Zscaler Integration Guide
Published: Jan 12, 2015   -   Updated: Jun 22, 2018

Before You Begin
Running the Zscaler Application Wizard
Configuring Zscaler for SAML
End-User Experience
Administrator Experience

You can configure single sign-on (SAML 2.0) for Zscaler so your users have the ability to authenticate with Zscaler when browsing the web from your company network. 

Okta supports both SSO and user provisioning for Zscaler. SSO is achieved by setting up a SAML 2.0 exchange with Okta as the identity provider. Provisioning setup enables Okta to automatically provision Zscaler accounts based on provisioning policies that you define in Okta, which can be tied to Active Directory users and AD security groups. For Zscaler, automated provisioning is SAML-based.


Before You Begin

To configure SSO for Zscaler, you must first set up Active Directory integration and optionally Desktop SSO. See the following sections:

If you have configured sign-on or MFA policies based on on-network or off-network zones, please consult Zscaler's Advanced Settings guide to enable Internal IP Logging. This ensures that Okta can correctly evaluate whether a client is on or off the network.


Running the Zscaler Application Wizard

Zscaler provides a self-service administration interface for SAML configuration. Following are the instructions for configuring the SAML integration with Okta. As part of this setup, we also configure the necessary pieces for SAML-based account provisioning into Zscaler.

  1. Click on Applications > Add Application, enter Zscaler in the search field, and select it. This starts the application wizard.
  2. On the General tab, enter a label (this is what displays on your user's homepage) and your Zscaler subdomain. For example, if you log into https://admin.zscaler.net/, enter zscaler.net. Then click Next.
  3. On the User Display Name drop-down menu, select Push Okta First & Last name to enable Okta to include the user's first name and last name as part of the SAML assertion.

  4. On the Department Name drop-down menu, select Push AD Department to enable Okta to include the department of the user from Active Directory in the SAML assertion. Zscaler uses the department information for reporting purposes. 

  5. Configure the Group Name and Group Filter settings to enable Okta to include AD group information about the user in the SAML assertion. The list of groups that the user is a member of is included as part of the assertion. These groups are used in Zscaler to connect authorization policies to users. Select Push Okta Group Name from the Group Name drop-down menu and enter an expression in the Group Filter field to specify the set of groups that you want propagated to Zscaler.

    We recommend that you define your AD groups with names that can be filtered for Zscaler usage. This helps to prevent unnecessary groups from being pushed to Zscaler.

  6. Select the Application visibility check box to hide the Zscaler application icon on the user’s home page. Since users do not actually have a Zscaler app to access, we recommend that you check this box. Then click Next.

  7. Under Sign-On Options, select SAML 2.0. Click the SAML 2.0 setup instructions for Zscaler and follow the instructions by signing into the Zscaler administration user interface. After you finish, click Next.

  8. You can assign a test user now or come back to this page at a later time to add additional users. Click Next on the Assign Zscaler to your users page and then click Done. Alternatively, you can set up a group assignment to have Zscaler assigned to users via an AD group.
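As an added example (not code from Okta or Zscaler), the following Python models what steps 3 to 5 put into the assertion: it applies a Group Filter expression to a user's AD groups and builds the SAML attribute statement Zscaler would receive, so you can see the difference between a narrow filter and one that pushes every group. It assumes the filter is a regular expression matched against each group name; the attribute names and group names are constructed placeholders, not the values Okta actually emits.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: the AD groups one user belongs to, as Okta holds them.
USER_GROUPS = [
    "ZS-Web-Standard",
    "ZS-Web-Developers",
    "Domain Admins",
    "VPN-Users",
    "Finance-ReadOnly",
]


def filter_groups(groups, group_filter):
    """Return the groups whose name matches the Group Filter expression
    (assumed here to be a regular expression). An empty filter is treated
    as "push everything", the over-sharing case the guide warns about."""
    if not group_filter:
        return list(groups)
    pattern = re.compile(group_filter)
    return [g for g in groups if pattern.search(g)]


def build_attribute_statement(first, last, department, groups):
    """Build a SAML AttributeStatement carrying what steps 3 to 5 push:
    first and last name, AD department and the filtered group list.
    Attribute names are placeholders, not Okta's real ones for Zscaler."""
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    attributes = {"firstName": [first], "lastName": [last],
                  "department": [department], "memberOf": groups}
    for name, values in attributes.items():
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=name)
        for value in values:
            ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(stmt, encoding="unicode")


def attribute_values(xml, name):
    """Read back every value of one attribute, as a receiving SP would."""
    root = ET.fromstring(xml)
    return [v.text
            for a in root.findall(f"{{{SAML_NS}}}Attribute")
            if a.get("Name") == name
            for v in a.findall(f"{{{SAML_NS}}}AttributeValue")]
```

Run it with a filter such as `^ZS-` and then with an empty filter to compare the memberOf values that reach Zscaler.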


Configuring Zscaler for SAML

For SAML to work, Zscaler must allow the browser to reach your Okta org so it can authenticate users. When you set up proxy or PAC files, work with your Zscaler representative to ensure that Okta is reachable so it can provide authentication for Zscaler.

To test SAML for SSO, assign an existing Zscaler account to an Okta user. To trigger authentication, use a browser that has been configured to redirect web traffic to Zscaler (e.g., via a PAC file). Make sure you have cleared the cookies from any previous access through Zscaler. When you open a web site that requires authentication through Zscaler, the user is prompted to enter a Login Name.


After you enter the username, SAML redirection occurs. If the user is set up for Desktop SSO, authentication automatically occurs and the user is taken to the website after authentication. If this is a new user, go to the Zscaler administrator console to make sure that the new user was created and the correct set of groups was populated during provisioning. We recommend that you perform this test with an existing user first to make sure that SSO is working. Then perform the test again with a new user to make sure SAML-based provisioning is working. 


End-User Experience

The authentication with Zscaler occurs when a user tries to access the web where network access is protected by Zscaler. Depending on the settings in Zscaler, users might be prompted after they use a new browser or if they have cleared their cookies and removed an existing Zscaler token. Authentication policies might also force users to authenticate each time they start a new browser session.

The authentication flow occurs as follows:

  1. A user opens a browser to access a resource.
  2. The browser goes to Zscaler which detects that the user does not have a cookie.
  3. Zscaler, in an attempt to authenticate the user, prompts the user for a username.
  4. Zscaler redirects to Okta which acts as the SAML identity provider.
  5. Depending on the setup, users might then be prompted for their Okta usernames and passwords. If Desktop SSO is configured, users are automatically signed in with their desktop sign-in credentials.
  6. After completion, Zscaler determines whether the resource is allowed to be accessed. If the answer is yes, the browser takes the user to the resource. Otherwise, the user might receive an Internet access notification from Zscaler that access is blocked.


Administrator Experience

After you have integrated AD with delegated authentication, configured Desktop SSO, and set up Zscaler for SAML, you can introduce this integration as follows:

  1. Import from Active Directory to populate Okta with users and groups.
  2. If you want group-based provisioning, associate Zscaler with the appropriate AD security groups so you can assign the Zscaler application in Okta to the appropriate users. This is necessary to ensure that SAML authentication is enabled for the appropriate users.
  3. Authorization within Zscaler is also managed by AD groups. Zscaler allows web access policies to be tied to groups, and users are granted access via group memberships. The AD group used for app assignment in Okta is different from the groups sent to Zscaler in the SAML assertion, which are selected by the group filter in the Okta Zscaler app configuration. In Zscaler, the group names appear as the distinguished names (DNs) of the corresponding AD groups.
  4. After the AD security groups are arranged, new users imported from AD are evaluated based on their AD security group memberships to determine whether a Zscaler account is required. In addition, when a SAML assertion is sent to Zscaler, the corresponding set of AD group names is included in the assertion. Zscaler automatically provisions users who did not previously exist in Zscaler.
  5. To fully automate this process, select Auto-Confirmation and Auto-Activation on the Active Directory setup page.