This would likely be because of one of the following:
- Client cannot reach the IDP
- Client cannot authenticate to the IDP
- Client cannot reach Zscaler SP
It’s less likely to be #3 because the client is triggering the reauthentication. Check if they can resolve samlsp.private.zscaler.com. You could also have the user perform the authentication check at https://samlsp.private.zscaler.com/auth/v2/login?domain=company.com&ssotype=test to see the flow in the browser.
Doing the authentication check in the browser would also pinpoint if it’s #1 or #2. You’d see the flow (use Web Developer Inspector in Safari/Chrome/IE/Firefox).
Since this is a reauthentication issue - check that the IDP is not falling into a “reauthentication” application segment. i.e. if you have a wildcard *.company.com application segment, and the IDP is https://idp.company.com, then you’d need to ensure that the IDP is accessible DIRECT or has a “no re-authenticate” policy in ZPA.
Secondarily to this - if the IDP is accessible THROUGH ZPA, and the IDP is performing IWA, then the user would also need to get a Kerberos ticket in order to authenticate TO the IDP.
Check the IDP Application Segments in ZPA. Test by defining the IDP as an “always bypass” which should enable the re-authentication to occur against the external IDP. If this resolves the issue, look at the Application Segments relating to authentication against the internal IDP (i.e. Active Directory Domain Controllers for Kerberos ticketing).
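A quick way to check the wildcard-segment problem described above before touching the ZPA console, as an added example that is not part of the original post and not Zscaler's own code: given a list of application segments, it reports whether an IdP hostname would be captured by a segment (and so sent through ZPA during re-authentication), bypassed, or left DIRECT. The segment model (longest matching pattern wins, `*.company.com` matches any subdomain depth) and all segment data are simplified assumptions, not ZPA's actual matching rules.

```python
from dataclasses import dataclass

@dataclass
class AppSegment:
    name: str
    domains: list          # e.g. ["*.company.com"] or ["idp.company.com"]
    bypass: bool = False   # True models an "always bypass" segment

def domain_matches(pattern: str, host: str) -> bool:
    """'*.company.com' matches any subdomain of company.com (assumption:
    any depth, but not the apex itself); anything else must match exactly."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".company.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host

def capturing_segment(segments, host):
    """Return (segment, pattern) for the most specific match, or None.
    Assumption: the longest matching pattern is the most specific one."""
    best = None
    for seg in segments:
        for pat in seg.domains:
            if domain_matches(pat, host) and (best is None or len(pat) > len(best[1])):
                best = (seg, pat)
    return best

def idp_path(segments, idp_host: str) -> str:
    """Classify how re-authentication traffic to the IdP would be steered."""
    hit = capturing_segment(segments, idp_host)
    if hit is None:
        return "DIRECT"                               # no segment: goes straight out
    seg, pat = hit
    if seg.bypass:
        return "BYPASS:" + seg.name                   # captured, but sent DIRECT
    return "THROUGH_ZPA:" + seg.name + ":" + pat      # the re-authentication trap

# Constructed sample: a wildcard segment swallows the IdP unless a bypass exists.
SEGMENTS = [
    AppSegment("internal-apps", ["*.company.com"]),
    AppSegment("kerberos-dcs", ["dc1.company.com", "dc2.company.com"]),
]

if __name__ == "__main__":
    print(idp_path(SEGMENTS, "idp.company.com"))
    fixed = SEGMENTS + [AppSegment("idp-bypass", ["idp.company.com"], bypass=True)]
    print(idp_path(fixed, "idp.company.com"))
```

If the first line prints `THROUGH_ZPA:...` for your IdP host, that is the case the post tells you to fix with a DIRECT/bypass segment or a “no re-authenticate” policy.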