Hi, we are using Zapp on Windows 10 devices to forward traffic to Zscaler. We use SAML for provisioning and authenticating users against our Microsoft ADFS service.
We use a custom msi to provide SSO for the user using their integrated windows authentication credentials so they never have to enter creds into the Zscaler app.
The issue we have is that users are added to AD groups regularly, which we have Zscaler URL and cloud app rules for. Currently, to update the Zscaler user database so rules work correctly, we ask the user to log out of the Zapp to generate a new SAML assertion, which updates the Zscaler user database with the user's updated groups; however, this doesn't scale for a lot of users.
Best practice says to only authenticate once. If we changed this to daily or weekly, for example, does this work for Zapp users, or does this authentication frequency setting only apply to web browsers? Or is there another scalable way to regularly update the user database? Note we aren't going to change from using SAML, ADFS or the Zscaler app. Thanks
Thanks for the response Scott.
Unfortunately SCIM is not available for ADFS, so that's not an option. Perhaps Microsoft may integrate it in the future.
I wanted to avoid linking Zscaler to our AD directly using LDAPS and ZAB has additional costs attached.
I was hoping for an answer for the following:
Would changing the authentication frequency from "only once" to "daily", for example, work for Zscaler app clients, or does this just work for browser-based users (cookie)? A new SAML assertion would then be generated daily, updating the user's groups and resolving the issue with no on-premise (LDAP/ZAB) integration required.
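As an added example that is not part of this thread or of any Zscaler or ADFS code: the two posts above rely on the fact that a SAML assertion carries the user's group memberships as attribute values, so the groups Zscaler knows about are a snapshot taken at assertion time and only change when a new assertion is issued. The script below parses a constructed sample assertion (no signature, only the elements relevant here), pulls out the NameID, issue time and group list, reports how stale the snapshot is, and applies a group-ordered rule list with a default last entry. The claim type used for groups is assumed to be the ADFS `Group` claim; the rule names and the group names are invented for illustration.

```python
"""
Added example (not from the thread, Zscaler or ADFS): parse a SAML 2.0
assertion, extract the group memberships it carries, and evaluate an
ordered group-based policy with a default rule last.
"""
import xml.etree.ElementTree as ET  # in production prefer defusedxml for untrusted XML
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed: the outgoing claim type the ADFS relying-party trust uses for groups
# (ADFS "Token-Groups - Unqualified Names" -> "Group"). Adjust to your trust's config.
GROUP_ATTR = "http://schemas.xmlsoap.org/claims/Group"

# Constructed sample assertion for illustration only; a real one is signed and
# contains more elements. Capture your own with a SAML tracer to compare.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion" IssueInstant="2023-01-10T08:00:00Z" Version="2.0">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2023-01-10T07:55:00Z" NotOnOrAfter="2023-01-10T08:05:00Z"/>
  <saml:AuthnStatement AuthnInstant="2023-01-10T08:00:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>Domain Users</saml:AttributeValue>
      <saml:AttributeValue>Zscaler-Finance</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Invented rule list: group-based rules first, default (block) last, as in the
# "default last policy for anyone not in an AD group" design discussed below.
RULES = [
    ("Zscaler-Finance", "allow-finance-apps"),
    ("Zscaler-Engineering", "allow-dev-tools"),
]
DEFAULT_ACTION = "block"


def _parse_ts(value):
    """Parse a SAML UTC timestamp such as 2023-01-10T08:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_assertion(xml_text):
    """Return the subject, issue time and group list carried by the assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS).text
    issue_instant = _parse_ts(root.get("IssueInstant"))
    xpath = f"saml:AttributeStatement/saml:Attribute[@Name='{GROUP_ATTR}']/saml:AttributeValue"
    groups = [v.text for v in root.findall(xpath, NS)]
    return {"name_id": name_id, "issue_instant": issue_instant, "groups": groups}


def membership_age_hours(assertion, now):
    """Hours since the assertion snapshotted the group list; AD changes made
    after this instant are invisible until a new assertion is issued."""
    return (now - assertion["issue_instant"]).total_seconds() / 3600


def effective_action(groups):
    """First matching group rule wins; users in no listed group hit the default."""
    for group, action in RULES:
        if group in groups:
            return action
    return DEFAULT_ACTION


if __name__ == "__main__":
    a = parse_assertion(SAMPLE_ASSERTION)
    now = datetime(2023, 1, 11, 8, 0, tzinfo=timezone.utc)
    print(a["name_id"], a["groups"], effective_action(a["groups"]))
    print(f"snapshot is {membership_age_hours(a, now):.0f}h old")
    # Alice was added to Zscaler-Engineering in AD after the assertion was issued;
    # the assertion (and so the policy decision) does not reflect it yet.
    ad_groups_now = a["groups"] + ["Zscaler-Engineering"]
    print("AD now:", ad_groups_now, "assertion says:", a["groups"])
```

Running this on a captured assertion from your own environment is a quick way to confirm that the group claim is actually present in the assertion and which claim type it uses; if the attribute is missing or empty, no re-authentication schedule will fix the group mapping.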
The re-auth interval for ZIA does not apply to Z App, no. It only applies to cookie-based auth (non-Z App).
We do have an enhancement tracked to add re-auth prompts to Z App for ZIA, which I can add you to. But this isn't planned for a specific release yet.
Thanks for the confirmation David.
Very interested in the enhancement if you can add me to this please.
I’ve added you. If you need a reference for this in the future when talking to anyone at Zscaler, this is tracked under - ER-4438
To prevent future confusion about this, I also updated the ZIA Authentication Profile article to clearly state that the Authentication Frequency option doesn’t apply to Z App.
I have a similar query. Will the new group be updated when the user restarts their laptop?
As I see it, there is ER-4438, which Zscaler may at some point add so that ZIA also has the same auth policy as ZPA. But the only way for now seems to be to make certain that ZAB, SCIM or LDAPS is used, and to have policies based on groups with a default last policy for anyone not in an AD group, so that when a user is removed they will not be a member of any group and will be blocked. Maybe then every week the user devices can be removed from the Client Connector portal.