Warning: This document is a work in progress, and the information is not yet complete and might not be fully correct.

EmpowerID ZScaler Connector Overview

The EmpowerID Zscaler Connector streamlines application access management by integrating with Zscaler, a leading cloud-based security platform. This integration enables centralized control over application access, ensuring users connect only to authorized resources based on defined policies.

The connector begins by creating a detailed inventory of all applications in your environment, providing visibility into Zscaler’s application segments from within EmpowerID. Once these applications are defined in Zscaler, the connector allows you to configure and enforce access policies that determine which users or groups can access specific applications. This integration enables a seamless identity lifecycle management process, allowing administrators to define and manage applications directly from EmpowerID while enforcing security policies within Zscaler.

Key Capabilities

  • Restricted Access – Restricts access to only the ports an application actually needs, reducing the attack surface.
  • Segmented Policies – Uses ZScaler application segments to restrict user groups and prevent lateral movement.
  • Advanced Security Features – Supports Browser Access, Isolation, App Protection, and Data Loss Prevention.
  • Role-Based Access Control (RBAC) – Enables detailed policy enforcement based on user roles, device posture, trusted networks, Cloud Connector Groups, Machine Groups, and SCIM/SAML attributes.

With EmpowerID’s ZScaler Connector, only authorized users from compliant devices and trusted locations can access applications, reinforcing a zero-trust security model that helps mitigate the risk of unauthorized access and data breaches.

Architecture Overview

The ZScaler Connector consists of several components that interact to manage and secure application access:

EmpowerID ZScaler Connector

Handles inventory and record management for supported ZScaler resources, capturing changes incrementally to optimize performance. It supports full CRUD (Create, Read, Update, Delete) operations for ZScaler application segments and access policies.

ZScaler

A Secure Access Service Edge (SASE) platform that integrates networking and security controls into a cloud-based solution. The connector enables centralized management of ZScaler data within EmpowerID.

ZScaler Azure IDP

Requires ZScaler to be configured with an Azure tenant as its Identity Provider (IDP), and that Azure tenant to be registered as an Account Store in EmpowerID. This configuration allows EmpowerID to inventory and manage resources within ZScaler.

Azure Blob Storage

Stores unique identifiers of Azure SCIM groups provisioned into ZScaler Private Access (ZPA), simplifying SCIM group assignment management. This ensures that SCIM groups align with EmpowerID Azure groups inventoried through the Azure SCIM account store.

Resource System Registration Process

The ResourceSystemRegistration component is responsible for linking and managing the Account Store and associated systems in EmpowerID. This process ensures that resources are configured correctly while avoiding duplication.

How It Works

  1. Checks for Existing Resources – The component first checks if an Account Store, Security Boundary, and Resource System with the specified name already exist.

  2. Reuses Existing Resources – If records are found, they are reused instead of creating duplicates.

  3. Creates Missing Components – If any required component does not exist, a new record is created.

  4. Establishes Foreign Key Links – Ensures all relationships between the Account Store, Security Boundary, and Resource System are properly linked.

  5. Applies Configuration Settings – Any outdated values are removed, and new configuration settings are applied using the Resource System ID. If a field is left empty, its corresponding setting is deleted.

    Example: If an existing Account Store Name is used, EmpowerID avoids duplication by reusing the existing Account Store ID instead of creating a new one for configuration.

    This process streamlines integration and ensures efficient management of Zscaler resources within EmpowerID.
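The five registration steps above, modelled as an added example (not EmpowerID's own code) over a constructed in-memory stand-in for the Account Store, Security Boundary and Resource System tables; the class and field names are assumptions. Calling the function twice with the same name reuses the existing rows, and an empty field deletes its setting rather than storing a blank.

```python
# Added example (not EmpowerID's code): an idempotent model of the
# ResourceSystemRegistration steps over an in-memory stand-in for the
# EmpowerID tables. Class and field names are assumptions.

class EmpowerIdTables:
    """Constructed in-memory stand-in for the Account Store, Security
    Boundary and Resource System tables plus their settings."""

    def __init__(self):
        self.account_stores = {}       # name -> AccountStoreID
        self.security_boundaries = {}  # name -> SecurityBoundaryID
        self.resource_systems = {}     # name -> ResourceSystemID
        self.links = {}                # ResourceSystemID -> foreign keys
        self.settings = {}             # (ResourceSystemID, key) -> value
        self._next_id = 1

    def find_or_create(self, table, name):
        """Steps 1-3: reuse the row with this name, or create it."""
        if name in table:
            return table[name], True
        table[name] = self._next_id
        self._next_id += 1
        return table[name], False


def register_resource_system(tables, name, config):
    """Runs steps 1-5 for one Account Store name; safe to call repeatedly."""
    acct_id, acct_reused = tables.find_or_create(tables.account_stores, name)
    sb_id, _ = tables.find_or_create(tables.security_boundaries, name)
    rs_id, _ = tables.find_or_create(tables.resource_systems, name)
    # Step 4: establish the foreign-key links on the Resource System.
    tables.links[rs_id] = {"AccountStoreID": acct_id,
                           "SecurityBoundaryID": sb_id}
    # Step 5: apply settings keyed by ResourceSystemID; an empty field
    # deletes the corresponding setting instead of storing a blank.
    for key, value in config.items():
        if value is None or value == "":
            tables.settings.pop((rs_id, key), None)
        else:
            tables.settings[(rs_id, key)] = value
    return {"ResourceSystemID": rs_id, "AccountStoreID": acct_id,
            "SecurityBoundaryID": sb_id, "AccountStoreReused": acct_reused}


def current_settings(tables, rs_id):
    """Settings currently applied to one Resource System."""
    return {k: v for (rid, k), v in tables.settings.items() if rid == rs_id}
```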

Interaction Flow

  1. Authentication – EmpowerID retrieves client credentials (client ID and client secret) to obtain an OAuth 2.0 access token via ZScaler’s Client Credentials grant type. This token authenticates API calls.
  2. Inventory ZScaler Resources – EmpowerID makes API calls to collect an inventory of ZScaler resources. Changes in resource data trigger updates, with SCIM group identifiers stored in Azure Blob Storage for streamlined management.
  3. Policy Enforcement – Access policies defined in EmpowerID apply security rules to users, devices, and groups within ZScaler application segments.

Authentication Details

The EmpowerID ZScaler Connector leverages OAuth 2.0 Client Credentials Grant for authentication, ensuring a secure and efficient process without requiring user interaction.

  • EmpowerID exchanges stored client credentials (client ID and client secret) with ZScaler’s authorization server.
  • The server issues an access token, which is used to authorize API requests for managing and inventorying ZPA resources.
  • This authentication method supports secure, automated integration, allowing EmpowerID to enforce identity-driven policies within ZScaler seamlessly.
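The Client Credentials exchange described in the Interaction Flow and Authentication Details sections, as an added example that is not EmpowerID's or Zscaler's code: a constructed stand-in for the authorization server validates the client ID and secret and issues a bearer token, and a connector-side helper caches that token and renews it shortly before expiry so inventory calls do not re-authenticate on every request. Class names, the token lifetime and the response shape are assumptions.

```python
# Added example (not EmpowerID's or Zscaler's code): the client-credentials
# exchange from the connector's side, with a constructed stand-in for the
# authorization server. Names, response shape and lifetimes are assumptions.
import hmac
import secrets
import time


class MockAuthServer:
    """Constructed authorization server: validates client_id/client_secret
    and issues short-lived bearer tokens."""

    def __init__(self, client_id, client_secret, ttl_seconds=3600):
        self._client_id = client_id
        self._client_secret = client_secret
        self.ttl_seconds = ttl_seconds
        self.issued = {}  # token -> expiry (epoch seconds)

    def token(self, form, now):
        if form.get("grant_type") != "client_credentials":
            return 400, {"error": "unsupported_grant_type"}
        # Constant-time comparison so the check does not leak the secret.
        ok = (hmac.compare_digest(form.get("client_id", ""), self._client_id)
              and hmac.compare_digest(form.get("client_secret", ""), self._client_secret))
        if not ok:
            return 401, {"error": "invalid_client"}
        tok = secrets.token_urlsafe(32)
        self.issued[tok] = now + self.ttl_seconds
        return 200, {"access_token": tok, "token_type": "Bearer",
                     "expires_in": self.ttl_seconds}


class ConnectorAuth:
    """Caches the access token and renews it shortly before expiry, so each
    inventory or policy call reuses one token instead of re-authenticating."""

    def __init__(self, server, client_id, client_secret, clock=time.time, skew=60):
        self._server, self._clock, self._skew = server, clock, skew
        self._creds = {"grant_type": "client_credentials",
                       "client_id": client_id, "client_secret": client_secret}
        self._token, self._expires_at = None, 0.0

    def bearer_header(self):
        """Authorization header for an API request; renews the token if needed."""
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._skew:
            status, body = self._server.token(self._creds, now)
            if status != 200:
                raise PermissionError(f"token request failed: {body['error']}")
            self._token = body["access_token"]
            self._expires_at = now + body["expires_in"]
        return {"Authorization": f"Bearer {self._token}"}
```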

By implementing EmpowerID’s ZScaler Connector, organizations gain centralized visibility and control over application access, ensuring compliance with security policies while enhancing operational efficiency.

Further reading

ZScaler Connector Features and Jobs