Zscaler and IBM Verify SSO Deployment Guide


Deployment Guide, July 2021, Version 2.0
Zscaler Business Development – Solutions Architecture Team

Table of Contents

Terms and Acronyms
About This Document
  Zscaler Overview
  IBM Overview
  Audience
  Software Versions
  Request for Comments
Zscaler and IBM Introduction
  ZIA Overview
  ZPA Overview
  Zscaler Resources
  IBM Security Verify Overview
  IBM Resources
ZIA Configuration
  Configure Zscaler Application in Verify
    Create or Update Zscaler Application
    Configure Sign-On
    Configure Account Lifecycle
    Define Adoption Policy for Account Synchronization
    Define Entitlements for Application
  Zscaler Provisioning Use Cases
    Account Synchronization with Zscaler
    New User Provisioning to Zscaler
      Create New User
      Test the New User Can Login
    Provisioning Use Case
      Add User to Group
      Check User is Provisioned to Zscaler
      Check New User Can Access Zscaler via SSO
    De-Provisioning Use Case
      Remove User from Zscaler User Group
  Zscaler App Role Management Use Cases
    Assign User to the Zscaler Group Through Permissions
    Check the User is Added to the Zscaler Group from Zscaler
    Remove User from the Zscaler Group Through Permissions
    Check the User is Removed from the Zscaler Group
    Provision a New User and Assign to a Zscaler Group Through Permissions
    Check the User is Added to the Zscaler Group from Zscaler
    Add User to the Zscaler Group Through Roles
ZPA Configuration
  Before You Begin
  Zscaler Configuration
  IBM Security Verify Zscaler Application Configuration
    Enable SCIM Configuration for Zscaler
    Enable Lifecycle for Zscaler Application
    Define Entitlements for Application
  Zscaler Provisioning Use Cases
    New User Provisioning to Zscaler
      Create New User
      Test the New User Can Login
    Provisioning Use Case
      Add User to Group
      Check User is Provisioned to ZPA
      Check New User Can Access Zscaler via SSO
    De-Provisioning Use Case
      Remove User from ZPA User Group
      Check the User is Removed from ZPA
Appendix A: Requesting Zscaler Support
  Gather Support Information
  Save Company ID
  Enter Support Section
Document Control

Copyright 2022, Zscaler, Inc.

Terms and Acronyms

The following table defines abbreviations used in this deployment guide.

Acronym   Definition
CA        Central Authority (Zscaler)
CSV       Comma-Separated Values
DPD       Dead Peer Detection (RFC 3706)
GRE       Generic Routing Encapsulation (RFC 2890)
IKE       Internet Key Exchange (RFC 2409)
IPSec     Internet Protocol Security (RFC 2411)
PFS       Perfect Forward Secrecy
PSK       Pre-Shared Key
SSL       Secure Socket Layer (RFC 6101)
XFF       X-Forwarded-For (RFC 7239)
ZIA       Zscaler Internet Access (Zscaler)
ZEN       Zscaler Enforcement Node (Zscaler)
ZPA       Zscaler Private Access (Zscaler)

About This Document

This section describes the organizations and requirements for the integration covered in this deployment guide.

Zscaler Overview

Zscaler (NASDAQ: ZS) enables the world's leading organizations to securely transform their networks and applications for a mobile and cloud-first world. Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) services create fast, secure connections between users and applications, regardless of device, location, or network. Zscaler delivers its services 100% in the cloud and offers the simplicity, enhanced security, and improved user experience that traditional appliances or hybrid solutions can't match. Used in more than 185 countries, Zscaler operates a massive, global cloud security platform that protects thousands of enterprises and government agencies from cyberattacks and data loss. For more information on Zscaler, go to Zscaler's website or follow Zscaler on Twitter @zscaler.

IBM Overview

IBM (NYSE: IBM) looks to be a part of every aspect of an enterprise's IT needs. The company primarily sells software, IT services, consulting, and hardware. IBM operates in 175 countries and employs approximately 350,000 people. The company has a robust roster of 80,000 business partners to service 5,200 clients, which includes 95% of all Fortune 500. While IBM is a B2B company, IBM's outward impact is substantial. For example, IBM manages 90% of all credit card transactions globally and is responsible for 50% of all wireless connections in the world.

Audience

This guide is for network administrators, endpoint and IT administrators, and security analysts responsible for deploying, monitoring, and managing enterprise security systems. For additional product and company resources, refer to:

- Zscaler Resources
- IBM Resources
- Appendix A: Requesting Zscaler Support

Software Versions

This document was authored using the latest version of Zscaler's software.

Request for Comments

For prospects and customers: we value reader opinions and experiences. Contact us at partner-doc-support@zscaler.com to offer feedback or corrections for this guide.

For Zscaler employees: contact z-bd-sa@zscaler.com to reach the team that validated and authored the integrations in this document.

Zscaler and IBM Introduction

This section contains overviews of the Zscaler and IBM applications described in this deployment guide.

ZIA Overview

ZIA is a secure Internet and web gateway delivered as a service from the cloud. Think of it as a secure Internet onramp: all you do is make Zscaler your next hop to the Internet via one of the following methods:

- Setting up a tunnel (GRE or IPSec) to the closest Zscaler data center (for offices).
- Forwarding traffic via our lightweight Zscaler Client Connector or a PAC file (for mobile employees).

No matter where users connect (a coffee shop in Milan, a hotel in Hong Kong, or a VDI instance in South Korea), they get identical protection. ZIA sits between your users and the Internet and inspects every transaction inline across multiple security techniques (even within SSL).

You get full protection from web and Internet threats. The Zscaler cloud platform supports Cloud Firewall, IPS, Sandboxing, DLP, CASB, and Browser Isolation, allowing you to start with the services you need now and activate others as your needs grow.

ZPA Overview

ZPA is a cloud service that provides secure remote access to internal applications running in the cloud or data center using a zero trust framework. With ZPA, applications are never exposed to the Internet, making them completely invisible to unauthorized users. The service enables the applications to connect to users via inside-out connectivity rather than extending the network to them.

ZPA provides a simple, secure, and effective way to access internal applications. Access is based on policies created by the IT administrator within the ZPA Admin Portal and hosted within the Zscaler cloud. On each user device, a piece of software called Zscaler Client Connector is installed. Zscaler Client Connector ensures the user's device posture and extends a secure micro-tunnel out to the Zscaler cloud when a user attempts to access an internal application.

Zscaler Resources

The following table contains links to Zscaler resources based on general topic areas.

Name and Link                        Description
ZIA Help Portal                      Help articles for ZIA.
Zscaler Tools                        Troubleshooting, security and analytics, and browser extensions that help Zscaler determine your security needs.
Zscaler Training and Certification   Training designed to help you maximize Zscaler products.
Submit a Zscaler Support Ticket      Zscaler support portal for submitting requests and issues.
ZPA Help Portal                      Help articles for ZPA.
Zscaler Training and Certification   Training designed to help you maximize Zscaler products.
Submit a ZPA Support Ticket          Zscaler support portal for submitting ZPA requests and issues.

IBM Security Verify Overview

Organizations need unified identity repositories and policies to deliver cloud transformation and IT modernization, while enabling a remote workforce and increasing user productivity and security. Simultaneously, as consumers pivot faster to digital channels, these same organizations need to provide a consistent, secure, and frictionless experience across channels to their prospects, customers, and citizens.

IBM Security Verify protects users and applications both inside and outside the enterprise, while enabling technical agility and operational efficiency as a cloud-native solution. Beyond single sign-on and multifactor authentication, Verify is a modernized, modular IDaaS that provides deep AI-powered context for risk-based authentication and adaptive access decisions, guided experiences for developer time-to-value, and comprehensive cloud IAM capabilities. From privacy and consent management to holistic risk detection and identity analytics, Verify centralizes workforce and consumer IAM for any hybrid cloud deployment.

IBM Resources

The following table contains links to IBM support resources.

Name and Link                               Description
IBM Security Verify product documentation   Online help for IBM Security Verify.
IBM Security Verify developer guides        Online help for IBM developers.
IBM Community Forum                         IBM community forum webpages.
IBM Support                                 IBM support portal for submitting requests and issues.

ZIA Configuration

To allow IBM Security Verify to provision users into ZIA, follow these steps to generate the SCIM base URL and bearer token:

1. Log in as an admin user to your ZIA account using the following URL: https://admin.zscalerbeta.net
Figure 1. Login to ZIA Admin Portal
2. Navigate to Administration > Authentication > Authentication Settings.
Figure 2. ZIA authentication settings

3. For the Authentication Type field, select SAML.
4. Click Open Identity Providers.
5. The Identity Providers tab is displayed.
6. Click Add IdP (or select the identity provider that you want to modify and click the edit icon).
7. Provide the following details in the Open Identity Providers window:
   - In the GENERAL INFO section, specify the following settings:
     - Name: Provide a name for your identity provider configuration.
     - Status: Select Enabled.
     - SAML Portal URL: The Verify SAML login endpoint (the path ends in /saml20/login).
     - Login Name Attribute: NameID.
     - Entity ID: The name of the Zscaler cloud.
     - Org-Specific Entity ID: Enable if you have more than one organization instance on the same Zscaler cloud.
     - IdP SAML Certificate: Upload the IdP signing certificate downloaded from Verify.
     - Vendor: Select Others.
   - In the CRITERIA section, specify the following settings:
     - Locations: Select a value from the drop-down based on your requirements.
     - Authentication Domains: Select a value from the drop-down based on your requirements.
Figure 3. IdP edit screen

   - In the PROVISIONING OPTIONS section:
     - Leave the provisioning option set to Disable for now.
     - Enable Enable SCIM Provisioning.
     - Copy the Base URL.
     - Click Generate Token to create a bearer token, and copy it.
Figure 4. Provisioning options
8. Click Save.
9. To apply the new changes, log out of the ZIA Admin Portal. Changes do not take effect until you log out.

The bearer token authorizes whoever holds it to create, modify, suspend, and delete users and groups in your ZIA tenant through SCIM. Treat it as a credential: paste it only into the Verify application configuration, keep it out of documents and tickets, and regenerate it if it is ever exposed.

Configure Zscaler Application in Verify

The following sections describe configuring the Zscaler application in IBM Security Verify.

Create or Update Zscaler Application

1. Log in to IBM Security Verify as tenant admin.
2. Navigate to the Applications page and click the Add application button.
Figure 5. IBM Security Verify Applications
3. On the Select Application Type dialog, enter Zscaler into the search box.
4. When displayed, select the Zscaler application and then click the Add application button.
5. On the Add Application page, leave Zscaler as the Company name.
6. Enter the Zscaler cloud portal name (it is part of the admin URL, https://admin.<myCloudName>) as the value for Cloud name.
Figure 6. Zscaler application

Configure Sign-On

1. Go to the Zscaler Sign-on tab. Follow the instructions displayed in the right pane.
2. In another browser, log in to your Zscaler account as an admin user. The URL varies depending on your Zscaler cloud, but looks like https://admin.<Zscaler Cloud>.
3. For the Authentication Type field, click Open Identity Providers. The Identity Providers tab is displayed.
4. Select the previously created identity provider and click the edit icon.
5. In the SERVICE PROVIDER (SP) OPTIONS section, specify the following settings:
   - Sign SAML Request: Enable this option if you want Zscaler to sign its SAML authentication requests.
   - Signature Algorithm: Select SHA-2 (256-bit).
   - Request Signing SAML Certificate: Select a certificate from the drop-down based on your requirements.
   - SP Metadata: Click this to download the Zscaler SP metadata.
   - SP SAML Certificate: If Sign SAML Request is enabled, click this to download the Zscaler signing certificate (the IdP needs it to verify the signed requests).
Figure 7. Service Provider options
6. To apply the new changes, log out of the Zscaler Admin Portal. Changes do not take effect until you log out.
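Before importing the SP metadata downloaded in step 5 into Verify, it is worth reading it once with a script rather than trusting the file blindly: the entityID must equal the Zscaler cloud name you entered on the IdP side, the AssertionConsumerService must be an HTTPS endpoint, and AuthnRequestsSigned should agree with the Sign SAML Request setting. The following Python is an added example, not code from the guide or from Zscaler or IBM. The metadata document inside it is a constructed sample in the standard SAML 2.0 metadata shape; its entityID, ACS location and attribute values are assumptions chosen for illustration, not values taken from a real Zscaler tenant.

```python
"""Added example (not from the Zscaler/IBM guide): sanity-check SAML SP metadata
before importing it into the IdP. All values below are constructed."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample SP metadata (assumed values; not a real Zscaler download).
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="example-cloud">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Return the fields an IdP admin needs: entityID, ACS endpoints, signing flags."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor in metadata")
    acs = [
        {"binding": e.get("Binding"), "location": e.get("Location"),
         "default": e.get("isDefault") == "true"}
        for e in sp.findall("md:AssertionConsumerService", NS)
    ]
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "name_id_formats": [e.text for e in sp.findall("md:NameIDFormat", NS)],
        "acs": acs,
    }


def check_sp_metadata(info, expected_entity_id):
    """Return a list of findings; an empty list means the metadata matches expectations."""
    findings = []
    if info["entity_id"] != expected_entity_id:
        findings.append(f"entityID {info['entity_id']!r} != expected {expected_entity_id!r}")
    if not info["acs"]:
        findings.append("no AssertionConsumerService endpoint")
    for ep in info["acs"]:
        # The SAML response (and the session it creates) is posted here, so the
        # endpoint must be HTTPS and use the binding the IdP is configured for.
        if not ep["location"].startswith("https://"):
            findings.append(f"ACS {ep['location']} is not https")
        if ep["binding"] != POST_BINDING:
            findings.append(f"ACS {ep['location']} uses binding {ep['binding']}")
    if not info["authn_requests_signed"]:
        findings.append("AuthnRequestsSigned is false: Sign SAML Request is off on the SP side")
    return findings


if __name__ == "__main__":
    info = parse_sp_metadata(SAMPLE_SP_METADATA)
    for line in check_sp_metadata(info, "example-cloud") or ["metadata OK"]:
        print(line)
```

Run it against the real download with the Zscaler cloud name as `expected_entity_id`; any finding about the entityID means the SP and IdP disagree on who the SP is, and SSO will fail with an audience or issuer mismatch.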

Configure Account Lifecycle

1. Go to the Zscaler Account lifecycle tab.
2. Enable provisioning and deprovisioning. Zscaler accepts Suspend or Delete (with a grace period) as the deprovision action; pick the one that matches your offboarding policy.
Figure 8. Zscaler policies
3. Scroll down to the API Authentication section.
4. In the SCIM base URL field, enter the SCIM base URL that you copied earlier.
5. In the Bearer token field, enter the token that you generated earlier.
Figure 9.
6. Click the Test Connection button to confirm the settings.
7. Confirm that a connection successful message is shown. If not, re-check that the SCIM base URL and bearer token were entered correctly.

8. Scroll down to the API Attribute Mappings section and set the following:
   a. displayName: given name
   b. userName: preferred username
   c. name.givenName: given name
   d. name.familyName: family name
   e. Email: email
   Others can be left as they are.
Figure 10. Zscaler attribute mapping
9. Click the Save button.

Define Adoption Policy for Account Synchronization

Now that the Zscaler connection has been tested successfully, define the adoption policy used to synchronize existing Zscaler accounts with IBM Security Verify users. To define the adoption policy, click the Account sync tab in the details of the Zscaler application.
Figure 11. Account Sync tab
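The following Python is an added example, not part of the guide and not IBM's or Zscaler's code. It shows what the two halves of the lifecycle configuration above produce: the SCIM 2.0 User resource that results from the attribute mapping in step 8 for a Verify user, and the authenticated request behind the Test Connection check in steps 4 to 7. The Verify field names (`preferred_username`, `given_name`, `family_name`, `email`), the base URL and the token are placeholders; the connection check lists `<base>/Users?count=1`, a standard SCIM 2.0 list request, and whether your tenant's endpoint answers it is something to confirm, not a fact stated in the guide.

```python
"""Added example (not from the Zscaler/IBM guide): SCIM user payload per the
step 8 attribute mapping, plus the authenticated test-connection request.
Field names, URL and token are assumptions."""
import json
import urllib.request

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# SCIM attribute -> Verify attribute, mirroring the mapping table in step 8.
# (The guide writes the last row as "Email"; the SCIM core schema calls it "emails".)
ATTRIBUTE_MAP = {
    "displayName": "given_name",
    "userName": "preferred_username",
    "name.givenName": "given_name",
    "name.familyName": "family_name",
    "emails": "email",
}


def scim_user_from_verify(verify_user):
    """Translate a Verify user record (assumed field names) into a SCIM User resource."""
    user = {"schemas": [SCIM_USER_SCHEMA], "name": {}}
    for scim_attr, verify_attr in ATTRIBUTE_MAP.items():
        value = verify_user.get(verify_attr)
        if value in (None, ""):
            # A blank mapped attribute would be sent as an empty value; fail early instead.
            raise ValueError(f"Verify user is missing {verify_attr!r} needed for {scim_attr}")
        if scim_attr.startswith("name."):
            user["name"][scim_attr.split(".", 1)[1]] = value
        elif scim_attr == "emails":
            user["emails"] = [{"value": value, "primary": True}]
        else:
            user[scim_attr] = value
    return user


def build_test_request(base_url, bearer_token):
    """Return the URL and headers a Test Connection call needs, without sending anything."""
    if not base_url.startswith("https://"):
        raise ValueError("SCIM base URL must be https; the bearer token travels in a header")
    url = base_url.rstrip("/") + "/Users?count=1"
    headers = {
        "Authorization": f"Bearer {bearer_token}",
        "Accept": "application/scim+json",
    }
    return url, headers


def check_connection(base_url, bearer_token, timeout=10):
    """Perform the check against a live endpoint (network access required)."""
    url, headers = build_test_request(base_url, bearer_token)
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = json.load(resp)
    # A 200 from a login page or a proxy is not success: insist on a SCIM ListResponse.
    if SCIM_LIST_SCHEMA not in body.get("schemas", []):
        raise RuntimeError("endpoint answered, but not with a SCIM ListResponse")
    return body.get("totalResults")


if __name__ == "__main__":
    # Constructed Verify user; the values match the sample user created later in the guide.
    sample = {"preferred_username": "zscaleruser01@ex.com", "given_name": "User01",
              "family_name": "Zscaler", "email": "zscaleruser01@ex.com"}
    print(json.dumps(scim_user_from_verify(sample), indent=2))
    url, headers = build_test_request("https://scim.example.invalid/scim", "REPLACE_ME")
    print(url, headers["Accept"])
```

`check_connection` is the only function that touches the network; if Verify's Test Connection fails, running it from a host with outbound access and the same base URL and token separates a wrong URL (no SCIM ListResponse) from a wrong or expired token (HTTP 401).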

1. Click Attribute pairs to add the attribute rule used to match users from Zscaler with existing users in Verify. Define the rule as:
   userName: preferred username
Figure 12. Zscaler Add Application window
2. Click the Save button.

Define Entitlements for Application

Now define the entitlements for the users and groups that should get access to this application. When you save the application, the Entitlements tab is displayed.

1. On the Entitlements tab, select the Select users and groups, and assign individual accesses option.
2. Click the Add button.
3. On the Select User/Group dialog, search for Zscaler User Group (this group must already have been created by an admin).
4. Select Zscaler User Group and click the Add button.
5. Click the OK button.
Figure 13. Select User/Group dialog
6. Click the Save button to save the application changes.
Figure 14. Zscaler Applications/Details window

Zscaler Provisioning Use Cases

After the Zscaler application is successfully configured, the tenant admin can synchronize the Zscaler account data with IBM Security Verify (ISV).

Account Synchronization with Zscaler

1. Log in to ISV as tenant admin.
2. From the admin console, navigate to Applications.
3. Select Accounts from the three-dot action menu next to the Zscaler application.
Figure 15. IBM Security Verify Accounts
4. Click Start account synchronization.
Figure 16. Start account synchronization

5. To monitor the account synchronization, navigate to the Governance menu and click the Account sync tab.
Figure 17. Account sync tab
6. Click the row whose details you want to see. The account sync details open in the right pane and summarize the accounts fetched from Zscaler.
Figure 18. Account details

NOTE: Account sync rule: accounts are matched on the basis of the attribute pairs defined in the adoption policy of the application. A rule that matches too loosely can attach an existing Zscaler account, and the access that goes with it, to the wrong Verify user, so define the attribute mapping carefully and review the sync results before relying on them.
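To make the NOTE above concrete, here is the adoption rule from the Account sync tab (userName paired with preferred username) applied to constructed data. This is an added example, not code from the guide, IBM or Zscaler: both lists are made-up samples, not output from a real tenant, and whether Verify's own matching compares case-insensitively is not stated in the guide; the `case_insensitive` flag exists so the reader can see how much that single choice changes the result. The ambiguity check is the point of the exercise: if one account could be adopted by two users, the safe action is to stop and fix the data, not to pick one.

```python
"""Added example (not from the Zscaler/IBM guide): apply an account-adoption
rule to constructed Zscaler accounts and Verify users."""

# Accounts as a SCIM /Users listing from ZIA would present them (constructed).
ZSCALER_ACCOUNTS = [
    {"id": "1001", "userName": "zscaleruser01@ex.com"},
    {"id": "1002", "userName": "Alice.Smith@ex.com"},
    {"id": "1003", "userName": "svc-proxy@ex.com"},
]

# Users in the Verify Cloud Directory (constructed).
VERIFY_USERS = [
    {"id": "v-1", "preferred_username": "zscaleruser01@ex.com"},
    {"id": "v-2", "preferred_username": "alice.smith@ex.com"},
    {"id": "v-3", "preferred_username": "bob@ex.com"},
]


def adopt_accounts(accounts, users, pairs=(("userName", "preferred_username"),),
                   case_insensitive=True):
    """Match application accounts to directory users on the configured attribute pairs.

    Returns (adopted, orphans, unmatched_users). Raises if a rule would bind one
    account to several users: adopting the wrong identity hands that person the
    account's access, so an ambiguous rule must not be applied silently.
    """
    def key(record, attr):
        value = record.get(attr, "")
        return value.lower() if case_insensitive else value

    # Index directory users by the tuple of their side of every attribute pair.
    index = {}
    for user in users:
        k = tuple(key(user, user_attr) for _, user_attr in pairs)
        index.setdefault(k, []).append(user)

    adopted, orphans = [], []
    matched_user_ids = set()
    for acct in accounts:
        k = tuple(key(acct, acct_attr) for acct_attr, _ in pairs)
        candidates = index.get(k, [])
        if len(candidates) > 1:
            raise ValueError(
                f"account {acct['id']} matches {len(candidates)} users; rule is ambiguous")
        if candidates:
            adopted.append((acct["id"], candidates[0]["id"]))
            matched_user_ids.add(candidates[0]["id"])
        else:
            # No owner in the directory: typically a service or legacy account.
            orphans.append(acct["id"])
    unmatched_users = [u["id"] for u in users if u["id"] not in matched_user_ids]
    return adopted, orphans, unmatched_users


if __name__ == "__main__":
    adopted, orphans, unmatched = adopt_accounts(ZSCALER_ACCOUNTS, VERIFY_USERS)
    print("adopted (zscaler id -> verify id):", adopted)
    print("orphan Zscaler accounts, review before relying on sync:", orphans)
    print("Verify users without a Zscaler account:", unmatched)
```

With the constructed data, account 1002 is adopted only because the comparison ignores case; with `case_insensitive=False` it becomes a second orphan. Orphans are exactly the accounts the admin should look at in the Account sync details: they keep whatever access they have in Zscaler but no Verify user's lifecycle will ever suspend or delete them.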

New User Provisioning to Zscaler

First, create a new user in IBM Security Verify and make sure they can log in.

Create New User

1. Log in to the IBM Security Verify tenant as an administrative user.
2. Go to Users & groups.
3. Click the Add user button.
4. Create a user. You can create any user you like (as long as it doesn't clash with existing ones). For example:
   - Identity Source: Cloud Directory
   - User name: zscaleruser01@ex.com (use the domain name that is registered or associated with the Zscaler identity provider)
   - Given name: User01
   - Surname: Zscaler
   - Email: a valid real email address
Figure 19. Add user dialog

5. Click the Save button, which creates the user and lists it in the Users table.
Figure 20. New user

Test the New User Can Login

The new user receives an initial password by email. Open the email client of the newly created user and look for an email indicating that a user has been created.
Figure 21. New user email

1. Open a new browser session, copy the link from the email, and log in with the username and password from the email.
2. When prompted, enter a New password and Confirm password and click the Change Password button.
3. Validate that the user is able to access the IBM Security Verify launchpad.
Figure 22. New user in IBM Security Verify

Provisioning Use Case

We have entitled the Zscaler User Group group with Automatic access for the Zscaler application. To provision a new Zscaler account for the newly created user, make the new user a member of the Zscaler User Group. Adding a user to this group triggers automatic provisioning of the Zscaler account.

Add User to Group

Return to the IBM Security Verify admin interface as the admin user; you should still have the window open from the previous steps.

1. Access the Users & groups section and click the Groups tab.
2. Hover over the Zscaler User Group group and click the Edit icon.
Figure 23. ISV Users & groups screen
3. Click the Add button beside Group Members.
4. Search for the name of the new user, which is listed in the Search results.

5. Select the listed user and click Select. This moves the user to Selected users & groups.
Figure 24. Select users & groups screen
6. Click the Done button to add them, then Save on the Edit Group dialog.
7. Go back to the Users tab, hover over your new user and click the User Details icon on the right.
8. Confirm the new user is in the Zscaler User Group group.
Figure 25. ISV user details

Check User is Provisioned to Zscaler

Now that the user has been added to the Zscaler User Group group, Security Verify triggers Zscaler's automatic user provisioning. The admin can monitor the user provisioning task.

1. Navigate to the Governance > Operation results tab.
Figure 26. Operations results tab
2. Validate the new user provisioning by logging in to Zscaler and navigating to Administration > Authentication > User Management.
Figure 27. ZIA User Management
3. Look for the newly provisioned user.
Figure 28. Newly provisioned user

4. Validate the user details:
   - The new user is listed in Zscaler with the correct user name.
   - Other user attributes are created as per the attribute mapping rules.

Check New User Can Access Zscaler via SSO

1. Access the SP-initiated URL to Zscaler (http://gateway.your.domain/test).
2. Provide the username.
Figure 29. Zscaler gateway login
3. Validate that the user is redirected to Security Verify for SSO.
4. Provide the username and password.
Figure 30. IBM Security Verify admin credentials

5. Validate that the user gets access to Zscaler.
Figure 31. Zscaler monitor test

De-Provisioning Use Case

Now do the reverse operation to test de-provisioning the user from Zscaler.

Remove User from Zscaler User Group

1. Return to the IBM Security Verify admin interface as the admin user.
2. Go to Users & groups and click the Groups tab.
3. Edit the Zscaler User Group group.
4. Select the newly added user and click the Remove button.
Figure 32. Security Verify Edit Group screen

5. Click the Save button.
6. As before, check the details of the user in the Users tab. There should not be any groups listed in the Groups section.
Figure 33. Users & Groups user details

The admin can monitor the user de-provisioning task. Navigate to the Governance > Operation results tab.
Figure 34. Operations results tab

Check that the user has been removed from Zscaler:
1. Return to the Zscaler Admin Portal and search with the username.
2. Check that no users are listed.
Figure 35. User Management tab

If the deprovision action configured in the Account lifecycle tab is Suspend, or Delete with a grace period that has not yet elapsed, the account may still appear in the search; check its status in that case rather than treating an empty result as the only proof of de-provisioning.

Zscaler App Role Management Use Cases

Permissions are managed through App Role Management, where a user can be added to Zscaler groups. These groups are fetched during account synchronization.

Assign User to the Zscaler Group Through Permissions

1. Log in to ISV as tenant admin.
2. From the admin console, navigate to App Role Management > Permissions.
3. Filter for your created Zscaler application and check the Zscaler groups.
Figure 36. App role management
4. Click any of the groups and click Manage membership.
Figure 37. Manage groups

5. Click Assign new users.
Figure 38. Assign new users
6. Search with the userName, select the user and click Add User.
Figure 39. Add user
7. The admin can monitor the group permission task. Navigate to the Governance > Operation results tab.
Figure 40. Operations results tab

Check the User is Added to the Zscaler Group from Zscaler

1. Return to Zscaler and search with the username (zscaleruser
