Creating a single sign-on connection
To allow PingFederate to handle single sign-on (SSO) to Zscaler Internet Access, create a service provider (SP) connection.
About this task
You can follow these steps to create a new connection, or you can modify your provisioning connection.
Steps
- In the PingFederate administrator console, create a new SP connection:
  - For PingFederate 10.1 or later: go to Applications > Integration > SP Connections. Click Create Connection.
  - For PingFederate 10.0 or earlier: go to Identity Provider > SP Connections. Click Create Connection.
- Configure the basic connection details with the Zscaler Internet Access quick connection template:
  - On the Connection Template tab, select Use a template for this connection.
  - In the Connection Template list, select Zscaler ZIA Provisioner.
  - In the Metadata File row, upload the zscaler-metadata.xml file that you saved in Getting SAML details from Zscaler. Click Next.
  - On the Connection Type tab, select Browser SSO Profiles. Click Next.
  - On the General Info tab, in the Connection Name field, enter a name for the connection. Click Next.
- On the Browser SSO tab, configure SSO as shown in Configuring IdP Browser SSO in the PingFederate documentation, with the following details:
  - On the Browser SSO > SAML Profiles tab, select only IdP-Initiated SSO and SP-Initiated SSO.
    SP-initiated SSO is recommended because IdP-initiated SSO is not commonly used.
    Learn more in IdP-Initiated SAML in the Zscaler Internet Access documentation and Setting Assertion Consumer Service URLs (SAML) in the PingFederate documentation.
    If you want to use both IdP-initiated SSO and SP-initiated SSO, both endpoints are accessible using the ACSIdx parameter. Learn more in IdP endpoints in the PingFederate documentation.
  - On the Browser SSO > Protocol Settings > Allowable SAML Bindings tab, select only POST.
  - On the Browser SSO > Protocol Settings > Signature Policy tab, select Always sign assertion.
- On the Credentials tab, configure the connection credentials as shown in Configuring credentials in the PingFederate documentation. Click Next.
- On the Activation and Summary tab, above the Summary section, click the toggle to turn on the connection. Click Save.
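
Before uploading zscaler-metadata.xml, you can check what the file advertises against the POST-only binding, ACS index, and assertion-signing settings chosen in the steps above. The following is an added example, not part of the PingFederate or Zscaler documentation; the function name review_sp_metadata, the sample metadata, and its sp.example.com URLs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample standing in for zscaler-metadata.xml (placeholder entity ID and URLs).
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/acs"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="http://sp.example.com/artifact"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def review_sp_metadata(xml_text):
    """Summarise the ACS endpoints in SP metadata against a POST-only connection."""
    # SAML metadata has no need for a DTD; refuse it rather than expand entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not expected in SAML metadata")
    sp = ET.fromstring(xml_text).find(MD + "SPSSODescriptor")
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    post, other, findings = [], [], []
    for acs in sp.findall(MD + "AssertionConsumerService"):
        index, location = int(acs.get("index", "0")), acs.get("Location", "")
        if acs.get("Binding") != POST:
            other.append(index)  # unusable once only POST is allowed
            continue
        post.append(index)  # endpoint index, as selected by ACSIdx
        if not location.startswith("https://"):
            findings.append(f"ACS index {index} is not HTTPS: {location}")
    if not post:
        findings.append("no HTTP-POST ACS endpoint; a POST-only connection cannot deliver assertions")
    if len(post) != len(set(post)):
        findings.append("duplicate ACS index values among POST endpoints")
    return {"post_indexes": sorted(post), "non_post_indexes": sorted(other),
            "wants_signed_assertions": sp.get("WantAssertionsSigned") in ("true", "1"),
            "findings": findings}


if __name__ == "__main__":
    print(review_sp_metadata(SAMPLE))
```

An empty findings list means every POST endpoint in the file is HTTPS and uniquely indexed; the connection still signs assertions regardless of the WantAssertionsSigned value, because the Signature Policy step selects Always sign assertion.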