Zscaler ZPA SAML Single Sign-On (SSO)

This topic contains procedures to configure Zscaler ZPA for Single Sign-On (SSO) in CyberArk Identity using SAML.

Supported features

This application template supports the following features:

  • IdP-initiated SAML SSO - Access through the CyberArk Identity User Portal

  • SP-initiated SAML SSO - Access through the Zscaler ZPA web application

You can configure one or both methods.


To configure the Zscaler ZPA web interface for SSO, you need the following:

  • A Zscaler ZPA account with admin privileges.

  • Zscaler ZPA users who will access the Identity Administration portal through SSO.

Configure the Zscaler ZPA application template in the Identity Administration portal

Perform these steps in the Identity Administration portal to configure the Zscaler ZPA application template for SSO.

Step 1: Add the Zscaler ZPA web application template

  1. In the Identity Administration portal, select Apps & Widgets > Web Apps, then click Add Web Apps.

  2. On the Search page, enter the application name in the Search field and click the search button.

  3. Next to the application name, click Add.

  4. On the Add Web App page, click Yes to confirm.

  5. Click Close to exit the Application Catalog.

    The application opens to the Settings page.

Step 2: Configure the Settings page

  1. Set an app name, description, and logo if you want to change them.

  2. Fill in the Cloud Name and Org ID fields.

    You can get the Cloud Name and Org ID from the Zscaler ZPA web portal.

Step 3: Configure the Trust page

  1. Click Trust.

  2. In the Identity Provider Configuration section, select Metadata.

  3. Expand the Single Sign On URL drop-down menu and click Download Metadata File to download the file. You will need this file later when you configure Zscaler ZPA.

Step 4: Configure the SAML Response page

  1. Verify that the following attributes are present, with the Zscaler ZPA attribute name in the Attribute Name column and the CyberArk attribute in the Attribute Value column.

    Attributes are case-sensitive.

    Attribute Name    Attribute Value
    FirstName         user.firstName
    LastName          user.lastName
    Email             user.userName




    You can configure this in the application.

  2. Map any other attributes that you want to pass in the SAML response, then click Save.
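
The case-sensitive attribute check from Step 4, as an added example (not CyberArk or Zscaler code): the Python below reads a decoded SAML assertion from a test sign-in and reports whether FirstName, LastName, and Email arrive with exactly the names in the table. The sample assertion and the function name check_attributes are constructed for illustration, and the script does not validate the assertion's signature.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names from the table in Step 4; matching is case-sensitive.
REQUIRED = ("FirstName", "LastName", "Email")

# Constructed sample (not captured from a real tenant): "Firstname" is
# deliberately mis-cased and Email is present but carries no value.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="Firstname"><saml:AttributeValue>Alex</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Email"><saml:AttributeValue></saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def check_attributes(assertion_xml, required=REQUIRED):
    """Return {required name: status} for one decoded SAML assertion.

    Intended for assertions from your own test sign-in; ElementTree is not
    hardened against hostile XML.
    """
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        found[attr.get("Name")] = [v for v in values if v]
    # Index the names actually sent, lower-cased, to spot case mismatches.
    by_lower = {name.lower(): name for name in found if name}
    report = {}
    for name in required:
        if name in found:
            report[name] = "ok" if found[name] else "empty value"
        elif name.lower() in by_lower:
            report[name] = "wrong case: sent as " + by_lower[name.lower()]
        else:
            report[name] = "missing"
    return report


if __name__ == "__main__":
    for name, status in check_attributes(SAMPLE_ASSERTION).items():
        print(f"{name}: {status}")
```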

Step 5: Configure the Permissions page to grant Zscaler ZPA users SSO access

Grant SSO access to Zscaler ZPA by assigning permissions to users, groups, or roles. Add two users. One user must be an administrator who is mapped to the Zscaler role attribute, while the second user can have any role. The users must already exist in Zscaler ZPA.

Perform these steps to define permissions for each user.

  1. On the Permissions page, click Add.

    The Select User, Group, or Role window appears.

  2. Select the user(s), group(s), or role(s) that you want to give permissions to, then click Add.

    The added object appears on the Permissions page with View, Run, and Automatically Deploy permissions selected by default.

  3. Select the permissions you want, then click Save.

Step 6: Review and save

Review your settings to confirm your configuration. For example, you might want to verify that you selected the appropriate users, groups, or roles on the Permissions page. Click Save when you are satisfied.

Configure Zscaler ZPA for SAML single sign-on

Perform these steps in Zscaler ZPA to configure the Zscaler ZPA app template for SSO.

  1. Sign in to the Zscaler ZPA website as an admin user.

  2. Navigate to Administration > Authentication > IdP Configuration.

  3. Click Add IdP Configuration.

  4. Click Select File and upload the metadata file you saved earlier. See Configure the Trust page.

  5. Do the following steps:

    1. Enter the Name field as IdP Config Administrators.

    2. Switch the Single Sign-On toggle button to Administrator.

    3. Select the required domain.

    4. Click Save.

Configure the Identity Administration portal

  1. In the Identity Administration portal, select Apps & Widgets > Web Apps, then click Zscaler ZPA.

  2. On the Trust tab, in the Service Provider Configuration section, click Manual Configuration.

  3. Fill in the following fields:

    • SP Entity ID

    • Assertion Consumer Service (ACS) URL

    • Relay State URL

  4. Click Save to save the configuration and enable single sign-on.

Test the Zscaler ZPA SSO configuration

Now that you have finished configuring the application template settings in the Identity Administration portal and Zscaler ZPA, users can benefit from IdP-initiated and SP-initiated SSO.

To test IdP-initiated SSO:

  1. Sign in to CyberArk Identity.

  2. Click the Zscaler ZPA application to launch it in a new tab and automatically sign in.

To test SP-initiated SSO:

  1. Go to https://admin.private.zscaler.com.

  2. Select the Single Sign On using IdP checkbox.

  3. Enter your username.

  4. Click Sign in.

Additional information

For additional information, see the following Zscaler ZPA integration documents: