We are using ADFS/SAML to authenticate and provision users for Zscaler. We use a mix of Zscaler App for laptops and PAC file only for desktops. Everything is working fine, in that users can authenticate and use the Zscaler service. However, for new laptop users using Zapp, the first time they log in to their device it takes Zapp 3-5 minutes to authenticate against ADFS. It eventually logs the user in successfully, but I am concerned over the delay. If I log out of Zapp and log back in, authentication is instant, so it is only the first-time login. PAC file only users authenticate instantly, so there can't be anything wrong with ADFS; it is specific to Zapp.
To add to my confusion, when on the LAN the Zapp forwarding profile is set to tunnel with local proxy mode. If I change this to tunnel mode, the user is authenticated instantly. So there is something different between these Zapp forwarding modes which impacts SAML authentication. I have a PAC file exception for our ADFS URL, so I'm not sure what it could be. I can't change the forwarding mode to tunnel as it causes issues and breaks certain proxy chaining we are doing, so I need to resolve the issue.
I have opened a case but have had limited feedback on the Wireshark traces I provided.
Has anyone else experienced and resolved this issue?
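One thing worth checking when a PAC exception is supposed to bypass the IdP: evaluate the PAC offline against every URL the login redirect chain actually touches, not just the ADFS URL itself. The block below is an added example, not the original poster's PAC file or Zscaler's; the ADFS hostname, the local proxy address and the internal DNS suffix are placeholders, and the PAC helper functions (isPlainHostName, dnsDomainIs, shExpMatch) are re-implemented so the logic can run under Node.

```javascript
"use strict";

// Added example (not from the original post): a minimal PAC file with an ADFS
// bypass, plus a harness that evaluates FindProxyForURL offline so you can
// confirm which hosts in the login flow actually return DIRECT.
// All hostnames and proxy addresses below are placeholders (assumptions).

// --- PAC helper functions -------------------------------------------------
// A browser or the Zapp PAC engine normally supplies these; they are
// re-implemented here only so the PAC logic can be executed under Node.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.slice(host.length - domain.length) === domain;
}

function shExpMatch(str, shexp) {
  // Translate a shell glob (* and ?) into an anchored regular expression.
  const escaped = shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const re = "^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re, "i").test(str);
}

// --- The PAC file itself ---------------------------------------------------
const ADFS_HOST = "adfs.example.com";        // assumption: ADFS service host
const LOCAL_PROXY = "PROXY 127.0.0.1:9000";  // assumption: Zapp local proxy listener
const INTERNAL_DOMAIN = ".corp.example.com"; // assumption: internal DNS suffix

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Hosts that must not go through the proxy: plain internal names, the
  // internal DNS zone, and the ADFS service that answers the SAML request.
  if (isPlainHostName(host) ||
      dnsDomainIs(host, INTERNAL_DOMAIN) ||
      shExpMatch(host, ADFS_HOST)) {
    return "DIRECT";
  }
  // Everything else goes to the local proxy, falling back to direct.
  return LOCAL_PROXY + "; DIRECT";
}

// --- Offline check harness -------------------------------------------------
// Evaluate the PAC for every URL in a login redirect chain and return the
// hosts that would be sent through the proxy instead of DIRECT.
function proxiedHosts(urls) {
  const proxied = [];
  for (const u of urls) {
    const host = new URL(u).hostname;
    if (FindProxyForURL(u, host) !== "DIRECT") proxied.push(host);
  }
  return proxied;
}

// Constructed sample chain: the ADFS endpoints are bypassed, but a second
// federation host that is not in the exception list would still be proxied.
const SAMPLE_CHAIN = [
  "https://adfs.example.com/adfs/ls/?SAMLRequest=abc",
  "https://adfs.example.com/adfs/services/trust",
  "https://sts.partner.example.net/saml2",
  "http://intranet/",
];

console.log("Hosts still sent via proxy:", proxiedHosts(SAMPLE_CHAIN));
```

Run it with `node pac-check.js` (any file name works). The useful output is the list of hosts that are not bypassed: if any host in the real SAML redirect chain shows up there, the exception does not cover the whole login flow even though the ADFS URL itself returns DIRECT.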