Beyond Identity and Zscaler


The first part of the demo shows Federated Web Login experience into the Zscaler admin portal using direct SAML-based integration with Beyond Identity platform authenticator. The admin simply enters their login username and signs on seamlessly into the admin dashboard. The second part of the demo shows Federated login for end-users using the Zscaler Client Connector application. 

This application runs on macOS, Windows, iOS, and Android. The end-user is seamlessly able to perform MFA using Beyond Identity and login to both Zscaler Internet Access, ZIA, and Zscaler Private Access, ZPA. Now, we'll see how Beyond Identity is able to leverage its policy engine to enforce device disconnection from ZPA. 

Beyond Identity's platform authenticator collects sophisticated risk signals from the device and uses Zscaler Cloud as a policy enforcement point. We begin with writing policies into the Beyond Identity Cloud. As you can see, we have a policy in place to continuously monitor firewall status of any device with macOS. 

A change in this posture will result in a disconnection from ZPA, and a further reconnection attempt to ZPA will be blocked by Beyond Identity. We now initiate a device posture change manually on a Mac. We can monitor Beyond Identity events to detect this change via continuous posture checks via the Beyond Identity agent on the device. 

In an instant, the continuous posture check detects this change at a policy deny event is registered in the Beyond Identity Cloud. Let's have a look at how the policy enforcement now occurs On Zscaler Cloud. You can see Client Connector on one side and the device in registered state on Zscaler Cloud on the other side. 

The posture change detected by the Beyond Identity platform authenticator triggers an enforcement event on Zscaler to remove the specific device from its list. The ZPA Client Connector will then detect this change and the service status will change from connected to connecting. 

This forces the user to log out from Zscaler Client Connector app and reconnect. The reconnection to ZPA is now blocked by Beyond Identity, completing a closed-loop integration.