Authenticating users without user interaction

Is there a way to authenticate users without their interaction to enter a username and password?
I mean, for example, using Kerberos or certificate authentication or whatever authentication method can do that.

Welcome to Z Community @mina.m.magdy!

You’re correct that Kerberos authentication can be achieved without a user needing to enter username and password.

SAML is a more commonly used approach for authentication and provisioning. Most common SAML IDPs will offer a method to ‘transparently’ authenticate users via IWA (Integrated Windows Authentication) - assuming the user is already logged onto the domain.

There are some useful articles on our Help portal you may wish to review:

https://help.zscaler.com/zia/choosing-provisioning-authentication-methods

https://help.zscaler.com/zia/authentication-administration/provisioning-authenticating-users/saml-scim

Do you mean this:

i.e., SAML integration with ADFS and the following link.

Hello Mina, hello Nick,

I would say in comparing Kerberos and SAML that they are both similarly ‘transparent’, in that the user does not need to enter their username and password into the browser.

There is, however, a technical difference between SAML, where the SAML authentication process depends on an interaction (the user requests a website, which leads to a redirect to authenticate), and Kerberos, where the user requests a ticket from the Kerberos service in the background. In practice, however, they are very similar - both are transparent to the end user (assuming the user is already logged on to your domain).

The big advantage with SAML is auto provisioning - users are discovered automatically when they log in to the IDP (e.g. AD FS) and the username is passed to Zscaler (the SP) in the SAML assertion. With Kerberos, you need an extra step to pass the users to Zscaler with an authentication bridge, an LDAP synchronisation or similar.

Kerberos supports some non-browser applications, which is an advantage, but with Zscaler these applications are likely to work anyway with automatic authentication bypasses or thanks to proxy IP surrogate. So this is not much of an advantage compared with the convenience of SAML user auto-provisioning.

All the best,
Peter
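
The technical difference described in the reply above is visible in captured HTTP traffic: a SAML login appears as a redirect carrying a `SAMLRequest` parameter, while Kerberos appears as a `Negotiate` challenge that the client answers with a ticket it obtained in the background. The following is an added example, not code from the thread or from Zscaler; the hostnames, the request ID and the function names are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MAX_XML = 64 * 1024  # cap on inflated size, guards against decompression bombs

def encode_saml_request(xml):
    """SAML HTTP-Redirect binding: raw DEFLATE, then base64 (caller URL-encodes)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()

def saml_issuer(value):
    """Inflate a SAMLRequest parameter and return the requesting SP's Issuer."""
    d = zlib.decompressobj(-15)
    xml = d.decompress(base64.b64decode(value), MAX_XML)
    if d.unconsumed_tail:
        raise ValueError("SAMLRequest larger than MAX_XML")
    issuer = ET.fromstring(xml).find("saml:Issuer", NS)
    return issuer.text.strip() if issuer is not None and issuer.text else None

def classify(status, headers):
    """Return (mechanism, detail) for one HTTP response given as (name, value) pairs."""
    h = {}
    for name, value in headers:
        h.setdefault(name.lower(), []).append(value)
    challenge = {401: "www-authenticate", 407: "proxy-authenticate"}.get(status)
    if challenge:
        # Negotiate (SPNEGO) is the HTTP scheme that carries a Kerberos ticket.
        schemes = [v.split()[0].rstrip(",").lower() for v in h.get(challenge, []) if v.strip()]
        if "negotiate" in schemes:
            return ("negotiate", challenge)
    if status in (302, 303, 307):
        for loc in h.get("location", []):
            req = parse_qs(urlsplit(loc).query).get("SAMLRequest")
            if req:
                return ("saml-redirect", saml_issuer(req[0]))
    return ("other", None)

# Constructed sample data: hostnames and the request ID are placeholders.
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" '
    'Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
    "<saml:Issuer>https://sp.example.test/metadata</saml:Issuer></samlp:AuthnRequest>"
)
SAMPLE_LOCATION = "https://idp.example.test/adfs/ls/?" + urlencode(
    {"SAMLRequest": encode_saml_request(SAMPLE_XML)})
```

A `Negotiate` challenge only shows that SPNEGO was offered; whether the client answered with Kerberos or fell back to NTLM has to be read from the token in the follow-up request.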