Using Zscaler App as IDP and ADFS

(obi-wan) #1

I was wondering if it is possible to try out Zscaler App on some computers without modifying our current setup? We’re using a PAC file deployed to all computers which allows us to enforce web browsing policies on all browser activity from port 80/443.

I would like to enable Zscaler App as the IDP without changing our current IDP, which is ADFS.

Basically what I’m after is a good strategy on testing out Zscaler App on 1 computer to start without disrupting any of the other systems on our network.

What I’m hoping to gain from Zscaler App is better identity association and improved security policy enforcement. Our biggest issue is not having a username ( when 80/443 is detecting outside web browsers.

Any help is greatly appreciated!

Thank you!

(David Creedy) #2


Is there a specific reason you wanted to use Zscaler App as IDP? Just in case there is a misunderstanding, you should be able to authenticate with Z App against your current configuration.

If there’s a reason you need to use our service as IDP, you can’t do this without changing it for other users. Just think of it as the authentication source: it will either authenticate against our service as IDP, or against ADFS as IDP.

If you are happy for Z App to authenticate against ADFS this should already be mostly configured. You would just need to customize the configuration (if needed) as outlined here - Apart from that, if Zscaler is already configured with your IDP, users should be able to enroll with Z App. You would just need to make sure the PAC file is not deployed to those machines to prevent any confusion.

(obi-wan) #3

So, to use Zscaler App with our current configuration (ADFS), I would need to remove the PAC file from the current workstation? The reason we’re looking at using Zscaler App is due to many workstations not having an identity.

All workstations are going through Zscaler to access 80/443 based traffic, however, a huge portion of that traffic doesn’t have an identity associated with it. We’d like to have all 80/443 traffic in our Zscaler logs to have an identity "" not “Office Location->Other”.


(David Creedy) #4


You don’t necessarily need to remove the PAC, but keep in mind, today - your PAC file is routing traffic to the cloud. When you use Z App, it will take over this role. So the PAC file becomes redundant (and depending on the configuration of Z App might cause some conflict).

I would suggest targeting a user or small group of users. Remove the existing PAC logic from their machines, deploy Z App and have them enroll through Z App. The configuration of Z App and its profiles will differ depending on your environment, but this should be covered in the document linked above.

Assuming you use Z App in Tunnel or Tunnel with Local Proxy mode, you will get that user attribution. Z App sends an authorization token with each request, and that is used to log against a specific user in the web logs. So this will meet your requirement for that, yes.



(obi-wan) #5

Hi @dcreedy,

I’ll give it a try today and let you know if I was successful or not. This might fall into the realm of a ticketed support request, so if you prefer me to go that route just let me know.