler generates a ZIdentity vanity domain (e.g., https://acme.zslogin.net) for each customer.
- Zscaler collects the email address of the user who will become the new ZIdentity super admin.
- The super admin receives an email stating that the tenant will be upgraded, the date of the upgrade, and the vanity domain (e.g., https://acme.zslogin.net) assigned to the tenant.
  - Customers can change the Zscaler-assigned vanity domain (e.g., https://acme.zslogin.net) during the 7 days prior to the completion of the upgrade.
- All admins receive emails indicating when they will be upgraded.
- When the upgrade is complete, admins can continue using the old Zscaler admin URLs to log in. Zscaler detects that the tenant has been upgraded and redirects the admin to the ZIdentity login page to enter their password. Existing passwords are migrated, so admins continue using their current passwords.
- After the upgrade, admins manage users and groups in the ZIdentity Admin Portal.
Enrolling for MFA
After the Zscaler-driven upgrade, all admins, including the super admin, are required to enroll for multi-factor authentication (MFA).
Zscaler strongly recommends that every admin is configured with a valid email address. If an admin forgets their password or loses an MFA authenticator, Email OTP authentication is the recovery path for both. Because Email OTP can recover both the password and the MFA authenticator, the admin's mailbox itself becomes a recovery factor and should be protected accordingly.
Accessing Zscaler Services after Migration
The authentication process changes after the admins are migrated to ZIdentity. After the migration, the credential validation for admins of all Zscaler services is handled by ZIdentity.
To improve security, all admins with credentials hosted at Zscaler must use multi-factor authentication (MFA) for admin login. The MFA options supported include security key or biometric, Google Authenticator, email OTP, and SMS OTP. To learn more, see Accessing and Navigating the ZIdentity Landing Page.
Admins can authenticate in any of the following ways. Zscaler recommends using the vanity domain (e.g., https://acme.zslogin.net) or the SSO URL to go directly to the ZIdentity Landing Page, for simplicity.
- Use the Two-Step Login Process
  - Access a Zscaler admin portal (ZIA, ZDX, ZPA, Branch Connector, Cloud Connector, or Deception).
  - Enter the login ID that you have been using.
    After the migration, credential validation for ZIA and ZPA admins is handled by ZIdentity. When a ZIA or ZPA admin logs in for the first time after the migration, the password stored in the respective admin portal is synced to ZIdentity, and validation is handled by ZIdentity from then on.
  - Click Next.
  - Enter your existing password for the respective Zscaler service, then click Next.
    When prompted to set up MFA, select the required authentication method, then click Set Up. A message appears indicating that a link has been sent to your email address to complete MFA enrollment.
  - Click Continue. You are logged in to the respective admin portal.
- Access ZIdentity through Your Organization's External IdP
  - Go to your organization's external IdP (e.g., Okta).
  - Click the Zscaler tile. The ZIdentity page appears.
  - Enter the password that you have been using.
    After successful validation, you are logged in to the ZIdentity Landing Page, which displays your assigned Zscaler service tiles.
    The first admin who logs in is presented with the ZIdentity End User Service Agreement (EUSA) and must accept it. Admins can access ZIdentity only after someone from that service tenant accepts the EUSA.
- Use the ZIdentity Vanity Domain
  - Access the Zscaler-assigned vanity domain (e.g., https://acme.zslogin.net). The ZIdentity page appears.
  - Enter the login ID and password that you have been using.
    You are prompted to set up MFA.
    After successful validation, you are logged in to the ZIdentity Landing Page, which displays your assigned Zscaler service tiles.
    The first admin who logs in is presented with the ZIdentity End User Service Agreement (EUSA) and must accept it. Admins can access ZIdentity only after someone from that service tenant accepts the EUSA.
- Use of ZIA Admin API and Zscaler Cloud & Branch Connectors
When Cloud Connector authenticates to the ZIA Admin API and ZIA is linked to ZIdentity, ZIA receives the request and validates the credentials with ZIdentity. If ZIdentity has a hosted user with that username and password, it validates the credentials and returns a success response to ZIA, which in turn returns success to Cloud Connector, completing authentication to the ZIA Admin API.
User accounts with login ID domains that are associated with an external IdP can still be used for the Cloud Connector use case in some scenarios.
ZIdentity does not support users that have both an IdP mapping and a password. However, to provide a seamless migration experience, passwords from ZIA are still synced to ZIdentity even if the user's domain is mapped to an IdP, which retains some password-based functions. Zscaler recommends that customers migrate away from configurations in which users have both a password and an IdP mapping, and instead use identities under a vanity domain (e.g., <your_domain>.zslogin.net), which cannot be mapped to an IdP.