Zscaler Cloud

Zscaler Portal Cloud configuration

Go to Authentication Settings:

https://admin.zscloud.net/#administration/auth-settings

In the field Authentication Type select SAML

Click on Configure SAML

In the field Login Name Attribute write: NameID
Note: the default NameID is the user's email.
If you want to use the UPN instead, enter the following script in the Custom scripting field of the Trustelem application (see below for a complete example):

 function CustomSAMLResponse(msg: SAMLResponse, user: User, groups: Groups, deny: Deny): void {
   msg.setNameID(user.upn);
 }

In the field SAML Portal URL write:

https://mydomain.trustelem.com/app/18XXXX/sso

In Public SSL Certificate, upload the certificate of your Trustelem application

Turn OFF both Enable SCIM-Based Provisioning and Sign SAML Request

If you want to turn ON the SAML Auto-Provisioning function

In Zscaler, activate SAML Auto-Provisioning and enter the following attributes:

User Display Name Attribute : displayName

Group Name Attribute : groups

Department Name Attribute : department

In the Custom scripting field of the Trustelem application, write:

 function CustomSAMLResponse(msg: SAMLResponse, user: User, groups: Groups, deny: Deny): void {
   msg.setAttr('displayName', user.firstname + ' ' + user.lastname);
   msg.addAttr('groups', 'group1');
   msg.addAttr('groups', 'group2');
   msg.addAttr('groups', 'groupX');
   msg.setAttr('department', 'my_department');
 }

Note: instead of the constants "groupX" and "my_department", you can use other attributes of the user.
For instance, if you want to use the Trustelem group attribute:

 for (let name in groups) {
   msg.addAttr('groups', name);
 }

Here is a complete example of custom scripting:
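
One way to assemble the snippets above into a single script and test it offline before pasting it into Trustelem. This is an added example, not Trustelem's or the original page's code: the type shapes, MockResponse, ZSCALER_ATTRS and missingForZscaler are assumptions made for the test, and the UPN fallback and the blank-value check are additions.

```typescript
// Assumed shapes for the Trustelem scripting types; only members used on this page.
interface User { upn: string; firstname: string; lastname: string }
type Groups = Record<string, unknown>; // keyed by group name, as the page's for...in implies
type Deny = unknown;                   // not used by this script
interface SAMLResponse {
  setNameID(value: string): void;
  setAttr(name: string, value: string): void;
  addAttr(name: string, value: string): void;
}

// The script to paste into the Custom scripting field.
function CustomSAMLResponse(msg: SAMLResponse, user: User, groups: Groups, _deny: Deny): void {
  // Override NameID only when a UPN exists; otherwise the default (email) is kept.
  if (user.upn) {
    msg.setNameID(user.upn);
  }
  msg.setAttr('displayName', (user.firstname + ' ' + user.lastname).trim());
  for (const name in groups) {
    if (Object.prototype.hasOwnProperty.call(groups, name)) {
      msg.addAttr('groups', name);
    }
  }
  msg.setAttr('department', 'my_department'); // constant from the page; replace as needed
}

// Hypothetical mock that records what the script puts in the response.
class MockResponse implements SAMLResponse {
  nameID: string;
  attrs: Record<string, string[]> = {};
  constructor(defaultNameID: string) { this.nameID = defaultNameID; }
  setNameID(value: string): void { this.nameID = value; }
  setAttr(name: string, value: string): void { this.attrs[name] = [value]; }
  addAttr(name: string, value: string): void {
    this.attrs[name] = (this.attrs[name] || []).concat(value);
  }
}

// Attribute names entered in the Zscaler SAML Auto-Provisioning form.
const ZSCALER_ATTRS = ['displayName', 'groups', 'department'];

// Run the script for one constructed user and list what Zscaler would not receive.
function missingForZscaler(user: User, groups: Groups, defaultNameID: string) {
  const msg = new MockResponse(defaultNameID);
  CustomSAMLResponse(msg, user, groups, undefined);
  const missing = ZSCALER_ATTRS.filter(
    (a) => !(msg.attrs[a] || []).some((v) => v.trim() !== ''));
  if (!msg.nameID) missing.unshift('NameID');
  return { nameID: msg.nameID, attrs: msg.attrs, missing };
}
```

A non-empty `missing` list for a test user means the response would reach Zscaler without one of the attributes configured in the Auto-Provisioning form.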

