ZPA Authentication timers

Hello community,
What is the default behavior regarding ZPA Authentication? Timeout Policy defaults to 7 days. Does it mean that users will be prompted to authenticate every 7 days no matter what? Even if, for example, they turn off and back on their computers every day? Or every time users turn off/on computers ZCC has to re-authenticate again?
Also, what is the effect of having the Automatic ZPA reauthentication switch turned on?

Hi Xavier,
The reauthentication timer checks the timestamp of the SAML assertion that was sent to Zscaler and compares that with the re-authentication timer. If the user logged in 7 days ago, they will need to re-authenticate even if they turn their machine on and off. If they fully log out and log back in, they get a fresh SAML assertion and the 7-day timer restarts.
You can enable the Zscaler Client Connector to automatically attempt reauthentication for users with ZPA. Successful authentication allows users to continue accessing ZPA. If unsuccessful, users are prompted to reauthenticate with their credentials using the Zscaler Client Connector.
It essentially uses IWA or single sign-on to not require the user to manually re-authenticate if auto login is enabled. It acts as a convenience for the user.

Warm Regards,
Chris

Thank you Chris for the answer, it clarifies a lot for me.
Just one thing, if we are already using Azure/SAML SSO, and we have the Automatically Attempt ZPA Reauthentication option enabled in the client connector portal, will that be enough to have the ZPA Re-authentication fully working? Do we need to do something else?

Hi Xavier,
Please see page 140 of our Azure AD deployment guide for transparent SSO.

Actually, rather than have you download the entire file, I uploaded the one page you will need for the transparent SSO.
Azure AD SSO.pdf (70.6 KB)

Warm Regards,
Chris

Thank you again, Chris!!!
I really appreciate your time and help with this.