The following steps configure Zscaler Private Access (ZPA) to use inWebo as a SAML Identity Provider, so that users are authenticated with multi-factor authentication.
Zscaler Private Access SSO Configuration (step 1/2)
The first step is to connect to your ZPA admin portal (https://admin.private.zscaler.com/) and navigate to Administration -> Authentication -> IdP Configuration.
Then select “Add IdP Configuration” at the top right corner.
Start the configuration wizard by choosing “User” as the Single Sign-On type and selecting the domain that will trigger inWebo authentication (users whose login belongs to this domain are sent to inWebo).
In the second step of the wizard, download the Service Provider (SP) metadata; you will paste it into the inWebo portal to configure ZPA as a Service Provider.
Once steps 1 and 2 are done, pause the wizard at step 3 (Create IdP): you first have to configure the SP in the inWebo admin portal and collect the inWebo IdP metadata, which step 3 requires.
Configure SAML connector on inWebo platform
In the inWebo Administration console, select the "secure sites" tab and add a SAML 2.0 connector in the "connectors” section.
Open the metadata file downloaded from the Zscaler console, paste its content into section 1 of the connector and click “Save”.
Once the SAML connector is created go back to section 1 and click on “Download inWebo IdP SAML 2.0 metadata in XML format” to download the inWebo metadata file.
To give users a smoother authentication flow, set “Push Authentication” to Yes. Configure section 3 so that the SAML attributes Zscaler expects are sent in the assertion. Click “Update”.
Choose the NameID value according to your configuration (User login or User email). Zscaler's best practice is to use an email address with a domain name rather than a bare login name; the NameID is the identifier ZPA records for the user, so use the same attribute for every user.
Click on “Download inWebo IdP SAML 2.0 metadata in XML format” and keep it for the next steps to configure ZPA.
In the “Secure Site” column, click “Add a Secure Site of type” and select the SAML connector you configured above. The Called URL can point to one of the ZPA-protected applications or any other URL relevant in your context: it only sets a bookmark for the user on their myInWebo portal and has no impact on security.
Zscaler Private Access SSO Configuration (step 2/2)
Once inWebo is configured and the IdP metadata file downloaded, you can use it to finish the SSO configuration started in the first step of this guide. Return to the ZPA admin portal, navigate to Administration -> Authentication -> IdP Configuration and resume the inWebo IdP configuration. You should land on the final step, which asks you to upload the IdP metadata file (XML). Once the metadata is uploaded, make sure that all fields have been filled in: Certificate, Sign-On URL and IdP Entity ID.
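Both metadata files are exchanged by hand in this procedure, and a truncated paste or an export taken before the connector was saved is the usual reason the ZPA wizard shows an empty Certificate, Sign-On URL or Entity ID field. The script below is an added example (it is not Zscaler or inWebo code) that parses a SAML 2.0 EntityDescriptor with the Python standard library and reports the fields the other side needs: for the SP metadata from step 2 of the ZPA wizard, the entity ID and HTTPS AssertionConsumerService URL; for the inWebo IdP metadata, the entity ID, the SingleSignOnService URL, the signing certificate fingerprint and whether the emailAddress NameID format is advertised. The embedded metadata and certificate are constructed samples, not real ZPA or inWebo exports.

```python
"""Sanity-check SAML 2.0 metadata before pasting/uploading it to the other portal.

Added example, not code from Zscaler or inWebo. Standard library only.
The sample metadata below is constructed; the "certificate" is an arbitrary
base64 blob used to exercise the fingerprint code, not a real X.509 certificate.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def _cert_fingerprint(b64_body: str) -> str:
    """SHA-256 hex fingerprint of an X509Certificate element body (base64 DER)."""
    der = base64.b64decode("".join(b64_body.split()))
    return hashlib.sha256(der).hexdigest()


def summarize_metadata(xml_text: str) -> dict:
    """Return the fields each side needs plus a list of problems (empty when complete)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    info = {"entity_id": root.get("entityID"), "role": None, "problems": []}
    if not info["entity_id"]:
        info["problems"].append("missing entityID")

    idp = root.find("md:IDPSSODescriptor", NS)
    sp = root.find("md:SPSSODescriptor", NS)
    if idp is not None:  # what ZPA needs from inWebo: Entity ID, Sign-On URL, Certificate
        info["role"] = "IdP"
        sso = [e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)
               if e.get("Binding") in (REDIRECT, POST)]
        info["sso_urls"] = sso
        if not sso:
            info["problems"].append("no HTTP-Redirect/POST SingleSignOnService")
        if not all(u.startswith("https://") for u in sso):
            info["problems"].append("SingleSignOnService not HTTPS")
        certs = [k.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
                 for k in idp.findall("md:KeyDescriptor", NS)
                 if k.get("use") in (None, "signing")]  # no "use" means signing+encryption
        certs = [c for c in certs if c]
        info["signing_cert_sha256"] = [_cert_fingerprint(c) for c in certs]
        if not certs:
            info["problems"].append("no signing certificate")
        formats = [e.text for e in idp.findall("md:NameIDFormat", NS)]
        info["nameid_formats"] = formats
        if EMAIL_FMT not in formats:
            info["problems"].append("emailAddress NameID format not advertised")
    elif sp is not None:  # what inWebo needs from ZPA: Entity ID and ACS URL
        info["role"] = "SP"
        acs = [e.get("Location") for e in sp.findall("md:AssertionConsumerService", NS)]
        info["acs_urls"] = acs
        if not acs:
            info["problems"].append("no AssertionConsumerService")
        if not all(u.startswith("https://") for u in acs):
            info["problems"].append("AssertionConsumerService not HTTPS")
        info["wants_signed_assertions"] = sp.get("WantAssertionsSigned") == "true"
    else:
        info["problems"].append("neither IDPSSODescriptor nor SPSSODescriptor present")
    return info


# Constructed samples (hostnames under .invalid are placeholders, not real endpoints).
FAKE_CERT_B64 = base64.b64encode(b"constructed sample, not a real certificate").decode()
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.invalid/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.invalid/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.invalid/auth/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/auth/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for sample in (SAMPLE_SP_METADATA, SAMPLE_IDP_METADATA):
        report = summarize_metadata(sample)
        print(report["role"], report["entity_id"], report["problems"] or "OK")
```

Run it against the real files (`summarize_metadata(open("zpa-sp-metadata.xml").read())`) and treat a non-empty `problems` list as a reason to re-export rather than to fix fields by hand in the wizard; the certificate fingerprint is also worth noting down, since a future inWebo certificate rotation means uploading fresh metadata to ZPA.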
Once this step is validated, test the configuration and import the SAML attributes by clicking “Import Attributes” on the following screen:
You will be challenged for inWebo authentication. Complete the authentication steps as follows:
Step 1: Enter your inWebo username and click “OK”.
Step 2: Accept the authentication request by entering your PIN.
Once both steps are done and the authentication has succeeded, review the imported attributes, then click “Save”.
The attributes are saved in the SAML Attributes section, as shown below:
Zscaler Client Connector Configuration
Make sure you enable the following option in the Mobile Admin Portal (Zscaler Client Connector) to improve the user experience during the inWebo authentication steps.
End User Authentication Experience
Open Zscaler Client Connector and enter your credentials. This step can be skipped if you install Zscaler Client Connector with the domain and cloud parameters pre-set. If both ZIA and ZPA are enabled for that domain name (e.g. crepain.zscloud.net), there are two authentication steps, one for ZIA and one for ZPA; if the same IdP is configured for both, the user should be challenged only once.
Once these steps are completed, ZCC should show Authenticated and Connected for the ZPA service: