Small note for everyone: when setting up authentication from Z-App, please ensure that you whitelist and/or bypass in your proxy and gateways any traffic from Z-App to samlsp.private.zscaler.com.
The IP page at https://ips.zscaler.net/zpa outlines that *.private.zscaler.com should be allowed. Thus this wildcard captures the SAMLSP domain, but far too often we find that the samlsp.private.zscaler.com FQDN is being inspected. So please do not forget to whitelist this.
FYI: samlsp.private.zscaler.com is used to confirm your user's domain, and thus tenant, and then direct them to the correct IDP for authentication. If Z-App cannot reach this, then there is no chance for ZPA to be authenticated.
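As an added example (not part of the original note, and not Zscaler's own configuration), here is a minimal PAC (proxy auto-config) rule that sends everything under *.private.zscaler.com DIRECT, so the samlsp.private.zscaler.com authentication hop never passes through the corporate proxy. The proxy address `proxy.corp.example:8080` is a placeholder, and `dnsDomainIs` is a stand-in for the built-in that browsers and proxy clients supply to PAC scripts; it is defined here only so the file can be run and checked under Node. A PAC rule only controls the proxy path; exempting the FQDN from TLS inspection is a separate setting on the gateway itself.

```javascript
// Added example: PAC bypass rule for the ZPA authentication FQDN.
// "proxy.corp.example:8080" is a placeholder for your real proxy.

// Stand-in for the PAC engine's dnsDomainIs(host, domain): true when
// host ends with domain (case-insensitive). A leading dot in domain
// means "any host under this domain", not the apex itself.
function dnsDomainIs(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

const CORP_PROXY = "PROXY proxy.corp.example:8080"; // placeholder

function FindProxyForURL(url, host) {
  // Everything under private.zscaler.com (which covers
  // samlsp.private.zscaler.com) goes straight out, matching the
  // published *.private.zscaler.com allow entry.
  if (dnsDomainIs(host, ".private.zscaler.com")) {
    return "DIRECT";
  }
  // All other hosts keep using the corporate proxy.
  return CORP_PROXY;
}

// Admin check: does a given host get bypassed by this PAC?
function isBypassed(host) {
  return FindProxyForURL("https://" + host + "/", host) === "DIRECT";
}
```

The suffix match is anchored on the leading dot, so look-alike names such as `notprivate.zscaler.com` or `private.zscaler.com.attacker-controlled.example` still go through the proxy and are not silently exempted along with the real FQDN.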