Zscaler options for on-prem AD authentication


(Alex) #1

We have all our users migrated into Okta SSO. Zscaler integration with Okta works well. We just have an issue with authenticating service accounts (on AD) for non-cloud-aware applications.
Is there any option to authenticate AD service accounts (application accounts) to Zscaler? Okta seems to have an issue with service accounts (application accounts) typically used for application updates from the internet.


(Will Irace) #2

Welcome Alex! Glad you’re having a good experience with Okta. The challenge is that authentication tends to be an interactive affair, and service accounts aren’t so good at that. Have you considered using locations or sublocations? My angle here is that if your service accounts live on hosts that are in an IP range that’s distinct from your users, you could put those addresses into a sublocation and turn off authentication for those hosts. They’d still be protected and you’d still be able to attribute traffic to them, but it would be by way of their static IP addresses as opposed to their identities.

Could be other Zscaler folks have suggestions too. Does this help at all?


(Alex) #3

Unfortunately, this does not help. This is just a workaround to bypass 2FA for service accounts, which forces us to keep BlueCoat proxies just for service/application accounts.


(Patricia Gonzalez-Clark) #4

Have you looked at Zscaler Authentication bridge?
https://help.zscaler.com/zia/about-zscaler-authentication-bridge


(Alex) #5

I will check it out. Thank you for the suggestion!


(Alex) #6

Looks like ZAB is 10K per year, which is very expensive considering the commitment we made to Zscaler for the other licenses.


(Scott Bullock) #7

Hi Alex,
Have you considered Kerberos authentication? It is documented here:
https://help.zscaler.com/zia/about-kerberos-authentication

Another thought: are you using Zscaler DAS (Deployment Advisory Services)
and/or a Zscaler Certified Partner to assist you with your Zscaler setup?
They have deep experience with implementation questions such as this.

Many thanks,
Scott-