Zscaler
Guideline for ADFS - IDP SAML Certificate Renew/Update

TABLE OF CONTENTS

Pre-Test Before Renewing IDP SAML Certificate
    Remove user enrolment
    Re-Authenticate / Re-enroll
ADFS SAML Cert
    Export the IdP SAML SSL Certificate
    Administration > Authentication Settings > Identity Providers
Verification & Post-Testing
    SAML IDP cert Expiration date Verification
    Post-Testing After renewal of IDP SAML Certification
    Re-Authenticate / Re-enroll

Pre-Test Before Renewing IDP SAML Certificate

Remove user enrolment

Before uploading a certificate or renewing the IDP SAML certificate, it is recommended to run this short test to confirm that your current authentication is working correctly. Before starting the test, log the test user off from Zscaler Client Connector (ZCC).

 1) Go to Enrolled Devices in the Zscaler Client Connector Portal.

 2) Select a user that is available for testing.

 3) Select that user's current enrolment.

 4) Click Force Remove to remove the user's enrolment.

Re-Authenticate / Re-enroll

Next, open Zscaler Client Connector on your PC/laptop and log in with the user ID whose enrolment you just removed. If the user can access the service, the current authentication is working correctly.

Confirm that the user can log in and that the new enrolment appears in the Zscaler Client Connector Portal after re-enrolment.

ADFS SAML Cert

Export the IdP SAML SSL Certificate

To export the ADFS token-signing certificate that you will upload to the Zscaler service:

  1. In the left navigation panel of the AD FS window, expand the Service folder, and then click the Certificates folder.

B. Exporting the Certificate

  1. In the Certificates panel, right-click the certificate under Token-signing, and click View Certificate…

  2. In the Certificate window, select the Details tab, and click Copy to File…

  3. When the Certificate Export Wizard appears, click Next.

  4. In Export File Format, select Base-64 encoded X.509 (.CER), and click Next.

  5. In File to Export, click Browse to navigate to the location where you want to export the certificate, enter a certificate name, and then click Next. In this example, the certificate is called adfsadmin.

  6. When the export is complete, click Finish, and then click OK to close the Certificate Export Wizard.

  7. Click OK to close the Certificate window.

  8. Go to the exported certificate, and ensure the following:
    • The certificate file name has a .pem extension. (For example, rename adfsadmin.cer to adfsadmin.pem.) The Zscaler service accepts certificates with the .pem extension only.
    • The file name contains one dot (".") only.

You will upload this IdP SAML SSL certificate to the ZIA Admin Portal.

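As an added example (not part of the original Zscaler guideline, and not Zscaler or Microsoft code), the following PowerShell performs the same export non-interactively on the AD FS server and checks the two file-name rules above before the upload. It uses the ADFS module's Get-AdfsCertificate cmdlet, which is installed with the AD FS role; the output path C:\Temp\adfsadmin.pem and the function names are assumptions for this example.

```powershell
# Added example, not from the Zscaler guideline: export the primary AD FS
# token-signing certificate as a Base-64 (PEM) file, then check the file-name
# rules the guideline states before the file goes to the ZIA Admin Portal.
# Assumes it runs on an AD FS server where the ADFS module is available.
Import-Module ADFS

function Export-AdfsTokenSigningPem {
    param(
        [Parameter(Mandatory)][string]$OutputPath   # assumed path, e.g. C:\Temp\adfsadmin.pem
    )
    # The primary token-signing certificate is the one AD FS currently signs SAML assertions with.
    $signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
    if (-not $signing) { throw "No primary token-signing certificate found." }

    # Export the public certificate only (no private key) as DER, then Base-64 wrap it
    # in PEM armour. This is the same content the wizard writes for
    # 'Base-64 encoded X.509 (.CER)'.
    $der = $signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $b64 = [Convert]::ToBase64String($der, [Base64FormattingOptions]::InsertLineBreaks)
    $pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----`r`n"
    Set-Content -Path $OutputPath -Value $pem -Encoding Ascii -NoNewline
    return $signing.Certificate
}

function Test-ZscalerPemFileName {
    param([Parameter(Mandatory)][string]$Path)
    # Rule 1: the extension must be .pem. Rule 2: exactly one dot in the file name.
    $name = [System.IO.Path]::GetFileName($Path)
    $dots = ($name -split '\.').Count - 1
    $ok = $true
    if ($name -notlike '*.pem') { Write-Warning "'$name' must use the .pem extension."; $ok = $false }
    if ($dots -ne 1) { Write-Warning "'$name' must contain exactly one dot (found $dots)."; $ok = $false }
    return $ok
}

function Show-CertificateValidity {
    param([Parameter(Mandatory)][string]$Path)
    # Re-read the file that was written, so the check reflects what will be uploaded.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint          # should match the AD FS Certificates folder
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter            # the Expiration Date the ZIA portal should show
        DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
    }
}

$out = 'C:\Temp\adfsadmin.pem'   # assumed path; adfsadmin is the guideline's example name
Export-AdfsTokenSigningPem -OutputPath $out | Out-Null
if (Test-ZscalerPemFileName -Path $out) {
    Show-CertificateValidity -Path $out | Format-List
}
```

The NotAfter value it prints is the date the Expiration Date field in the ZIA Admin Portal should show once the file is uploaded, and the Thumbprint should match the token-signing certificate listed in the AD FS Certificates folder. If AD FS automatic certificate rollover is enabled, the certificate you need is whichever is marked primary on the day you export, so run this after the rollover has completed rather than before.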
Administration > Authentication Settings > Identity Providers

 1) Open the IdP settings: Administration > Authentication Settings > Identity Providers > select your IdP and click Edit to open the Edit IdP page.

 2) Upload the .pem certificate exported from your IdP server.

 3) Verify that the Expiration Date has been updated.

 4) Save and Activate.

Verification & Post-Testing

SAML IDP cert Expiration date Verification

Administration > Authentication Settings > Identity Providers > find your IdP and click Edit > check that the IdP SAML Certificate Expiration Date has been updated.

Post-Testing After renewal of IDP SAML Certification

**** This is a repeat of the pre-test.

It is recommended to repeat the same steps as in the pre-test. Before starting the test, log the test user off from Zscaler Client Connector (ZCC).

 1) Go to Enrolled Devices in the Zscaler Client Connector Portal.

 2) Select a user that is available for testing.

 3) Select that user's current enrolment.

 4) Click Force Remove to remove the user's enrolment.


Re-Authenticate / Re-enroll

Next, open Zscaler Client Connector on your PC/laptop and log in with the user ID whose enrolment you just removed. If the user can access the service, the certificate renewal was conducted correctly.

Confirm that the user can log in and that the new enrolment appears in the Zscaler Client Connector Portal after re-enrolment.