Connect to ZScaler

This article provides step-by-step instructions for connecting EmpowerID to a Zscaler instance. Steps 1 and 2 are prerequisites and must be completed before proceeding. It is also recommended that you review the configuration parameters described in Step 4 before beginning the integration, so that you understand what each setting controls.

Step 1 - Configure the ZScaler Instance

You need to make two important configurations in the Zscaler instance.

  • Configure Azure IDP:

    • Ensure that the Azure Identity Provider (IDP) is configured in ZScaler. This setup supports configuring Azure groups on ZScaler access policies.

    • Refer to the Microsoft documentation for detailed instructions.

  • Automatic Provisioning:

    • Set up ZScaler to automatically provision users and groups from your Azure tenant.

    • For detailed steps, refer to the provisioning tutorial.

Step 2 - Configure an Account Store in EmpowerID

Before integrating Zscaler, make sure the Azure tenant that is configured as the IdP in the Zscaler instance also exists as an Account Store in EmpowerID. EmpowerID can inventory and manage Zscaler resources only when that tenant is managed by EmpowerID as an account store.
To create and configure an Azure (Entra ID) account store, follow the detailed instructions in the EmpowerID documentation.

Step 3 - Create an Account Store for ZScaler

Now that you have configured the necessary settings in ZScaler and EmpowerID, it’s time to create an account store. This is the step where we actually connect to the ZScaler instance. Please ensure you understand the key attributes before proceeding.

  1. Navigate to the Resource Admin.

  2. Click Applications and select Onboard ZScaler Application.

  3. This triggers a wizard workflow. Provide the information below and click Save to create the new ZScaler Account Store:

    • Account Store Name: A user-friendly name that identifies the account store.

    • Access Token URL: The Zscaler endpoint from which the connector requests the access token used to authenticate its API calls to the Zscaler instance.

    • Azure Storage Connection String: The connection string for the Azure Storage account in which EmpowerID records the Zscaler Azure group IDs and external system identifiers during inventory. This value normally embeds a storage account key or SAS token, so handle it as a secret, like the client credentials below.

    • Client API Key: The API key issued by Zscaler for client authentication. The client key and client secret are stored encrypted and are decrypted only when the connector authenticates to the API.

    • Client Secret: The client secret associated with the API key. It is presented together with the client key to authenticate the connector and obtain the access token.

    • Customer ID: The unique identifier of your customer account within the Zscaler instance. It distinguishes customers or tenants in multi-tenant environments.

    • ZScaler Base URL: The root URL of the Zscaler instance against which API calls are made (e.g., https://config.private.zscaler.com, the same value that appears as ZScalerBaseUrl in Step 4).

  4. You have successfully created an account store.

 

Behind the wizard, the ResourceSystemRegistration component creates or links the Account Store and its associated systems from three name parameters, AccountStoreName, SecurityBoundryName and ResourceSystemName, which the wizard sets to the same value; the ResourceSystemType and SecurityBoundryType are fixed to ZscalerConnector. The component first looks for existing records with those names. If they exist, it reuses them; otherwise it creates the missing records and establishes the foreign key links between them. It then writes the configuration settings to ResourceSystemConfigSettings for that Resource System ID, deleting any existing values first and recreating them from the wizard input, so outdated configuration is overwritten rather than merged. A field left empty in the wizard deletes the corresponding setting. Because names are looked up before anything is created, running the wizard with an existing Account Store name does not create a duplicate: the existing account store ID is used for the resource system configuration settings.
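To make the Step 3 fields concrete, here is an added illustrative client (not EmpowerID's connector code) that uses them the way the connector description implies: it posts the Client API Key and Client Secret to the Access Token URL, sends the returned bearer token on every call to the ZScaler Base URL, walks a list endpoint under the Customer ID in PageSize-sized pages, and keeps the secret out of repr() and error messages. The form-encoded client_id/client_secret token request, the page/pagesize query parameters and the mgmtconfig/v1/admin/customers/<customerId>/application path are assumptions about the ZPA API rather than details from this page; the HTTP transport is injected so the example runs offline against constructed responses.

```python
"""Illustrative Zscaler API client built from the Step 3 account store fields.

Added example, not EmpowerID's connector. Assumptions not taken from the page:
  * the token endpoint takes a form-encoded POST with client_id / client_secret
    and answers with JSON containing access_token (ZPA /signin behaviour);
  * list endpoints accept page / pagesize query parameters and return {"list": [...]};
  * the application segment path mgmtconfig/v1/admin/customers/<customerId>/application.
The transport is injected so everything below runs offline against constructed data.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterator, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# transport(method, url, headers, body) -> (http_status, parsed_json)
Transport = Callable[[str, str, Dict[str, str], Optional[str]], Tuple[int, dict]]


@dataclass
class ZscalerSettings:
    """Wizard fields from Step 3 (the Azure Storage connection string is not needed for API calls)."""
    access_token_url: str
    client_key: str
    client_secret: str = field(repr=False)  # excluded from repr() so it never lands in logs
    customer_id: str
    base_url: str
    page_size: int = 100  # PageSize default listed in Step 4


class ZscalerClient:
    def __init__(self, settings: ZscalerSettings, transport: Transport) -> None:
        self.s = settings
        self.transport = transport
        self._token: Optional[str] = None

    def get_token(self) -> str:
        """Exchange client key + secret at AccessTokenUrl for a bearer token; cache it."""
        if self._token is None:
            body = urlencode({"client_id": self.s.client_key, "client_secret": self.s.client_secret})
            headers = {"Content-Type": "application/x-www-form-urlencoded"}
            status, payload = self.transport("POST", self.s.access_token_url, headers, body)
            if status != 200 or "access_token" not in payload:
                # Report the endpoint and status only; the request body carries the secret.
                raise RuntimeError(f"token request to {self.s.access_token_url} failed: HTTP {status}")
            self._token = payload["access_token"]
        return self._token

    def _get(self, path: str, params: Dict[str, str]) -> dict:
        url = f"{self.s.base_url.rstrip('/')}/{path}?{urlencode(params)}"
        status, payload = self.transport("GET", url, {"Authorization": f"Bearer {self.get_token()}"}, None)
        if status != 200:
            raise RuntimeError(f"GET {path} failed: HTTP {status}")
        return payload

    def iter_application_segments(self) -> Iterator[dict]:
        """Yield every application segment, requesting PageSize records per call."""
        path = f"mgmtconfig/v1/admin/customers/{self.s.customer_id}/application"  # assumed path
        page = 1
        while True:
            items = self._get(path, {"page": str(page), "pagesize": str(self.s.page_size)}).get("list", [])
            yield from items
            if len(items) < self.s.page_size:  # a short page means we have reached the end
                return
            page += 1


def make_fake_transport(segments: List[dict], client_key: str, client_secret: str):
    """Constructed stand-in for the Zscaler API; returns (transport, call_log)."""
    calls: List[dict] = []

    def transport(method: str, url: str, headers: Dict[str, str], body: Optional[str]) -> Tuple[int, dict]:
        calls.append({"method": method, "url": url, "headers": headers})
        if method == "POST" and url.endswith("/signin"):
            form = parse_qs(body or "")
            if form.get("client_id") == [client_key] and form.get("client_secret") == [client_secret]:
                return 200, {"token_type": "Bearer", "access_token": "tok-123", "expires_in": 3600}
            return 401, {"error": "invalid_client"}
        if headers.get("Authorization") != "Bearer tok-123":
            return 401, {"error": "unauthorized"}
        query = parse_qs(urlparse(url).query)
        page, size = int(query["page"][0]), int(query["pagesize"][0])
        start = (page - 1) * size
        return 200, {"list": segments[start:start + size]}

    return transport, calls


def run_demo() -> dict:
    """Inventory five constructed segments with PageSize=2: one token request, three pages."""
    segments = [{"id": str(i), "name": f"app-{i}", "enabled": True} for i in range(1, 6)]
    transport, calls = make_fake_transport(segments, "demo-client-key", "demo-secret")
    settings = ZscalerSettings(
        access_token_url="https://config.private.zscaler.com/signin",  # assumed token endpoint
        client_key="demo-client-key",
        client_secret="demo-secret",
        customer_id="1234567890",  # constructed value
        base_url="https://config.private.zscaler.com",
        page_size=2,
    )
    client = ZscalerClient(settings, transport)
    names = [seg["name"] for seg in client.iter_application_segments()]
    return {
        "names": names,
        "token_requests": sum(1 for c in calls if c["method"] == "POST"),
        "pages_fetched": sum(1 for c in calls if c["method"] == "GET"),
        "secret_in_repr": "demo-secret" in repr(settings),
    }


if __name__ == "__main__":
    print(run_demo())
```

Two design points carry over to any real connector: the token is obtained once and reused for the whole inventory run rather than re-requested per page, and failures are reported with the endpoint and HTTP status only, because the token request body is the one message that contains the client secret.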

Step 4 - Verify Resource System Configuration Parameters

Creating the Account Store also generates the default resource system configuration parameters for it. Verify that these settings are correct and change them if needed. The parameters, and how to modify them, are described below.

  1. Navigate to Admin > Applications and Directories > Account Stores and Systems and select the Account Stores tab.

  2. Search for the Zscaler account store you created and click the Account Store link.

  3. On the Account Store and Resource System page that appears, select the Resource System tab and expand the Configuration Parameters accordion.

  4. Please ensure that the parameters in the list are set up correctly. The list and description are provided below. To edit or change the value of a parameter, click the Edit button for the parameter you want to modify. Enter the new value in the Value field and click Save.




The following parameters are fixed and cannot be configured from the UI currently: AzureTenantID, CreateOrUpdateAccessPolicyJsonTemplate, CreateOrUpdateApplicationSegmentJsonTemplate, CustomerId, IdpId, PageSize.

Resource System Parameters

  • AccessTokenUrl: The Zscaler endpoint used to request the access token that authenticates API calls.

  • AzureStorageConnectionString: The connection string for the Azure Storage location that holds the Zscaler Azure group IDs and external system identifiers used during inventory. It normally embeds a storage account key or SAS token, so protect it like ClientSecret.

  • AzureTenantID: The unique identifier of the Microsoft Entra ID (Azure AD) tenant that the Zscaler account store or connector manages.

  • ClientKey: The client key issued by Zscaler for client authentication. It is stored encrypted and used to authenticate API requests.

  • ClientSecret: The client secret associated with ClientKey. Together with the client key it authenticates the connector and obtains the access token.

  • CreateOrUpdateAccessPolicyJsonTemplate: The JSON template the connector fills in to create or update access policies in Zscaler. Default:

    {
      "name": "",
      "action": "",
      "conditions": [
        { "operands": [ { "objectType": "APP", "lhs": "id", "rhs": "" } ] },
        { "operands": [ { "objectType": "SCIM_GROUP", "lhs": "", "rhs": "" } ], "operator": "" }
      ]
    }

  • CreateOrUpdateApplicationSegmentJsonTemplate: The JSON template used to create or update application segments in Zscaler. Default:

    {
      "name": "", "enabled": "", "domainNames": [], "serverGroups": [], "segmentGroupId": "",
      "description": "", "tcpPortRange": [], "udpPortRange": [], "ipAnchored": "",
      "doubleEncrypt": "", "bypassOnReauth": "", "healthReporting": "", "isCnameEnabled": "",
      "selectConnectorCloseToApp": "", "bypassType": "", "icmpAccessType": ""
    }

  • CustomerID: The unique identifier of your customer account within the Zscaler instance, which distinguishes customers or tenants in multi-tenant environments.

  • IdpId: The identifier of the Identity Provider (the Azure IdP configured in Step 1) that the connector references in the Zscaler configuration.

  • IsIncrementalInventory: Whether inventory is incremental. When enabled (the default), only changes since the last inventory are processed, reducing the volume of data handled downstream. Zscaler does not offer searching by modification date, so EmpowerID computes the delta within its own database.

  • IsPagedUsingToken: Whether pagination uses a continuation token. Default: false.

  • PageSize: The number of records fetched per API call. Default: 100.

  • ZScalerBaseUrl: The root URL of the Zscaler configuration API used for API calls (e.g., https://config.private.zscaler.com).
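The IsIncrementalInventory description above says Zscaler cannot be asked for "objects modified since" and that EmpowerID realises incremental inventory in its own database. The following added example (illustrative only, not EmpowerID's implementation) shows the mechanics of that approach: keep the last snapshot of object id to modifiedTime, pull the full listing again, and emit only the created, updated and deleted records. The SCIM group records and timestamps are constructed for the example, and the modifiedTime field name is an assumption about the Zscaler response.

```python
"""Local incremental inventory for an API with no "modified since" search.

Added example, not EmpowerID's implementation. The Step 4 parameter list states that
Zscaler cannot be queried by date and that EmpowerID implements IsIncrementalInventory in
its own database; this shows how such a delta is computed from a stored snapshot.
"""
from typing import Dict, Iterable, List, Tuple

Snapshot = Dict[str, str]  # object id -> modifiedTime string as returned by the API (assumed field)


def apply_inventory(previous: Snapshot, listing: Iterable[dict], incremental: bool = True) -> Tuple[dict, Snapshot]:
    """Compare a freshly pulled full listing with the stored snapshot.

    incremental=True  mirrors IsIncrementalInventory on: only differences are reported.
    incremental=False mirrors it off: the snapshot is ignored, every object is reported as
    created and no deletions are emitted, because the consumer replaces its whole view.
    Returns ({"created": [...], "updated": [...], "unchanged": n, "deleted": [ids]}, new_snapshot).
    """
    baseline = previous if incremental else {}
    current: Snapshot = {}
    created: List[dict] = []
    updated: List[dict] = []
    unchanged = 0
    for obj in listing:
        oid, mtime = str(obj["id"]), str(obj.get("modifiedTime", ""))
        current[oid] = mtime
        if oid not in baseline:
            created.append(obj)
        elif baseline[oid] != mtime:
            updated.append(obj)
        else:
            unchanged += 1
    # Anything in the baseline that the API no longer returns has been deleted upstream.
    deleted = sorted(oid for oid in baseline if oid not in current)
    return {"created": created, "updated": updated, "unchanged": unchanged, "deleted": deleted}, current


def run_demo() -> dict:
    """Constructed run: g1 unchanged, g2 modified, g3 deleted upstream, g4 newly created."""
    previous: Snapshot = {"g1": "1719468000", "g2": "1719468000", "g3": "1719468000"}  # stored snapshot
    listing = [  # constructed full listing as the API would return it today
        {"id": "g1", "name": "zpa-engineering", "modifiedTime": "1719468000"},
        {"id": "g2", "name": "zpa-finance", "modifiedTime": "1719554400"},
        {"id": "g4", "name": "zpa-contractors", "modifiedTime": "1719554400"},
    ]
    delta, snapshot = apply_inventory(previous, listing, incremental=True)
    full, _ = apply_inventory(previous, listing, incremental=False)
    return {
        "created": [o["id"] for o in delta["created"]],
        "updated": [o["id"] for o in delta["updated"]],
        "deleted": delta["deleted"],
        "unchanged": delta["unchanged"],
        "snapshot_ids": sorted(snapshot),
        "full_created": [o["id"] for o in full["created"]],
        "full_deleted": full["deleted"],
    }


if __name__ == "__main__":
    print(run_demo())
```

Because the delta is derived locally, the new snapshot must be persisted only after the consumer has committed the reported changes; writing it first and then failing would silently drop those changes from every later incremental run, and the only recovery is a full inventory with the flag disabled.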