
Zscaler Authentication with RCDevs


Nabil Rütten

Nov 5, 2024, 4:33:27 AM11/5/24
to RCDevs Security

Hello,

We’re currently working on setting up a connection between Zscaler Cloud and RCDevs as the IdP. Our configuration is a bit unique since the internal domain differs from the authentication domain. Due to this setup, we need to perform an assertion transformation to ensure seamless integration.

We have tried utilizing the Domain Mapping feature, but it still results in an error. I’d appreciate any guidance on how RCDevs handles domain mapping. Specifically, is the domain mapping done through some form of transformation process, or is there an alternate way to map an internal domain to the authentication domain?

Thanks in advance for any insights or advice!



Spyridon Gouliarmis (RCDevs)

Nov 5, 2024, 12:06:05 PM11/5/24
to RCDevs Security
Hello Nabil,

What the "Domain mapping" does is set the AttributeValue of the Attribute in the AttributeStatement with Name="domain" equal to whatever is the value of the LDAP attribute you chose. Maybe your software does not even check the attributes and tries to find a domain in the NameID?

What should the SAML assertion look like for your system to accept it?
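To make the distinction Spyridon draws concrete, here is an added example (not RCDevs code and not part of the original thread) that parses a constructed SAML assertion and shows the two places a service provider might read a domain from: the NameID in the Subject, and the Attribute with Name="domain" in the AttributeStatement. The assertion, its issuer URL and the user values are placeholders; a real SP must verify the assertion's signature before reading any of these fields.

```python
"""Added example: where does the "domain" live in a SAML assertion?

Not RCDevs code. The assertion below is constructed for illustration and
is unsigned; in production, signature verification comes before any
attribute or NameID is trusted.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample: NameID carries the internal domain (something.com),
# while the "domain" attribute, which is what a Domain Mapping populated
# from an LDAP attribute would produce, carries the authentication domain.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_example-assertion" Version="2.0">
  <saml:Issuer>https://idp.example/placeholder</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@something.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="domain">
      <saml:AttributeValue>something-else.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>user@something.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def parse_assertion(xml_text):
    """Extract the NameID text and a {Name: [values]} map of attributes."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    return {
        "name_id": name_id.text if name_id is not None else None,
        "attributes": attributes,
    }


def domain_from_name_id(parsed):
    """Domain as an SP that only looks at the NameID would see it."""
    nid = parsed["name_id"]
    if not nid or "@" not in nid:
        return None
    return nid.rsplit("@", 1)[1].lower()


def domain_from_attribute(parsed):
    """Domain as an SP that reads the Name="domain" attribute would see it."""
    values = parsed["attributes"].get("domain", [])
    return values[0].lower() if values else None


def check_expected_domain(parsed, expected):
    """Report which source of the domain matches what the SP expects."""
    nid_domain = domain_from_name_id(parsed)
    attr_domain = domain_from_attribute(parsed)
    return {
        "name_id_domain": nid_domain,
        "attribute_domain": attr_domain,
        "name_id_matches": nid_domain == expected.lower(),
        "attribute_matches": attr_domain == expected.lower(),
    }


if __name__ == "__main__":
    parsed = parse_assertion(SAMPLE_ASSERTION)
    print(check_expected_domain(parsed, "something-else.com"))
```

Running it against the sample shows the attribute matching the authentication domain while the NameID still carries the internal one, which is exactly the situation in which an SP that ignores attributes and parses the NameID would reject the assertion even though the Domain Mapping is working as designed.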

Nabil Rütten

Nov 11, 2024, 5:21:59 AM11/11/24
to RCDevs Security

Hello Spyridon,

Thank you for your efforts on this integration. I've attached a visualization that may help clarify the setup.

Here’s a breakdown of the current configuration and the issue we are encountering:

Authentication Domain Setup: The customer has an authentication domain in Zscaler (something-else.com). When the user initiates a login, the Zscaler endpoint agent forwards a SAML request to RCDevs.

Domain Mismatch for SSO: The customer’s domain in RCDevs is configured as something.com. For seamless SSO functionality, we require a transformation on the return statement so that the user ID changes from us...@something.com to us...@something-else.com as it is processed back by Zscaler.

Transformation Implementation: We have implemented the necessary transformation in the domainID field within RCDevs to account for this domain change.

Issue on Logon Flow: Despite the transformation setup, an error is encountered when the user goes through the login flow. This suggests there may be an additional configuration or an underlying compatibility issue that’s causing the process to fail.

Could you please help us investigate further into what might be causing this error in the logon flow? Any insights or additional configurations to review would be much appreciated.

Thank you for your assistance.


Best,
Nabil 

SSO Issue.png

Spyridon Gouliarmis (RCDevs)

Nov 11, 2024, 5:40:41 AM11/11/24
to RCDevs Security
>an error is encountered when the user goes through the login flow

What error, where exactly?

>Could you please help us investigate further into what might be causing this error in the logon flow?

I can help you investigate what happens on the WebADM/OpenOTP side. If the error is on the Zscaler side, for example because it's not satisfied with the contents of the SAML assertion, it's up to you to figure out why.

Most information from WebADM you will get by checking the log file in /opt/webadm/logs/webadm.log . It's per host; if you want a consolidated version, you can find one under the Databases tab in the web UI, "WebADM Shared Event Logs". Setting log_debug to Yes in /opt/webadm/conf/webadm.conf and then restarting (/opt/webadm/bin/webadm restart) will get you more output. 

Nabil Rütten

Nov 20, 2024, 3:25:02 AM11/20/24
to rcdevs-t...@googlegroups.com

Dear Spyridon,

After some time, we’ve successfully set things up—thank you for your support.

We’re now working to enable seamless SSO but have encountered some issues. Let me outline the intended flow:

  1. The user logs into their Windows system with AD credentials.
  2. Since AD doesn’t support SAML, RCDevs retrieves the authentication data from AD, transforms it, and generates a SAML token.
  3. RCDevs sends the SAML token to Zscaler.
  4. Zscaler validates the token and grants access.

While SAML authentication and provisioning are working, users are being prompted to authenticate with Zscaler via RCDevs each time, which is unexpected. No direct error messages are shown.

Could you confirm if RCDevs can seamlessly capture authentication data from AD during Windows login and pass it along in this manner?

Looking forward to your guidance.

Best regards,

Nabil 


Nabil Rütten

Sales Engineer  |  Zscaler, Inc.




Spyridon Gouliarmis (RCDevs)

Nov 20, 2024, 9:05:00 AM11/20/24
to RCDevs Security
Nabil, I'm afraid step 2 is not possible with our product.

We've had that feature on our roadmap, since your client is not the first to want it. But no due date.

I'd recommend ADFS, but I suspect that's what your client is trying to move away from.
