Client connector SAML Sign Issue

Hi Team,

we have run in to an issue where once the client connector is pushed to machines and it is unable to sign in within the corporate network, it seems to be work fine off corporate network which suspected to be issue with connectivity to IDP (Azure AD). Once sign in from offnet and bring the laptop over to corporate network connectivity to Zscaler via Ztunnel 2.0 continue to work.

Has anyone come across with this issue and anyone know What IP addresses needs to be allowed on corporate firewalls to allow SAML SSO with Azure AD? Also believe there is no way to route SAML traffic to IDP via zscaler unless user is logged in and ztunnel is built successfully.

What is the architecture on the corporate network? I’m assuming from what you’ve said that the users cannot connect directly to the internet. Are they able to DNS resolve the internet, or do they pass through a proxy (i.e. PAC file to Zscaler cloud) to resolve/connect.
What you’re most likely experiencing is that the client connector is unable to get to either the Zscaler sign in page, or the Microsoft sign in page. You would either need to allow DNS resolution/connectivity to the hosts/IP’s here Config | Zscaler , as well as the Microsoft URLs. Alternatively you could configure the Proxy Settings in the browser, which ZCC should follow to connect to the internet for enrolment (i.e. connection to login.microsoftonline.com in ZCC connects through your browsers proxy - gateway.zscaler.net) described here Enrolling Zscaler Client Connector Users When Using a Proxy | Zscaler