Integration with Zscaler

Overview

This document describes the procedure to configure the BlockID Admin Console as a passwordless authentication solution for your organization's ZScaler users. This integration will allow your users to log in to the ZScaler VPN application account leveraging their biometrics. The biometric options include Touch ID / Face ID and LiveID.

Before you Begin

You will need the following resources and privileges to complete this integration:

1. Admin access to the following:
   • BlockID Tenant: If your organization is not registered for the BlockID tenant, visit the Sign Up page to set up a free BlockID tenant for your organization. The 1Kosmos representative will create a tenant URL, community, tenant tag, and a license key for your respective organization within the BlockID platform.
   • ZScaler application that supports SAML integration
2. Install on your mobile device:
   • BlockID mobile application (Compatible with iOS and Android devices). Visit BlockID for Android or BlockID for iOS to download the application.

Assumptions

1. With the above prerequisites, you should now successfully be registered and be able to login to:
   • BlockID Admin Console application. Ensure the email address used to log in to this application is the same as the one used to log in to the ZScaler account.
2. Installed and registered the BlockID mobile application.
   • Launch the BlockID mobile application and follow the on-screen instructions to register your app with the BlockID platform to enroll your biometrics. Visit the Enroll Biometrics (Touch ID / Face ID and LiveID) section of the BlockID Mobile Application User Guide for step by step understanding of the biometrics enrollment process within the BlockID mobile application.

There are two sets of configurations that need to be performed to enable this integration:

1. Configure your BlockID Tenant as an Identity Provider (IDP) within the ZScaler application.
2. Configure the ZScaler application as a Service Provider (SP) within your BlockID Tenant.

List of Topics:

1. Configure your BlockID Tenant as an Identity Provider (IDP) within the ZScaler application
2. Configure the BlockID tenant metadata
3. Configure the ZScaler application as a Service Provider (SP) within your BlockID Tenant
   • Set IDP Assertion Claim details
   • Add ZScaler application as a Service Provider
4. Test the SAML Single Sign-On Connection

Configure your BlockID Tenant as an Identity Provider (IDP) within ZScaler

Note:

The following steps will be performed by your ZScaler administrator. Get your tenant's XML metadata file and SSL certificate from your 1Kosmos representative to configure 1Kosmos as an Identity Provider for your company's ZScaler application account.

1. Log in to your ZScaler application.
2. Navigate to Administration > Authentication Settings:
3. In the Authentication Settings screen, perform the following configurations:
   • In the Authentication Type section, select SAML.
   • On the Configure SAML screen, in the Identity Provider (IDP) Options section, enter the following details:
     • SAML Portal URL: Enter your IDP sign-on URL. Get this URL from the Configure the BlockID tenant metadata topic, search for the Single SignOn Service field, copy, and paste it in this field.
     • Public SSL Certificate: Click Upload to upload the SSL certificate of your tenant's BlockID Admin Console. To check the steps on getting certificate details, visit Configure the BlockID tenant metadata topic.
   • On the Configure SAML screen, in the Service Provider (SP) Options section, perform the following configurations:
     • Sign SAML Request: Enable the option.
     • Signature Algorithm: Select SHA-2 (256-bit).
   • Click Save:

Configure the BlockID tenant metadata

1. Open the web browser and enter your organization’s BlockID tenant’s metadata URL in the following format: https://<customer_name>.1kosmos.net/default/metadata The XML metadata information file is displayed.
2. From the XML metadata information file, copy and save the values of the following keys to use while performing the ZScaler application SAML integration configuration:
   • entityID: The example of its value is: https:// <customer_name>.1kosmos.net/default/idp1
   • SingleSignOnService URL: https://<customer_name>.1kosmos.net/default/SingleSignOnService
   • SingleLogoutService URL: https://<customer_name>.1kosmos.net/default/SingleSignOnService
   • X509Certificate:
     • Copy the certificate details and save them in the following format:

       -----BEGIN CERTIFICATE-----
       Certificate details
       -----END CERTIFICATE-----
     • Save the certificate with .cert extension.

Configure ZScaler application as a Service Provider (SP) within your BlockID Tenant

Set IDP Assertion Claim details

Perform the below-mentioned steps:

1. Login to BlockID Admin Console, navigate to Administration Console > Federation > SAMLv2. The SAMLv2 screen is displayed.
2. In the IDP Assertion Claims Mapping tab, link the appropriate LDAP and Session attribute values to the Claims for each Label.
   • Map the nameIdentifier to email.
   • Click Save.

Note:

These mapped fields will be available in the SAMLv2 > Service Providers > SP Assertion Claims Mapping tab for the imported service provider.

Add ZScaler application as a Service Provider

1. In the SAMLv2 screen, click Service Providers.
2. In the Service Providers List screen, from the One-Click Rapid Service Provider Onboarding section, click on the ZScaler option.
3. In the Onboard ZScaler as a SAMLv2 Service Provider window, enter details for the following fields:
   Note:

   In case, if your client does not share their ZScaler's XML metadata file to 1Kosmos, get the Entity ID and Login URL (SAML Assertion Consumer Service URL) details of their ZScaler application.

   • Application Label: Enter the appropriate name for your organization’s ZScaler application as a service provider.
   • Entity ID: Enter the unique entityId URL specified in your single-sign on settings in the ZScaler application.
   • Login URL: Enter the login URL specified in your single-sign on settings in the ZScaler application.
   • Click Onboard ZScaler.
4. Click on the newly added ZScaler as a service provider link.
5. In the Edit screen:
   • In the SP Core Configuration tab: check the following details are selected:
     • Select the checkbox for each request/response that should be signed: ensure that the Assertion and Authentication Request options are selected.
     • NameID Value: nameidentifier.
   • In the SP Assertion Claims Mapping tab: Select the checkbox for the following options:
     • nameIdentifier
   • In the SP Service URL End Points tab:
     • Select POST.
     • Ensure ZScaler login URL is added.
   • Click Confirm and Save.

Test the SAML Single Sign-On Connection

1. In your browser, enter your organization’s ZScaler URL. You will be redirected to the BlockID Admin console’s login screen is displayed with the barcode to be scanned from your BlockID mobile app.
2. On the BlockID mobile application’s Home screen, click ‘Scan QR’.
3. Scan the QR code. The confirmation pop-up window is displayed asking to Allow BlockID to access this device’s location?.
4. In the confirmation pop-up window, select Allow only while using the app. The Authentication screen is displayed with the Please authenticate using <Biometric_option> from 1kosmos message.
5. Click Authenticate and perform the appropriate authentication method. The pop-up window is displayed with Thank you! You have successfully authenticated to Log In message upon successful authentication.
6. You will be logged in to your ZScaler account.