How to restrict access to a SaaS app to only traffic routed through Zscaler

Please just point me to the right resources if this is already answered elsewhere!

We use a third-party SaaS application (not included in the list here) that we want to only allow users to access through Zscaler. Said another way, without connecting to Zscaler, we don’t want any user in our organization to be able to use this SaaS application.

With the SaaS vendor’s cooperation, what are the options for enforcing this?

For example, if Zscaler includes a signature in user requests routed through Zscaler and forwarded to the SaaS application, the SaaS application could verify the signature before providing access to our data. As far as I can tell though, that’s not an option.

Thank you for your help!

Sounds like About Identity Proxy Settings | Zscaler is what you’re looking for. You can also combine identity proxy with browser isolation (isolation proxy) to enforce granular controls on what a user is allowed to do on a sanctioned saas app.

Thank you so much for your help @lpergament! Looking at About Identity Proxy Settings | Zscaler, it seemed to me like it only works with certain cloud apps (e.g., Box, Microsoft Office 365, Salesforce). Am I misunderstanding that? If so, is there documentation on how to implement the Identity Proxy for apps other than the ones listed here?