Overview
ZSLogin is a new common identity service for Zscaler that centralizes and simplifies identity management, user authentication, and entitlement assignment for users to services. The initial release supports administrators, and support for end users is in development.
Problem
Prior to ZSLogin, Zscaler products each implemented identity services directly. This led to scenarios where identity data was stored separately, the services that supported identities were implemented separately, and customers needed to maintain multiple connections from their SAML identity providers to Zscaler. Although customers could still achieve their zero trust goals, maintaining multiple implementations of identity services made the products harder for customers to use and limited Zscaler’s pace of innovation in identity.
ZSLogin
Zscaler recognized the opportunity to improve customer experience and increase efficiency by advancing both identity capabilities and the other security capabilities of Zscaler products. By extracting identity into a common service, other Zscaler products can focus more on other areas.
In the first release, we targeted the administrator user, and ZSLogin became the central point of entry to all Zscaler products. If admins authenticate with credentials hosted at Zscaler, they only need to manage a single credential. If admins use single sign-on from identity providers, customers only need to maintain a single connection with those IdPs. With a single authentication into Zscaler, admins can seamlessly access all services in use by their organization, and entitlement assignment determines which services each admin is able to access. Admins no longer need to keep track of different sets of credentials depending on which services they administer.
User identity is stored in ZSLogin and then made available to other Zscaler services. Users can be manually created, updated, enabled, disabled, and deleted in the ZSLogin admin UI. Users can also be automatically synchronized with identity providers through SAML just-in-time provisioning or SCIM provisioning. With ZSLogin, customers can automate the provisioning and deprovisioning of administrators, something that was not possible previously.
Users that authenticate with hosted credentials at ZSLogin can be authenticated with a password, a password plus a second factor, or passwordless authentication. The supported second factors are SMS one-time passcode (OTP), email OTP, Google Authenticator (TOTP), and FIDO. FIDO can also be used for passwordless multi-factor authentication, and it is a phishing-resistant credential. Although Zscaler products previously had some support for MFA of administrators, ZSLogin’s support ensures consistency and provides authentication factors that are stronger, more user friendly, and phishing resistant. Having industry-leading authentication options gives customers more flexibility in enabling users from secondary populations, such as contractors, partners, or users from acquisitions.
Customers have also been asking for the ability to control where admins can access and administer their Zscaler products from. ZSLogin provides controls to limit administrator access based on source IP address. This gives customers the option to ensure that the admins of their zero trust solution access the system only from authorized locations.
All ZSLogin configuration changes are logged. ZSLogin provides an audit report, so administrators can review changes that have been made in their ZSLogin tenant over time.
What’s next
Building on what’s been implemented to support administrators, Zscaler is developing support for end users on ZSLogin. The core principles for end users are the same: a single identity record and centralized entitlement management for the services to which users should be enrolled.
Prior to ZSLogin, it wasn’t possible for customers to host users on Zscaler for access to private resources. ZSLogin solves this problem with support for hosted users along with service entitlement assignment for Zscaler Private Access.
Now that ZSLogin can guarantee a unique identity per user, it becomes much easier to share context signals about users and their related activities throughout the Zscaler ecosystem. Zscaler is looking at ways to enable consistent policy criteria across policies from any Zscaler product, making it easier for customers to define policy criteria and ensure consistency.
To learn more, watch our breakout session on ZSLogin that was presented at Zenith Live ’23.
Learn More
To learn more about ZSLogin, contact your account team and request to meet with Product Management. We can review your use case and discuss how ZSLogin can help improve your zero trust posture.