This document has been created by the Sales Engineering teams of Zscaler and InWebo to provide guidance on the configuration steps needed to integrate Zscaler Private Access (ZPA) with InWebo multi-factor authentication. It is not official documentation. For further information, please refer to https://inwebo.atlassian.net and https://help.zscaler.com/. For any comment or feedback on this document, please use this thread.
The first step is to connect to your ZPA admin portal at https://admin.private.zscaler.com/ and navigate to Administration->Authentication->IdP Configuration.
Then select “Add IdP Configuration” in the top right corner, as shown below:
Then start the configuration wizard by choosing “User” as the Single Sign-On type and the domain that will be used to trigger InWebo authentication.
In the second step, download the Service Provider Metadata; it will be used in the InWebo portal to configure ZPA as a Service Provider.
Once you have completed steps 1 and 2, you can pause the configuration at step 3, since you will have to go to the InWebo admin portal to configure the SP and collect the IdP metadata needed to complete the IdP configuration wizard (step 3 - Create IdP).
In the inWebo Administration console, select the “Secure Sites” tab and add a SAML 2.0 connector in the “Connectors” section.
Open the metadata file downloaded from the Zscaler console, copy/paste its content into section 1 of the connector and click “Save”.
Once the SAML connector is created go back to section 1 and click on “Download inWebo IdP SAML 2.0 metadata in XML format” to download the inWebo metadata file.
To offer a better experience to your users, set the “Push Authentication” setting to Yes. Configure section 3 as shown below to provide the relevant SAML attributes to Zscaler, then click “Update”.
You can choose the NameID value depending on your configuration (User login or User email). Zscaler best practice is to use an email address with a domain name rather than a login name.
Click on “Download inWebo IdP SAML 2.0 metadata in XML format” and keep it for the next steps to configure ZPA.
In the “Secure site” column, click “Add a Secure Site of type” and select the SAML connector you configured above. You can set the Called URL to point to one of the ZPA-protected applications or to any other URL relevant in your context. The Called URL setting is only used to create a bookmark for the user on their My InWebo portal; it has no impact on security.
Once you have configured InWebo and downloaded the IdP metadata, you can use it to finish the SSO configuration you started in the first step of this guide. Return to the ZPA admin portal, navigate to Administration->Authentication->IdP Configuration and click to resume the InWebo IdP configuration. You should see the final step of the configuration, where you upload your IdP metadata file (XML). Once the metadata is uploaded to the portal, make sure that all fields are populated: Certificate, Sign-On URL and IdP Entity ID.
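The three fields the wizard must show as populated after the upload (IdP Entity ID, Sign-On URL, Certificate) all come straight from the IdP metadata XML, and the NameID formats the IdP advertises relate to the NameID choice made in the connector earlier. The following script, an added example that is not part of this guide and not InWebo's or Zscaler's code, reads an IdP metadata file, pulls out those fields and flags anything missing or malformed before you upload it. The sample metadata embedded at the bottom is constructed for illustration: the entity ID, endpoint URL and certificate bytes are placeholders, not real InWebo values.

```python
"""Pre-upload check of an IdP SAML 2.0 metadata file (added example, not vendor code).

Extracts the fields the ZPA wizard expects to find (IdP Entity ID, Sign-On URL,
signing certificate) plus the advertised NameID formats, and reports problems.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def parse_idp_metadata(xml_text: str) -> dict:
    """Return entity_id, sign_on_url, signing certificates and NameID formats."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # SP metadata (what you downloaded from ZPA) has an SPSSODescriptor instead.
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    # Sign-On URL: prefer the HTTP-Redirect binding, fall back to HTTP-POST.
    endpoints = {e.get("Binding"): e.get("Location")
                 for e in idp.findall("md:SingleSignOnService", NS)}
    sign_on_url = endpoints.get(HTTP_REDIRECT) or endpoints.get(HTTP_POST)

    # Signing certificates: KeyDescriptor with use="signing" or no use attribute.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join((c.text or "").split()))  # strip line wrapping

    formats = [f.text.strip() for f in idp.findall("md:NameIDFormat", NS) if f.text]
    return {
        "entity_id": root.get("entityID"),
        "sign_on_url": sign_on_url,
        "certificates": certs,
        "name_id_formats": formats,
    }


def check_idp_metadata(xml_text: str) -> list:
    """Return a list of problems; an empty list means all three ZPA fields can be filled."""
    info = parse_idp_metadata(xml_text)
    problems = []
    if not info["entity_id"]:
        problems.append("missing entityID")
    if not info["sign_on_url"]:
        problems.append("no SingleSignOnService with HTTP-Redirect or HTTP-POST binding")
    elif not info["sign_on_url"].startswith("https://"):
        problems.append("Sign-On URL is not https")
    if not info["certificates"]:
        problems.append("no signing certificate")
    for cert in info["certificates"]:
        try:
            der = base64.b64decode(cert, validate=True)
        except Exception:
            problems.append("certificate is not valid base64")
            continue
        if not der or der[0] != 0x30:  # a DER X.509 Certificate is an ASN.1 SEQUENCE
            problems.append("certificate does not decode to a DER SEQUENCE")
    return problems


# Constructed sample: minimal IdP metadata with placeholder values (not real InWebo data).
PLACEHOLDER_CERT = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()  # tiny DER SEQUENCE, not a real cert
SAMPLE_IDP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.invalid/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{PLACEHOLDER_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://idp.example.invalid/saml/sso"/>
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="https://idp.example.invalid/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    import sys
    # Usage: python check_idp_metadata.py <downloaded-idp-metadata.xml>
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_IDP_METADATA
    for key, value in parse_idp_metadata(text).items():
        print(f"{key}: {value}")
    print("problems:", check_idp_metadata(text) or "none")
```

Run it against the XML file downloaded from the inWebo connector; if it reports a problem, the ZPA wizard will most likely leave one of the three fields empty, and it is quicker to fix the connector than to debug a failing SAML exchange later. The HTTPS check is a defender's caveat on top of the guide: the Sign-On URL is where user credentials are redirected.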
Once this step is validated, you can test your configuration and import the SAML attributes by clicking “Import Attributes” on the following screen:
You will be challenged for InWebo authentication. Complete the authentication steps as below:
Step 1: Enter your InWebo username and click “OK”:
Step 2: Accept the authentication request by entering your PIN.
Once these two steps are done and the authentication has succeeded, you should be able to review the imported attributes. Then click “Save”.
Attributes should be saved in the SAML Attributes section as shown below:
Make sure you enable the following option in the Mobile Portal (Zscaler Client Connector) to improve the user experience during the authentication steps with InWebo.
Open Zscaler Client Connector and enter your credentials. Note that this step can be skipped if you install Zscaler Client Connector with the domain and cloud parameters. If you have both ZIA and ZPA services enabled for that domain name (e.g. crepain.zscloud.net), you will have two authentication steps: one for ZIA and one for ZPA. If the same IdP is configured for both, the user should be challenged only once.
Your username should already be filled in if you enabled the option in the ZCC configuration (see the previous chapter). Click “OK”.
The user should receive a notification in the InWebo Authenticator application and must enter their PIN code to validate the authentication request.
Once these steps are completed, you should see ZCC Authenticated and Connector for ZPA service:
- End of Guide -
Hope you find it useful.