Zapp using ADFS / SAML has massive delay during first time authentication

zapp
saml
authentication
adfs

(Alex Fray) #1

We are using ADFS/SAML to authenticate and provision users for Zscaler. We use a mix of Zscaler App for laptops and PAC file only for desktops. Everything is working fine, in that users can authenticate and use the Zscaler service. However, for new laptop users using Zapp, the first time they log in to their device it takes Zapp 3-5 minutes to authenticate against ADFS. It eventually logs the user in successfully, but I'm concerned about the delay. If I log out of Zapp and log back in, authentication is instant, so it is only the first-time login. PAC-file-only users authenticate instantly, so there can’t be anything wrong with ADFS; it is specific to Zapp.

To add to my confusion, when on the LAN the Zapp forwarding profile is set to tunnel with local proxy mode. If I change this to tunnel mode, the user is authenticated instantly. So there is something different between these Zapp forwarding modes which impacts SAML authentication. I have a PAC file exception for our ADFS URL, so I'm not sure what it could be. I can’t change the forwarding mode to tunnel as it causes issues and breaks certain proxy chaining we are doing, so I need to resolve the issue.

I have opened a case but have had limited feedback on the Wireshark traces I provided.

Anyone else experienced and resolved this issue?


(Yogi Chandiramani) #2

Hi @fraya

Can you share the case number along with the PCAP?
You may want to look into the logs of the ZAPP client as well, located under ProgramData\Zscaler.


(David Creedy) #3

Hi @fraya

It doesn’t sound like expected behavior at all. Can you please provide the ticket number that you’d opened?


(Alex Fray) #4

Hi both,

Case number is 545236. I uploaded the PCAP to your portal which looked fine from a TCP perspective. As the Zscaler engineer couldn’t see inside the TLS encrypted SAML traffic he wasn’t able to provide any more info on the trace.

Thanks,
Alex


(David Creedy) #5

Hi Alex,

Thanks for raising this. It doesn’t seem normal that tunnel with local proxy introduces such a delay. I’ll have some resources look over the ticket and have them update there.


(Alex Fray) #6

Update. Unfortunately support haven’t made any progress on this, but I do have a workaround, not a fix.

When I deploy the Zscaler app via SCCM I use the MSI script to point at a policy token (among other settings). I have set the policy token to look for an app profile which is for initial login, so it has forwarding on LAN set to tunnel mode with a system proxy of a PAC file which excludes our ADFS URL.

So pre-login, when the user logs in for the first time, they get this policy, which forwards them to ADFS almost instantly. Once the user is logged in using SSO, I have a post-login app profile for all users which sets the forwarding to tunnel with local proxy.

I’ve tested this on multiple W10 devices and also with multiple users logging onto the same machine, and it seems to work well. First-time login is now instant and it means we can roll the app out to hot-desk devices which are used by multiple users without them having to wait 3-4 minutes for the app to load.

Pre-Login App Profile - Tunnel mode with system proxy to exclude ADFS URL
Post-Login App Profile - Tunnel mode with local proxy
Note: the Post-Login App Profile is set to Priority 1 to catch All Users once they log in.

Again, this is a workaround which works in my scenario, not a fix.
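
As an added illustration of the PAC exception Alex's workaround depends on (example code, not the poster's or Zscaler's own file): a minimal PAC that returns the ADFS federation host DIRECT, so the first-time SAML exchange never depends on the not-yet-authenticated tunnel, and sends everything else to the gateway. The hostnames, the internal domain and the gateway address are assumed placeholders.

```javascript
// Added example PAC file (not the poster's actual configuration).
// Pre-login, Zapp has no authenticated session yet, so the SAML
// round-trip to the identity provider must not depend on the tunnel:
// the federation host is returned DIRECT, everything else goes to
// the Zscaler gateway.
//
// Assumed placeholders: adfs.example.com / sts.example.com are the ADFS
// endpoints, corp.example.com is the internal domain, and
// gateway.example.net:80 stands in for the real Zscaler gateway.
var ADFS_HOSTS = ["adfs.example.com", "sts.example.com"];
var INTERNAL_DOMAIN = ".corp.example.com";
var ZSCALER_PROXY = "PROXY gateway.example.net:80";

// Own helper rather than the PAC built-in dnsDomainIs(), so the file
// also runs unchanged under Node for testing.
function hostEndsWith(host, suffix) {
  return host.length >= suffix.length &&
         host.slice(host.length - suffix.length) === suffix;
}

function FindProxyForURL(url, host) {
  // Decide on the host argument, never on a substring of the URL: a
  // URL whose query string merely contains the ADFS hostname must not
  // be sent DIRECT.
  host = host.toLowerCase();

  // 1. Identity provider: direct, so first-time SAML auth works before
  //    the client has a session through the tunnel.
  for (var i = 0; i < ADFS_HOSTS.length; i++) {
    if (host === ADFS_HOSTS[i]) { return "DIRECT"; }
  }

  // 2. Plain intranet names and the internal domain stay local.
  if (host.indexOf(".") === -1 || hostEndsWith(host, INTERNAL_DOMAIN)) {
    return "DIRECT";
  }

  // 3. Everything else: Zscaler gateway. No trailing "; DIRECT" is
  //    appended, so the client fails closed rather than bypassing the
  //    gateway when it is unreachable.
  return ZSCALER_PROXY;
}
```

The exception is an exact host match, so a second ADFS alias (for example a separate STS name) has to be listed explicitly rather than relying on a suffix match.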


(David Creedy) #7

Hi Alex,

The workaround seems to make sense. I was wondering if you tried the VPN gateway bypass suggestion from the support ticket? Tunnel Mode, with no system PAC, but in the App Profile define the VPN Gateway Bypass to include ADFS. This will tell Z App to send the traffic direct, and shouldn’t require the System PAC configuration.


(Alex Fray) #8

Hi David,

Yes, I did try the VPN gateway bypass suggestion (tunnel mode, no system PAC, VPN gateway defined for ADFS) but this did not work unfortunately. I also had issues with tunnel mode (proxy chaining didn’t work, and bizarre HTTP to HTTPS issues which tunnel with local proxy mode resolved).