Integrating Zscaler with CyberArk for Privileged Access Management

A comprehensive guide to accessing Zscaler admin roles via CyberArk PAM


Key Insights

  • Unified SSO Configuration: Set up SAML-based Single Sign-On between Zscaler and CyberArk to streamline access.
  • Role and Permission Mapping: Properly map user attributes and roles to control privileged access.
  • Secure Certificate Management: Utilize signed certificates to establish trusted communication between both systems.

Overview of the Integration Process

Integrating Zscaler with CyberArk to enable access to the Zscaler admin role through CyberArk PAM involves multiple steps that ensure a secure, streamlined connection between the two systems via Single Sign-On (SSO) and role-based access controls. This guide outlines the process in detail, covering prerequisites, configuration steps for both Zscaler and CyberArk Identity, SAML configurations, and the mapping of user roles.

Prerequisites and Preparation

Before initiating the integration, verify that you meet the following prerequisites:

  • An active Zscaler account with administrative rights.
  • An active CyberArk Identity or Privileged Access Management account.
  • A trusted, signed certificate from your organization or the CyberArk Identity Administration portal.
  • Proper access to both the Zscaler Admin Portal and the CyberArk Admin Portal.

Having these items in place ensures that you can securely establish the communication between platforms and proceed with configuring SSO.


Step-by-Step Integration Process

Step 1: Configuring Zscaler for SSO

Registering Zscaler as an Application

Begin by logging into your Zscaler Admin Portal. Navigate to the Administration section, open Authentication Settings, and then select Identity Providers. Here you will add CyberArk as an Identity Provider (IdP). During this process, ensure that the SAML 2.0 protocol is enabled.

Once SAML is activated, configure both SP-initiated SSO and, if required, IdP-initiated SSO. SP-initiated SSO enables users to access Zscaler directly via the web application, while IdP-initiated SSO allows them to log in through the CyberArk Identity User Portal.

Certificate Provisioning

It is essential to upload a signed certificate to the Zscaler Admin Portal. This certificate establishes trust with CyberArk and ensures that data exchanged between the two platforms remains secure. You may download a certificate from your CyberArk or organizational Certificate Authority, or use the one provided within your CyberArk Identity Administration portal.

During the certificate configuration, make sure to verify all details, particularly the validity period and encryption parameters. This certificate is a cornerstone of maintaining a secure integration between the systems.


Step 2: Configuring CyberArk Identity

Adding Zscaler as a Web Application

The second major step involves setting up Zscaler within the CyberArk Identity Administration portal. Once logged in, navigate to the "Apps & Widgets" section and select "Web Apps". Here, you will add Zscaler as a new web application.

Within the portal, use the Zscaler application template to expedite the configuration process. During setup, you need to ensure the following:

  • Configure the application settings by providing the Zscaler Organization ID and Company ID, typically available in the Zscaler Admin Portal under Company Profile.
  • Define SAML settings to match the configuration you have in Zscaler. This includes specifying the SAML Endpoint URLs and the required attributes.
  • Establish SAML mappings that correlate CyberArk user attributes to the appropriate Zscaler roles. Ensure these attribute names and values are accurate; they are matched case-sensitively.

SSO Configuration and Role Mapping

SAML configuration is critical for establishing Single Sign-On. In the CyberArk Identity portal, ensure you configure both IdP-initiated and SP-initiated SAML SSO methods. IdP-initiated SSO allows users to access Zscaler through the CyberArk Identity User Portal, whereas SP-initiated SSO lets them access Zscaler directly via its web interface.

One of the integral parts of this step is mapping the user attributes correctly. In CyberArk, this involves:

  • Assigning the necessary roles – ensure that one user is designated with an administrator role to access Zscaler administrative functions.
  • Mapping additional user attributes as required, to ensure seamless synchronization during the SAML assertion exchange.
  • Verifying that the NameID attribute in the SAML response matches the user’s login information in Zscaler.

Step 3: Integrating CyberArk with Zscaler

Finalizing SAML Settings

Once both systems have been configured individually, synchronize the SAML settings by performing the following actions:

  • In CyberArk, navigate to the Trust tab within the Zscaler application settings, and select the option for manual configuration if available.
  • Copy the SAML Portal URL provided by CyberArk and paste it into the respective field in the Zscaler Admin Portal under the Identity Provider settings.
  • Upload the CyberArk public certificate into Zscaler to complete the trust configuration.
  • Ensure that the NameID attribute is correctly set to reflect the user’s login name, thus ensuring proper access matching.

Testing and Validation

After configuration, rigorous testing is essential. Perform the following tests:

  • Test a user login initiated from CyberArk’s Identity User Portal to verify IdP-initiated SSO as well as direct SP-initiated access from Zscaler.
  • Confirm the correct mapping of roles within the SAML response by ensuring that CyberArk-assigned roles propagate to the Zscaler admin profile.
  • Perform periodic validation of certificates to ensure ongoing secure communications between the systems.

Once testing is complete and results are consistent, the integration is successfully established, and privileged access management can be enforced through CyberArk PAM.
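As an added illustration of the NameID, validity-window and role-mapping checks called for in the validation step (this is example code, not part of the guide or of any Zscaler or CyberArk tool), the function below applies them to a constructed SAML response. The group names, the role names in ROLE_MAP and the attribute name memberOf are assumptions; substitute the values configured in your own tenants.

```python
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

# Hypothetical group-to-role table; the real group and role names come from your
# CyberArk and Zscaler tenants and are not taken from the guide.
ROLE_MAP = {"Zscaler-Admins": "ZSCALER_ADMIN", "Zscaler-Viewers": "ZSCALER_READONLY"}

# Constructed sample response (not captured from a real CyberArk/Zscaler exchange).
# The XML Signature is omitted: verifying it against the uploaded IdP certificate
# is the SP's job and must already have passed before these mapping checks run.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>admin.user@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2025-03-14T09:00:00Z" NotOnOrAfter="2025-03-14T09:05:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="memberOf">
        <saml:AttributeValue>Zscaler-Admins</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2025-03-14T09:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_assertion(xml_text, expected_login, now_iso, role_attr="memberOf"):
    """Apply the NameID, validity-window and role-mapping checks to one assertion.

    Returns (ok, findings): ok is True only when the NameID equals the Zscaler
    login name exactly, the Conditions window contains now_iso, and at least
    one group maps to a known role.
    """
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    findings = {}
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    # Deliberately case-sensitive: a mismatch here is the classic cause of a failed login.
    findings["nameid_matches"] = name_id.strip() == expected_login
    cond = assertion.find("saml:Conditions", NS)
    findings["within_validity"] = _ts(cond.get("NotBefore")) <= _ts(now_iso) < _ts(cond.get("NotOnOrAfter"))
    path = f"saml:AttributeStatement/saml:Attribute[@Name='{role_attr}']/saml:AttributeValue"
    groups = [v.text.strip() for v in assertion.findall(path, NS) if v.text]
    findings["unmapped_groups"] = [g for g in groups if g not in ROLE_MAP]  # surfaces typos in mappings
    findings["roles"] = [ROLE_MAP[g] for g in groups if g in ROLE_MAP]
    ok = findings["nameid_matches"] and findings["within_validity"] and bool(findings["roles"])
    return ok, findings
```

Feed it a decoded SAMLResponse captured from a test login with browser developer tools, and the findings dictionary tells you which of the three mapping requirements failed.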


Additional Considerations for Secure Integration

Management of Privileged Roles

Beyond simply enabling SSO access for Zscaler via CyberArk PAM, it is crucial to enforce the best practices of role-based access management. Utilizing CyberArk’s capabilities, assign permissions carefully to ensure the principle of least privilege is maintained. Only users who require administrative access to Zscaler should be granted appropriate roles. This minimizes the risk of unauthorized access.

CyberArk offers additional features like session monitoring and audit logging, which can be invaluable for reviewing who accessed critical systems. Leveraging these tools helps maintain compliance and security audits.

Implementation of Zero Trust Architecture

In modern security architectures, zero trust principles are widely adopted to continuously validate user identity and device trustworthiness. Integrating Zscaler with CyberArk should also follow a zero trust model, where every access request is authenticated and authorized rigorously. For enterprises, this means that each login via the CyberArk PAM is subject to additional verification methods—further limiting the opportunities for breaches.

Employing two-factor authentication (2FA) or multi-factor authentication (MFA) in addition to SAML SSO helps reinforce the security posture during the access process.

Continuous Monitoring and Maintenance

Establishing the integration is only the first step. Regular monitoring and maintenance are equally vital to ensure ongoing security and functionality. Periodic reviews of the SSO logs, certificate expirations, and user access audits will help detect any anomalies promptly.

Regular software updates and reviews of both CyberArk and Zscaler configurations ensure that any new security patches or features are seamlessly integrated into your privileged access management strategy.

Detailed Configuration Table

Below is a comprehensive table summarizing key configuration details for integrating Zscaler with CyberArk:

Configuration Area       | Action                            | Key Details
-------------------------|-----------------------------------|--------------------------------------------------------------------------------------
Zscaler Admin Portal     | Enable SAML                       | Access Authentication Settings, select Identity Providers, and enable SAML 2.0.
Certificate Management   | Upload Signed Certificate         | Use a trusted certificate from your organization or CyberArk CA for secure communication.
CyberArk Identity Portal | Add Zscaler App                   | Use the Zscaler application template and complete role mapping and attribute configuration.
SSO Settings             | Configure IdP & SP Initiated SSO  | Ensure correct SAML Endpoint URLs, attribute mappings, and NameID settings in both systems.
Testing                  | Validate Access                   | Confirm SSO functionality from both CyberArk and direct Zscaler accesses with proper role assignments.

Best Practices and Additional Resources

Enforce Least Privilege Access

Make sure only designated users have administrative privileges in Zscaler. Continuously monitor access, and adjust roles as needed to comply with the principle of least privilege. Utilizing CyberArk’s advanced access control and session monitoring capabilities can help in maintaining compliance and security.

Regular Audits and Revocation Processes

Implement regular audits of the integration logs to track which users and user groups are accessing Zscaler. Establish automatic revocation processes for users who no longer require privileged access, ensuring that outdated permissions do not lead to security vulnerabilities.

Comprehensive Documentation and Support

Keep a detailed record of all configuration steps, attribute mappings, and user roles. Having a clear documentation trail aids in troubleshooting and ensures that future administrators can understand the current implementation. Leverage guides and documentation provided by both Zscaler and CyberArk for in-depth technical details.


Last updated March 14, 2025