Use Case 1: Private Cloud and On-prem Access with SSO into Salesforce

Use ZTA to route traffic securely to these resources, front ended by ZTA Gateways. There are a few key configurations that are required before this use case can be met.

•Creating or connecting user database

•Deploying a gateway in a location that permits access to a protected resource

•Configuration on the Salesforce domain for SSO integration into the ZTA domain

Creating or connecting user database

1. Local users can easily be added by the admin

2. SAML integration can also be used to link to an external user database

3. Use Workflows > User Authentication to start the configuration wizard



4. The admin will need to define authentication servers for at least Enrollment and User Signin and optionally Admin Signin.

Deploying a gateway in a location that permits access to a protected resource

1. The steps to gateway deployment vary greatly depending on what type of hypervisor is being used

2. Follow the steps outlined in the Help documentation, Getting Started with ZTA.

Configuration on the Salesforce domain for SSO integration into the ZTA domain

1. Sign up for a new Salesforce Developer account.

2. Once domain is registered, log in to the domain (Example: cloudsecure-dev- ed.my.salesforce.com).

3. Click setup located on top right corner of the page.

4. Navigate to Security Controls > Single Sign-On Settings on the left panel. Click on Edit, check SAML Enabled and click Save.



5. Return to the ZTA domain and begin the process of creating a Secure Access Policy



1. You will need to fill out the first few fields in order to get the SAML metadata file from ZTA before returning to the Salesforce domain to complete configuration.



2. Return to Salesforce domain in the SAML SSO settings and select New from Metadata File and upload the file downloaded from ZTA



3. Click the name of the new entry (next to Edit | Del) and download the metadata file associated with the new entry.



4. Take the metadata file back to ZTA and upload (move the radio button selection from download to upload)



5. Select Next and move through the rest of the settings.

1.Select the users who see the bookmark

2.Apply an option host checking rule

3.Attach the bookmark to a gateway for access

6. Navigate to Domain Management > My Domain on the left panel. Click Edit under the Authentication

7. Configuration section, check the box for the SSO profile created above and click Save.



8. Navigate to Administer > Manage Users > Users. Click New User to create a new Salesforce user if user does not exist. Provide the following details, matching the user created on the ZTA domain:

1.Provide First Name.

2.Provide Last Name. Alias will get populated automatically.

3.Provide Email. Username and Nickname will get populated automatically.

4.Select Role for the user.

5.Select User License as Salesforce.

6.Select Profile for the user.

7.Click Save. Leave Salesforce.

9. Take the downloaded file from step above back to ZTA and upload it in the Secure Access Policy Creation page.



10. Select Add Allowed Domains and upload the below listing for domains saved in an excel generated CSV file.

Only the top 4 are needed if a non-DLP setup is being created (SSO from ZTA to Salesforce, without Lookout).

*.salesforce.com

*.my.salesforce.com

*.force.com

*.lightning.com

*.salesforce-communities.com

*.eloqua.com

*.salesforcemarke.com

*.documentforce.com

*.forcesslreports.com

*.forceusercontent.com

*.salesforceliveagent.com

*.sfdcstatic.com

*.developerforce.com

11. Click Next and select a device policy if desired. This enforces a device posture rule for the resource to be accessed.

12. Select the users and sign-in policy to attach the resource.

13. Select the gateway to be used for access.

14. Save and publish the Secure Access Policy.

Register a device (using the Enrollment link found in Secure Access > User > User Policies) and bring up the ZTA connection in the Ivanti Secure Access Client to leverage the settings defined in the above steps.