<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=7086586&amp;fmt=gif">
Skip to content
English
Contact us
  • There are no suggestions because the search field is empty.

How to configure Microsoft Entra ID as the OpenID Provider (OP) for the ZIdentity

This guide explains how to configure Microsoft Entra ID as the OpenID Provider (OP) for the ZIdentity via prebuilt app integration to facilitate SSO to various Zscaler services for admin access management.

Prerequisites

Ensure that you have:

  • A subscription to Entra ID.
  • An existing user directory in Entra ID.
  • A ZIdentity account with an admin role that allows you to add an IdP configuration using OIDC-based integration

  • A preferred choice of provisioning mode (JIT) as this determines the number of apps you need to configure in Entra ID — one app for JIT.

Configuring Microsoft Entra ID as OP for ZIdentity

To set up Microsoft Entra ID as an OP for ZIdentity:

  • 1. Configure app integration using the Zscaler app in the Entra ID gallery

  • 2. Set up Entra ID as an OP for ZIdentity

  • 3. Provision users for ZIdentity via JIT

 

1. Configure app integration using the Zscaler app in the Entra ID gallery

In Entra ID, in the left-side navigation, go to Identity > Applications > Enterprise applications. Click New application. In the Microsoft Entra Gallery window, search for zscaler

In the Zscaler app window, customize the app name, and click Create.

On the application details page, click Single sign-on and click Go to application.

  • On the App Registration page copy the Application (Client) ID and save it for future use

appID-1

  • Click on Endpoints, and locate the OpenID Connect metadata document field, and copy and save the URL for future use.

endp

In the left-side navigation, go to Manage > Branding & properties

In the Home page URL field, enter the ZIdentity Admin Portal URL along with the idp_id URL parameter. 

  • Home page URL if Entra ID is configured as your primary IdP in the ZIdentity Admin Portal: https://<your_domain>.zslogin.net/?idp_id=default
  • This works only if you are configuring Entra ID as your primary IdP.
  • to know what is <your_domain>, check on ZIdentity Admin Portal for Redirect URI domain.
In the left-side navigation, click Certificates & secrets, click New client secret.
  • In the Add a client secret window, enter a description, and click Add.
  • Copy the client secret value from the Value column and save it for future use.

In the left-side navigation, click API permissions.
  • Click Grant admin consent for <entra_ID_tenant_name>, then click Yes. Make sure the Status column shows the green checkmark.

In the left-side navigation, click Token configuration, click Add optional claim.

  • In the Add optional claim window:
  • Select ID as the token type, and from the list of claims, select email and preferred_username

Then click Add groups claim.

  • In the Edit groups claim window:
  • Under the Select group types to include in Access, ID, and SAML tokens section, select the Groups assigned to the application option.
  • Under the Customize token properties by type section, click ID to expand the ID subsection, and select the Group ID option.

The group claims are added.token1


In the left-side navigation, click Manifest.

In the Manifest window, update the required attributes in the graph manifest:

Using Microsoft Graph Manifest (Recommended):

  • Change the value of the acceptMappedClaims attribute to true.
  • Change the value of the requestedAccessTokenVersion attribute to 2.

Or using Azure AD Graph Manifest (we used):
  • Change the value of the acceptMappedClaims attribute to true.
  • Change the value of the accessTokenAcceptedVersion attribute to 2.


Navigate back to Enterprise Applications -> choose your app ZIdentity -> in the left-side navigation Users and groups.

In the Users and groups window, select the users and groups that you want to have access to the application.

 

In the left-side navigation, click Single sign-on.

In the Single sign-on window, locate Attributes & Claims, and click the Edit icon.

In the Attributes & Claims window, click Add new claim. The Manage claim window appears.

In the Manage claim window:

  • Name: Enter Department.
  • Source: Select Attribute.
  • Source attribute: Select user.department. Click Save.


 

2. Set up Entra ID as an OP for ZIdentity

Adding an IdP in the ZIdentity Admin Portal:

 

Log in to the ZIdentity Admin Portal.

Go to Integration > External Identities.

On the Basic tab:

  • Name: Enter a name for the IdP.
  • Identity Vendor: Select Microsoft Entra ID
  • Domain: Select the domain for which the IdP is responsible for authenticating the users.
  • Protocol: Select OIDC.
  • Status: Select Enabled.
  • Login ID Attribute: Enter an attribute to map it with the Login ID attribute. Zscaler recommends using the preferred_username as the Login ID attribute.


Under the OIDC Configuration section:

  • Paste the OpenID Connect metadata document value copied from the Entra Admin Center to the Metadata URL field and click Fetch.
  • Copy the Redirect URI value. This value is used in the client application in the Entra Admin Center.
  • Paste the Client ID and Client Secret values copied from the Entra Admin Center to the respective fields.

tok2

 

In the Entra Admin Center, the value copied from the Application (Client) ID field must be used for the Client ID field, and the value copied from the Value column in the Client secrets tab must be used for the Client Secret field.

 

Configuring the Platform Settings in the Entra Admin Center:

Go to the Entra Admin Center and go to the client application created for ZIdentity.

Go to Manage > Authentication

Under the Platform configurations section, click Add a platform. The Configure platforms window appears.

In the Configure platforms window:

  • Click Web.
  • Paste the Redirect URI
  • Click Configure.
 

3. Provision users for ZIdentity via JIT

In the ZIdentity Admin Portal, go to Integration > External Identities.

In the Edit Primary IdP window:
 

Go to the Provisioning tab.

Select Enable Just-in-time (JIT) Provisioning.

Enter groups as the Just-in-time User Group Attribute and map the Primary Email User Attribute with the email Just-in-time User Attribute.

Map other ZIdentity user attributes with the appropriate Entra ID attributes as necessary. By default, the following attributes in ID tokens are mapped with the corresponding user attributes in ZIdentity:

Click Update.
 

 

Setting Up IdP-Initiated SSO

You can log in to the ZIdentity Admin Portal via the IdP-initiated flow.

To log in to ZIdentity Admin Portal from the Entra ID's My Apps portal, first you need to create it. 

For URL, use the link from Home page URL in Entra.
 
The ZIdentity Admin Portal URL is opened in a new tab or window and you are logged in.