Setting Up SSO for ZPC with ADFS

Owned by Sean McDade
Last updated: Dec 14, 2023 by Benoit Desnoyers
3 min read

 

 

About SAML Single Sign-On in ZPC

Single Sign-On can be setup in ZPC against any Identity Provider (IdP) which supports SAML 2.0.

This guide covers the steps required to setup SAML SSO against ADFS.

For an exhaustive list of supported IDP’s, visit SAML-based products and services.

Provide ZPC Service Provider (SP) Metadata to your Identity Provider (IdP)

Export the SP Metadata to provide to your IdP.

 

Adding ZPC as a Service Provider (SP) in ADFS using metadata.xml file:

  1. Click on Add Relying Party Trust

     

  2. Select default option “Claims Aware”

     

  3. Select “Import data about the relying party from a file”

     

  4. Upload the Service Provider (SP) metadata file from previous step.

  5. Provide a meaningful Display Name for ZPC relying party and click “Next”

     

  6. Select “Permit everyone” and click “Next”

     

  7. Enable “Configure claims issuance policy for this application” checkbox and click “Close”

Configure Name Identifier (NameID)

  1. Edit Claim Issuance Policy

     

  2. Click “Add Rule”

     

  3. Choose Claim rule template “Send LDAP Attributes as Claims” and click “Next”

     

  4. Provide a Claim rule name, select the Attribute Store “Active Directory” from the dropdown, provide the value from Username Attribute from LDAP Management in ZPC to Name ID mapping and click “Finish”.

Download your Identity Provider (IdP) Metadata

Drop this link in your browser to download your IdP metadata.

https://< hostname >/federationmetadata/2007-06/federationmetadata.xml

Go back into ZPC and complete the SAML SSO Configuration

  1. Import your IDP metadata

  2. Enable SSO

  3. Logout from ZPC

  4. Go to the ZPC URL & click the teal login button to authenticate using SAML SSO

  5. For any login issues with SSO, please reach out to ZIRO Support.

     

SSO Configuration Complete ✔

Once logged in you will have initiated a Single Sign-On session which will give you access to all other applications registered to your IdP server without having to re log-in.