Zscaler Migration Guide
Integrations
Okta Classic Engine
Okta Identity Engine

Overview

With the recent release in the Okta Integration Network (OIN) of the new Zscaler 2.0 app integration (built and maintained by Zscaler), which supports SSO and SCIM provisioning, Okta is officially ending support for the Okta-built Zscaler app integration on 11/30/2019.

The new Zscaler 2.0 app integration is a one-stop shop to enable SSO and manage users in the Zscaler environment. It provides enhanced provisioning functionality and a better user experience when setting up SAML. The new app integration will receive future enhancements and will be maintained by Zscaler. Customers are encouraged to upgrade at their earliest opportunity.

 

Who will be impacted, and what is the impact?

Any org that uses the Okta-built Zscaler app integration and currently has an active instance is impacted (the label of the app may have been changed when it was added to the org). NOTE: The Zscaler Private Access and Zscaler Admin Login applications are not affected by this migration. No action is required for these apps.

After 11/30/2019 (EOL date), the Okta-built Zscaler app integration will no longer be supported by Okta. Instances of this app integration in the Okta environment will continue to function after the EOL date since we are not disabling them as part of the deprecation; however, Okta will no longer make any fixes or updates to these app instances after the EOL date.

 

Next Steps

  • Budget at least 1-2 weeks for the migration, including planning, testing, and rollout
  • Review the migration steps below to understand the available SSO and SCIM functionalities
  • Set up and test the new Zscaler 2.0 integration available in the OIN
  • Migrate all users to the new Zscaler 2.0 integration before the EOL date
  • For questions on the EOL of the Okta-built Zscaler app integration, contact Okta Support
  • For questions about Zscaler's products, the new Zscaler 2.0 integration, or migration, contact Zscaler support

 

Feature Comparison

 
| Feature | Zscaler | Zscaler 2.0 |
|---|---|---|
| SWA | Yes | Yes |
| OMM | Yes | Yes |
| SAML | Yes | Yes |
| Push User Deactivation | Yes | Yes |
| Reactivate Users | Yes | Yes |
| Push Profile Updates | No | Yes |
| Push New Users | No | Yes |
| Push Groups | No | Yes |
| Import New Users | No | No |
| Import Profile Updates | No | No |
| Push Password Updates | No | No |

 

Migration Steps

A brand new Zscaler application called Zscaler 2.0 has been added to the Okta Integration Network to provide a better overall experience to Okta customers. This new application supports more Lifecycle Management features and takes advantage of the updated Okta UI for SAML setup. Here is a summary of the changes:

  • The following custom fields used for SAML have been removed under the General tab as they are now sent via the SAML assertion (see the Zscaler 2.0 SAML configuration guide for more information):

    • User Display Name
    • Department Name
    • Group Name
    • Group Filter fields
  • Zscaler 2.0 now supports the following features (the Okta-built Zscaler application only supported user deactivation):

    • Create users
    • Update user attributes
    • Deactivate users
    • Group push

To take advantage of these updates, add a new instance of Zscaler 2.0 in the Okta org. If there is an old Zscaler application previously added, follow the steps below to migrate from the Okta-built application to the new Zscaler 2.0 application:

  1. Log in to the Okta org as an Admin.

  2. Open the Admin Dashboard.

  3. In the Shortcuts pane on the right side of the screen, click Add Applications.

  4. Add a new instance of Zscaler 2.0.

  5. Configure the application with the features required (SWA, SAML, OMM, Provisioning):

    1. SWA - under the Sign On tab, select Secure Web Authentication as the sign-on method, select the desired option for saving user credentials, and then click Save.

    2. OMM - under the Mobile tab, enable all desired mobile applications that end users will be able to access and download in the Okta Mobile App Store.

    3. SAML - under the Sign On tab, select SAML as the sign-on method. Click View Setup Instructions and follow all the steps to configure SAML for the new Zscaler 2.0 app.

    4. SCIM - Follow the steps outlined in the Zscaler 2.0 SCIM Configuration Guide.

  6. Go to the Assignments tab of the new Zscaler 2.0 application. Click Assign and assign the same users/groups that are assigned to the old Zscaler application. Make sure to assign all the users to the new Zscaler 2.0 instance to avoid any accidental de-provisioning or loss of access for the users.

  7. Open the Admin dashboard.

  8. Open the old Zscaler application. This is the previous Zscaler application that was used before adding a new one in Step 4.

  9. Optional: If Provisioning was previously used for the Zscaler app, complete these steps:

    1. Go to the Provisioning tab.

    2. In the Settings section, click API Integration.

    3. Click Edit, uncheck Enable API Integration, then click Save.

  10. Deactivate or delete the old Zscaler application and continue using the new Zscaler 2.0 application. Follow the steps below:

    1. Deactivate the old Zscaler app - click the Active status drop-down menu under the Zscaler app label, then click Deactivate.

    2. Delete the old Zscaler app - follow Step 1 above. After the app has been deactivated, click the Inactive status drop-down, which offers the options to Activate or Delete the app. Choose Delete, then click Delete Application.
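
One way to verify step 6 before carrying out step 10, as an added example (not Okta's or Zscaler's code): it compares the assignments of the old and new app instances and reports anyone who would lose access once the old instance is deactivated. The records are constructed samples shaped like the Okta Apps API's application user and group assignment lists (`GET /api/v1/apps/{appId}/users` and `/groups`); the function name and report keys are hypothetical.

```python
import json

# Constructed sample exports (not real data), shaped like the application
# user and group assignment lists returned by the Okta Apps API.
OLD_APP_USERS = json.loads("""[
  {"id": "00u1", "scope": "USER",  "credentials": {"userName": "alice@example.com"}},
  {"id": "00u2", "scope": "GROUP", "credentials": {"userName": "bob@example.com"}},
  {"id": "00u3", "scope": "GROUP", "credentials": {"userName": "carol@example.com"}}
]""")
NEW_APP_USERS = json.loads("""[
  {"id": "00u1", "scope": "USER",  "credentials": {"userName": "alice@example.com"}},
  {"id": "00u2", "scope": "GROUP", "credentials": {"userName": "bob@example.com"}}
]""")
OLD_APP_GROUPS = [{"id": "00g1"}, {"id": "00g2"}]
NEW_APP_GROUPS = [{"id": "00g1"}]


def assignment_gaps(old_users, new_users, old_groups, new_groups):
    """Report users and groups assigned to the old app but not to the new one.

    Hypothetical helper: the old instance should only be deactivated when
    both lists are empty, otherwise those users lose access to Zscaler.
    """
    new_user_ids = {u["id"] for u in new_users}
    new_group_ids = {g["id"] for g in new_groups}

    missing_users = []
    for u in old_users:
        if u["id"] in new_user_ids:
            continue
        # credentials may be absent or null; fall back to the Okta user id.
        name = (u.get("credentials") or {}).get("userName") or u["id"]
        # scope shows whether to fix this with a user or a group assignment.
        missing_users.append((name, u.get("scope")))
    missing_users.sort(key=lambda entry: entry[0])

    missing_groups = sorted(g["id"] for g in old_groups
                            if g["id"] not in new_group_ids)
    return {
        "missing_users": missing_users,
        "missing_groups": missing_groups,
        "safe_to_deactivate": not missing_users and not missing_groups,
    }


if __name__ == "__main__":
    report = assignment_gaps(OLD_APP_USERS, NEW_APP_USERS,
                             OLD_APP_GROUPS, NEW_APP_GROUPS)
    print(json.dumps(report, indent=2))
```
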

 

Things to Remember

  • If using SAML as the sign-on mode for the old Zscaler application, set up SAML on the new Zscaler 2.0 application in Okta (recommended) or maintain the old Zscaler application to ensure that the SAML functionality continues to work. The custom SAML fields in the old Zscaler application have been removed and are now integrated with Okta's UI. Here is a summary that shows what the old custom fields are equivalent to in the new application:

    • User Display Name, Department Name

      These attributes are automatically sent via the assertion. Support for these attributes can be turned off in the Zscaler UI. See the Zscaler 2.0 SAML configuration guide for more information.

    • Group Name, Group Filter fields

      These can now be configured under the Sign On tab of the new Zscaler 2.0 application. Groups will automatically be sent if criteria are added for the memberOf field under the SAML settings.

  • If Active Directory is integrated with the old Zscaler app instance for SAML auto-provisioning with the following settings:
    a. User Display Name (optional) - Do not push
    b. Department Name (optional) - Do not push
    c. Group Name (optional) - Do not push
    then these attributes can be overwritten during user assignment in the new Zscaler 2.0 app, because the display name and department name values are automatically sent via the SAML assertion. If the information does not need to be consumed by Zscaler, turn off this setting from the Zscaler UI. See the SAML configuration guide for details.

  • If using the SWA sign-on mode for the old Zscaler application, the credentials for all users who will be assigned to the new Zscaler 2.0 application need to be re-entered. If users need to retrieve their passwords, they can do so by following the steps below:

    • On their Okta homepage, hover over the old Zscaler tile and click on the gear icon.

    • On the See Password tab, click Reveal Password. Users are prompted to re-authenticate to see the credentials.

  • Before deactivating/deleting the old Zscaler app instance, make sure that all users who need to retrieve their passwords have done so to avoid resetting their passwords via Zscaler.

  • If the Zscaler OMM application is activated in the old Zscaler application, re-activate it after adding the new Zscaler 2.0 application.
