Zscaler App SSO

Hi Neil,

Thanks for the advice it’s very much appreciated because up to now we’re on ping-pong discussion with support on how to make things work and somehow the most logical instruction came not from support but from you as we’ve the same setup.



Hi Montgomery,

Yes - I found the same too. I got the most helpful information here from @Jones_Leung and his comments about enabling seamless SSO. With the Azure Hybrid Join you get true seamless SSO and this, really, is what made the decision for us. But, honestly, ripping out ADFS and moving from a federated to managed domain was just the best thing we ever did! It was do complicated to manage and didn’t give us anything over what we would get from just AADConnect and password hash sync. We now only have the one AADConnect box to look after instead of the 5 boxed we had for ADFS.

Do note that with the Seamless SSO config, you’ll need to roll over the Kerberos decryption key at least every 30 days.

This is an annoyance, but much less hassle than looking after ADFS.

If you do go down this route, it’s really nice to be able to deploy the ZScaler client and watch it install, start and login without any intervention from the user at all.

Just make sure that you do read the MS Docs about Hybrid Azure Join very carefully so that you don’t miss anything.