The Zscaler integration configures 1Kosmos as a SAML 2.0 identity provider, enabling biometric authentication before Zscaler enforces security policies and application access controls based on verified user identity.
Integration type: SSO
Overview
Zscaler is a cloud security platform whose products (ZIA and ZPA) require user authentication to enforce security policies and control application access. 1Kosmos integrates as a SAML 2.0 identity provider, enabling biometric authentication via the 1Kosmos mobile app before Zscaler applies policies based on verified user identity.
The SAML identity provider is configured in the ZIA Admin Portal under Administration → Authentication Settings. Zscaler's SP metadata can be downloaded from the Add IdP window and imported into AdminX to complete the trust configuration. Zscaler's SP ACS URL follows the pattern https://[cloud-name].zscaler.net/auth, where the cloud name is the specific Zscaler cloud your organization is provisioned on.
Zscaler supports SP-initiated SSO only. Users must authenticate through the Zscaler portal or through the Zscaler client before their internet traffic is subject to Zscaler's security policies.
Prerequisites
Active 1Kosmos tenant: Administrator access to the AdminX portal. Contact 1kosmos.com/contact if not yet provisioned.
Zscaler ZIA or ZPA administrator access: Admin access to the Zscaler Admin Portal with permissions to configure Authentication Settings and Identity Providers.
Zscaler cloud name: Know which Zscaler cloud your organization uses (e.g., zscaler.net, zscloud.net, zscalertwo.net). This determines the SP ACS URL pattern. Available in your ZIA Admin Portal URL.
1Kosmos mobile app installed: Users must have the app on iOS or Android with biometrics enrolled before testing.
Configuration values
Values to collect from 1Kosmos AdminX (IdP) for Zscaler:
| Field | Where to find it |
|---|---|
| SAML Portal URL (SSO URL) | AdminX → Settings → IdP Configuration → Single SignOn Service URL |
| IdP Entity ID | AdminX → Settings → IdP Configuration → Core Configuration |
| IdP SAML Certificate (PEM) | AdminX → Settings → IdP Configuration → View Certificate → Public Key |
Zscaler SP values to collect for AdminX:
| Field | Where to find it |
|---|---|
| SP Metadata XML | ZIA Admin Portal → Administration → Authentication Settings → Identity Providers → Add IdP → Download Service Provider Metadata |
| SP ACS URL (approximate pattern) | https://[cloud-name].zscaler.net/auth (confirm the exact URL from the SP metadata) |
Integration steps
Step 1: Download Zscaler SP metadata
Log in to the ZIA Admin Portal and navigate to Administration → Authentication Settings.
Click the Identity Providers tab and click Add IdP.
In the Add IdP window, before configuring any fields, click to download the SP Metadata file (zscaler-metadata.xml). This file contains the Zscaler SP Entity ID and ACS URL needed for AdminX.
Step 2: Add Zscaler as a SAML application in AdminX
Log in to the AdminX portal and navigate to Applications → Add Application.
Select SAML 2.0 Generic and click Add integration. Enter "Zscaler" as the Application Name and the Zscaler login URL for your organization as the Application Access URL.
Set NameID Format to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress and NameID Value to email. Add claims for email, DisplayName, and memberOf (groups, if applicable). Enable Assertion signing. Import the Zscaler SP metadata XML file or manually enter the SP Entity ID and ACS URL from the metadata. Click Save.
Step 3: Complete the IdP configuration in Zscaler
Return to the Add IdP window in the ZIA Admin Portal.
Enter a name for the identity provider (e.g., "1Kosmos").
In the SAML Portal URL field, paste the 1Kosmos SSO URL.
Enter the Login Name Attribute that maps to the SAML attribute Zscaler should use as the user identifier (typically email or userPrincipalName).
Upload the 1Kosmos SAML signing certificate in base-64 encoded PEM format (.pem extension, no periods other than the extension).
Under Authentication Frequency, set the frequency at which users must re-authenticate.
Set Authentication Type to SAML. Click Save.
Click Activate in the Zscaler Admin Portal to activate the configuration changes.
Step 4: Test the integration
Navigate to your Zscaler login URL and sign in using the SAML option.
Confirm you are redirected to 1Kosmos. Authenticate biometrically and confirm you are authenticated with Zscaler and subject to your organization's internet security policies.
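A pre-flight check for Steps 1 and 2, added here as example code (not 1Kosmos or Zscaler tooling): it parses the downloaded SP metadata for the Entity ID and ACS URL that AdminX asks for, and compares the ACS URL against the https://[cloud-name].zscaler.net/auth pattern using the cloud domain you noted under Prerequisites. The XML is a constructed stand-in with placeholder values (EXAMPLE-CLOUD, the entityID), not a real tenant's file.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed stand-in for zscaler-metadata.xml; EXAMPLE-CLOUD and the
# entityID are placeholders, not values from a real Zscaler tenant.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://EXAMPLE-CLOUD.zscaler.net/saml/sp">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://EXAMPLE-CLOUD.zscaler.net/auth" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_sp_metadata(xml_text: str) -> dict:
    """Pull the values AdminX asks for (SP Entity ID, ACS URL) out of SP metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    acs_list = sp.findall("md:AssertionConsumerService", NS)
    if not acs_list:
        raise ValueError("no AssertionConsumerService in metadata")
    # Prefer the ACS marked as default; otherwise take the first one listed.
    acs = next((a for a in acs_list if a.get("isDefault") == "true"), acs_list[0])
    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs.get("Location"),
        "acs_binding": acs.get("Binding"),
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "nameid_formats": [n.text for n in sp.findall("md:NameIDFormat", NS)],
    }


def check_acs_url(acs_url: str, cloud_domain: str) -> list:
    """Compare the ACS URL with the https://[cloud-name].<cloud_domain>/auth
    pattern; cloud_domain is the cloud seen in your ZIA Admin Portal URL."""
    u = urlparse(acs_url)
    problems = []
    if u.scheme != "https":
        problems.append("ACS URL is not https")
    if not (u.hostname or "").endswith("." + cloud_domain):
        problems.append(f"ACS host {u.hostname} is not on {cloud_domain}")
    if u.path != "/auth":
        problems.append(f"ACS path {u.path} is not /auth")
    return problems
```

An empty list from check_acs_url means the metadata ACS URL has the expected shape; any entry is worth confirming against the Add IdP window before saving in AdminX.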
Attribute mappings
| Source (1Kosmos) | Target (Zscaler) | Description |
|---|---|---|
| user.email | Login Name Attribute / NameID | Primary identifier for Zscaler user policy assignment |
| user.displayName | DisplayName | User display name in Zscaler logs and reports |
| user.groups (optional) | memberOf | Group membership for group-based policy enforcement in Zscaler |
Integration notes
Zscaler activates configuration changes through an explicit Activate step in the admin portal. Configuration changes saved but not activated are not applied to user authentication.
Always click Activate after saving IdP configuration changes. The Zscaler certificate upload requires the PEM file to have no periods in the filename other than the .pem extension. Renaming a certificate file downloaded from AdminX to comply with this restriction is common.
If SCIM provisioning is needed alongside SAML for automatic user account sync, enable SCIM in Zscaler after activating SAML; do not enable both SAML Auto-Provisioning and SCIM simultaneously, as they conflict.
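To catch the certificate upload pitfall from Step 3 before it happens, an added example (not 1Kosmos or Zscaler code) that checks the PEM file's name against the no-extra-periods rule and its content for a base-64 PEM certificate body. The sample PEM body is a constructed minimal DER sequence, not a real certificate.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed sample: the body decodes to a minimal DER SEQUENCE, not a real cert.
SAMPLE_PEM = BEGIN + "\nMAMCAQA=\n" + END + "\n"


def filename_ok(name: str) -> bool:
    """True when the name ends in .pem and has no other period, e.g. 1kosmos-idp.pem."""
    return name.endswith(".pem") and name.count(".") == 1


def suggest_filename(name: str) -> str:
    """Rename a file such as '1kosmos.idp.cert.pem' to '1kosmos-idp-cert.pem'."""
    stem = name[:-4] if name.endswith(".pem") else name
    return stem.replace(".", "-") + ".pem"


def pem_ok(text: str) -> bool:
    """True when text is one CERTIFICATE block whose body is valid base64 DER."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if not lines or lines[0] != BEGIN or lines[-1] != END:
        return False
    body = "".join(lines[1:-1])
    if not re.fullmatch(r"[A-Za-z0-9+/]+=*", body):
        return False
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:
        return False
    return der[:1] == b"\x30"  # a DER Certificate starts with an ASN.1 SEQUENCE tag
```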