ZPA Authentication through Client Connector

End users allow their ZPA session to time out and receive the message to re-authenticate prior to using services. Clicking the re-authenticate button ends up with a white screen as such:
[Screenshot: Screen Shot 2020-07-01 at 2.28.08 PM]

It never makes it to the IdP screen and requires an exit of the Client Connector and relaunch to authenticate into services. Has anyone experienced this issue?

I can’t say I’ve seen this before. I think there’s a need to look into the underlying Client Connector logs. Do you have a case open with our support team?

This would likely be because of one of the following:

  1. Client cannot reach the IDP
  2. Client cannot authenticate to the IDP
  3. Client cannot reach Zscaler SP

It’s less likely to be #3 because the client is triggering the reauthentication. Check if they can resolve samlsp.private.zscaler.com. You could also have the user perform the authentication check at https://samlsp.private.zscaler.com/auth/v2/login?domain=company.com&ssotype=test to see the flow in the browser.
Doing the authentication check in the browser would also pinpoint if it’s #1 or #2. You’d see the flow (use Web Developer Inspector in Safari/Chrome/IE/Firefox).
Since this is a reauthentication issue - check that the IDP is not falling into a “reauthentication” application segment. i.e. if you have a wildcard *.company.com application segment, and the idp is https://idp.company.com, then you’d need to ensure that the IDP is accessible DIRECT or has a “no re-authenticate” policy in ZPA.
Secondarily to this - if the IDP is accessible THROUGH ZPA, and the IDP is performing IWA, then the user would also need to get a Kerberos ticket in order to authenticate TO the IDP.

Check the IDP Application Segments in ZPA. Test by defining the IDP as an “always bypass” which should enable the re-authentication to occur against the external IDP. If this resolves the issue, look at the Application Segments relating to authentication against the internal IDP (i.e. Active Directory Domain Controllers for Kerberos ticketing).

2 Likes
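The application-segment check described in the reply above, as an added worked example (not code from the original thread or from Zscaler): given an IdP hostname and a list of application segments, it decides whether the re-authentication request would be steered through the ZPA tunnel (the loop the reply warns about, where the IdP is only reachable through the tunnel that is waiting on that same re-auth) or go direct. The segment fields, the bypass labels (`"never"` = steer through ZPA, `"always"` = go direct), the "most specific pattern wins" rule and the sample segments are all assumptions for illustration; the real matching rules and setting names live in your ZPA admin portal.

```python
"""
Added example: model the ZPA application-segment check from the reply above.

Illustration code, not Zscaler's own matching logic. Assumptions: segments
carry a name, a list of FQDNs/wildcard patterns and a bypass label
("never" = steer via ZPA, "always" = go direct); the most specific matching
pattern wins (an exact FQDN beats a wildcard). Sample segments are constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class AppSegment:
    name: str
    domains: Tuple[str, ...]   # exact FQDNs or wildcard patterns such as "*.company.com"
    bypass: str                # assumed labels: "never" (via ZPA) or "always" (direct)


def _specificity(pattern: str) -> int:
    """Exact names beat wildcards; longer patterns beat shorter ones (assumed rule)."""
    return (1000 if "*" not in pattern else 0) + len(pattern.replace("*", ""))


def best_match(host: str, segments: Iterable[AppSegment]) -> Optional[Tuple[AppSegment, str]]:
    """Return (segment, pattern) of the most specific segment matching host, or None."""
    host = host.lower().rstrip(".")
    best = None
    for seg in segments:
        for pat in seg.domains:
            if fnmatchcase(host, pat.lower()) and (
                best is None or _specificity(pat) > _specificity(best[1])
            ):
                best = (seg, pat)
    return best


def idp_path(host: str, segments: Iterable[AppSegment]) -> str:
    """'direct' if nothing matches or the winning segment bypasses ZPA, else 'zpa'."""
    match = best_match(host, segments)
    if match is None or match[0].bypass == "always":
        return "direct"
    return "zpa"


def reauth_diagnosis(idp_host: str, segments: Iterable[AppSegment]) -> str:
    """Explain whether re-authentication against idp_host can complete."""
    match = best_match(idp_host, segments)
    if match is None:
        return f"OK: {idp_host} matches no application segment; re-auth goes direct."
    seg, pat = match
    if seg.bypass == "always":
        return f"OK: {idp_host} matched '{seg.name}' ({pat}) with bypass=always; re-auth goes direct."
    return (
        f"LOOP RISK: {idp_host} matched '{seg.name}' ({pat}) with bypass={seg.bypass}; "
        "the IdP is only reachable through the tunnel that is waiting for this re-auth. "
        "Add a more specific segment for the IdP with bypass=always, or a no-re-authenticate policy."
    )


# Constructed sample: a wildcard segment that accidentally swallows the IdP.
SEGMENTS_BEFORE = (
    AppSegment("corp-wildcard", ("*.company.com",), "never"),
    AppSegment("domain-controllers", ("dc1.company.com", "dc2.company.com"), "never"),
)
# The fix from the thread: a more specific segment that sends the IdP direct.
SEGMENTS_AFTER = SEGMENTS_BEFORE + (
    AppSegment("idp-direct", ("idp.company.com",), "always"),
)
IDP_HOST = "idp.company.com"

if __name__ == "__main__":
    for label, segs in (("before", SEGMENTS_BEFORE), ("after", SEGMENTS_AFTER)):
        print(f"[{label}] {IDP_HOST} -> {idp_path(IDP_HOST, segs)}")
        print(f"[{label}] {reauth_diagnosis(IDP_HOST, segs)}")
    # The Zscaler SP is not under the corporate wildcard, so it goes direct either way.
    print("samlsp.private.zscaler.com ->", idp_path("samlsp.private.zscaler.com", SEGMENTS_BEFORE))
```

The "before" set reproduces the symptom in the thread: `idp.company.com` is caught by the `*.company.com` wildcard and routed through ZPA, so the re-auth page can never load. Adding an exact-FQDN segment for the IdP with bypass set to direct flips the result without touching the wildcard, which is the same shape of fix the reply suggests (an "always bypass" for the IdP). Domain controllers used for Kerberos stay on their own segment so the IWA case from the reply can still be reasoned about separately.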

The issue has been fixed. We recently switched our IdP from on-prem to cloud provider hosted, and since there was an app segment for the IdP to leverage ZPA “always”, it was blocking the auth request. Switched the app segment logic to “never” and the re-authenticate succeeds. I am going to look into the “no re-authenticate” policy.

Thanks for the help.