Currently working on a pilot of ZPA and would love to get some feedback from the community.
First, what authentication timeout value are you using? The default is 7 days and there are pros and cons of leaving that or shortening it. Curious what other organizations are doing.
The second thing is more an issue that I’m wondering if anyone has run into. We use Azure AD for SSO and with the SAML App excluded from the MFA policy, re-authentication does not prompt for credentials, as it uses IWA. On macOS, the pilot users are prompted for creds for each re-auth attempt, which is what we want.
Zscaler’s suggestion to force this on Windows was to enforce MFA for the app or disable IWA (laughed at this suggestion!). I worked with the IAM team to add Zscaler to the MFA conditional access policy for VPN, which should trigger an MFA prompt every hour. However, once this was enabled and my ZPA access timed out, I started receiving a TLS error when the client tried to hit login.microsoftonline.com.
I validated that the traffic going out to the SAML URLs and Microsoft is bypassed from SSL inspection, so I'm not sure what else could be causing this problem. Again, it's only when the conditional access policy hits the ZPA SAML app. When it's removed from that, the error goes away post reboot. Any insight/assistance would be appreciated!!
We really need to ensure there is some level of authentication on ZPA, otherwise a compromised laptop will have access with the click of a button and no auth challenge.
Also, there are other posts for such issues. I think that Zscaler tries to use the old SAML token, and this could be why you get the error. But still also check the Microsoft logs, and clear the cookies and data from the web browsers to see if this resolves the issue:
We’ve tried bypassing login.microsoftonline.com previously for other reasons and it ended up breaking Microsoft Teams and Office suite authentication. It was a bit of a disaster. Our TAM said this was the result of some MS traffic being sent direct and the rest continuing to go to Zscaler, resulting in various Source IP addresses.
I’ll read through these other posts, thanks for sharing!
I ended up figuring this out accidentally. Turns out our ADFS proxy was being intercepted by ZPA due to the discovery app segment with our wildcarded domain! Worked with the IDM team to identify our SSO URLs, and once we bypassed those completely from ZPA, the re-auth with enforced MFA worked like a charm.
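The root cause in the post above is easy to check for before a pilot goes live: a wildcard discovery app segment swallows the IdP's own FQDN, so when the ZPA session expires the client tries to reach the IdP through the tunnel it is no longer authenticated to. The following is an added example, not code from the thread or from Zscaler. It is a simplified model of app-segment matching (assumption: an exact FQDN in a segment beats a wildcard, which is how most-specific matching is commonly described) using hypothetical domain names; feed it your real SSO hosts and segment list to see which IdP endpoints a catch-all segment would intercept.

```python
"""Simplified model of ZPA-style app segment matching (added example, not Zscaler code).

Assumption: the most specific matching domain wins (exact FQDN > wildcard,
longer wildcard > shorter wildcard). Domain names below are hypothetical.
"""
from dataclasses import dataclass
from typing import Optional, Tuple, List


@dataclass(frozen=True)
class AppSegment:
    name: str
    domains: Tuple[str, ...]   # exact FQDNs or wildcards like "*.corp.example"
    bypass: bool = False       # True: client sends traffic direct, outside the tunnel


def _match(pattern: str, fqdn: str) -> Optional[Tuple[int, int]]:
    """Return a specificity score if pattern matches fqdn, else None.

    Score is (kind, label_depth): exact matches (kind 2) outrank wildcards (kind 1);
    within a kind, a deeper pattern (more dots) outranks a shallower one.
    """
    pattern = pattern.lower().rstrip(".")
    fqdn = fqdn.lower().rstrip(".")
    if pattern == fqdn:
        return (2, pattern.count("."))
    if pattern.startswith("*."):
        suffix = pattern[1:]                     # "*.corp.example" -> ".corp.example"
        if fqdn.endswith(suffix) and fqdn != suffix[1:]:
            return (1, pattern.count("."))
    return None


def resolve(fqdn: str, segments: List[AppSegment]) -> Tuple[str, Optional[str]]:
    """Decide how the client would treat fqdn: ("intercept"|"bypass"|"direct", segment name)."""
    best = None
    for seg in segments:
        for pat in seg.domains:
            score = _match(pat, fqdn)
            if score is not None and (best is None or score > best[0]):
                best = (score, seg)
    if best is None:
        return ("direct", None)                  # no segment: never enters the tunnel
    seg = best[1]
    return ("bypass" if seg.bypass else "intercept", seg.name)


def intercepted_idp_hosts(idp_hosts: List[str], segments: List[AppSegment]) -> List[str]:
    """IdP hosts the client would pull into the ZPA tunnel, which breaks re-auth once the
    session has expired. An empty list is the state you want before enforcing MFA."""
    return [h for h in idp_hosts if resolve(h, segments)[0] == "intercept"]


# Constructed sample configuration (hypothetical names).
DISCOVERY = AppSegment("discovery-wildcard", ("*.corp.example",))
SSO_BYPASS = AppSegment("sso-bypass", ("adfs.corp.example", "sts.corp.example"), bypass=True)
IDP_HOSTS = ["adfs.corp.example", "sts.corp.example", "login.microsoftonline.com"]

BEFORE_FIX = [DISCOVERY]              # wildcard only: the ADFS proxy is caught by it
AFTER_FIX = [DISCOVERY, SSO_BYPASS]   # explicit bypass segment for the SSO URLs


if __name__ == "__main__":
    for label, segs in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, "intercepted IdP hosts:", intercepted_idp_hosts(IDP_HOSTS, segs))
        for host in IDP_HOSTS + ["intranet.corp.example"]:
            print("  ", host, "->", resolve(host, segs))
```

Note that `login.microsoftonline.com` is "direct" in both states because no segment claims it; the Microsoft-side TLS error in the original post was a symptom of the on-prem ADFS proxy being captured, not of the Microsoft endpoint itself. The same check is worth running against any catch-all `*` or `*.domain` segment, since those also capture internal SSO, PKI and OCSP hosts the client may need before it has a session.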