Would Zscaler support SP-initiated authentication flows for admin portal https://admin.zscloud.net/ authentication requests? We need admins to be redirected to the IdP for authentication, since https://admin.zscloud.net/ does not support 2FA.
Today we support only IdP-initiated flows for the Admin Portal; SP-initiated is for end users. You are able to create admins in Zscaler who do not have passwords, meaning they have to initiate from the IdP. You can set this by editing the admin in the Zscaler Admin Portal; for the option to appear, you first need to configure the SAML IdP for admins.
Details are provided in the support articles below:
We have SSO configured for admins and it's working with no issues. The problem with Zscaler admin access not supporting SP-initiated flows is that we are not able to control from which IP addresses the admins can sign in (they could be anywhere on the internet) or enforce 2FA for admins, which is a violation of our security requirements for privileged access.
Whilst we don't support SP-initiated flows for Admin SSO, it should be possible with most SAML IdP solutions to define which source IP addresses can carry out IdP-initiated authentication.
Then for your admin accounts in Zscaler, just ensure that only SAML is supported, not the Zscaler-hosted password. That way only your admins can use your SAML solution (IdP-initiated authentication, with source IP as a factor) to ensure that is their only method for gaining access to the admin
I will give it a try and let you know if this works. Thanks,
It looks like even if I disable password-based login for an admin and save the changes, it comes back as enabled anyway. I'm not sure if this is expected behavior.