Proxy PAC - SSO

(Rajeev Srikant) #1

Planning to use custom proxy PAC for my branch users.
In my branch network, planning to use internet break out for internet access. The users will be in LAN & their PC will be configured for using Proxy PAC.
With Proxy PAC they will reach Zscaler via Internet break out.
So nearly 500 users will be sharing the same public IP from the branch internet.

Question: Will I be able to achieve SSO when the user tries to access the internet?
Possible option: ADFS or Azure AD

Let me know if I can achieve SSO.

(Jones Leung) #2

Yes you can, and many customers do achieve it as well.

The auth actually happens between your user devices and the SAML solution (ADFS or Azure AD in your case). So you need to make sure they are configured to support it.

Best Regards,

Jones Leung

(Rajeev Srikant) #3

Thanks, Jones.
Is there any document you can refer me to where SSO is achieved when using Proxy PAC?

(Jones Leung) #4

Hi Rajeev,

As I mentioned, the auth actually happens between your SAML solution and your user device; Zscaler is not involved. So I would suggest you check with the SAML solution for docs about SSO.

Best Regards,

Jones Leung

(Thomas Quinlan) #5

Rajeev,

If you can, I would also consider using the Z App. It provides for a much better user experience along with some other benefits.

The data sheet for Z App is here (PDF link, remove the brackets):

https://www[.]zscaler.com/resources/data[-]sheets/zscaler-mobile-app[.]pdf

(Rajeev Srikant) #6

Thanks, Thomas.
We are planning to use PAC. The users sit in our LAN network & we want to control it via PAC.
If we use PAC of Zscaler, is it required to advertise the Zscaler PAC & ZEN Node IPs into our network?

(Thomas Quinlan) #7

Rajeev,

The users will need to be able to access & download the PAC from us if you host it with us, yes. That’s not a requirement, but is advised:

https://help.zscaler.com/zia/what-pac-file

Please note that if those users roam, there may be other requirements. Z App is generally recommended to cover the use case where users roam (especially if they’ll be on networks that aren’t yours). If they are fixed, that may not apply.