By default, the Cloud Connector portal provides a simple username and password mechanism as the primary authentication option for admins. However, the Cloud Connector portal also supports SAML version 2.0 and, as such, Zscaler recommends that organizations leverage SAML instead. SAML is a more secure option that allows for integration with multi-factor authentication wherein an admin can log in to the Cloud Connector Portal directly via single sign-on (SSO) by clicking the appropriate application icon within the Microsoft Azure AD portal. In this video, we’ll discuss how to integrate Zscaler Cloud Connector portal with Azure AD.
[0:00 to 0:57] Overview and nuances of using SAML with Cloud Connector portal
[0:57 to 2:56] Deploying SAML using Azure AD
[2:56 to 3:11] Testing the integration
[3:11 to 3:50] Key takeaways
Hello, my name is Aaron and I’m one of the Principal Technical Product Specialists for Zscaler Cloud Workload Protection. In this video, we’ll explore how the Zscaler Cloud Connector administration portal can be provisioned with SAML authentication using Microsoft Azure AD.
The Cloud Connector portal supports SAML version 2.0 and above… and while the portal, by default, provides a simple username and password authentication option for admins, Zscaler recommends that organizations leverage SAML instead for authentication. That said, it is also recommended that you have at least one locally defined super admin account with password authentication enabled to ensure access to the Cloud Connector portal even if SAML servers become unreachable.
With SAML authentication, an admin can log in to the Cloud Connector Portal directly via single sign-on (SSO) by clicking the appropriate application icon within the provider’s portal. This feature also enables you to integrate admin authentication with your existing two-factor authentication solution.
From your Azure portal, navigate to Active Directory, followed by the Enterprise Applications blade.
Click the new application button.
Select the Create your own application option. Provide a name for your application, such as Cloud Connector Admin.
Click on the Single Sign-on blade. Enable the SAML option by clicking on the tile.
Under Basic SAML configuration, click the Edit link.
In the Entity ID field, click the Add Identifier link. Input the URL as shown on your screen, replacing the cloud name with your own, such as Zscaler, Zscalerthree, etc. Here, we will use admin.zscalertwo.net.
Under the Reply URL field, click the Add Reply URL link. Input the URL as shown on your screen, again replacing the cloud name with your own. Here, we will use connector.zscalertwo.net/bac-adminsso.do, with an index of 1.
Click the Save button.
If prompted to test, click No, I’ll test later, since we must still configure the Cloud Connector portal.
Optionally, if you’d like to change the username identifier sent to the Cloud Connector portal, you can change it within the Attributes and Claims pane. Here, we will use the default.
Next, in the SAML Signing Certificates pane, download the base64 signing certificate.
In addition, copy the Azure AD Identifier URL to your notepad.
Navigate to the Cloud Connector portal, Administration, Administrator Management.
It’s important to note here that although Azure AD provides authentication for the portal, it does not create accounts automatically within the portal. Hence, you must still create these accounts on this screen in order for them to successfully authenticate. Here, our admin account has already been pre-created.
Click the Administrator Management tab.
Click the upload link to upload your Azure AD signing certificate.
Next, add in the Azure AD Identifier URL under the Issuer field.
Click to enable SAML authentication, followed by the save button.
Then, activate the change.
Before we test, let’s head back into the Azure portal to assign our app to our users.
Now, let’s test! From the myapps.microsoft.com dashboard, click on the Cloud Connector Admin icon. You should be redirected to the Cloud Connector portal.
Zscaler highly recommends implementing SAML authentication for Cloud Connector portal administrators.
Be sure to leave at least one password-enabled administrator account to provide access to the portal, should SAML be unavailable.
The Cloud Connector portal supports SAML authentication v2.0 and can easily integrate with Microsoft Azure AD.
SAML providers do not automatically provision accounts within the Cloud Connector portal. The administrator must configure an account name to match the IdP before the user can successfully log in via SAML.
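The values typed by hand in this walkthrough (Entity ID, Reply URL, Issuer) and the pre-created admin accounts are exactly what a failed SSO login usually traces back to. The following added example, which is not Zscaler's or Microsoft's code, decodes a posted SAMLResponse and reports which of those values disagree with the configured ones; the tenant ID in the Issuer, the admin name and the https:// scheme on the Reply URL are assumptions.

```python
# Added example (not Zscaler's or Microsoft's code): check the fields of a
# SAML response that this walkthrough configures by hand.
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

EXPECTED = {  # values from the walkthrough; the tenant ID is a placeholder
    "issuer": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "entity_id": "admin.zscalertwo.net",
    "reply_url": "https://connector.zscalertwo.net/bac-adminsso.do",
}
PORTAL_ADMINS = {"aaron@example.com"}  # admins pre-created in the portal (constructed)

def check_saml_response(b64_response: str, admins=PORTAL_ADMINS, expected=EXPECTED):
    """Return the list of mismatches found (empty list = all checks passed).
    Covers the values an operator typically gets wrong; it does NOT validate the
    XML signature, which the portal does against the uploaded certificate."""
    root = ET.fromstring(base64.b64decode(b64_response))  # SAMLResponse field is base64
    a = root.find("saml:Assertion", NS)
    if a is None:
        return ["response carries no Assertion"]
    problems = []
    issuer = a.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected["issuer"]:
        problems.append(f"Issuer {issuer!r} != configured Issuer (Azure AD Identifier)")
    aud = a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS).strip()
    if aud != expected["entity_id"]:
        problems.append(f"Audience {aud!r} != Entity ID")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient", "") if scd is not None else ""
    if recipient != expected["reply_url"]:
        problems.append(f"Recipient {recipient!r} != Reply URL")
    name_id = a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if name_id not in admins:
        problems.append(f"NameID {name_id!r} has no pre-created portal admin account")
    return problems

def sample_response(name_id: str, audience: str = EXPECTED["entity_id"]) -> str:
    """Build a minimal, unsigned, constructed SAMLResponse for exercising the checker."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" Version="2.0" ID="_r1">
<saml:Assertion Version="2.0" ID="_a1"><saml:Issuer>{EXPECTED['issuer']}</saml:Issuer>
<saml:Subject><saml:NameID>{name_id}</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData Recipient="{EXPECTED['reply_url']}"/></saml:SubjectConfirmation></saml:Subject>
<saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
</saml:Assertion></samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()
```

A real SAMLResponse can be captured from the browser's developer tools on the POST to the Reply URL and passed to check_saml_response as-is.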