Just a quick note. If you are unfamiliar with using the Z-App Portal IdP, it can be a very useful tool. It has saved me in 2 accounts and potentially 21k of ZIA seats in the last 2 months. With the release of 6.0 and multiple IdP support, it has made the IdP even more powerful because now you can use it for a subset of users in an organization.
What is it? It is our own built-in IdP, but instead of creating credentials for each user, you use a device token that is loaded with Z-App installation switches. Z-App will then automatically authenticate when the device enrolls to the Z-App portal. It is completely transparent to the users.
If you have accounts that talk about no IdP availability, or absolutely no prompts for credentials, or "my users are not technical enough to authenticate" (no kidding), this may help. It is probably the easiest deployment we have available.
The two circumstances I recently used it for were these. One of my customers purchased an 8k-person company; they would not deploy ZIA to that group until they were all entered into their Okta instance. There was lots of going back and forth with solutions, but with the Z-IdP they were easily able to deploy ZIA and get around that limitation.
Customer 2 bought 14000 seats of ZIA for their Android devices (from a former SE), but they couldn’t get the users to authenticate and use ZIA. With Intune, Android Enterprise and Z-IdP, they now have one button to push and they are protected. Once Z-App is brought up, it is persistent as well. We are looking at an installation script to launch it automatically, but the customer now has a usable solution and is moving forward once again.
I just wanted to pass on some recent tribal knowledge, and encourage you to take a look.
There are some limitations, because you do not have groups, or potentially users, to assign policies to. I typically tell the customer this will use the default policy, and it has not been an issue to this point.
Thank you and best regards,
Z-App Portal IdP