This guide provides information on how to:
- Set up Beyond Identity as a passwordless authentication solution for your Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) services.
- Set up Beyond Identity to enforce corporate Zero Trust policies by using Zscaler Mobile Portal APIs.
Important
- For passwordless authentication, you may integrate Zscaler with Beyond Identity, either directly or via their existing SSO. This document describes the direct integration between Zscaler and Beyond Identity. For integration via SSO, please contact Beyond Identity.
- Zscaler’s direct integration with Beyond Identity is applicable to Zscaler Client Connector for ZIA and ZPA, and ZPA Admin Console. It’s not applicable to ZIA Admin Console because ZIA Admin Console does not support SP-initiated SAML flow and Beyond Identity does not support IdP-initiated SAML flow.
- Provisioning for both ZIA and ZPA is supported through a SCIM-capable directory or SSO, while authentication is handled directly with Beyond Identity as the IdP.
Contents
- How this integration works
- Prerequisites
- ZPA Admin Authentication Configuration
- ZPA USER Authentication Configuration
- ZIA USER Authentication Configuration
- Mobile Portal Configuration To Enable API Access
- Beyond Identity Console Configuration for Zscaler API Access
- Test the Integration
- Frequently Asked Questions
How this integration works
Prerequisites
License Requirements
This integration provides support for Zscaler under the following plan versions:
- Zscaler Business
- Zscaler Transformation
- Zscaler Unlimited
Authentication Requirements
The Zscaler integration uses the OAuth 2.0 Client Credentials Grant Type, and therefore uses a Client ID and Client Secret for authentication.
Role/Access Requirements
Zscaler Role/Access
- A Zscaler account with “Super” admin privileges to configure SAML IdP.
- Zscaler Mobile APIs enabled for your tenant (mobileadmin.<Zscaler cloud>.net). Look for the Administration tab and “Public API” on the left side menu.
Beyond Identity Role/Access
- Log in as a user with a minimum role of ‘Integrations Administrators’ for adding and configuring integrations and ‘Policy Administrators’ for configuring policy.
OS support on Beyond Identity
- Zscaler supports Windows, macOS, iOS, and Android.
ZPA Admin Authentication Configuration
To configure Beyond Identity as the IdP for ZPA Admin Login, follow the steps below. Once these steps are complete, you will be ready to enable Beyond Identity for Admin Login to ZPA Console.
- Sign in to the ZPA Admin Console as an Administrator.
- Navigate to Administration > IdP Configuration.
- On the IdP configuration tab, select the Add IdP Configuration blue plus sign.
- In the IdP Information tab, provide the following and click Next.
- Name: Type "Beyond Identity Admin SSO".
- Single Sign-on: Select “Admin”.
- Admin SP Certificate Rotation: Select the correct certificate.
- Domains: Select the appropriate domain from the drop-down menu.
- On the SP Metadata tab, download the Service Provider Metadata to use in the following steps and click Next.
- Configure Beyond Identity as the IdP.
- Log into the Beyond Identity Admin console.
- Navigate to Integrations > SAML tab.
- Click Add SAML Connection and update the fields as follows:
- Click Upload XML and select the “SP Metadata” xml file downloaded in the previous step.
- Enter “Zscaler Private Access Admin SSO” for the Name.
- Click Save Changes.
- When you return to the SAML Connections list, copy the following fields from the newly created SAML Connection. They will be used in the next step.
- IdP Id (Beyond Identity Connection ID)
- IdP Single Sign-On URL: https://auth.byndid.com/saml/v0/<BI-Connection-ID>/sso
- IdP Issuer: https://auth.byndid.com/saml/v0/<BI-Connection-ID>/sso/metadata.xml
- Download the IdP Signature Certificate.
- In the Zscaler Private Access Admin Console, on the IdP Configuration tab, configure the following and click Save.
- IdP Certificate (Downloaded in previous step)
- Single Sign-On URL: https://auth.byndid.com/saml/v0/<BI-Connection-ID>/sso (Recorded in the previous step)
- IdP Entity ID: https://auth.byndid.com/saml/v0/<BI-Connection-ID>/sso/metadata.xml (Recorded in the previous step)
- Status: Enabled
- HTTP-Redirect: Enabled
- ZPA (SAML) Request: Signed
ZPA USER Authentication Configuration
To configure Beyond Identity as the IdP for ZPA User Login, follow the steps below. Once these steps are complete, you will be ready to enable Beyond Identity for User Login to ZPA Client Connector.
- Sign into the ZPA Admin Console as an Administrator.
- Navigate to Administration > IdP Configuration.
- On the IdP configuration tab select the Add IdP Configuration blue plus sign.
- In the IdP Information tab, provide the following information and click Next.
- Name: Beyond Identity User SSO
- Single Sign-on: Select “User”.
- User SP Certificate Rotation: Select the correct certificate.
- Domains: Select the appropriate domain from the drop-down menu.
- On the SP Metadata tab, download the Service Provider Metadata to use in the following steps and click Next.
- Configure Beyond Identity as the IdP for ZPA User Login:
- Log into the Beyond Identity Admin console.
- Navigate to Integrations > SAML tab.
- Click Add SAML Connection and update the fields as follows:
- Upload the “SP Metadata” xml file downloaded in the previous step.
- Enter “Zscaler Private Access User SSO” as the Name.
- Click Save Changes.
- Note the following fields from the SAML Connection. They will be required in the next step.
- IdP Id (Beyond Identity Connection ID)
- IdP Single Sign-On URL: https://auth.byndid.com/saml/v0/<BI-Connection-ID>/sso
- IdP Issuer: https://auth.byndid.com/saml/v0/<BI-Connection-ID>/sso/metadata.xml
- Download the IdP Signature Certificate.
- In the Zscaler Private Access Admin Console, on the IdP Configuration tab, configure the following.
- IdP Certificate (Downloaded in previous step)
- Single Sign-On URL: https://auth.byndid.com/saml/v0/<BI-Connection-ID>/sso (Copied in the previous step).
- IdP Entity ID: https://auth.byndid.com/saml/v0/<BI-Connection-ID>/sso/metadata.xml (Copied in the previous step).
- Status: Enabled
- HTTP-Redirect: Enabled
- ZPA (SAML) Request: Signed
- SCIM Sync: Disabled
- SCIM Attributes for Policy: Disabled
- Click Save.
ZIA USER Authentication Configuration
To configure Beyond Identity as the IdP for ZIA User Login, follow the steps below. Once these steps are complete, you will be ready to enable Beyond Identity for User Login to ZIA Client Connector.
- Sign in to the ZIA Admin Console as an Administrator.
- Navigate to Administration > Authentication Settings.
- Select the Identity Providers tab.
- Click Add IdP.
- Download the SP Metadata file and save it to use in the next step.
- Configure Beyond Identity as the IdP for ZIA User Login.
- Log into the Beyond Identity Admin console.
- Navigate to Integrations > SAML tab.
- Click Add SAML Connection and update the fields as follows:
- Upload “SP Metadata” xml file downloaded in the previous step.
- Type “Zscaler Internet Access User SSO” for the Name.
- Click Save Changes.
- Copy the following from the newly created SAML Connection. They will be required in the next step.
- IdP Id (Beyond Identity Connection ID)
- IdP Single Sign-On URL: https://auth.byndid.com/saml/v0/<BI-Connection-ID>/sso
- IdP Issuer: https://auth.byndid.com/saml/v0/<BI-Connection-ID>/sso/metadata.xml
- Download IdP Signature Certificate
- In the Zscaler Internet Access Admin Console, on the IdP Configuration tab, configure the following and click Save.
- IdP SAML Certificate: Upload (Downloaded in previous step)
- SAML Portal URL: https://auth.byndid.com/saml/v0/<BI-Connection-ID>/sso (Copied in the previous step).
- Status: Enabled
- Login Name Attribute: NameID
- Vendor: Others
- Sign SAML Request: Disable
- HTTP-Redirect: Enabled
- Enable SAML Auto Provisioning: Disable
- Enable SCIM Provisioning: Disable
- To enable the SAML configuration on the Authentication Settings page:
- Select the Authentication Profile tab.
- Select SAML as the Authentication type.
- Save and activate the configuration.
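Each of the three sections above begins by downloading an SP Metadata file from Zscaler and uploading it to Beyond Identity. The following added example (not part of the Beyond Identity or Zscaler documentation) inspects such a file before upload and checks that its request-signing declaration agrees with the console setting you are about to choose (ZPA: SAML Request Signed; ZIA: Sign SAML Request disabled). It assumes only the standard SAML 2.0 metadata schema; the metadata it parses is constructed, with placeholder entityID, ACS location and certificate.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"  # SAML 2.0 metadata namespace, Clark notation

# Constructed sample of what an SP Metadata export looks like; entityID, ACS
# location and certificate are placeholders, not values from a real tenant.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.invalid/zpa-admin">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-CERT-BASE64</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/zpa-admin/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def inspect_sp_metadata(xml_text: str) -> dict:
    """Pull out the fields that matter for the IdP-side configuration."""
    # Parsing a file you exported yourself; for untrusted XML prefer defusedxml.
    root = ET.fromstring(xml_text)
    spsso = root.find(f"{MD}SPSSODescriptor")
    if spsso is None:
        raise ValueError("no SPSSODescriptor element: this is not SP metadata")
    # A KeyDescriptor with no 'use' attribute serves both signing and encryption.
    signing_keys = [k for k in spsso.findall(f"{MD}KeyDescriptor")
                    if k.get("use") in (None, "signing")]
    acs = [(s.get("Binding"), s.get("Location"))
           for s in spsso.findall(f"{MD}AssertionConsumerService")]
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": spsso.get("AuthnRequestsSigned", "false").lower() == "true",
        "signing_certs": len(signing_keys),
        "acs": acs,
        "acs_https_only": bool(acs) and all(loc.startswith("https://") for _, loc in acs),
    }


def check_against_console_setting(info: dict, console_requests_signed: bool) -> list:
    # Mismatches between the metadata and the "SAML Request: Signed" console choice.
    problems = []
    if console_requests_signed and info["signing_certs"] == 0:
        problems.append("console expects signed requests but metadata has no signing certificate")
    if console_requests_signed != info["authn_requests_signed"]:
        problems.append("AuthnRequestsSigned in metadata disagrees with the console setting")
    if not info["acs_https_only"]:
        problems.append("AssertionConsumerService is missing or not https")
    return problems
```

Run it against the real export before uploading; an empty list from `check_against_console_setting` means the file and the console setting agree, and a non-empty list names what to fix first.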
Mobile Portal Configuration to Enable API Access
This section describes changes required to the Zscaler Mobile Portal to enable API access.
- Log into the Zscaler Client Connector (Mobile) portal from ZIA (Policy > ZCC Portal). You can also access it in the ZPA Admin Console by selecting Client Connector from the navigation bar.
- In the ZCC portal, click Administration and then click Public API.
- Click Add API Key, configure the following and click Save.
- Name: Beyond Identity
- Status: Enabled
- Role: Write
- Session Validity Interval in seconds: 31540000 (Approx. 1 year)
- Note the following to use in the next section.
- Client Secret
- Client ID
- Zscaler Mobile Portal URL
Beyond Identity Console Configuration for Zscaler API Access
Beyond Identity supports continuous authentication and monitors device security posture even when the user is not actively trying to authenticate. Beyond Identity uses Zscaler Mobile APIs to force re-authentication of the Zscaler Client Connector in case the device security posture does not meet enterprise policies.
In this section, you’ll create a test group with a single user to test the Deny rule before configuring the policy to target all users.
Note: Before you start, you'll need the Client ID, Client Secret, and Zscaler Mobile Portal URL, which you copied from the previous section.
- Log into the Beyond Identity Admin console and navigate to Integrations > Endpoint Management > Zscaler > Edit Configuration.
- Enter the Zscaler Mobile Portal URL (Host Url), Client ID, and Client Secret you copied from the previous section.
- Select whether to match on the username or email for the User Key.
- Click Save Changes.
Test the Integration
To test the integration, you'll create a test group, user, and a policy in Beyond Identity and use Zscaler to confirm the authentication is denied.
- Log into the Beyond Identity Admin console.
- Navigate to Groups > Add Group and create a test group.
- Assign a single test user to the test group.
- Navigate to Policy > Edit Policy > Add Rule.
- Create a Deny rule to deny authentication and invoke the Zscaler Force Remove Device API.
- Add a custom notification saying “Zscaler Client Connector will be logged out soon!!!”
- Click Add and create a new rule in the policy to force remove an authenticated device.
- Change the rule order as needed and click Publish changes.
- Log into Zscaler Client Connector using the test user.
- Authenticate to any application using Beyond Identity, ensuring the authentication meets the criteria to trigger the Deny rule. The custom notification should appear and the Zscaler Client Connector should log out within a 3-minute timeframe.
- If the test was successful, configure the policy to target all users.
Frequently Asked Questions
How are devices matched to the Zscaler device directory?
This integration leverages the Zscaler Client UUID. The Client UUID is a unique string assigned to all devices in Zscaler. In circumstances that the Client UUID cannot be found, Beyond Identity may use the serial number to match devices to records.
How does the Zscaler Client Disconnect action work for mobile devices?
If the Zscaler Client Disconnect action is triggered against a mobile device, Beyond Identity will issue disconnection action API calls for all mobile devices. This is due to restrictions in mobile operating systems that prevent Beyond Identity from uniquely identifying the mobile device.
What rate limits apply to this integration?
All requests to the Zscaler API are subject to a rate limit. For an organization, the system rate limits all endpoints called from a given IP address to 100 API calls per hour.