Zscaler App SSO


(Lior) #1

We are trying to achieve single-sign-on with ADFS authentication using Zscaler app.
Users accessing from external networks are prompted for credentials upon Z-App login; however, SSO works fine when the same users are accessing from an internal network.

I was able to get this to work with ADFS 2.0, however not in ADFS 3.0.
Has anyone come across a similar scenario and can advise?


(Nick Morgan) #2

Have you confirmed whether Zscaler App is added as a WIASupportedUserAgent?

The Zscaler App User agent is: Ztunnel

(Lior) #3

Hi Nick,
Yes, it is enabled. The question is whether ADFS 3 can do SSO without any prompts when the request comes from external networks…

As for the addition of the user agent, this is how it's added (not listed anywhere in the Zscaler KB):

Set-ADFSProperties -ExtendedProtectionTokenCheck None

Set-ADFSProperties -WIASupportedUserAgents @("MSIE 6.0", "MSIE 7.0", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0", "MSIE 11.0", "Trident/7.0", "MSIPC", "Windows Rights Management Client", "Mozilla/5.0", "Edge/12", "Edge/13", "Edge/14", "Ztunnel", "Safari/6.0", "Safari/7.0")
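
The command above replaces the whole WIASupportedUserAgents list, so anything not retyped is dropped; the following is an added example (not from this thread or from Zscaler) that appends "Ztunnel" to whatever the farm already has and leaves ExtendedProtectionTokenCheck at its current value, since relaxing that check is a separate decision. It assumes it is run in an elevated PowerShell session on the primary ADFS server with the ADFS module available.

```powershell
# Added example, not the thread's own command: append "Ztunnel" to the existing
# WIASupportedUserAgents list rather than overwriting it.
# Assumes: elevated session on the primary ADFS server, ADFS module installed.
Import-Module ADFS

$agent   = "Ztunnel"
$current = (Get-AdfsProperties).WIASupportedUserAgents

if ($current -contains $agent) {
    Write-Host "'$agent' is already a WIA supported user agent; nothing to change."
} else {
    # @() forces an array even if the current value is a single string
    $updated = @($current) + $agent
    Set-AdfsProperties -WIASupportedUserAgents $updated
    Write-Host "Added '$agent' to WIASupportedUserAgents."
}

# Show the resulting list so the change can be confirmed before testing with Z-App.
(Get-AdfsProperties).WIASupportedUserAgents
```

If the new entry is not honoured straight away, restart the AD FS service (Restart-Service adfssrv) on the server where the change was made.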

(Rajeshkumar Chemalli) #4

In my experience, I have never seen ADFS doing SSO while connecting from external.

ZAPP uses the IE user agent to connect to ADFS, hence it uses the IWA setting in IE.

If IE can do SSO with ADFS while the user is connected to an external network, ZAPP should also be able to.

(Nick Morgan) #5

OK, I agree with Rajeshkumar around 'transparent' ADFS SSO for external.

It is unlikely to be possible due to the fact that the user is unlikely to be able to pick up a Kerberos ticket from the corporate AD. Hence your ADFS will provide a web form instead, regardless of whether you are using a browser or ZApp. This TechNet thread also discusses this in more detail:

In the meantime I have requested that our documentation provide detail around adding 'ZTunnel' as a WIASupportedUserAgent within our ADFS KB article to ensure WIA/IWA is effective for users that are on the corporate

(Ramesh M) #6

Hi Team,
The same requirement came from one of our customers.
We are using SAML ADFS.
ZAPP users are receiving a form to fill in username and password, but on the browser SSO is happening. Please let me know if it is possible to achieve SSO on ZAPP as well.

It would be better if you could share some documentation.

Regards / Ramesh M

(Nick Morgan) #7

@ramesh I can confirm that SSO is possible with ZApp.

In addition to ensuring that 'ZTunnel' is added as a WIASupportedUserAgent in ADFS, you will need to be sure the user is already logged onto the domain on their machine and that they are on the corp network.

You also need to install Zapp with specific MSI parameters for cloud name and user domain to ensure the experience is as transparent as possible when enrolling into ZApp:

If all those steps are followed but still users are being prompted you may wish to open a support case for further investigation.

(Ramesh M) #8

Thanks for your kind explanation. I had missed the packaging. Will do the same and come back to you if there are any concerns.

Ramesh M

(Neil Wright) #9


I’m trying to do something similar as we have the exact same issue. However, we are using Azure AD instead of ADFS. Is there a way to make this seamless using Azure AD?

(Jones Leung) #10

Hi Neil,

The transparent auth process also supports Azure AD. You need to make sure that either your Azure login link is in your intranet zone, or you have added the Azure AD logon link to your IE trusted zone and enabled auto logon in the trusted zone. It also requires your Azure AD to have seamless SSO enabled, which may be disabled currently; this may require your current Azure solution provider to check.

Best Regards,

Jones Leung

SE Manager, North Asia

Zscaler, Inc

(Neil Wright) #11

Thanks Jones,

We don’t currently have seamless SSO enabled so we’ll look into that. Thanks!

(Jones Leung) #12

No problem, always happy to help :)

Best Regards,

Jones Leung

SE Manager, North Asia

Zscaler, Inc

(Neil Wright) #13

Hi Jones,

Just an update. We finally managed to sort this. We ended up upgrading ADConnect to the latest version, using password hash sync and enabling Hybrid Azure AD Join for Windows 10 and down-level devices. Enabled SSO and configured the GPOs necessary for the Azure Join. Set up firewall rules to allow access to the MS login etc etc.

Once machines started joining we then had to remove their previous status of 'Registered' from within Azure, as this messes with the Hybrid true SSO. Once we'd done this, via PowerShell, we deployed Zscaler using a scheduled task with command switches tagged onto the EXE.

Sounds complicated and, tbh, it was quite a lot of learning and hard work but it was worth it. We now have a far simpler setup and the majority of domain joined machines had ZScaler deployed to them and users silently enrolled and using it without them even knowing. (Over 700 in a week).

To anyone else looking into this - read the MS docs over and over about Hybrid Azure Join and don’t miss a step. For anyone using ADFS - if you can, get shot of it and use ADconnect with either password hash or pass-through authentication. Your environment will end up much simpler to administrate and ZScaler will deploy like a dream.

(Jones Leung) #14

Congrats Neil! Thanks for posting the update here as well!

Best Regards,

Jones Leung

SE Manager, Greater China
