Zscaler App SSO

zscalerapp
sso
adfs

(Lior) #1

Hello,
We are trying to achieve single-sign-on with ADFS authentication using Zscaler app.
Users accessing from external networks are prompted for credentials upon Z-App login; however, SSO works fine when the same users access from an internal network.

I was able to get this to work with ADFS 2.0, however not in ADFS 3.0.
Anyone come across a similar scenario and can advise?

Thx


(Nick Morgan) #2

Have you confirmed whether Zscaler App is added as a WIASupportedUserAgent?

The Zscaler App User agent is: Ztunnel


(Lior) #3

Hi Nick,
Yes, it is enabled. The question is whether ADFS 3 can do SSO without any prompts when the request comes from external networks…

As for the addition of the user-agent, this is how it’s added (not listed anywhere in Zscaler KB):
Set-ADFSProperties -ExtendedProtectionTokenCheck None

Set-ADFSProperties -WIASupportedUserAgents @("MSIE 6.0", "MSIE 7.0", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0", "MSIE 11.0", "Trident/7.0", "MSIPC", "Windows Rights Management Client", "Mozilla/5.0", "Edge/12", "Edge/13", "Edge/14", "Ztunnel", "Safari/6.0", "Safari/7.0")
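The commands above replace the whole WIASupportedUserAgents list and also disable the Extended Protection token check. As an added example (not code from the thread or from Zscaler's documentation), the following script applies the same change in a less destructive way: it appends "Ztunnel" to whatever list is already configured, verifies the result, and reports the current ExtendedProtectionTokenCheck value instead of setting it to None. It assumes the ADFS PowerShell module is available and that the session is elevated on the AD FS server.

```powershell
# Added example (not from the thread or Zscaler docs): add the Zscaler App
# user agent to the AD FS WIA list without dropping the entries already there.
# Assumes an elevated session on the AD FS server with the ADFS module present.
Import-Module ADFS

$agentToAdd = 'Ztunnel'   # user agent string reported by Zscaler App, per the thread

$props   = Get-AdfsProperties
$current = @($props.WIASupportedUserAgents)

if ($current -contains $agentToAdd) {
    Write-Output "'$agentToAdd' is already a WIA-supported user agent; nothing to do."
} else {
    # Append rather than replace: Set-AdfsProperties overwrites the entire list.
    $updated = $current + $agentToAdd
    Set-AdfsProperties -WIASupportedUserAgents $updated
    Write-Output "Added '$agentToAdd'. WIA user agents are now:"
    $updated | ForEach-Object { Write-Output "  $_" }
}

# Verification: re-read the property and confirm the entry really is present.
$check = (Get-AdfsProperties).WIASupportedUserAgents
if ($check -notcontains $agentToAdd) {
    throw "'$agentToAdd' not found in WIASupportedUserAgents after update"
}

# Channel binding: the post above sets ExtendedProtectionTokenCheck to None,
# which removes the Extended Protection check for every WIA client. Report the
# current value here; only lower it (Allow is the default) after confirming a
# specific TLS-terminating device in the path actually breaks WIA.
Write-Output ("ExtendedProtectionTokenCheck is currently: " + $props.ExtendedProtectionTokenCheck)
```

If the new entry is not honoured immediately, restart the AD FS service (adfssrv) on each federation server. Two points worth checking while you are in this list: a very broad entry such as "Mozilla/5.0" makes AD FS attempt WIA for nearly every browser, which can turn into NTLM credential prompts for non-domain-joined clients, and an ExtendedProtectionTokenCheck of None should be a documented, deliberate exception rather than a side effect of adding a user agent.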


(Rajeshkumar Chemalli) #4

In my experience, I have never seen ADFS doing SSO while connecting from external networks.

ZAPP uses the IE user agent to connect to ADFS, hence it uses the IWA settings of IE.

If IE can do SSO with ADFS while the user is connected to an external network, ZAPP should also be able to.


(Nick Morgan) #5

OK, I agree with Rajeshkumar around ‘transparent’ ADFS SSO for external users.

It is unlikely to be possible due to the fact that the user is unlikely to be able to pick up a Kerberos ticket from the corporate AD. Hence your ADFS will provide a web form instead, regardless of whether you are using a browser or ZApp. This TechNet thread also discusses this in more detail:
https://social.technet.microsoft.com/Forums/lync/en-US/7afd482f-b80f-4906-964c-c4049c1102de/using-windows-integrated-authentication-through-adfs-proxy?forum=ADFS

In the meantime I have requested that our documentation provide detail around adding ‘ZTunnel’ as a WIASupportedUserAgent within our ADFS KB article to ensure WIA/IWA is effective for users that are on the corporate network.


(Ramesh M) #6

Hi Team,
The same requirement came from one of our customers.
We are using SAML ADFS.
ZAPP users are receiving a form to fill in username and password, but in the browser SSO is happening. Please let me know if it is possible to achieve SSO on ZAPP as well.

It would be better if you could share some documentation.

Regards / Ramesh M


(Nick Morgan) #7

@ramesh I can confirm that SSO is possible with ZApp.

In addition to ensuring that ‘ZTunnel’ is added as a WIASupportedUserAgent in ADFS, you will need to be sure the user is already logged onto the domain on their machine and that they are on the corporate network.

You also need to install Zapp with specific MSI parameters for cloud name and user domain to ensure the experience is as transparent as possible when enrolling into ZApp:
https://help.zscaler.com/z-app/customizing-zscaler-app-install-options-msi

If all those steps are followed but users are still being prompted, you may wish to open a support case for further investigation.


(Ramesh M) #8

Thanks for your kind explanation. I missed the packaging. I will do the same and come back to you if there are any concerns.

Thanks
Regards
Ramesh M