We are working on deploying client connectors to some of our 3rd party vendors and one of the challenges I see is that I’m unable to hide or bypass authentication for ZIA, since I only need private access for them.
Has anyone come across this issue and managed to resolve it?
Yes, this is known. Authentication starts from ZIA and then ZPA if both are opted.
I have never seen any solution to hide ZIA authentication. We used to disable ZIA and enable ZPA only after authentication.
Agree with Ramesh. The only other option is to consider your authentication method. If you have a common auth method (same IdP, same domain) there is no way around ZIA auth, as it is required and comes first. If you have a separate IdP for your contractors, that may be the reason for what you are experiencing now. One solution would be to add the contractor’s IdP to ZIA (which was not available in the past). Multiple IdP support will allow you to use the same login for contractors for both ZIA and ZPA, in which case it will still be required, but appear seamless to the end user. You would of course disable ZIA by setting a forwarding profile with forwarding set to “None”. The other alternative is to add the contractors to your ZIA IdP/auth domain, but this involves additional management of users technically outside your domain and is therefore not the recommended practice, but it will work the same from a seamless login perspective.
There is also one other method, albeit a bit more severe. You could separate the ZPA instance from your ZIA instance, and Cloud Ops would associate it with what we call a ZIA stub. You would then have to manage that ZPA instance separately as a “contractor-only ZPA instance” and obtain a separate subscription for this instance. Again, not the recommended solution, but technically an option to obtain seamless ZIA/ZPA login.
Hi @wick54,
In the near future, we can use ZCC 3.9 to automatically assign ZIA entitlement based on Device Group. Refer to: Enabling ZIA for Device Groups | Zscaler