I have the following question around SAML Auth with Org2Org integration.
We have configured Zscaler for SAML authentication via Okta, and this works well with SSO. Users on-prem are redirected to IWA and are authenticated transparently; no user/Zapp interaction is needed. We then moved further and tried extending this to Org2Org (Okta “federation”).
Org2Org integration works well: users are populated from Okta Tenant B into Okta Tenant A and from there are provisioned into Zscaler. There’s only one thing we don’t like, and I am not sure if Zscaler can help resolve it at all…
Users in Tenant B use a different domain (it is provisioned on the Zscaler cloud). To be able to redirect them to the Tenant B IdP in Okta, we had to configure an Authentication Rule that looks for @domain-B and, in that case, redirects to Okta in Tenant B.
IWA works well for Tenant A, as does the standard SAML flow.
IWA works well for Tenant B, as does the standard SAML flow.
The difference is that when Zscaler redirects a user who belongs to Okta Tenant B to Okta Tenant A (initial auth), a blank username prompt appears because the IWA rule is not hit in Okta Tenant A, so the user MUST enter the full UPN/email so that Okta Tenant A can detect that he belongs to Okta Tenant B. Once the user enters the username and presses Enter, he is redirected to Okta Tenant B, the IWA sequence in Okta Tenant B kicks in, and the user is seamlessly authenticated (no password prompt).
Is there anything at the Zscaler end (the App specifically) that can help populate the full username into the IdP username prompt and submit it transparently on the user’s behalf?
I’ve noticed there’s a feature:
Automatically populate Username field for IDP Authentication
But it is only available starting from App v2.1 (we are on 1.5), and I am not even sure if this is what I am looking for.