ZApp - Users are receiving a SAML 400 Error

When the authentication expires, users will click “Re-Authenticate” within the Private Access service of the ZApp. If the user logs out of the app and logs back in, the error doesn’t show. It’s only when they select “Re-Authenticate”. This happens to only a handful of users, not all.

Anyone experience the same issue?


I’ve not seen this problem before and we are using AAD.
What SAML provider are you using?

We’re using Okta. Thinking maybe the SAML assertion is timing out, but it only happens during the re-authentication. No issues when logging in to the app.

Currently the authentication timeout policy is set to 30 days. Okta spits out the Failed SAML Request 400 Error. The thing is that after clicking “re-authenticate”, the Okta prompt for username and password isn’t presented. It goes straight to the Failed SAML Request.

Correction. Users see a “400 Bad Request” error.

The workaround is to have the users log out and log back in to the ZApp.

The behavior suggests the Okta SSO process is being sent through ZPA, resulting in an authentication loop: ZPA is capturing the traffic for reauthentication and asking it to reauthenticate, too. Is Okta set up to perform transparent authentication using IWA/IIS?

Sorry I’m arriving late to the party. Have you turned off the option to sign SAML requests? I had the same issue but recalled a comment about this in one of the docs; turned it off and boom, all working.


Thanks Mark, this is what we experienced as well, and selecting unsigned SAML requests fixed the issue.
But I’m still curious what actually fixed it. I was looking into the Okta community and found they have a similar error from other applications too, especially IE, as they mentioned there is a certain character limit in the URL, which is not sending the complete URL to Okta and causing the 400 error. I wonder if that may be the case here: possibly samlsp.private.zscaler.com has a limitation on the number of characters in the URL to be forwarded to Okta, due to which Okta is not getting the complete URL. When the SAML request is selected as unsigned, it may not be hitting this limit, fixing the issue.
I would love to understand more on this if any Zscaler team can help!
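The post above speculates that a signed SAML request pushes the redirect URL past a character limit somewhere on the path to Okta. The following is an added example, not code from this thread, from Zscaler or from Okta, that makes the mechanism concrete: it builds a SAML 2.0 HTTP-Redirect binding URL from a constructed AuthnRequest, once unsigned and once with the `SigAlg` and `Signature` query parameters the binding adds when request signing is on, and reports how much longer the signed URL is against a configurable limit. The `sso_url`, the request XML and the `fake_rsa2048_sign` stand-in (it produces 256 deterministic bytes, the size of an RSA-2048 signature, and is not a real signature) are all assumptions made for the example; the 2083-character ceiling is the commonly cited Internet Explorer URL limit.

```python
import base64
import hashlib
import zlib
from typing import Callable, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample AuthnRequest; identifiers and hosts are placeholders, not ZPA's real values.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_constructed-id-0001" Version="2.0" IssueInstant="2020-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://samlsp.example.test/auth/saml" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml:Issuer>https://samlsp.example.test</saml:Issuer>'
    '</samlp:AuthnRequest>'
)
RSA_SHA256_ALG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
IE_URL_LIMIT = 2083  # commonly cited Internet Explorer maximum URL length


def deflate_b64(xml: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def inflate_b64(encoded: str) -> str:
    """Reverse of deflate_b64, as the IdP would decode the SAMLRequest parameter."""
    return zlib.decompress(base64.b64decode(encoded), -15).decode("utf-8")


def fake_rsa2048_sign(data: bytes) -> bytes:
    """Stand-in for an RSA-2048 signature: 256 deterministic bytes, NOT a real signature."""
    return hashlib.sha256(data).digest() * 8


def build_redirect_url(sso_url: str, xml: str, relay_state: Optional[str] = None,
                       sign: Optional[Callable[[bytes], bytes]] = None) -> str:
    """Build a SAML 2.0 HTTP-Redirect URL, optionally adding SigAlg and Signature.

    Per the binding, the signature covers the query string
    'SAMLRequest=...&RelayState=...&SigAlg=...' in exactly that order.
    """
    params = {"SAMLRequest": deflate_b64(xml)}
    if relay_state is not None:
        params["RelayState"] = relay_state
    query = urlencode(params)
    if sign is not None:
        query += "&" + urlencode({"SigAlg": RSA_SHA256_ALG})
        signature = sign(query.encode("ascii"))  # sign the encoded query string
        query += "&" + urlencode({"Signature": base64.b64encode(signature).decode("ascii")})
    return f"{sso_url}?{query}"


def decode_saml_request(url: str) -> str:
    """Extract and decode the SAMLRequest parameter from a redirect URL."""
    qs = parse_qs(urlsplit(url).query)
    return inflate_b64(qs["SAMLRequest"][0])


def signature_overhead(sso_url: str, xml: str, relay_state: Optional[str] = None) -> int:
    """Characters added to the redirect URL by request signing (SigAlg + Signature)."""
    unsigned = build_redirect_url(sso_url, xml, relay_state)
    signed = build_redirect_url(sso_url, xml, relay_state, sign=fake_rsa2048_sign)
    return len(signed) - len(unsigned)


def exceeds_limit(url: str, limit: int = IE_URL_LIMIT) -> bool:
    """True when the URL is longer than the given client or proxy limit."""
    return len(url) > limit


if __name__ == "__main__":
    sso = "https://idp.example.test/app/sso/saml"  # assumed IdP SSO endpoint
    unsigned = build_redirect_url(sso, SAMPLE_AUTHN_REQUEST, relay_state="https://app.example.test/")
    signed = build_redirect_url(sso, SAMPLE_AUTHN_REQUEST, relay_state="https://app.example.test/",
                                sign=fake_rsa2048_sign)
    print(f"unsigned URL: {len(unsigned)} chars, over IE limit: {exceeds_limit(unsigned)}")
    print(f"signed URL:   {len(signed)} chars, over IE limit: {exceeds_limit(signed)}")
    print(f"signing adds {signature_overhead(sso, SAMPLE_AUTHN_REQUEST)} chars")
```

With a request this small neither URL crosses the IE limit, but the signed form is several hundred characters longer regardless of the request body (a base64 RSA-2048 signature alone is 344 characters before percent-encoding), so a long `RelayState` or a larger AuthnRequest reaches a proxy or browser ceiling sooner when signing is on. Checking `len(url)` against the limit of every hop that will see the redirect is the quick way to confirm or rule out this hypothesis in a given deployment.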