Zapp authentication frequency

Hi, we are using Zapp on Windows 10 devices to forward traffic to Zscaler. We use SAML for provisioning and authenticating users against our Microsoft ADFS service.

We use a custom msi to provide SSO for the user using their integrated windows authentication credentials so they never have to enter creds into the Zscaler app.

The issue we have is that users are added to AD groups regularly which we have Zscaler URL and and cloud app rules for. currently to update the zscaler user database so rules work correctly we ask the user to logout of the Zapp to generate a new SAML assertion which updates the Zscaler user database with the user’s updated groups, however this doesn’t scale for a lot of users.

Best practice says to only authenticate once, if we changed this to daily or weekly for example does this work for Zapp users or does this authentication frequency setting only apply to web browsers, or is there another scalable way to regularly update the user database. Note we aren’t going to change from using SAML, ADFS or the Zscaler app. Thanks

Hi @fraya,

There’s a few options at your disposal…

  1. If you have system capable of doing SCIM, that could be used for the provisioning piece:
    https://help.zscaler.com/zia/about-scim

  2. Alternatively, we have the option of using LDAP. The can be done direct from the cloud, or with an add-on component called Zscaler Authentication Bridge:
    https://help.zscaler.com/zia/documentation-knowledgebase/authenticating-and-managing-users/ldap
    https://help.zscaler.com/zia/about-zscaler-authentication-bridge

Hope this helps.

Cheers,
@skottieb

Thanks for the response Scott.

Unfortunately SCIM is not available for ADFS so that’s not an option. perhaps Microsoft may integrate it in the future.

I wanted to avoid linking Zscaler to our AD directly using LDAPS and ZAB has additional costs attached.

I was hoping for an answer for the following:
Would changing the authentication frequency from “only once” to “daily” for example, work for Zscaler app clients or does this just work for browser based users (cookie)? So a new SAML assertion would be generated daily updating the user’s groups, resolving the issue with no on-premise (LDAP/ZAB) integration required.

Hi Alex,

The re-auth interval for ZIA does not apply to Z App no. Only cookie based auth/non-zapp.

We do have an enhancement tracked to add re-auth prompts to Z App for ZIA, which I can add you too. But this isn’t planned for a specific release yet.

Regards

David

1 Like

Thanks for the confirmation David.

Very interested in the enhancement if you can add me to this please.

Thanks
Alex

Hi Alex,

I’ve added you. If you need a reference for this in the future when talking to anyone at Zscaler, this is tracked under - ER-4438

Regards

David

1 Like

Hi Alex,

To prevent future confusion about this, I also updated the ZIA Authentication Profile article to clearly state that the Authentication Frequency option doesn’t apply to Z App.

Thanks!

2 Likes