Zscaler Integration Guide: Using SAS as an Identity Provider for Zscaler
Technical Manual Template Release 1.0, PN: 000-000000-000, Rev. A, March 2013, Copyright © 2013 SafeNet, Inc. All rights reserved.
    Zscaler: Integration Guide

    Using SAS as an Identity Provider for Zscaler

    Document PN: 007-012539-001, Rev. A, Copyright © 2014 SafeNet, Inc., All rights reserved.

    Document Information

    Document Part Number: 007-012539-001, Rev. A

    Release Date: April 2014

    Trademarks

    All intellectual property is protected by copyright. All trademarks and product names used or referred to are the copyright of their respective owners. No part of this document may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, chemical, photocopy, recording, or otherwise, without the prior written permission of SafeNet, Inc.

    Disclaimer

    SafeNet makes no representations or warranties with respect to the contents of this document and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose. Furthermore, SafeNet reserves the right to revise this publication and to make changes from time to time in the content hereof without the obligation upon SafeNet to notify any person or organization of any such revisions or changes.

    We have attempted to make these documents complete, accurate, and useful, but we cannot guarantee them to be perfect. When we discover errors or omissions, or they are brought to our attention, we endeavor to correct them in succeeding releases of the product.

    SafeNet invites constructive comments on the contents of this document. These comments, together with your personal and/or company details, should be sent to the address or email below.

    Contact Method: Contact Information

    Mail: SafeNet, Inc., 4690 Millennium Drive, Belcamp, Maryland 21017, USA

    Email: [email protected]


    Contents

    Overview (page 4)
    Single Sign-On Dataflow (page 4)
    Identity Provider Configuration (page 5)
    Configuring Zscaler to Use SAS as an Identity Provider (page 6)
    Configuring SAS to Use SAML-based User Federation (page 9)
        Enabling SAML User Authentication (page 10)
        Associating SAS Users with the SAML Service Provider (page 11)
    Running the Zscaler SAML Solution (page 12)
        Browser Configuration (page 13)
        Connecting to Zscaler (page 17)
    Support Contacts (page 19)


    Overview

    This document provides guidance for setting up and managing SafeNet Authentication Service (SAS) as an identity provider for Zscaler.

    Single Sign-On Dataflow

    1. Bob, a user, wants to log in to Zscaler. Bob leverages the single sign-on capabilities embedded in the organization’s SafeNet Authentication Service solution. SafeNet Authentication Service collects and evaluates Bob's credentials.

    2. SAS returns a response to Zscaler to accept or reject Bob’s credentials for authentication.

    NOTE: The document assumes that Zscaler is already configured and working with local users and static passwords prior to implementing SafeNet Authentication Service strong authentication.


    Identity Provider Configuration

    The SAS Administrator Console settings are used to establish SafeNet Authentication Service (SAS) as the identity provider for Zscaler.

    To configure SAS as an identity provider, do the following:

    1. In the SAS Administrator Console, click Virtual Server, then click the COMMS tab.

    2. Click SAML Service Providers > SAML 2.0 Settings. The SAML 2.0 Settings are displayed, as shown in the example below.

    3. Download the Identity Provider Certificate using the configured URL and save it locally.

    The file will be needed in step 6 of “Configuring Zscaler to Use SAS as an Identity Provider” on page 6.

    4. Copy the link in the Identity Provider HTTP-Post login URL field.

    It will be needed in step 6 of “Configuring Zscaler to Use SAS as an Identity Provider” on page 6.


    Configuring Zscaler to Use SAS as an Identity Provider

    1. Log in to Zscaler.

    2. In the Zscaler window, click the Policy & Admin link.


    3. On the Administration tab, in the left pane, under Manage Administrators & Roles, click Manage Users & Authentication to configure single sign-on (SSO) settings.

    4. On the Configure User Authentication dialog box, click the Edit button.


    5. Click Configure SAML Single Sign-On Parameters.

    6. On the Configure Single Sign-On using SAML dialog box, complete the following fields:

    URL of the SAML Portal to which users are sent for authentication: Type the following URL: http:///idp/profile/SAML2/POST/SSO

    Attribute containing Login Name: Type NameID. This field is case-sensitive.

    Upload SSL Public Certificate: Use the Choose File button to locate and upload the certificate downloaded from SAS. In order to upload a certificate, you must convert the downloaded .crt certificate into a base-64 encoded format (.der or .pem). You can do so by using a tool such as SSL Converter, which can be downloaded from the following location: https://www.sslshopper.com/ssl-converter.html

    Sign SAML Request: This check box should not be selected.

    Enable SAML Auto-Provisioning: Select this check box.

    Attribute containing User Display Name: Type displayName.

    Attribute containing Group Name: Type memberOf.

    Attribute containing Department Name: Type department.


    7. Click Done.

    SafeNet Authentication Service is now configured as an identity provider for Zscaler.
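Step 6 above requires the .crt downloaded from SAS to be converted to a base-64 (PEM) file before Zscaler will accept it. The guide points to a web converter; the following added example, which is not code from the guide, SAS or Zscaler, performs the same conversion offline on the admin workstation and refuses input that is neither binary DER nor PEM, so a truncated or corrupt download is caught before upload. SAMPLE_DER is a constructed byte string for demonstration, not a real certificate.

```python
import base64
import textwrap

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def looks_like_der(data: bytes) -> bool:
    """A DER-encoded X.509 certificate is an ASN.1 SEQUENCE, so its first byte is 0x30."""
    return len(data) > 2 and data[0] == 0x30


def looks_like_pem(data: bytes) -> bool:
    """PEM is printable text wrapped in BEGIN/END CERTIFICATE markers."""
    text = data.decode("ascii", errors="ignore")
    return PEM_HEADER in text and PEM_FOOTER in text


def der_to_pem(der: bytes) -> str:
    """Base-64 encode the DER bytes and wrap at 64 columns (RFC 7468 textual encoding)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(textwrap.wrap(b64, 64))
    return f"{PEM_HEADER}\n{body}\n{PEM_FOOTER}\n"


def pem_to_der(pem: str) -> bytes:
    """Strip the markers and strictly decode the base-64 body back to DER bytes."""
    lines = [ln.strip() for ln in pem.splitlines()]
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    return base64.b64decode(body, validate=True)


def ensure_pem(data: bytes) -> str:
    """Return PEM text for a certificate file that is either binary DER or already PEM.
    Raises ValueError for anything else so a bad download is not uploaded blindly."""
    if looks_like_pem(data):
        pem = data.decode("ascii")
        pem_to_der(pem)  # round-trip check: the base-64 body must decode cleanly
        return pem
    if looks_like_der(data):
        return der_to_pem(data)
    raise ValueError("input is neither a DER nor a PEM certificate")


def convert_file(src_path: str, dst_path: str) -> str:
    """Read the .crt downloaded from SAS and write the .pem that Zscaler expects."""
    with open(src_path, "rb") as f:
        pem = ensure_pem(f.read())
    with open(dst_path, "w", encoding="ascii") as f:
        f.write(pem)
    return pem


# Constructed sample: a SEQUENCE header declaring 256 bytes plus filler. Not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
```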

    Configuring SAS to Use SAML-based User Federation

    Before configuring a Zscaler instance as a SAML service provider for SAS, ensure that the organization’s user accounts have been created on the SAS virtual server. This can be done using one of the following methods:

    • Automatically by synchronizing with your Active Directory/LDAP server using the SAS LDAP Synchronization Agent

    • Manually by using the Create User shortcut

    • Manually by importing one or more user records using a flat file

    For further information on adding users to SAS, refer to SafeNet Authentication Service documentation at the following location: http://www2.safenet-inc.com/sas/implementation-guides.html


    Enabling SAML User Authentication

    An organization’s user accounts must be configured to authenticate to Zscaler using SafeNet Authentication Service.

    1. On the SafeNet Authentication Service Administrator Console, click Virtual Server, then click the COMMS tab.

    2. Click SAML Service Providers, and then click SAML 2.0 Settings. The SAML 2.0 Settings are displayed, as shown in the example below.

    3. Click Add.


    4. On the Add SAML 2.0 Settings dialog box, in the Friendly Name field, type a name for the Zscaler service provider (for example, Zscaler).

    5. In the SAML 2.0 Metadata field, select Create New Metadata File.

    a. In the Entity ID field, type the domain of the URL you use to log in to the service (for example, if you log in to https://admin.zscaler.net, type zscaler.net).

    b. In the Location field, type https://login.:443/sfc_sso (for example, if you log in to https://admin.zscaler.net, type https://login.zscaler.net:443/sfc_sso).

    6. Click Apply.

    Zscaler is now added as a SAML service provider.
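Step 5 has SAS create the metadata file from only two values, the Entity ID and the Location. As an added example (not SAS or Zscaler code), the Python below derives those values from the admin login URL the way the guide's example does, builds the equivalent SAML 2.0 service provider metadata, and parses it back to confirm the assertion consumer URL uses HTTPS and the HTTP-POST binding. The first-label-dropping rule, the NameID format and WantAssertionsSigned="true" are this example's assumptions, not values from the guide.

```python
from typing import Dict, Tuple
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
ET.register_namespace("md", MD_NS)


def derive_sp_values(admin_login_url: str) -> Tuple[str, str]:
    """Derive Entity ID and Location from the admin login URL, as in the guide's example:
    https://admin.zscaler.net -> zscaler.net and https://login.zscaler.net:443/sfc_sso.
    Assumption: the Entity ID is the host name with its first label (admin.) removed."""
    host = urlparse(admin_login_url).hostname
    if not host or "." not in host:
        raise ValueError(f"cannot derive a domain from {admin_login_url!r}")
    domain = host.split(".", 1)[1]
    return domain, f"https://login.{domain}:443/sfc_sso"


def build_sp_metadata(entity_id: str, acs_location: str) -> str:
    """Build SAML 2.0 SP metadata for the two values: one AssertionConsumerService on the
    HTTP-POST binding, AuthnRequestsSigned=false to match 'Sign SAML Request' left unchecked.
    WantAssertionsSigned=true is this example's choice, not a value from the guide."""
    ed = ET.Element(f"{{{MD_NS}}}EntityDescriptor", {"entityID": entity_id})
    sp = ET.SubElement(ed, f"{{{MD_NS}}}SPSSODescriptor", {
        "AuthnRequestsSigned": "false",
        "WantAssertionsSigned": "true",
        "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol",
    })
    ET.SubElement(sp, f"{{{MD_NS}}}NameIDFormat").text = NAMEID_UNSPECIFIED
    ET.SubElement(sp, f"{{{MD_NS}}}AssertionConsumerService", {
        "Binding": HTTP_POST, "Location": acs_location, "index": "0", "isDefault": "true",
    })
    return ET.tostring(ed, encoding="unicode")


def check_sp_metadata(xml_text: str) -> Dict[str, object]:
    """Parse SP metadata and extract the values to compare against the SAS dialog, flagging
    a non-POST binding or a plain-http ACS URL (the assertion would travel unprotected)."""
    root = ET.fromstring(xml_text)
    acs = root.find(f"{{{MD_NS}}}SPSSODescriptor/{{{MD_NS}}}AssertionConsumerService")
    if acs is None:
        raise ValueError("metadata has no AssertionConsumerService")
    location = acs.get("Location", "")
    return {
        "entity_id": root.get("entityID"),
        "acs_location": location,
        "binding_is_post": acs.get("Binding") == HTTP_POST,
        "acs_is_https": urlparse(location).scheme == "https",
    }
```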

    Associating SAS Users with the SAML Service Provider

    Users in the SAS User Store must be associated with the appropriate SAML service provider. This should be done using a pre-defined SAML provisioning rule that will automatically associate a group (or groups) of users to the specific SAML service provider. For more information on using SAML provisioning rules, see the SafeNet Authentication Service Administration Guide. SAS documentation can be found at the following location: http://www2.safenet-inc.com/sas/implementation-guides.html

    NOTE: This process is common for all SAML service providers. Readers that have already configured a different SAML service provider may need to repeat the process, making sure that the users are associated with multiple SAML service providers.


    Running the Zscaler SAML Solution

    After Zscaler is configured to use SafeNet Authentication Service as its identity provider, and SafeNet Authentication Service is configured to use Zscaler as a SAML service provider, users can log in to Zscaler.

    NOTE: The Zscaler server and the SAS server time should be NTP synchronized, as a difference in time of more than two (2) seconds will cause a failure.

    The Zscaler SAML solution works as follows:


    Browser Configuration

    In order to work with the Zscaler proxy, you will need to configure your browser to connect to the Zscaler Security Cloud. This section contains configuration steps for the following browsers:

    • Configuring Internet Explorer for Connection to Zscaler Security Cloud – see below

    • Configuring Firefox for Connection to Zscaler Security Cloud – see page 15

    Configuring Internet Explorer for Connection to Zscaler Security Cloud

    1. Open Internet Explorer.

    2. Click Tools > Internet Options.

    3. On the Internet Options window, click Connections > LAN settings.


    4. On the Local Area Network (LAN) Settings dialog box, perform the appropriate steps for automatic or manual configuration.

    Automatic Configuration

    In the Automatic configuration section, do the following:

    a. Select Automatically detect settings.

    b. Select Use automatic configuration script. In the Address box, enter the PAC file URL supplied by your sales engineer.

    c. Click OK.


    Manual Configuration

    In the Proxy server section, do the following:

    a. Select Use a proxy server for your LAN.

    b. In the Address field, type gateway.zscaler.net.

    c. In the Port field, enter the port number (for example, 80, which is the most commonly used port).

    d. Click OK.

    Configuring Firefox for Connection to Zscaler Security Cloud

    1. Open Firefox.

    2. Click Tools > Options.

    3. On the Options window, click Advanced > Network.


    4. On the Network tab, click Settings.

    5. On the Connection Settings dialog box, perform the appropriate steps for automatic or manual configuration.

    Automatic Configuration

    For automatic proxy configuration, do the following:

    a. On the Connection Settings dialog box, select Automatic proxy configuration URL.

    b. In the text box, enter the PAC file URL supplied by your sales engineer.

    c. Click OK.


    Manual Configuration

    For manual proxy configuration, do the following:

    a. On the Connection Settings dialog box, select Manual proxy configuration.

    b. In the HTTP Proxy field, type gateway.zscaler.net.

    c. In the Port field, enter the port number (for example, 80, which is the most commonly used port).

    d. Click OK to save the configuration.

    Connecting to Zscaler

    1. Launch a browser and go to any site (for example, google.com).

    2. Zscaler will automatically redirect you to the IDP when coming from a known location (a location which is defined as a specific source IP (or IPs), a GRE tunnel, a VPN tunnel, or a per-company port).

    3. On the Zscaler login box, type your user name, and then click Submit.

    Note that any login name (for example, [email protected]) can be entered: Zscaler ignores the user portion and uses only the domain to identify the IdP to redirect to.


    4. The SAS Login window is displayed. Type your SAS user name and password, and then click Login.

    5. The requested website is opened through the Zscaler proxy.


    Support Contacts

    If you encounter a problem while installing, registering or operating this product, please make sure that you have read the documentation. If you cannot resolve the issue, contact your supplier or SafeNet Customer Support.

    SafeNet Customer Support operates 24 hours a day, 7 days a week. Your level of access to this service is governed by the support plan arrangements made between SafeNet and your organization. Please consult this support plan for further information about your entitlements, including the hours when telephone support is available to you.

    Table 1: Support Contacts

    Contact Method: Contact Information

    Address: SafeNet, Inc., 4690 Millennium Drive, Belcamp, Maryland 21017 USA

    Phone: United States 1-800-545-6608; International 1-410-931-7520

    Email: [email protected]

    Technical Support Customer Portal: https://serviceportal.safenet-inc.com. Existing customers with a Technical Support Customer Portal account can log in to manage incidents, get the latest software upgrades, and access the SafeNet Knowledge Base.