Connecting to Zscaler

This article provides step-by-step instructions for integrating EmpowerID with Zscaler. Before proceeding, complete the prerequisite steps and review the Key Configuration section to understand the required settings.

warning

This document is a work in progress, and the information is not yet complete and might not be fully correct.

Procedure

Step 1 - Configure the Zscaler Instance

Before connecting EmpowerID, you must configure two key settings in Zscaler:

1. Configure Azure IDP

Ensure that an Azure Identity Provider (IDP) is configured in Zscaler. This setup enables Azure group-based access policies in Zscaler.

For detailed setup instructions, refer to the Microsoft documentation.

2. Enable Automatic Provisioning

Enable automatic provisioning of users and groups from your Azure tenant into Zscaler.

For step-by-step instructions, refer to the provisioning tutorial.

Step 2 - Configure an Account Store in EmpowerID

Before proceeding, ensure that:

  • Your Azure tenant is configured as an IDP in Zscaler.
  • An Account Store is created in EmpowerID.

EmpowerID can inventory and manage Zscaler resources only if the tenant is configured as an account store. Follow the EmpowerID documentation to set up an Azure (Entra ID) Account Store.

Step 3 - Create an Account Store for Zscaler

Now that Zscaler and EmpowerID are configured, you can create an Account Store in EmpowerID to establish the connection to Zscaler. When you create an Account Store, EmpowerID automatically handles linking and configuration to prevent duplication. See the Resource System Registration Process section of the overview article for more details on how this process works in the background.

To create a Zscaler Account Store:

  1. Navigate to Resource Admin.
  2. Click on Applications and select Onboard Zscaler Application.
  3. Follow the wizard workflow, entering the required details below.

Required Zscaler Account Store Settings

  • Account Store Name: A user-friendly name to identify the account store.
  • Access Token URL: The Zscaler endpoint URL for authentication.
  • Azure Store Connection String: Connection string for storing Zscaler Azure Group IDs and system identifiers.
  • Client API Key: The API key provided by Zscaler for authentication. Stored in encrypted format for security.
  • Client Secret: Secret associated with the API key. Used to obtain an access token.
  • Customer ID: Unique identifier for the Zscaler instance. Required for multi-tenant environments.
  • Zscaler Base URL: The base URL for Zscaler API calls (e.g., https://zsapi.zscaler.net).

info

The Client Key and Secret values are stored securely and decrypted only when needed for authentication.

Step 4 – Verify Resource System Configuration Parameters

Once the Account Store is created, it automatically generates default resource system configurations. You can review and modify these settings if needed.

To verify and update configuration settings:

  1. Go to Admin > Applications and Directories > Account Stores and Systems.
  2. Click the Account Stores tab.
  3. Search for your Zscaler Account Store and click its name.
  4. On the Account Store and Resource System page, select the Resource System tab.
  5. Expand the Configuration Parameters section.

Editing Configuration Parameters

  • To modify a parameter, click Edit, update the value, and click Save.
  • Some system parameters are fixed and cannot be modified in the UI. These include:
    • AzureTenantID
    • CreateOrUpdateAccessPolicyJsonTemplate
    • CreateOrUpdateApplicationSegmentJsonTemplate
    • CustomerId
    • IdpId
    • PageSize

Zscaler Resource System Configuration Parameters

  • AccessTokenUrl: The specific endpoint URL within Zscaler used to request an access token for API call authentication.
  • AzureStorageConnectionString: The connection string for the Azure storage location containing Zscaler Azure Group IDs and external system identifiers utilized during inventory.
  • AzureTenantID: A unique identifier for the Azure Active Directory tenant you intend the Zscaler account store or connector to manage.
  • ClientKey: A client key provided by Zscaler for client authentication. This value is stored securely and used to authenticate API requests.
  • ClientSecret: The client secret associated with the ClientKey. This secret, along with the client key, is used to authenticate the client application and obtain an access token.
  • CreateOrUpdateAccessPolicyJsonTemplate: A JSON template defining how to create or update access policies within Zscaler. Default value:
    { "name": "", "action": "", "conditions": [ { "operands": [ { "objectType": "APP", "lhs": "id", "rhs": "" } ] }, { "operands": [ { "objectType": "SCIM_GROUP", "lhs": "", "rhs": "" } ], "operator": "" } ] }
  • CreateOrUpdateApplicationSegmentJsonTemplate: A JSON template used for creating or updating application segments in Zscaler. Default value:
    { "name": "", "enabled": "", "domainNames": [], "serverGroups": [], "segmentGroupId": "", "description": "", "tcpPortRange": [], "udpPortRange": [], "ipAnchored": "", "doubleEncrypt": "", "bypassOnReauth": "", "healthReporting": "", "isCnameEnabled": "", "selectConnectorCloseToApp": "", "bypassType": "", "icmpAccessType": "" }
  • CustomerID: A unique identifier representing your specific customer account within the Zscaler instance. This is essential for distinguishing between different customers or tenants in multi-tenant environments.
  • IdpId: The Identity Provider ID used for identification and integration within the Zscaler configuration.
  • IsIncrementalInventory: A flag indicating whether the inventory process is incremental. When enabled (default), only changes since the last inventory are retrieved, improving efficiency by reducing data transfer. Note that Zscaler does not offer searching by date; EmpowerID implements this filtering within its own database.
  • IsPagedUsingToken: A flag indicating whether pagination uses a token. By default, this value is set to false.
  • PageSize: Defines the size of each data page retrieved during API calls. This determines the number of records fetched per call, with a default value of 100.
  • ZscalerBaseUrl: The base URL for Zscaler configuration, acting as the root endpoint for making API calls (e.g., https://config.private.zscaler.com).
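As an added example (not EmpowerID's or Zscaler's own code), the following Python fills the CreateOrUpdateAccessPolicyJsonTemplate above and refuses to produce a policy while any placeholder is still blank, so a half-filled template is caught before it reaches the Zscaler API. Which template field receives which identifier (application id, IdpId, SCIM group id) is an assumption stated in the code, and the sample identifiers are constructed.

```python
import copy
import json

# CreateOrUpdateAccessPolicyJsonTemplate exactly as the page documents it.
ACCESS_POLICY_TEMPLATE = json.loads(
    '{ "name": "", "action": "", "conditions": [ { "operands": [ { "objectType": "APP", '
    '"lhs": "id", "rhs": "" } ] }, { "operands": [ { "objectType": "SCIM_GROUP", '
    '"lhs": "", "rhs": "" } ], "operator": "" } ] }'
)


def blank_paths(node, path="$"):
    """Return JSON paths of every string in `node` that is still an empty placeholder."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            found += blank_paths(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            found += blank_paths(value, f"{path}[{index}]")
    elif isinstance(node, str) and node == "":
        found.append(path)
    return found


def build_access_policy(name, action, app_id, idp_id, scim_group_id, operator="OR"):
    """Fill the template and refuse to return a policy with any placeholder left blank.

    Field assignment is an assumption for this example: the APP operand's rhs takes the
    application segment id; the SCIM_GROUP operand's lhs takes the IdpId and its rhs the
    SCIM group id. Confirm against the Zscaler API reference before relying on it.
    """
    policy = copy.deepcopy(ACCESS_POLICY_TEMPLATE)  # never mutate the shared template
    policy["name"] = name
    policy["action"] = action
    app_condition, group_condition = policy["conditions"]
    app_condition["operands"][0]["rhs"] = app_id
    group_condition["operands"][0]["lhs"] = idp_id
    group_condition["operands"][0]["rhs"] = scim_group_id
    group_condition["operator"] = operator
    missing = blank_paths(policy)
    if missing:
        raise ValueError(f"access policy still has blank fields: {missing}")
    return policy


if __name__ == "__main__":
    # Constructed sample identifiers, not real Zscaler values.
    print(json.dumps(build_access_policy("finance-app", "ALLOW", "app-1", "idp-1", "grp-1"), indent=2))
```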

Step 5 – Ensure Inventory & Component Jobs are Running

  • Enable Component Job