Zscaler is picking up different ID

Hello Techies,
My user is unable to access Microsoft applications because she uses Fname.Lname@xyz.com for logging in to MS Applications where as ZAPP is logged in for that user via Fname.Lname@abc.com domain. I tried to logout user from ZAPP forcefully from ID: Fname.Lname@abc.com as I had to try with another ID from which MS Apps could be logged in but after logging in again( after selection of cloud), ZAPP was not asking her to log in via the ID:Fname.Lname@xyz.com. Rather it turned ON automatically with old ID which is Fname.Lname@abc.com.
This is causing issue to login to her other applications like Teams,outlook. Need assistance in this please!

Hi Shreya,
Do you have Integrated Windows Authentication (IWA) configured? Using a mechanism like Integrated Windows Authentication (IWA), users can also skip the SSO login page and are automatically enrolled with Zscaler service and logged in.

We are using SAML with ADFS server only. No other IDPs are being used. ZAPP doesnt ask user to go for other login(for eg., Okta/onelogin ). It loggs in user with old id only though.And if I ask user to try with abc.com for MS Apps by adding another account as a workaround, she gets redirected to abc.com domain. Quite confusing! Can someone please suggest on this…

Shreya - this sounds like the Microsoft “Keep-Me-Signed-In” (KMSI) feature. I see this behavior a lot with Azure AD but not as frequently with ADFS. KMSI will provide a user with a 24-hour cookie, allowing for logins to persist across browser sessions for up to a day. The Zscaler Client Connector (Zapp) will pick up these session cookies and proceed to log the user in without asking for new credentials (SSO).

2 Likes

Hello people, thanks for your time on this topic.
In short, Zscaler is not allowing to logging in via xyz.com ID; outlook is not allowing to add/logged in via abc.com ID…I’ll check this with MS team if they can select ID of Zscaler instead.
Thanks for your help!

I agree with @rjohnson , If the “Remember me” box was checked, it will default to those credentials. Try to clear cache on the machine.

1 Like