Zscaler
Guideline for ADFS -
IDP SAML Certificate Renew/Update
TABLE OF CONTENTS
Pre-Test Before Renewing IDP SAML Certificate
Export the IdP SAML SSL Certificate
Administration > Authentication Settings > Identity Providers
Verification & Post-Testing
SAML IDP cert Expiration date Verification
Post-Testing After renewal of IDP SAML Certification
Re-Authenticate / Re-enroll
Pre-Test Before Renewing IDP SAML Certificate
Remove user enrolment
Before uploading a certificate or renewing the IdP SAML certificate, it is recommended to run this short test to confirm that your current authentication is working correctly. Before starting the test, log the user off from Zscaler Client Connector (ZCC).
1) Go to Enrolled Devices in the Zscaler Client Connector Portal.
2) Select a user that is available for testing.
3) Select that user's current enrolment.
4) Click Force Remove to remove the user's enrolment.
Re-Authenticate / Re-enroll
Next, open Zscaler Client Connector on your PC or laptop and log in with the user ID whose enrolment you removed in the previous step. If the user can log in, the current authentication is working correctly.
Confirm that the user is able to log in and that the enrolment details appear again in the Zscaler Client Connector Portal after re-enrolment.
ADFS SAML Cert
Export the IdP SAML SSL Certificate
To export the ADFS token-signing certificate that you will upload to the Zscaler service:
- In the left navigation panel of the AD FS window, expand the Service folder, and then click the Certificates folder.
- In the Certificates panel, right-click the certificate under Token-signing, and click View Certificate...
- In the Certificate window, select the Details tab, and click Copy to File...
- When the Certificate Export Wizard appears, click Next.
- In Export File Format, select Base-64 encoded X.509 (.CER), and click Next.
- In File to Export, click Browse to navigate to the location where you want to export the certificate, enter a certificate name, and then click Next. In this example, the certificate is called adfsadmin.
- When the export is complete, click Finish, and then click OK to close the Certificate Export Wizard.
- Click OK to close the Certificate window.
- Go to the exported certificate, and ensure the following:
  - The certificate file name has a .pem extension. (For example, rename adfsadmin.cer to adfsadmin.pem.) The Zscaler service accepts certificates with the .pem extension only.
  - The file name contains one dot (".") only.
You will upload this IdP SAML SSL certificate to the ZIA Admin Portal.
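The wizard steps above can also be done from PowerShell on the AD FS server, which makes the two file-naming rules (.pem extension, exactly one dot) easy to enforce and gives you the certificate's expiration date to compare against the ZIA Admin Portal after upload (the check described under "SAML IDP cert Expiration date Verification" below). The following is an added example, not a script from the Zscaler guide or from Zscaler; it assumes the AD FS PowerShell module is installed, that it is run by an AD FS administrator, and that the folder C:\Temp and the base name adfsadmin (the same example name the guide uses) are placeholders you will change.

```powershell
# Added example (not from the Zscaler guide): export the primary AD FS token-signing
# certificate as Base-64 encoded X.509 with a .pem extension, check the naming rules
# the guide states, and report the expiration date to verify in the ZIA Admin Portal.
# Assumptions: run on the AD FS server as an AD FS administrator; $OutDir and $BaseName
# are example values.
Import-Module ADFS

$OutDir   = 'C:\Temp'      # assumed export folder
$BaseName = 'adfsadmin'    # example base name; it must not contain a dot itself

# Zscaler validates SAML assertions against the PRIMARY token-signing certificate.
$tokenSigning = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
if (-not $tokenSigning) { throw 'No primary Token-Signing certificate found.' }
$cert = $tokenSigning.Certificate   # X509Certificate2 object

# Build the same output as the wizard's "Base-64 encoded X.509 (.CER)" option:
# DER bytes, Base64 with line breaks, wrapped in PEM markers.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($der, [Base64FormattingOptions]::InsertLineBreaks) +
       "`r`n-----END CERTIFICATE-----`r`n"

# Guide's rules: .pem extension, and exactly one dot in the file name.
$FileName = "$BaseName.pem"
if ([regex]::Matches($FileName, '\.').Count -ne 1) {
    throw "File name '$FileName' must contain exactly one dot."
}
$Path = Join-Path $OutDir $FileName
[System.IO.File]::WriteAllText($Path, $pem, [System.Text.Encoding]::ASCII)

# Re-read the exported file to confirm it parses as a certificate and to show the
# values to compare with the IdP SAML certificate expiration date in the ZIA Admin Portal.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
[PSCustomObject]@{
    File       = $Path
    Subject    = $check.Subject
    Thumbprint = $check.Thumbprint
    NotBefore  = $check.NotBefore
    NotAfter   = $check.NotAfter     # expiration date the ZIA portal should show after upload
    DaysLeft   = [int]($check.NotAfter - (Get-Date)).TotalDays
}
```

The script filters on IsPrimary deliberately: when AD FS automatic certificate rollover is enabled, a newly generated token-signing certificate first appears as the secondary certificate and is promoted to primary later, so export the certificate that is (or will be) primary at the time the Zscaler service validates assertions, and re-run the check after promotion. The Thumbprint and NotAfter values in the output are what you compare against the Edit IdP page after uploading.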
Administration > Authentication Settings > Identity Providers
1) Go to Administration > Authentication Settings > Identity Providers, select your IdP, and click Edit to open the Edit IdP page.
2) Upload the .pem certificate you exported from your IdP server.
3) Verify that the expiration date has been updated.
4) Save and activate the change.
Verification & Post-Testing
SAML IDP cert Expiration date Verification
Go to Administration > Authentication Settings > Identity Providers, locate your IdP and click Edit, then check that the IdP SAML certificate expiration date has been updated to that of the new certificate.
Post-Testing After renewal of IDP SAML Certification
This repeats the pre-test.
It is recommended to repeat the same steps as the pre-test. Before starting the test, log the user off from Zscaler Client Connector (ZCC).
1) Go to Enrolled Devices in the Zscaler Client Connector Portal.
2) Select a user that is available for testing.
3) Select that user's current enrolment.
4) Click Force Remove to remove the user's enrolment.
Re-Authenticate / Re-enroll
Next, open Zscaler Client Connector on your PC or laptop and log in with the user ID whose enrolment you removed in the previous step. If the user can log in, the certificate renewal was completed correctly.
Confirm that the user is able to log in and that the enrolment details appear again in the Zscaler Client Connector Portal after re-enrolment.