For users to access your applications via ZPA, they must first authenticate into Zscaler Client Connector using any SAML 2.0-compliant identity provider (IdP) with the service provider-initiated (SP initiated) model. ZPA user SSO is SP initiated, but ZPA admin SSO can be SP initiated or IdP initiated. When a ZPA admin selects Single Sign-On Using IdP on the ZPA Admin Portal's Sign In page, the login is SP initiated. If the ZPA admin logs directly into their IdP, it's IdP initiated.

Prior to configuring your IdP, Zscaler recommends reading IdP Configuration Best Practices.

The IdP must be configured to recognize Zscaler as a valid SP, and you must configure the full details for the IdP within the ZPA Admin Portal. To learn more, see Configuring an IdP for Single Sign-On.

About the IdP Configuration Page

The IdP Configuration page is read only if you are subscribed to ZIdentity] for users. To learn more, see What Is ZIdentity?

On the IdP Configuration page (Authentication > User Authentication > IdP Configuration), you can do the following:

1. View a list of applied filters available from the current and previous user sessions. Applied filters must be saved to the user session first before they can be viewed. Use the drop-down menu to select the applied filters to view. To learn more, see Using Tables.
2. Hide the filters on the page by clicking Hide Filters. Click Show Filters to show the filters.
3. Refresh the IdP Configuration page to reflect the most current information.
4. Filter the information that appears in the table. By default, no filters are applied. You can also save applied filters to your preferences so that they're visible in future user sessions. To learn more, see Using Tables.

5. Add a new IdP configuration.

   The Add button is hidden if you are subscribed to ZIdentity for users. To learn more, see What Is ZIdentity?

6. View a list of the names of all IdPs that were configured for your organization. For each IdP configuration, you can see:

   • Name: The name of the IdP configuration. An icon shows next to the name of the IdP if the IdP certificate is close to expiring or has expired:

     • If the IdP certificate has expired, a red Warning icon () is displayed.
     • If the IdP certificate has less than 7 days before expiration, a yellow Caution icon () is displayed.
     • If the IdP certificate has less than 30 days before expiration, an orange Info icon () is displayed.

     If the IdP certificate is part of a certificate chain instead of a single certificate, the certificate expiring the earliest is considered to reflect the expiration icons.

• Status: The status of the IdP configuration (i.e., enabled, disabled, or resume if the configuration was paused during set up).
• IdP Entity ID: The entity ID URL for the IdP.
• Single Sign-On: Indicates whether the IdP is set up for Admin or User SSO.

If the IdP configuration was set up prior to the Multiple Identity Provider Support for Single Sign-On release and was configured to use Both (i.e., admin and user SSO), it still functions as before. However, it is listed in the table with Admin, User displayed for this column.
See image.

You can expand the row to view details regarding the configuration, import SAML attributes, or verify that SSO was configured correctly for the IdP.

7. Edit an existing IdP configuration.
8. Delete an IdP configuration.

An IdP cannot be deleted if it is used for emergency access. When an IdP gets deleted, all user risk scores associated with users of that IdP are also deleted.

9. Modify the columns displayed in the table.
10. Display more rows or a different page of the table.
11. Open the Zscaler Help Browser and view Help Portal articles without leaving the ZPA Admin Portal.
12. Go to the SAML Attributes page to import attributes or add them manually. If you expand the row to view details for an IdP configuration set up for User SSO, you can click Show Attributes to see a filtered view of the SAML Attributes page for that IdP.
13. Go to the Settings page to modify authentication settings (e.g., enabling Remote Assistance).
14. Go to the Emergency Access page to configure emergency access for third-party users.
15. Go to the Emergency Access Users page to view and manage users designated for emergency access.