Zscaler App SSO with Azure AD


(Derek Mayberry) #1

https://help.zscaler.com/zia/saml-scim-configuration-example-microsoft-azure-active-directory

I’ve followed the steps on this page and I’ve configured SSO in the Azure portal as well as the Zscaler portal. It “works” in that if you enter an email address into the Zscaler app you can then click login and it will sign you in without a password.

However, when I used ADFS there was no need to even enter an email address. It would just have a login button and the whole thing was seamless.

What am I missing? Why wouldn’t it be completely seamless? I’ve added the Azure sign-in URL to the intranet zone on our PCs and enabled the “allow script to update address bar” feature that Microsoft recommends. I just want the same experience where a PC that is currently connected to the corporate network will not require an email or password to sign on.


(David Creedy) #2

Hi,

So that first username prompt is required so that Z App can find where your zscaler cloud and IDP configuration is set.

If you pre-install the app using the “userDomain” and “cloudname” parameters, you shouldn’t be prompted for the user name and it should just take you straight to the IDP for SSO.

https://help.zscaler.com/z-app/customizing-zscaler-app-install-options-exe


(Derek Mayberry) #3

Ok awesome, thank you! That is easy enough.


(Timothy Shaughnessy) #4

One other caveat requires that your Azure AD synchronizes with an AD FS instance. It sounds like that is the case.


(Derek Mayberry) #5

It does not, actually, that I am aware of. We had internal ADFS running on Windows Server, but we have moved to doing SSO without using ADFS, via Azure AD SSO.

So I’m not clear on what you are saying. I use Azure SSO with other apps and they can SSO, and this is all without any ADFS other than what is built into the free version of Azure AD. Basically the same setup steps as Zscaler -> Azure SSO on your site.


(Timothy Shaughnessy) #6

My experience was with SSO where Azure AD was synchronizing with a domain Active Directory. Users were consistently challenged with the Z-App registration challenge for first-time access. SSO was transparent after the Z-App challenge. We then federated AD and the initial challenge was suppressed. If you are not synchronizing into AD you might have success. This scenario was not tested.


(Derek Mayberry) #7

We do sync local AD up to Azure via the Azure AD Connect software. OK, so I should expect the same as you saw, then. It should be OK for the first-time registration as long as it is seamless after that. Thank you!