F5 as IdP for SAML

Hi,

our customer would like to use his F5 for SAML single sign-on. As I was not even aware that an F5 is capable of this, my question is whether someone has done this already and whether Zscaler supports an F5 as IdP.

Thank you & best regards
Andreas

Hi @Andreas, I have a customer using F5 APM as SAML IdP for Zscaler authentication, and I helped with the initial setup when we POC’d this in 2014. Below are the notes we used for our internal KB.

Note that some terms and screenshots may be dated, as I have not refreshed the article since it was first drafted, but be assured we do have this integrated. Generally, any SAML IdP that supports the SAMLv2 HTTP-POST binding should be capable of integrating with Zscaler services.


Description:

Instructions on how to configure F5 as IDP for SAML Auth

Solution:

F5 APM can be configured as a SAML IdP for Zscaler; the following inputs are needed. This assumes the APM will be fronting a directory server, typically AD.

The configuration below has been taken from a successful lab integration of Zscaler with F5 APM as IdP. Treat it as a template rather than a copy-and-paste: the dump signs assertions with the device default certificate and key (default.crt / default.key) rather than a dedicated IdP signing key, and it carries a lab AD bind password (admin-encrypted-password) and lab addresses that must be replaced with your own.

[ Access Policy ] ›› [ SAML : BIG-IP as IdP ]


[ Access Policy ] ›› [ Access Profiles : Access Profiles List ] ›› Zscaler-AD-FetchAttrib


CLI config output

TMSH —> list apm

apm aaa active-directory ZscalerADlab {
    admin-encrypted-password $M$zl$1TXWA5rNyVGQc8qwRH1zgg==
    admin-name Administrator
    domain zdemo.net
    domain-controller 10.0.2.8
    use-pool disabled
}
apm aaa localdb Zscaler { }
apm apm-avr-config apm-avr-config { }
apm epsec epsec-package epsec-1.0.0-223.0.iso {
    checksum SHA1:32411648:fe9f3056f9fb9c7628b671e5e574ccf7716b42b3
    create-time 2013-05-08:05:46:06
    created-by root
    last-update-time 2013-05-08:05:46:06
    mode 33188
    oesis-version 3.6.6528.2
    revision 1
    size 32411648
    updated-by root
    version 1.0.0-223.0
}
apm epsec epsec-package epsec-1.0.0-245.0.iso {
    checksum SHA1:35469312:a5a0658e32468f442bb4c76e6c7cdadad5aadcf2
    create-time 2013-07-30:05:45:31
    created-by root
    last-update-time 2013-07-30:05:45:31
    mode 33188
    oesis-version 3.6.7371.2
    revision 1
    size 35469312
    updated-by root
    version 1.0.0-245.0
}
apm policy access-policy Zscaler {
    default-ending Zscaler_end_deny
    items {
        Zscaler_act_full_resource_assign { }
        Zscaler_act_localdb_auth { }
        Zscaler_act_logon_page { }
        Zscaler_end_allow { }
        Zscaler_end_deny { }
        Zscaler_ent { }
    }
    start-item Zscaler_ent
}
apm policy access-policy Zscaler-AD {
    default-ending Zscaler-AD_end_deny
    items {
        Zscaler-AD_act_active_directory_auth { }
        Zscaler-AD_act_full_resource_assign { }
        Zscaler-AD_act_logon_page { }
        Zscaler-AD_end_allow { }
        Zscaler-AD_end_deny { }
        Zscaler-AD_ent { }
    }
    start-item Zscaler-AD_ent
}
apm policy access-policy Zscaler-AD-FetchAttrib {
    default-ending Zscaler-AD-FetchAttrib_end_deny
    items {
        Zscaler-AD-FetchAttrib_act_active_directory_auth { }
        Zscaler-AD-FetchAttrib_act_active_directory_query { }
        Zscaler-AD-FetchAttrib_act_full_resource_assign { }
        Zscaler-AD-FetchAttrib_act_logon_page { }
        Zscaler-AD-FetchAttrib_end_allow { }
        Zscaler-AD-FetchAttrib_end_deny { }
        Zscaler-AD-FetchAttrib_ent { }
    }
    start-item Zscaler-AD-FetchAttrib_ent
}
apm policy access-policy Zscaler-Local {
    default-ending Zscaler-Local_end_deny
    items {
        Zscaler-Local_act_full_resource_assign { }
        Zscaler-Local_act_localdb_auth { }
        Zscaler-Local_act_logon_page { }
        Zscaler-Local_end_allow { }
        Zscaler-Local_end_deny { }
        Zscaler-Local_ent { }
    }
    start-item Zscaler-Local_ent
}
apm policy agent aaa-active-directory Zscaler-AD-FetchAttrib_act_active_directory_auth_ag {
    server ZscalerADlab
    show-extended-error true
    type auth
}
apm policy agent aaa-active-directory Zscaler-AD-FetchAttrib_act_active_directory_query_ag {
    fetch-nested-groups true
    fetch-primary-group true
    query-attrname { displayName memberOf Department }
    server ZscalerADlab
    type query
}
apm policy agent aaa-active-directory Zscaler-AD_act_active_directory_auth_ag {
    server ZscalerADlab
    show-extended-error true
    type auth
}
apm policy agent aaa-localdb Zscaler-Local_act_localdb_auth_ag {
    localdb-instance Zscaler
}
apm policy agent aaa-localdb Zscaler_act_localdb_auth_ag {
    localdb-instance Zscaler
}
apm policy agent ending-allow Zscaler-AD-FetchAttrib_end_allow_ag { }
apm policy agent ending-allow Zscaler-AD_end_allow_ag { }
apm policy agent ending-allow Zscaler-Local_end_allow_ag { }
apm policy agent ending-allow Zscaler_end_allow_ag { }
apm policy agent ending-deny Zscaler-AD-FetchAttrib_end_deny_ag {
    customization-group Zscaler-AD-FetchAttrib_end_deny_ag
}
apm policy agent ending-deny Zscaler-AD_end_deny_ag {
    customization-group Zscaler-AD_end_deny_ag
}
apm policy agent ending-deny Zscaler-Local_end_deny_ag {
    customization-group Zscaler-Local_end_deny_ag
}
apm policy agent ending-deny Zscaler_end_deny_ag {
    customization-group Zscaler_end_deny_ag
}
apm policy agent logon-page Zscaler-AD-FetchAttrib_act_logon_page_ag {
    customization-group Zscaler-AD-FetchAttrib_act_logon_page_ag
}
apm policy agent logon-page Zscaler-AD_act_logon_page_ag {
    customization-group Zscaler-AD_act_logon_page_ag
}
apm policy agent logon-page Zscaler-Local_act_logon_page_ag {
    customization-group Zscaler-Local_act_logon_page_ag
}
apm policy agent logon-page Zscaler_act_logon_page_ag {
    customization-group Zscaler_act_logon_page_ag
}
apm policy agent resource-assign Zscaler-AD-FetchAttrib_act_full_resource_assign_ag {
    rules {
        {
            saml-resources { /Common/Zscaler }
            webtop /Common/Zscaler
        }
    }
}
apm policy agent resource-assign Zscaler-AD_act_full_resource_assign_ag {
    rules {
        {
            saml-resources { /Common/Zscaler }
            webtop /Common/Zscaler
        }
    }
}
apm policy agent resource-assign Zscaler-Local_act_full_resource_assign_ag {
    rules {
        {
            saml-resources { /Common/Zscaler }
            webtop /Common/Zscaler
        }
    }
}
apm policy agent resource-assign Zscaler_act_full_resource_assign_ag {
    rules {
        {
            saml-resources { /Common/Zscaler }
            webtop /Common/Zscaler
        }
    }
}
apm policy customization-group Zscaler-AD-FetchAttrib_act_logon_page_ag {
    checksum SHA1:1446:c0d7714de2943782c52784398ab28b1d277b71a7
    create-time 2013-10-10:20:47:44
    created-by root
    last-update-time 2013-10-10:20:47:44
    mode 33188
    revision 1
    size 1446
    updated-by root
}
apm policy customization-group Zscaler-AD-FetchAttrib_end_deny_ag {
    checksum SHA1:62:fd61541c1097d460e42c50904684def2794ba70d
    create-time 2013-10-10:20:47:44
    created-by root
    last-update-time 2013-10-10:20:47:44
    mode 33188
    revision 1
    size 62
    type logout
    updated-by root
}
apm policy customization-group Zscaler-AD-FetchAttrib_eps {
    checksum SHA1:62:fd61541c1097d460e42c50904684def2794ba70d
    create-time 2013-10-10:20:47:44
    created-by root
    last-update-time 2013-10-10:20:47:44
    mode 33188
    revision 1
    size 62
    type eps
    updated-by root
}
apm policy customization-group Zscaler-AD-FetchAttrib_errormap {
    checksum SHA1:62:fd61541c1097d460e42c50904684def2794ba70d
    create-time 2013-10-10:20:47:44
    created-by root
    last-update-time 2013-10-10:20:47:44
    mode 33188
    revision 1
    size 62
    type errormap
    updated-by root
}
apm policy customization-group Zscaler-AD-FetchAttrib_frameworkinstallation {
    checksum SHA1:62:fd61541c1097d460e42c50904684def2794ba70d
    create-time 2013-10-10:20:47:44
    created-by root
    last-update-time 2013-10-10:20:47:44
    mode 33188
    revision 1
    size 62
    type framework-installation
    updated-by root
}
apm policy customization-group Zscaler-AD-FetchAttrib_general_ui {
    checksum SHA1:62:fd61541c1097d460e42c50904684def2794ba70d
    create-time 2013-10-10:20:47:44
    created-by root
    last-update-time 2013-10-10:20:47:44
    mode 33188
    revision 1
    size 62
    type general-ui
    updated-by root
}
apm policy customization-group Zscaler-AD-FetchAttrib_logout {
    checksum SHA1:62:fd61541c1097d460e42c50904684def2794ba70d
    create-time 2013-10-10:20:47:44
    created-by root
    last-update-time 2013-10-10:20:47:44
    mode 33188
    revision 1
    size 62
    type logout
    updated-by root
}
apm policy customization-group Zscaler-AD_act_logon_page_ag {
    checksum SHA1:1446:c0d7714de2943782c52784398ab28b1d277b71a7
    create-time 2013-10-10:20:25:46
    created-by root
    last-update-time 2013-10-10:20:25:46
    mode 33188
    revision 1
    size 1446
    updated-by root
}
apm policy customization-group Zscaler-AD_end_deny_ag {
    checksum SHA1:62:fd61541c1097d460e42c50904684def2794ba70d
    create-time 2013-10-10:20:25:46
    created-by root
    last-update-time 2013-10-10:20:25:46
    mode 33188
    revision 1
    size 62
    type logout
    updated-by root
}
apm policy customization-group Zscaler-AD_eps {
    checksum SHA1:62:fd61541c1097d460e42c50904684def2794ba70d
    create-time 2013-10-10:20:25:46
    created-by root
    last-update-time 2013-10-10:20:25:46
    mode 33188
    revision 1
    size 62
    type eps
    updated-by root
}
apm policy customization-group Zscaler-AD_errormap {
    checksum SHA1:62:fd61541c1097d460e42c50904684def2794ba70d
    create-time 2013-10-10:20:25:46
    created-by root
    last-update-time 2013-10-10:20:25:46
    mode 33188
    revision 1
    size 62
    type errormap
    updated-by root
}
apm policy customization-group Zscaler-AD_frameworkinstallation {
    checksum SHA1:62:fd61541c1097d460e42c50904684def2794ba70d
    create-time 2013-10-10:20:25:46
    created-by root
    last-update-time 2013-10-10:20:25:46
    mode 33188
    revision 1
    size 62
    type framework-installation
    updated-by root
}
apm policy customization-group Zscaler-AD_general_ui {
    checksum SHA1:62:fd61541c1097d460e42c50904684def2794ba70d
    create-time 2013-10-10:20:25:46
    created-by root
    last-update-time 2013-10-10:20:25:46
    mode 33188
    revision 1
    size 62
    type general-ui
    updated-by root
}
apm policy customization-group Zscaler-AD_logout {
    checksum SHA1:62:fd61541c1097d460e42c50904684def2794ba70d
    create-time 2013-10-10:20:25:46
    created-by root
    last-update-time 2013-10-10:20:25:46
    mode 33188
    revision 1
    size 62
    type logout
    updated-by root
}
apm policy customization-group Zscaler-Local_act_logon_page_ag {
    checksum SHA1:1446:c0d7714de2943782c52784398ab28b1d277b71a7
    create-time 2013-10-10:20:26:08
    created-by root
    last-update-time 2013-10-10:20:26:08
    mode 33188
    revision 1
    size 1446
    updated-by root
}
apm policy customization-group Zscaler-Local_end_deny_ag {
    checksum SHA1:62:fd61541c1097d460e42c50904684def2794ba70d
    create-time 2013-10-10:20:26:08
    created-by root
    last-update-time 2013-10-10:20:26:08
    mode 33188
    revision 1
    size 62
    type logout
    updated-by root
}
apm policy customization-group Zscaler-Local_eps {
    checksum SHA1:62:fd61541c1097d460e42c50904684def2794ba70d
    create-time 2013-10-10:20:26:08
    created-by root
    last-update-time 2013-10-10:20:26:08
    mode 33188
    revision 1
    size 62
    type eps
    updated-by root
}
apm policy customization-group Zscaler-Local_errormap {
    checksum SHA1:62:fd61541c1097d460e42c50904684def2794ba70d
    create-time 2013-10-10:20:26:08
    created-by root
    last-update-time 2013-10-10:20:26:08
    mode 33188
    revision 1
    size 62
    type errormap
    updated-by root
}
apm policy customization-group Zscaler-Local_frameworkinstallation {
    checksum SHA1:62:fd61541c1097d460e42c50904684def2794ba70d
    create-time 2013-10-10:20:26:08
    created-by root
    last-update-time 2013-10-10:20:26:08
    mode 33188
    revision 1
    size 62
    type framework-installation
    updated-by root
}
apm policy customization-group Zscaler-Local_general_ui {
    checksum SHA1:62:fd61541c1097d460e42c50904684def2794ba70d
    create-time 2013-10-10:20:26:08
    created-by root
    last-update-time 2013-10-10:20:26:08
    mode 33188
    revision 1
    size 62
    type general-ui
    updated-by root
}
apm policy customization-group Zscaler-Local_logout {
    checksum SHA1:62:fd61541c1097d460e42c50904684def2794ba70d
    create-time 2013-10-10:20:26:08
    created-by root
    last-update-time 2013-10-10:20:26:08
    mode 33188
    revision 1
    size 62
    type logout
    updated-by root
}
apm policy customization-group Zscaler_act_logon_page_ag {
    checksum SHA1:1446:c0d7714de2943782c52784398ab28b1d277b71a7
    create-time 2013-10-10:19:03:49
    created-by root
    last-update-time 2013-10-10:19:03:49
    mode 33188
    revision 2
    size 1446
    updated-by root
}
apm policy customization-group Zscaler_customization {
    checksum SHA1:62:fd61541c1097d460e42c50904684def2794ba70d
    create-time 2013-10-10:18:14:25
    created-by root
    last-update-time 2013-10-10:18:14:25
    mode 33188
    revision 1
    size 62
    type webtop
    updated-by root
}
apm policy customization-group Zscaler_end_deny_ag {
    checksum SHA1:62:fd61541c1097d460e42c50904684def2794ba70d
    create-time 2013-10-10:18:16:09
    created-by root
    last-update-time 2013-10-10:18:16:09
    mode 33188
    revision 1
    size 62
    type logout
    updated-by root
}
apm policy customization-group Zscaler_eps {
    checksum SHA1:62:fd61541c1097d460e42c50904684def2794ba70d
    create-time 2013-10-10:18:16:09
    created-by root
    last-update-time 2013-10-10:18:16:09
    mode 33188
    revision 1
    size 62
    type eps
    updated-by root
}
apm policy customization-group Zscaler_errormap {
    checksum SHA1:62:fd61541c1097d460e42c50904684def2794ba70d
    create-time 2013-10-10:18:16:09
    created-by root
    last-update-time 2013-10-10:18:16:09
    mode 33188
    revision 1
    size 62
    type errormap
    updated-by root
}
apm policy customization-group Zscaler_frameworkinstallation {
    checksum SHA1:62:fd61541c1097d460e42c50904684def2794ba70d
    create-time 2013-10-10:18:16:09
    created-by root
    last-update-time 2013-10-10:18:16:09
    mode 33188
    revision 1
    size 62
    type framework-installation
    updated-by root
}
apm policy customization-group Zscaler_general_ui {
    checksum SHA1:62:fd61541c1097d460e42c50904684def2794ba70d
    create-time 2013-10-10:18:16:10
    created-by root
    last-update-time 2013-10-10:18:16:10
    mode 33188
    revision 1
    size 62
    type general-ui
    updated-by root
}
apm policy customization-group Zscaler_logout {
    checksum SHA1:62:fd61541c1097d460e42c50904684def2794ba70d
    create-time 2013-10-10:18:16:09
    created-by root
    last-update-time 2013-10-10:18:16:09
    mode 33188
    revision 1
    size 62
    type logout
    updated-by root
}
apm policy customization-group Zscaler_resource_saml_customization {
    checksum SHA1:234:d2c84835d72845bcc56f06c891a51e2ec115701c
    create-time 2013-10-10:18:13:29
    created-by root
    last-update-time 2013-10-10:18:13:29
    mode 33188
    revision 1
    size 234
    type resource-saml
    updated-by root
}
apm policy policy-item Zscaler-AD-FetchAttrib_act_active_directory_auth {
    agents {
        Zscaler-AD-FetchAttrib_act_active_directory_auth_ag {
            type aaa-active-directory
        }
    }
    caption "AD Auth"
    color 1
    item-type action
    rules {
        {
            caption Successful
            expression "expr {[mcget {session.ad.last.authresult}] == 1}"
            next-item Zscaler-AD-FetchAttrib_act_active_directory_query
        }
        {
            caption fallback
            next-item Zscaler-AD-FetchAttrib_end_deny
        }
    }
}
apm policy policy-item Zscaler-AD-FetchAttrib_act_active_directory_query {
    agents {
        Zscaler-AD-FetchAttrib_act_active_directory_query_ag {
            type aaa-active-directory
        }
    }
    caption "AD Query"
    color 1
    item-type action
    rules {
        {
            caption fallback
            next-item Zscaler-AD-FetchAttrib_act_full_resource_assign
        }
    }
}
apm policy policy-item Zscaler-AD-FetchAttrib_act_full_resource_assign {
    agents {
        Zscaler-AD-FetchAttrib_act_full_resource_assign_ag {
            type resource-assign
        }
    }
    caption "Advanced Resource Assign"
    color 1
    item-type action
    rules {
        {
            caption fallback
            next-item Zscaler-AD-FetchAttrib_end_allow
        }
    }
}
apm policy policy-item Zscaler-AD-FetchAttrib_act_logon_page {
    agents {
        Zscaler-AD-FetchAttrib_act_logon_page_ag {
            type logon-page
        }
    }
    caption "Logon Page"
    color 1
    item-type action
    rules {
        {
            caption fallback
            next-item Zscaler-AD-FetchAttrib_act_active_directory_auth
        }
    }
}
apm policy policy-item Zscaler-AD-FetchAttrib_end_allow {
    agents {
        Zscaler-AD-FetchAttrib_end_allow_ag {
            type ending-allow
        }
    }
    caption Allow
    color 1
    item-type ending
}
apm policy policy-item Zscaler-AD-FetchAttrib_end_deny {
    agents {
        Zscaler-AD-FetchAttrib_end_deny_ag {
            type ending-deny
        }
    }
    caption Deny
    color 2
    item-type ending
}
apm policy policy-item Zscaler-AD-FetchAttrib_ent {
    caption Start
    color 1
    rules {
        {
            caption fallback
            next-item Zscaler-AD-FetchAttrib_act_logon_page
        }
    }
}
apm policy policy-item Zscaler-AD_act_active_directory_auth {
    agents {
        Zscaler-AD_act_active_directory_auth_ag {
            type aaa-active-directory
        }
    }
    caption "AD Auth"
    color 1
    item-type action
    rules {
        {
            caption Successful
            expression "expr {[mcget {session.ad.last.authresult}] == 1}"
            next-item Zscaler-AD_act_full_resource_assign
        }
        {
            caption fallback
            next-item Zscaler-AD_end_deny
        }
    }
}
apm policy policy-item Zscaler-AD_act_full_resource_assign {
    agents {
        Zscaler-AD_act_full_resource_assign_ag {
            type resource-assign
        }
    }
    caption "Advanced Resource Assign"
    color 1
    item-type action
    rules {
        {
            caption fallback
            next-item Zscaler-AD_end_allow
        }
    }
}
apm policy policy-item Zscaler-AD_act_logon_page {
    agents {
        Zscaler-AD_act_logon_page_ag {
            type logon-page
        }
    }
    caption "Logon Page"
    color 1
    item-type action
    rules {
        {
            caption fallback
            next-item Zscaler-AD_act_active_directory_auth
        }
    }
}
apm policy policy-item Zscaler-AD_end_allow {
    agents {
        Zscaler-AD_end_allow_ag {
            type ending-allow
        }
    }
    caption Allow
    color 1
    item-type ending
}
apm policy policy-item Zscaler-AD_end_deny {
    agents {
        Zscaler-AD_end_deny_ag {
            type ending-deny
        }
    }
    caption Deny
    color 2
    item-type ending
}
apm policy policy-item Zscaler-AD_ent {
    caption Start
    color 1
    rules {
        {
            caption fallback
            next-item Zscaler-AD_act_logon_page
        }
    }
}
apm policy policy-item Zscaler-Local_act_full_resource_assign {
    agents {
        Zscaler-Local_act_full_resource_assign_ag {
            type resource-assign
        }
    }
    caption "Advanced Resource Assign"
    color 1
    item-type action
    rules {
        {
            caption fallback
            next-item Zscaler-Local_end_allow
        }
    }
}
apm policy policy-item Zscaler-Local_act_localdb_auth {
    agents {
        Zscaler-Local_act_localdb_auth_ag {
            type aaa-localdb
        }
    }
    caption "LocalDB Auth"
    color 1
    item-type action
    rules {
        {
            caption Successful
            expression "expr {[mcget {session.localdb.last.result}] == 1}"
            next-item Zscaler-Local_act_full_resource_assign
        }
        {
            caption "Locked User Out"
            expression "expr {[mcget {session.localdb.last.result}] == 2}"
            next-item Zscaler-Local_end_deny
        }
        {
            caption fallback
            next-item Zscaler-Local_end_deny
        }
    }
}
apm policy policy-item Zscaler-Local_act_logon_page {
    agents {
        Zscaler-Local_act_logon_page_ag {
            type logon-page
        }
    }
    caption "Logon Page"
    color 1
    item-type action
    rules {
        {
            caption fallback
            next-item Zscaler-Local_act_localdb_auth
        }
    }
}
apm policy policy-item Zscaler-Local_end_allow {
    agents {
        Zscaler-Local_end_allow_ag {
            type ending-allow
        }
    }
    caption Allow
    color 1
    item-type ending
}
apm policy policy-item Zscaler-Local_end_deny {
    agents {
        Zscaler-Local_end_deny_ag {
            type ending-deny
        }
    }
    caption Deny
    color 2
    item-type ending
}
apm policy policy-item Zscaler-Local_ent {
    caption Start
    color 1
    rules {
        {
            caption fallback
            next-item Zscaler-Local_act_logon_page
        }
    }
}
apm policy policy-item Zscaler_act_full_resource_assign {
    agents {
        Zscaler_act_full_resource_assign_ag {
            type resource-assign
        }
    }
    caption "Advanced Resource Assign"
    color 1
    item-type action
    rules {
        {
            caption fallback
            next-item Zscaler_end_allow
        }
    }
}
apm policy policy-item Zscaler_act_localdb_auth {
    agents {
        Zscaler_act_localdb_auth_ag {
            type aaa-localdb
        }
    }
    caption "LocalDB Auth"
    color 1
    item-type action
    rules {
        {
            caption Successful
            expression "expr {[mcget {session.localdb.last.result}] == 1}"
            next-item Zscaler_act_full_resource_assign
        }
        {
            caption "Locked User Out"
            expression "expr {[mcget {session.localdb.last.result}] == 2}"
            next-item Zscaler_end_deny
        }
        {
            caption fallback
            next-item Zscaler_end_deny
        }
    }
}
apm policy policy-item Zscaler_act_logon_page {
    agents {
        Zscaler_act_logon_page_ag {
            type logon-page
        }
    }
    caption "Logon Page"
    color 1
    item-type action
    rules {
        {
            caption fallback
            next-item Zscaler_act_localdb_auth
        }
    }
}
apm policy policy-item Zscaler_end_allow {
    agents {
        Zscaler_end_allow_ag {
            type ending-allow
        }
    }
    caption Allow
    color 1
    item-type ending
}
apm policy policy-item Zscaler_end_deny {
    agents {
        Zscaler_end_deny_ag {
            type ending-deny
        }
    }
    caption Deny
    color 2
    item-type ending
}
apm policy policy-item Zscaler_ent {
    caption Start
    color 1
    rules {
        {
            caption fallback
            next-item Zscaler_act_logon_page
        }
    }
}
apm profile access Zscaler {
    accept-languages { en }
    access-policy Zscaler
    app-service none
    customization-group Zscaler_logout
    default-language en
    domain-cookie none
    domain-mode single-domain
    eps-group Zscaler_eps
    errormap-group Zscaler_errormap
    exchange-profile none
    framework-installation-group Zscaler_frameworkinstallation
    general-ui-group Zscaler_general_ui
    generation 2
    generation-action noop
    httponly-cookie false
    logout-uri-include none
    logout-uri-timeout 5
    modified-since-last-policy-sync true
    persistent-cookie false
    secure-cookie true
    sso-name none
    user-identity-method http
}
apm profile access Zscaler-AD {
    accept-languages { en }
    access-policy Zscaler-AD
    access-policy-timeout 300
    app-service none
    customization-group Zscaler-AD_logout
    default-language en
    defaults-from access
    domain-cookie none
    domain-mode single-domain
    eps-group Zscaler-AD_eps
    errormap-group Zscaler-AD_errormap
    exchange-profile none
    framework-installation-group Zscaler-AD_frameworkinstallation
    general-ui-group Zscaler-AD_general_ui
    generation 6
    generation-action noop
    httponly-cookie false
    inactivity-timeout 900
    logout-uri-include none
    logout-uri-timeout 5
    max-concurrent-sessions 0
    max-concurrent-users 0
    max-failure-delay 5
    max-in-progress-sessions 0
    max-session-timeout 0
    min-failure-delay 2
    modified-since-last-policy-sync true
    persistent-cookie false
    primary-auth-service none
    restrict-to-single-client-ip false
    secure-cookie true
    sso-name none
    user-identity-method http
}
apm profile access Zscaler-AD-FetchAttrib {
    accept-languages { en }
    access-policy Zscaler-AD-FetchAttrib
    access-policy-timeout 300
    app-service none
    customization-group Zscaler-AD-FetchAttrib_logout
    default-language en
    defaults-from access
    domain-cookie none
    domain-mode single-domain
    eps-group Zscaler-AD-FetchAttrib_eps
    errormap-group Zscaler-AD-FetchAttrib_errormap
    exchange-profile none
    framework-installation-group Zscaler-AD-FetchAttrib_frameworkinstallation
    general-ui-group Zscaler-AD-FetchAttrib_general_ui
    generation 12
    generation-action noop
    httponly-cookie false
    inactivity-timeout 900
    logout-uri-include none
    logout-uri-timeout 5
    max-concurrent-sessions 0
    max-concurrent-users 0
    max-failure-delay 5
    max-in-progress-sessions 0
    max-session-timeout 0
    min-failure-delay 2
    modified-since-last-policy-sync true
    persistent-cookie false
    primary-auth-service none
    restrict-to-single-client-ip false
    secure-cookie true
    sso-name none
    user-identity-method http
}
apm profile access Zscaler-Local {
    accept-languages { en }
    access-policy Zscaler-Local
    access-policy-timeout 300
    app-service none
    customization-group Zscaler-Local_logout
    default-language en
    defaults-from access
    domain-cookie none
    domain-mode single-domain
    eps-group Zscaler-Local_eps
    errormap-group Zscaler-Local_errormap
    exchange-profile none
    framework-installation-group Zscaler-Local_frameworkinstallation
    general-ui-group Zscaler-Local_general_ui
    generation 3
    generation-action noop
    httponly-cookie false
    inactivity-timeout 900
    logout-uri-include none
    logout-uri-timeout 5
    max-concurrent-sessions 0
    max-concurrent-users 0
    max-failure-delay 5
    max-in-progress-sessions 0
    max-session-timeout 0
    min-failure-delay 2
    modified-since-last-policy-sync true
    persistent-cookie false
    primary-auth-service none
    restrict-to-single-client-ip false
    secure-cookie true
    sso-name none
    user-identity-method http
}
apm resource webtop Zscaler {
    customization-group Zscaler_customization
    webtop-type full
}
apm sso saml Zscaler {
    attributes {
        {
            name memberOf
            value "%{session.ad.last.attr.memberOf}"
        }
        {
            name department
            value "%{session.ad.last.attr.department}"
        }
        {
            name displayName
            value "%{session.ad.last.attr.displayName}"
        }
    }
    entity-id https://54.208.137.109/idpzscaler
    idp-certificate default.crt
    idp-signkey default.key
    sp-connectors {
        Zscaler
    }
    subject-value "%{session.logon.last.username}"
}
apm sso saml-resource Zscaler {
    customization-group Zscaler_resource_saml_customization
    publish-on-webtop false
    sso-config-saml Zscaler
}
apm sso saml-sp-connector Zscaler {
    assertion-consumer-uri https://login.zscaler.net:443/sfc_sso
    entity-id zscaler.net
}

Hi Scott,

thank you very much! This will definitely help me a lot!

Best regards
Andreas