Problem with Azure AD SSO

Hi.
I’m trying to configure a user SSO for ZPA (as well as ZIA…)
I’ve followed all the steps in these two URLs, but it seems like it’s not going well.
https://help.zscaler.com/zpa/configuration-guide-microsoft-azure-ad
https://help.zscaler.com/zpa/configuring-idp-single-sign
On the last step (Step 3d), where you test the IDP access outside of the Zscaler portal, I cannot reach the SSO login page.
Instead I get a white page with a bunch of text (query?) and there is no error.

Can you give me a hint as to what may be the issue?
My colleagues and I have been trying the configuration twice and always end up in this situation.

Sumanth, can you share a screenshot of what you are seeing?

We’ve had this working - this shows the new UI:


I can’t send you a screenshot, but here’s some of the text I’m seeing…

"nameid":
"orgID":
"idpEntityID":

After the colon, it has data from my Azure AD.

Does this work for accounts for ZSCloud?

Where are you seeing those? A SAML trace taken from a browser would typically look like the one below. This is from ClassLink as an IdP (not AD), but basically the vendor is sending a samlp:Response. Zscaler typically queries Azure/365, then auto-populates the users.

<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_98ec7b17-a31f-4858-860d-ae3a18867bbb"
    Version="2.0"
    IssueInstant="2019-07-03T16:44:20.225Z"
    Destination="https://login.zscalerone.net:443/sfc_sso"
    InResponseTo="_4885959269131611487">
  <saml:Issuer>https://idp.classlink.com/sso/metadata/dlBYaWttTEkyYlU9</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <ds:Reference URI="#_98ec7b17-a31f-4858-860d-ae3a18867bbb">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <ds:DigestValue>siNsdy0uBY8wh/yox2ghlmhcxA0=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>Z/lQceErDxLiRUSrqlBRheRPE/DypfyeT5wkiBGIydsiGKXIJ/XJCJD/Nby7gpzb/ysLojcM/+sO4ceYpQOLY1lUjssljPPYYe8P4GNQC9vBt9Pt9QuRwwcsfmICq7NzjKYx4dotVhojeSa/mkSQgSgEnxofpTxwXWh7WdTWhWNmSd1WwsWj+zlhQhNtHcMX3EKf2jW5/TUhOqmrmvzEVSVijChvfRG9VYVHnMVrr5tJg7pmxB2w9bejmpN9iprSHcc/tXm/IggAGokF+P4XdaEMXf1sD3wRpb/i3QadTY8Ua05+7Ulmd/xZQiNf34omTYoZ7wFnjCNVldd+3HjVZg==</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>[certificate omitted]</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status>
  <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:xs="http://www.w3.org/2001/XMLSchema"
      ID="_0e6ae988-b116-4944-b064-f5a4699d57f5"
      Version="2.0"
      IssueInstant="2019-07-03T16:44:20.225Z">
    <saml:Issuer>https://idp.classlink.com/sso/metadata/dlBYaWttTEkyYlU9</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">dianne@k12gapps.mcnc.org</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2019-07-04T00:44:20.225Z"
            Recipient="https://login.zscalerone.net:443/sfc_sso"
            InResponseTo="_4885959269131611487" /></saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2019-07-03T16:44:20.225Z"
        NotOnOrAfter="2019-07-04T00:44:20.225Z">
      <saml:AudienceRestriction>
        <saml:Audience>zscalerone.net</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2019-07-03T16:44:20.225Z"
        SessionNotOnOrAfter="2019-07-04T00:44:20.225Z"
        SessionIndex="_38ffb1d9-1b83-4da0-9461-e79336af4dc4">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="Department"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">student</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
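
For anyone comparing their own capture against a trace like the one above, here is an added example (not part of the original thread, and not Zscaler or Microsoft code) that decodes a base64 `SAMLResponse` form value and checks the fields that most often explain a failed SSO test: Destination, Audience, status, validity window and SHA-1 algorithms. The function name `summarize`, the sample XML and its `example.com` values are assumptions constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SHA1_SUFFIXES = ("#rsa-sha1", "#dsa-sha1", "#sha1")

# Constructed sample, modeled on the trace above (signature reduced to its method).
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 Destination="https://login.zscalerone.net:443/sfc_sso">
<saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<saml:Assertion><saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
<saml:Conditions NotBefore="2019-07-03T16:44:20.225Z" NotOnOrAfter="2019-07-04T00:44:20.225Z">
<saml:AudienceRestriction><saml:Audience>zscalerone.net</saml:Audience></saml:AudienceRestriction>
</saml:Conditions></saml:Assertion></samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

def _ts(value):
    # SAML instants are UTC; fractional seconds are optional.
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def summarize(response_b64, expected_destination, expected_audience, now):
    """Decode a SAMLResponse (signature is NOT verified); return (fields, findings)."""
    root = ET.fromstring(base64.b64decode(response_b64))
    text = lambda path: (root.findtext(path, namespaces=NS) or "").strip()
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    fields = {"issuer": text("saml:Issuer"), "destination": root.get("Destination"),
              "status": status.get("Value") if status is not None else None,
              "name_id": text(".//saml:Subject/saml:NameID"),
              "audience": text(".//saml:Audience")}
    findings = []
    if fields["destination"] != expected_destination:
        findings.append("Destination does not match the SP ACS URL")
    if fields["audience"] != expected_audience:
        findings.append("Audience does not match the SP entity ID")
    if not (fields["status"] or "").endswith(":status:Success"):
        findings.append("status is not Success")
    cond = root.find(".//saml:Conditions", NS)
    if cond is not None and not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        findings.append("outside the Conditions validity window")
    for el in root.iter():
        if el.get("Algorithm", "").endswith(SHA1_SUFFIXES):
            findings.append("SHA-1 algorithm: " + el.get("Algorithm"))
    return fields, findings
```

Use it only on traces you captured yourself; it is an inspection aid and does not validate the assertion's signature.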