Zscaler APP Authentication


(Rajeev Srikant) #1

I was testing Zscaler App with ADFS authentication.
It works fine. But the issue I found is that even when the PC on which the Zscaler App is installed reboots, when the PC comes back up it is not prompted for authentication.
I would like to know if this is the normal behaviour. Once the PC reboots, the Zscaler App should re-authenticate.


(Scott Bullock) #2

This is normal behaviour; the login for Zscaler App will persist across reboots. Please note:

  • Login is tied to the user profile; logging in as another user will require separate auth
  • ZPA re-auth intervals are defined as part of the ZPA policy structure.

Cheers,

@skottieb


(Rajeev Srikant) #3

Thnx.
But I am not clear why the reboot does not disconnect the session & ask to re-authenticate.

Is there any workaround or solution to this?


(Jones Leung) #4

The authenticated result is written as a token and stored in the user profile, so re-authentication is not required.

Best Regards,

Jones Leung

SE Manager, Greater China

Zscaler


(Rajeev Srikant) #5

Thanks.
So does this mean the token expiry is dependent on the timeout value set in ADFS?
If on the ADFS side it is set to 5 hrs, then the token will expire & require re-authentication.
Let me know if my understanding is right.


(Scott Bullock) #6

Hi Rajeev,
There are two ways we look at authentication on Zscaler App:

ZPA

Zscaler Private Access has a re-auth interval set in policy; re-auth timers are super-granular and can be set on a per-application basis in a policy construct.

https://help.zscaler.com/zpa/about-reauthPolicy

ZIA

Zscaler Internet Access with Zscaler App is designed to have persistent authentication, i.e. it's a login-once solution so as to provide the optimal end-user experience. After a login, a unique registration identifier is set for the particular user profile on the machine; this remains persistent. Do you have a use case that differs from this approach? Any particular reason you'd like to re-auth the user to ZIA on reboot?

Cheers,

Scott-


(Rajeev Srikant) #7

Hi Scott

Thank you for your quick reply.
I am looking at ZIA.
I am looking at the scenario below:

User A uses ZIA & authenticates the 1st time.
User A resigns & leaves the company. But since the user still has the machine with him (BYOD), he will still be able to use the Zscaler App.
In this case, even when the user is no longer present or valid, he is still able to access Zscaler, which he is not supposed to access since he has left the organization.


(Scott Bullock) #8

Hi Rajeev,
We actually look at this through a different lens. With regard to access to private applications, you are totally correct: ZPA has the inbuilt tooling to achieve these outcomes.

With ZIA, you can achieve the outcome for this use case using a different method:

  1. If this is a company-owned asset, you would be able to track usage even after the departure of said employee; having Zscaler App be sticky makes much sense in this scenario.

  2. You can delete the user/device registration in the Zscaler App portal; you can do this at any time, including the moment an employee leaves the business. This would invalidate the Zscaler App login and force re-auth.

Cheers,

Scott-


(Rajeev Srikant) #9

Hi Skottieb

Thanks. Got it.
From your explanation my understanding is as below.
It is a BYOD PC; the user owns it. Once the user leaves the organization, we should manually delete the user/device from the Zscaler App portal.

I got this point.

What I was looking for is as below.
Whenever any user leaves our organization, we normally delete the user from our Active Directory.
So in this case, if the user is removed from AD and the Zscaler App tries to connect & looks for authentication, then it will fail.

So there is no need to do anything in the ZApp portal; we need to just follow the existing process we have now, deleting the user only from AD.