Zapp adfs transparent


(Derek Mayberry) #1

I called in to support yesterday and have an open ticket. The support person didn’t seem to know answers to some of my questions so I want to confirm here…

  1. We want to use the Zscaler app universally rather than a browser PAC file. Knowing that, how can we force people to authenticate before they can browse the web? Currently you could just ignore the app and never sign in, and your browsing seems unaffected (which makes sense, as nothing is sending your traffic to Zscaler).

  2. We are using ADFS as the authentication method. Currently, if you try to sign in to the app, you are redirected within the app to the ADFS portal, then a pop-up box shows up and you have to put in your credentials. I was under the impression that this is not right and it should be an automatic sign-in. The support person told me this is normal behavior and you have to sign in once to ADFS and then you are OK after that. I don’t see the point of using ADFS over the directory sign-in method if this is the case.


(David Creedy) #2

Hi Derek,

For point #1, I think you are looking for ‘strict enforcement’, see details about the CLI parameters here - https://help.zscaler.com/z-app/customizing-zscaler-app-install-options-exe

Essentially what this does is stop any internet traffic until the user is logged in to Z App. If they visit an HTTP page in their browser, they will get a block page telling them to log in to Z App.

For point #2 - SSO or IWA will work, but there’s little you can do to configure this specifically. We load the IDP page in a native web view controller. What this means is that if, for example, the user was to go to outlook.com in Internet Explorer and they are automatically logged in, then Z App should automatically log in when it loads the IDP page. If you can get the SSO working without Z App, then Z App should just work with this.

Regards

David


(Derek Mayberry) #3

David,

For point 1— does strict enforcement also block background processes or things running as a service that talk to the internet? Or is it limited to web browser traffic only?


(David Creedy) #4

Hi Derek,

Today, web traffic only, yes (e.g. HTTP/HTTPS; it doesn’t necessarily need to be from the web browser).


(Derek Mayberry) #5

David,

Thanks for your response.

One more question.

This seems like a big issue because, for example, what if you push out the Zscaler app to hundreds of PCs, and then Windows Update itself is blocked because there are no users signed in to those PCs or to the Zscaler app?

So my question is… In these kinds of scenarios where the app is not yet authenticated, is the PAC file still utilized, so that, for example, if we put in exceptions for Windows Update, Dropbox and other various cloud services that may need 80/443 traffic, they would still work while the PC is not signed in to the app?

If the PAC file is not used in that scenario, is there any option for allowing those things to still work?


(David Creedy) #6

Bypasses defined in the app profile and app profile PAC should still work, so you can still bypass some traffic while the device is in lockdown.
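Added example, not from the thread or from Zscaler: a PAC file of the kind David describes, with DIRECT bypasses for the pre-sign-in services Derek asks about, plus a small audit that flags bypasses wider than they look (each one is a hole in strict enforcement). The gateway address, the domain patterns and the stand-in dnsDomainIs/shExpMatch helpers are assumptions; the real app-profile PAC supplies its own gateway and the PAC runtime provides those built-ins.

```javascript
// Added example (not the thread's or Zscaler's own PAC): a minimal PAC file
// with bypasses for services that must reach 80/443 before any user has
// signed in to Z App. The PAC runtime supplies dnsDomainIs/shExpMatch; small
// stand-ins are defined here so the logic runs under Node.js for testing.

// Stand-in for the PAC built-in dnsDomainIs(host, domain): suffix match only.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.endsWith(domain);
}

// Stand-in for the PAC built-in shExpMatch(str, shexp): '*' and '?' globbing.
function shExpMatch(str, shexp) {
  const re = shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                  .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// Placeholder gateway (assumption); a real app-profile PAC uses the gateway
// the Zscaler cloud hands the app, which this example does not know.
const ZSCALER_PROXY = "PROXY gateway.example.invalid:80";

// Illustrative bypass list: the thread names Windows Update and Dropbox, but
// these patterns are constructed examples, so take real endpoints from each vendor.
const DIRECT_BYPASS = [".windowsupdate.com", ".update.microsoft.com", ".dropbox.com"];

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Private-range LAN traffic never needs the gateway.
  if (shExpMatch(host, "10.*") || shExpMatch(host, "192.168.*")) return "DIRECT";
  for (const d of DIRECT_BYPASS) {
    if (dnsDomainIs(host, d)) return "DIRECT";
  }
  // Everything else goes to the gateway, where strict enforcement shows the
  // block page until the user has signed in.
  return ZSCALER_PROXY;
}

// Every DIRECT bypass is a hole in strict enforcement, so flag patterns that
// are wider than they look: a domain without a leading dot also matches any
// host that merely ends in that string (e.g. "evil-dropbox.com"), and a
// single-label pattern bypasses a whole TLD.
function auditBypasses(patterns) {
  const findings = [];
  for (const p of patterns) {
    if (!p.startsWith(".")) findings.push(p + ": no leading dot, matches any host ending in it");
    if (p.split(".").filter(Boolean).length < 2) findings.push(p + ": whole TLD bypassed");
  }
  return findings;
}
```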