Admin portal auth redirect to iDP with SSO integration

(Alex) #1

Would ZScaler support sp-initiated authentication flows for admin portal authentication requests? We need admin to be redirected to iDP for the authentication since does not support 2FA.

(Scott Bullock) #2

Hi Alex,
Today we support only IDP initiated flows for the Admin Portal, SP
initiated is for end-user. You are able to create admins in Zscaler who do
not have passwords, meaning they have to initiate from the IDP. You can
set this by editing the Admin in the Zscaler Admin Portal, for the option
to appear you first need to configure the SAML IDP for Admins.

Details are provided in the below support articles:

Kind regards,

(Alex) #3

We have SSO configured for admins and it’s working with no issues. the problem with ZScaler admin access not supporting sp-initiated flows is that we are not able to control from which ip addresses the admins can signin from (they could be anywhere on the internet) and enforce 2FA for admin, which is a violation of our security requirements for the privileged access.

(Nick Morgan) #4

Hi Alex,
Whilst we don’t support sp-initiated flows for Admin SSO, it should be
possible with most SAML IDP solutions to define which source IP addresses
can carry out IDP initiated authentication.

Then for your admin accounts in Zscaler, just ensure that only SAML is
supported, not the Zscaler hosted password. That way only your admins can
use your SAML solution (IDP initiated authentication, with source IP as a
factor) to ensure that is their only method for gaining access to the admin


(Alex) #5

I will give it a try and let you know if this works. Thanks,

(Alex) #6

Looks like even I disable even if I disable password based login for an admin and save the changes. It is come back as enabled anyway. I’m not sure if this is expected behavior.

(Scott Bullock) #7

Alex, if you disable password login it should stay disabled. Please open a
case in regard to this and our support team will be able to assist you.

Many thanks,

(Peter Howes) #8

Hello all,

I joined the forum on the basis of this thread, well done :slight_smile:

Virtually all my questions are answered… I’d just like to ask how this works when SAML is used for my normal user authentication and then I want to use my admin user to connect to the Zscaler admin portal.

Is there possibly a conflict there? Does web authentication for https://admin.<cloud_name>/ need to be deactivated? Does the user need to use a private browser window?

It would be nice if our admins used a separate jumphost, but I’d just like to get clear if we can have an expectation that the user can mix their admin and standard user in the same browser instance or not.

I have seen some problems with MS Azure services where other admins want to use their admin accounts and SSO access didn’t work as expected (although there we didn’t get to the bottom of what was happening)


(Scott Bullock) #9

Both user and admin SAML can be used in parallel without issue.

IDP for admin will be based on an entirely different SAML claim, so you can use both without needing to worry about chopping/changing browsers or systems.

(Yutaka Tokeshi) #10

With my understanding Zscaler recommends that the end-customer have at least one super admin with password authentication enabled even when SAML Single Sign-On for Admins is used. But some customers concern there is a super admin with password authentication without 2FA (such as certificate/token). Is it also possible to disable password authenticated super admin?

(Jones Leung) #11

Hi Yukata,

As I know internally we are reviewing the request. Please add your input to our internal system to facilitate the review.

Best Regards,

Jones Leung

SE Manager, Greater China


(Alex) #12

Hi Jones,
We have the same requirements. Could you share the ER number for this?

(Jones Leung) #13

Hi Alex,

The ER no is ER-4725, which is about allowing customer to disable an admin, including the default super admin. You can reach our support or the Zscaler SE in your region to add your input to the ER.