[VIDEO] Okta Integration

By default, the Cloud Connector portal provides a simple username and password mechanism as the primary authentication option for admins. However, the Cloud Connector portal also supports SAML version 2.0 and, as such, Zscaler recommends that organizations leverage SAML instead. SAML is a more secure option that allows for integration with multi-factor authentication wherein an admin can log in to the Cloud Connector Portal directly via single sign-on (SSO) by clicking the appropriate application icon within the Okta portal. In this video, we’ll discuss how to integrate Zscaler Cloud Connector portal with Okta.

We’ll explore:
[0:00 to 0:57] Overview and nuances of using SAML with Cloud Connector portal
[0:57 to 3:18] Deploying SAML using Okta
[3:18 to 3:32] Testing the integration
[3:32 to 4:13] Key takeaways


Hello, my name is Aaron and I’m one of the Principal Technical Product Specialists for Zscaler Cloud Workload Protection. In this video, we’ll explore how the Zscaler Cloud Connector administration portal can be provisioned with SAML authentication using Okta as the Identity Provider.

The Cloud Connector portal supports SAML version 2.0 and above… and while the portal, by default, provides a simple username and password authentication option for admins, Zscaler recommends that organizations leverage SAML instead for authentication. That said, it is also recommended that you have at least one locally defined super admin account with password authentication enabled to ensure access to the Cloud Connector portal even if SAML servers become unreachable.

With SAML authentication, an admin can log in to the Cloud Connector Portal directly via single sign-on (SSO) by clicking the appropriate application icon within the Okta portal. This feature also enables you to integrate admin authentication with your existing multi-factor authentication solution.

From the Okta portal, navigate to the Applications tab and click on the Applications link.

Click the Create App Integration button and select SAML 2.0…

Provide a name and choose a logo, then click next…

For the Single Sign-on URL, input the URL as shown on your screen, replacing the cloud name with your own, such as Zscaler, Zscalerthree, etc. Here, we will use https://connector.zscalertwo.net/bac-adminsso.do

Just below that, in the Audience URI, you’ll input a similar address. Here we’ll enter admin.zscalertwo.net, but again, replace the cloud name with that of your own

The next three dropdown menus define how the username will be presented to the Cloud Connector portal. We’ll leave them at default, but feel free to change them if you’d like to manipulate how that value is passed from Okta to the Cloud Connector portal during login.

Click the next button to proceed…

If prompted, choose the radio button “I’m an Okta customer adding an internal app…” and click the finish button.

Next, we’ll assign this new application to one of our users under the Assignments tab…

Click the Assign button. Under normal circumstances, you might assign this application to groups of users, such as groups of admins. In our demo, we’ll assign it to a single user…

As a last step in the Okta portal, we need to capture a few items to import into our Cloud Connector portal. Navigate to the Sign-on tab.

Scroll down and click on the “View SAML Setup Instructions” button.

Copy the Identity Provider Issuer URL provided and download the X.509 certificate. Note that, by default, Okta names their certificates with a .cert extension. The Cloud Connector portal accepts extensions in .cer or .pem only, so you will need to rename the extension of this file.

Navigate to the Cloud Connector portal… Administration… then Administrator Management.

It’s important to note here that although Okta provides authentication for the portal, it does not create accounts automatically within the portal. Hence, you must still create admin accounts on this screen in order for them to successfully authenticate. Here, our admin account has already been pre-created.

Click the Administrator Management tab.

Click the upload link to upload your Okta X.509 certificate.

Next, provide the Okta Issuer URL you copied from the Okta portal.

Click to enable SAML authentication, followed by the save button.

Then, activate the change.

As a test, from the user’s Okta dashboard, click on the Cloud Connector Admin icon. You should be redirected to the Cloud Connector portal.

Zscaler highly recommends implementing SAML authentication for Cloud Connector portal administrators

Be sure to leave at least one password-enabled administrator account to provide access to the portal, should SAML be unavailable

The Cloud Connector portal supports SAML authentication v2.0 and can easily integrate with Okta as an Identity Provider

SAML providers do not automatically provision accounts within the Cloud Connector portal. The administrator must configure an account name to match the IdP before the user can successfully log in via SAML