Introduction

Zscaler Overview

Zscaler (Nasdaq: ZS), enables the world’s leading organizations to securely transform their networks and applications for a mobile and cloud-first world. Its flagship Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) services create fast, secure connections between users and applications, regardless of device, location, or network. Zscaler delivers its services 100% in the cloud and offers the simplicity, enhanced security, and improved user experience that traditional appliances or hybrid solutions can’t match. Used in more than 185 countries, Zscaler operates a massive, global cloud security platform that protects thousands of enterprises and government agencies from cyberattacks and data loss. For more information on Zscaler, visit www.zscaler.com or follow Zscaler on Twitter @zscaler. 

 

About This Guide

This guide provides information on how to:

• Set up Beyond Identity as a passwordless authentication solution for your Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) services.
• Set up Beyond Identity to enforce corporate Zero Trust policies by using Zscaler Mobile Portal APIs.

Notes

• For passwordless authentication, the customer may decide to integrate Zscaler with Beyond Identity, either directly or via their existing SSO. This document describes the direct integration between Zscaler and Beyond Identity. For integration via SSO, please contact Beyond Identity.
• Zscaler’s direct integration with Beyond Identity is applicable to Zscaler Client Connector for ZIA and ZPA, and ZPA Admin Console. It’s not applicable to ZIA Admin Console because ZIA Admin Console does not support SP-initiated SAML flow and Beyond Identity does not support IdP-initiated SAML flow.
• Both ZIA and ZPA Provisioning is supported with SCIM supported directory or SSO while supporting Authentication directly with Beyond Identity as the IdP.

Prerequisites

Ensure that you have the following:

1. A Zscaler account with “Super” admin privileges to configure SAML IdP.
2. Zscaler Mobile APIs enabled for your tenant (mobileadmin.<Zscaler cloud>.net). Look for Administration tab and “Public API” on the left side menu.

ZPA Admin Authentication Configuration

To configure Beyond Identity as the IdP for ZPA Admin Login, follow the steps below. Once these steps are taken, you will be ready to enable Beyond Identity for Admin Login to ZPA Console.

1. Sign into the ZPA Admin Console as Administrator.
2. In the side menu select “Administration” -> “IdP Configuration”.

 

3. On the IdP configuration tab select the Add IdP Configuration blue plus sign. 
4. In the IdP Information tab provide following Information.
   1. Name: Beyond Identity Admin SSO
   2. Single Sign-on: Select “Admin”.
   3. Pick the correct certificate for the Admin SP Certificate Rotation
   4. Domains: Select the appropriate domain from the pull-down menu.
   5. Click Next.
5. On the SP Metadata Tab download Service Provider Metadata to be used in the following steps and Click on Next.

6. Once logged into Beyond Identity Admin Console UI, click on “Integrations” tab and then click on SAML tab and then click on “SAML Connections”. Click on “Add SAML Connection” and update the fields as following:

1. Upload “SP Metadata” xml file downloaded in the previous step.
2. Name: “Zscaler Private Access Admin SSO”
3. Click on “Save Changes”.

 

2. Note down the following fields from the recently created SAML Connection. This will be required in the next step.
   1. IdP Id (Beyond Identity Connection ID)
   2. IdP Single Sign-On URL: https://auth.byndid.com/saml/v0/<BI-Connection-ID>/sso
   3. IdP Issuer: https://auth.byndid.com/saml/v0/<BI-Connection-ID>/sso/metadata.xml
   4. Download IdP Signature Certificate

 

3. Switching back to Zscaler Private Access Admin Console, on the IdP Configuration tab configure following fields.
   1. IdP Certificate (Downloaded in previous step)
   2. Single Sign-On URL: https://auth.byndid.com/saml/v0/<BI-Connection-ID>/sso (Recorded in the previous step)
   3. IdP Entity ID: https://auth.byndid.com/saml/v0/<BI-Connection-ID>/sso/metadata.xml (Recorded in the previous step)
   4. Status: Enabled
   5. HTTP-Redirect: Enabled
   6. ZPA (SAML) Request: Signed
   7. Click on Save.

ZPA USER Authentication Configuration

To configure Beyond Identity as the IdP for ZPA User Login, follow the steps below. Once these steps are taken, you will be ready to enable Beyond Identity for User Login to ZPA Client Connector.

1. Sign into the ZPA Admin Console as Administrator.
2. In the side menu select “Administration” -> “IdP Configuration”.

 

3. On the IdP configuration tab select the Add IdP Configuration blue plus sign. 
4. In the IdP Information tab provide following Information.
   1. Name: Beyond Identity User SSO
   2. Single Sign-on: Select “User”.
   3. Pick the correct certificate for the User SP Certificate Rotation
   4. Domains: Select the appropriate domain from the pull-down menu.
   5. Click Next.
5. On the SP Metadata Tab download Service Provider Metadata to be used in the following steps and Click on Next.

6. Once logged into Beyond Identity Admin Console UI, click on “Integrations” tab and then click on SAML tab and then click on “SAML Connections”. Click on “Add SAML Connection” and update the fields as following:

2. Upload “SP Metadata” xml file downloaded in the previous step.
3. Name: “Zscaler Private Access User SSO”
4. Click on “Save Changes”.

 

7. Note down the following fields from the recently created SAML Connection. This will be required in the next step.
   1. IdP Id (Beyond Identity Connection ID)
   2. IdP Single Sign-On URL: https://auth.byndid.com/saml/v0/<BI-Connection-ID>/sso
   3. IdP Issuer: https://auth.byndid.com/saml/v0/<BI-Connection-ID>/sso/metadata.xml
   4. Download IdP Signature Certificate

 

8. Switching back to Zscaler Private Access Admin Console, on the IdP Configuration tab configure following fields.
   1. IdP Certificate (Downloaded in previous step)
   2. Single Sign-On URL: https://auth.byndid.com/saml/v0/<BI-Connection-ID>/sso (Recorded in the previous step)
   3. IdP Entity ID: https://auth.byndid.com/saml/v0/<BI-Connection-ID>/sso/metadata.xml (Recorded in the previous step)
   4. Status: Enabled
   5. HTTP-Redirect: Enabled
   6. ZPA (SAML) Request: Signed
   7. SCIM Sync: Disabled
   8. SCIM Attributes for Policy: Disabled
   9. Click on Save.

ZIA USER Authentication Configuration

To configure Beyond Identity as the IdP for ZIA User Login, follow the steps below. Once these steps are taken, you will be ready to enable Beyond Identity for User Login to ZIA Client Connector.

1. Sign into the ZIA Admin Console as Administrator.
2. In the side menu select “Administration” -> “Authentication Settings”.

3. Select the Identity Providers tab.

 

 

4. Select the “Add IdP” button.
   1. Download SP Metadata file and save it to use in the next step.
5. Logon to Beyond Identity Admin Console UI, and click on “Integrations” tab and then click on SAML tab and then click on “SAML Connections”. Click on “Add SAML Connection” and update the fields as following:

5. Upload “SP Metadata” xml file downloaded in the previous step.
6. Name: “Zscaler Internet Access User SSO”
7. Click on “Save Changes”.

 

 

6. Note down the following fields from the recently created SAML Connection. This will be required in the next step.
   1. IdP Id (Beyond Identity Connection ID)
   2. IdP Single Sign-On URL: https://auth.byndid.com/saml/v0/<BI-Connection-ID>/sso
   3. IdP Issuer: https://auth.byndid.com/saml/v0/<BI-Connection-ID>/sso/metadata.xml
   4. Download IdP Signature Certificate

 

7. Switching back to Zscaler Internet Access Admin Console, on the IdP Configuration tab configure following fields.
   1. IdP SAML Certificate: Upload (Downloaded in previous step)
   2. SAML Portal URL: https://auth.byndid.com/saml/v0/<BI-Connection-ID>/sso (Recorded in the previous step)
   3. Status: Enabled
   4. Login Name Attribute: NameID
   5. Vendor: Others
   6. Sign SAML Request: Disable
   7. HTTP-Redirect: Enabled
   8. Enable SAML Auto Provisioning: Disable
   9. Enable SCIM Provisioning: Disable
   10. Click on Save.

 

 

8. To Enable the SAML configuration on Authentication Settings page: 
   1. Select the Authentication Profile tab.
   2. Select SAML as the Authentication type.
   3. Save and Active the configuration.

 

 

Mobile Portal Configuration To Enable API Access

This section describes changes required on Zscaler Mobile Portal to enable API access.

1. Sign into the Zscaler Client Connector (Mobile) portal from ZIA (Policy -> ZCC Portal) or ZPA Admin Console (Client Connector from Left Menu bar).
2. On ZCC portal click on Administration and look for Public API in the left menu bar.

 

 

3. Click on Public API and add new API key by clicking on “Add API Key” with following parameters.
   1. Name: Beyond Identity.
   2. Status: Enabled
   3. Role: Write
   4. Session Validity Interval in seconds: 31540000 (Approx. 1 year)
   5. Click on Save.

 

 

4. Note down following fields to be used in the next section.
   1. Client Secret
   2. Client ID 

BEYOND IDENTITY CONSOLE CONFIGURATION FOR ZSCALER API ACCESS

Beyond Identity supports continuous authentication and monitors device security posture even when the user is not actively trying to authenticate. Beyond Identity uses Zscaler Mobile APIs to force re-authentication of the Zscaler Client Connector in case the device security posture does not meet enterprise policies.

 

In this section, you’ll create a test group with a single user to test the Deny rule before configuring the policy to target all users.

 

Note: Before you start, you'll need the Client ID, Client Secret, and Zscaler Mobile Portal URL, which you should have copied from the previous section.

 

1. You will need Client ID, Client Secret and Zscaler Mobile Portal URL before proceeding with the next steps of configuring Beyond Identity Integration with Zscaler Cloud.

1. Sign in to the Login to Beyond Identity Admin Console and select navigate to Integrations > Endpoint Management > Zscaler > Edit Configuration.
2. Enter the Zscaler Mobile Portal URL (Host Url), Client ID, and Client Secret from the previous step. Then click Save Changes.

3. In the Admin Console, go to Groups > Add Group to create a test group with a single user added. You’ll use this group to test the new rule you’ll create in the next step.
4. Go to Policy > Edit Policy > Add Rule.
   1. Create a Deny rule to deny authentication and invoke Zscaler Force Remove Device API. 
   2. Add a custom notification saying Zscaler Client Connector will be logged out soon!!!
   3. Click Add.and create Add a new rule in the policy to force remove an authenticated device.

During the test phase:

Create a test group.

Add a single user to the test group.

Create a Deny Rule to deny authentication and invoke Zscaler Force Remove Device API.

Add a custom notification “Zscaler Client Connector will be logged out soon!!!”.

 

Add the Rule.

Change the rule order as needed.

Login to Zscaler Client Connector using the test user.

Publish the Policy.

Authenticate to any application using Beyond Identity – make sure the authentication meets the criteria to trigger the Deny rule.

This should display the custom notification and the Zscaler Client Connector should be logged out in about 3 minutes.

5. Change the rule order as needed and click Publish changes. 
6. Log into Zscaler Client Connector using the test user.
7. Authenticate to any application using Beyond Identity ensuring the authentication meets the criteria to trigger the Deny rule.

The custom notification should appear and the Zscaler Client Connector should log out within a 3-minute timeframe. 

8. If the test was successful, Now configure the policy to target all the users.