[VIDEO] ZIA Identity Proxy and ServiceNow

The Zscaler Identity Proxy forces users to access cloud applications through Zscaler. You can configure Zscaler as an Identity Provider (IdP) for the following cloud apps:
When users try to access the cloud apps using their corporate accounts, but without going through the Zscaler service, authentication fails, and the users won’t be able to log in.
To configure Identity Proxy settings for cloud applications in the ZIA Admin Portal see 1. Configure Identity Proxy Settings for each Cloud App.
The following diagram shows how the authentication process works when the Zscaler service is set up as the IdP for a cloud app. The cloud app used in this example is ServiceNow:

  1. The user opens a browser and authenticates with Zscaler using SAML.
  2. Zscaler syncs the ID from the customer’s IdP.
  3. Zscaler sets an authentication cookie on the user’s system.
  4. The user goes to the service-now.com instance and clicks the SSO button (with the authentication cookie).
  5. ServiceNow redirects to a Zscaler Public Service Edge to confirm the identity.
  6. The Public Service Edge transforms the cookie and authenticates the user with ServiceNow. The user is logged into Salesforce.

Zscaler Help Portal

In this video, we’ll explore

Timeline:
0:00:04;00 – 0:00:33;00 – Introduction
0:00:34;19 – 0:01:22;19 – Introduction to Identity Proxy Use Case for ServiceNow
0:01:30;22 – 0:03:08;50 – Identity Proxy and ServiceNow Workflow
0:03:09;00 – 0:06:15;07 – Configure ServiceNow Identity Proxy in ZIA
0:06:33;19 – 0:10:47;24 – Configure ServiceNow IdP OAuth Plugins
0:10:52;19 – 0:12:25;10 – Testing ServiceNow SAML Redirection to Identity Proxy
0:12:25;25 – 0:13:03;20 – Summary

Transcript

Part 1: Introduction
Hi, my name is William Guilherme, and I am a Solutions Architect with the Zscaler Technology Alliances team.
In this video, we’ll show how Zscaler Internet Access Identity Proxy can help you protect your ServiceNow instance from unwanted and unauthorized access. We’ll also show how identity proxy can optionally help you protect your ServiceNow instance by redirecting BYOD/Unmanaged devices to Zscaler’s Cloud Browser Isolation to control access to data by preventing downloads, printing, as well as copy and paste actions.

Part 2: Identity Proxy Support
With Zscaler’s Identity Proxy, organizations can gain control over the access rights of their unmanaged and BYOD devices when accessing their ServiceNow instance.
By redirecting access from the ServiceNow application with Zscaler Identity Proxy, these devices can only access ServiceNow through Zscaler, where security policies and access controls are enforced.
In addition, Identity Proxy can be integrated with Zscaler Cloud Browser Isolation so that the isolated browser is always proxied to send the traffic via the Zscaler Enforcement Nodes. Hence, all traffic from the isolated browser is enforced with the policies defined in ZIA.
This ensures that the users using unmanaged endpoints can still access the ServiceNow application securely, with all the defined ZIA policies being applied and transactions being recorded.

Part 3: Identity Proxy Traditional Workflow
In an Identity Proxy environment, Zscaler is set up to operate as an Identity Provider for your ServiceNow instance. This helps ServiceNow customers to remove risks associated with BYOD and unmanaged devices that attempt to access ServiceNow data.

In this first workflow:

  1. The user opens the browser and attempts to access the ServiceNow instance.
  2. Notice that Zscaler identity proxy works as a proxy between the ServiceNow instance and any of the onboarded Identity Providers like Okta, Azure, PingID and many others.
  3. For this reason, when the end user tries to authenticate to ServiceNow, the request is redirected to the Zscaler Identity Proxy.
  4. If the user attempt is coming via the Zscaler Service, meaning the user is connected with the Zscaler Client Connector agent, the Identity Proxy service then goes ahead and authenticates the user against the IdP to ascertain the identity of the user; otherwise, the user authentication attempt is denied.
  5. It is important to note that in this workflow the user device must have the Zscaler Client Connector installed, enabled, and connected to the Zscaler Cloud.

Part 3: Identity Proxy with Browser Isolation

  1. Optionally, customers who have Zscaler Cloud Browser Isolation can stream data to their unmanaged devices in the form of screen pixels, which prevents downloading, copy and paste operations, and printing.
  2. In this scenario, if the IdP indicates that the authentication request is originating from an unmanaged endpoint, for example (based on device identity), or if the original request was not originated via a Zscaler Enforcement Node, the Identity Proxy redirects the user to an isolation browser session.
  3. The browser would then make a request to ServiceNow and allow the user to access the ServiceNow instance from the isolated browser.

Part 4: Configure the ZIA Admin Portal for the SaaS Identity Proxy

To start with the Identity Proxy configuration, make sure you have administrator access to the ZIA portal.

  1. Log in with your administrator credentials to the ZIA portal.
  2. Once you’re logged in, navigate to “Administration”.
  3. Click “Identity Proxy Settings”.
  4. Then, select “Add Cloud Application”.
  5. Then provide a “name” for the application; in this case we’ll name it ServiceNow and make sure it is enabled.
  6. In the Cloud application dropdown menu, select “ServiceNow”.
  7. In the “ACS URL”, provide your ServiceNow instance address followed by the URI navpage.do (the Instance Hibernating page).
  8. In “Entity ID”, provide your ServiceNow instance address, https://dev111111.service-now.com
  9. In “Identity Proxy Settings” section, select the SAML certificate under “Response Signing SAML Certificate”. Such as SAML_2023 or later.
  10. Then select “Pass-through Zscaler Identity” for the identity Transformation
  11. In the Pass-on-Group details section, if you want to send all groups the user belongs to in the response, then you need to provide the Group Identifier Name, in this example, we’ll use the identifier memberOf.
  12. In the “Managed Device Settings” section, we’ll leave the default option Proxied via Zscaler selected. In this case, Zscaler identifies that the device is a managed device if its traffic is proxied via one of the available forwarding methods, such as Zscaler Client Connector, PAC File, GRE or IPSec tunneling.
    a. Notice that the option “Proxied via Zscaler with IdP attribute” identifies the user’s device if their traffic is proxied via Zscaler with at least one of the IdP managed attributes.
    b. For purposes of this video, we’ll use the default option Proxied via Zscaler
    c. We can then select the action Zscaler should take when traffic from an unmanaged device is redirected to the Identity Proxy service. In this example, we’ll select the action of “Browser Isolate”
    d. Notice that this action is optional and requires you to have a Zscaler Cloud Browser Isolation subscription, as well as an Isolation Profile created via the Cloud Browser Isolation portal.
    e. If you don’t have a Cloud Browser Isolation subscription, you can still benefit from all other capabilities provided by the Identity Proxy service discussed in this video by simply selecting the action of “Block”
    f. In this case, the users are presented with a block page indicating that they must be connected to Zscaler via one of the traffic forwarding methods discussed previously, such as via Zscaler Client Connector.

For purposes of this video, we’ll select “Browser Isolate” and the “Isolation Profile”.
  13. Then, click Save and Activate your changes.

Part 5:
The complete identity Proxy configuration will be displayed.

  1. We need to copy and save the “Identity Proxy URL”
  2. and the “Issuer Entity ID” for later, when we configure the ServiceNow instance.
  3. Finally, download and save the Signing Certificate.

Part 6: Configure the ServiceNow Instance to Use the Zscaler identity Proxy Service

We are now ready to start with the ServiceNow configuration, so our instance can use Zscaler’s Identity Proxy service as its IdP. First, you must log in to the ServiceNow instance with administrator credentials.

This procedure requires you to install the Multi-IdP plugin offered by ServiceNow.

In order to install the IdP plugin:

  1. Go to the Filter Navigator and search for All Available Applications
  2. Then, select All to display all available plugins
  3. In the search bar, type multiple provider
  4. Then, click Install for the Integration – Multiple Provider Single Sign-On Enhanced UI.
  5. Then click Activate

Notice that both the Multiple Provider Single Sign-On Enhanced UI and the Multiple Provider Single Sign-On Enhanced plugins are installed; both must be configured for the Zscaler Identity Proxy service.

This process may take a few minutes.

Part 7: Configure ServiceNow Tenant to use Zscaler’s Identity Proxy Service.

With the Multiple Provider plugin installed, we must configure it, so that Zscaler is added as the Identity Provider.

To accomplish that, let’s go to the:

  1. Filter Navigator search for multi
  2. Then select Properties to display the Customization Properties for Multiple Provider SSO page
  3. Then select, enable multiple provider SSO.
  4. Enable Auto Importing of users from all IdPs into the user table
  5. And Enable debug logging for the multiple provider SSO integration.
  6. For purposes of this video, we’ll leave the “User Identification” blank
  7. Finally click Save.

Part 8: Add Zscaler as an identity Provider

The next step is to add the Zscaler Identity Proxy service as an identity Provider.
To complete this step:

  1. Select Identity Providers in the configuration pane
  2. Then select New
  3. And in the ServiceNow Identity Providers section select SAML.
  4. In this page we will use the values created in the Zscaler tenant, when we added our ServiceNow instance as one of the supported cloud applications

  5. To get started:
    a. Give a name to the record; in this example, we are calling it “Zscaler”.
    b. In the Identity Provider URL, paste the Issuer Entity ID information from the Zscaler config.
    c. In the Identity Provider’s AuthnRequest URL, paste your Identity Proxy URL.
    d. In ServiceNow Home Page, enter your ServiceNow instance address followed by the URI navpage.do (the Instance Hibernating page).
    e. For the Entity ID/Issuer and Audience URI, enter your ServiceNow instance address, https://dev111111.service-now.com
    f. In the NameID Policy, enter the following SAML attribute value: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
      i. This tells the ServiceNow instance that it is up to the Zscaler Identity Proxy Service to determine the name identifier format to use. Notice that you can select the format that is more appropriate for your organization.

  1. Then select the Advanced Tab
  2. And in the Single-Sign-on Script select MultiSSOv2_SAML2_custom Script.
  3. Finally, select Force AuthnRequest
  4. And click submit

Part 9: Add the Identity Provider Certificate and Additional Settings

Now that we have the necessary IdP settings configured, we need to add the Identity Provider Certificate and configure some additional settings. This is the certificate we’ve downloaded from the ZIA portal when we configured ServiceNow as the supported cloud application.

For that:

  1. Select the newly configured IdP. In this case “Zscaler”
  2. The option to add the Zscaler Certificate becomes available at the bottom of the configuration screen.
  3. Select New
  4. Provide a name to the certificate. In this case, we are calling the certificate Zscaler
  5. We now need to paste the content of our certificate downloaded from the ZIA portal during the initial configuration.
  6. Notice that the certificate is one continuous line, so remove any carriage returns.
  7. Then click Submit
  8. Then select Default.

We can then select Test Connection. In this case we expect the test to fail, as I am currently not connected to the Zscaler Service via Client Connector, and the Identity proxy configuration is set to block traffic instead of redirecting to Browser isolation.

However, if we set the identity Proxy action to Browser Isolate, the test will automatically redirect traffic to Zscaler’s Cloud Browser Isolation, where the user will be required to authenticate.

With everything configured correctly, and now connected to the Zscaler Service via Client Connector, the following screen is displayed when testing.
The SSO Login Test Results display successful test results; however, the SSO Logout Test Results are expected to fail.
If everything worked as expected, we can click “Activate”
And then, configure the IdP to Auto Redirect anytime a new request is received.

Part 10: User Experience with Block Action

For managed devices with the Zscaler Client Connector installed and connected to the Zscaler Service, the experience is seamless. Whenever the user attempts to connect to the ServiceNow instance, they will be automatically redirected to the organization’s IdP portal for authentication.

However, for users or un-managed devices without the Zscaler Client Connector, or that are simply not connected to the Service at the time of access, a block page is displayed informing that they must be connected to the service in order to access the ServiceNow instance.

Finally, if your organization is subscribed to Zscaler’s Cloud Browser Isolation, you can optionally set the Identity Proxy Action configuration to “Browser Isolate”. In this case, unmanaged devices in your organization which require access to the ServiceNow instance will be automatically redirected to the IdP and subsequently to Zscaler’s Cloud Browser Isolation, where you will be able to control what actions those users can take within the SNOW instance, such as copy and paste, printing, and download and upload of confidential files.

Part 11:

In summary

  1. Zscaler’s Identity Proxy service helps organizations to remove risks associated with BYOD and un-managed devices attempting to access ServiceNow data.
  2. It also helps organizations to gain control over access rights of these devices,
  3. since these devices can only access the ServiceNow instance through the Zscaler Service.
  4. It can optionally be combined with Zscaler’s Cloud Browser Isolation for further access control, and to help prevent downloading, copy & paste and printing actions.
  5. In an Identity Proxy environment, Zscaler operates as an Identity Provider within the ServiceNow instance.
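The field checks that ServiceNow's SAML script has to make on a Response coming back from the Identity Proxy, using the ACS URL, Entity ID, NameID format and memberOf group attribute configured in the walkthrough, as an added Python example that is not part of the original post and not Zscaler's or ServiceNow's code. The Issuer Entity ID is a placeholder (the post says to copy it from the ZIA portal but does not print it), the sample Response is constructed, and XML signature verification against the downloaded signing certificate is left to an XML-DSig library:

```python
"""Added example (not Zscaler's or ServiceNow's code): check a SAML Response
from the Identity Proxy against the service-provider values configured in
the walkthrough. The sample Response below is constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Values from the walkthrough. The Issuer Entity ID is copied from the ZIA
# portal in the real setup; the post does not print it, so it is a placeholder.
SP_CONFIG = {
    "acs_url": "https://dev111111.service-now.com/navpage.do",
    "entity_id": "https://dev111111.service-now.com",
    "idp_issuer": "https://ISSUER-ENTITY-ID.placeholder",
    "nameid_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "group_attribute": "memberOf",
}

# Constructed sample: what a successful Response for this configuration looks like.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-05-01T12:00:00Z"
    Destination="https://dev111111.service-now.com/navpage.do">
  <saml:Issuer>https://ISSUER-ENTITY-ID.placeholder</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://ISSUER-ENTITY-ID.placeholder</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:55:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://dev111111.service-now.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="memberOf">
        <saml:AttributeValue>ServiceNow-Users</saml:AttributeValue>
        <saml:AttributeValue>Engineering</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _parse_time(value):
    # SAML timestamps are UTC with a trailing Z; fromisoformat wants +00:00
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(xml_text, cfg, now_iso):
    """Validate one Response; returns {"problems", "subject", "groups"}.

    Signature verification is deliberately not done here: it needs an XML-DSig
    library plus the signing certificate downloaded from ZIA, and must pass
    before any of these field checks are trusted.
    """
    now = _parse_time(now_iso)
    problems = []
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if root.get("Destination") != cfg["acs_url"]:
        problems.append("Destination does not match the ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no Assertion in response")
        return {"problems": problems, "subject": None, "groups": []}
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != cfg["idp_issuer"]:
        problems.append("Issuer does not match the Identity Proxy issuer")
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience",
        default="", namespaces=NS).strip()
    if audience != cfg["entity_id"]:
        problems.append("Audience does not match the ServiceNow Entity ID")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < _parse_time(not_before):
            problems.append("assertion not yet valid")
        if not_after and now >= _parse_time(not_after):
            problems.append("assertion expired")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    subject = None
    if name_id is None:
        problems.append("no NameID in Subject")
    else:
        subject = (name_id.text or "").strip()
        if name_id.get("Format") != cfg["nameid_format"]:
            problems.append("NameID Format does not match the NameID Policy")
    # Collect group memberships passed on under the configured identifier name
    groups = []
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == cfg["group_attribute"]:
            groups.extend((v.text or "").strip()
                          for v in attr.findall("saml:AttributeValue", NS))
    return {"problems": problems, "subject": subject, "groups": groups}


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, SP_CONFIG, "2024-05-01T12:00:00Z"))
```

Run with the current time instead of the fixed one and the sample reports "assertion expired", which is the check that stops an old Response from being replayed at the ACS URL; a Response whose Audience names another instance is rejected even when everything else matches.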

Nice! Great video about Zscaler and Service Now, and maybe in the future show the CASB inline and out-of-band options.