Zimperium zConsole supports SAML 2.0 integration with an external SAML Identity Provider for administrator logins. This either completely replaces the Console’s default User ID/password authentication or provides an alternative authentication option for users.
This article explains how to configure the Zimperium zConsole with RSA Cloud Authentication Service SAML Identity Provider, allowing enhanced access features to be configured for the Zimperium zConsole, including:
- Access Policy rules and conditions
- Alternatives to password for primary authentication
- Multifactor authentication
- Single-sign-on, for example, with an RSA portal or an external identity provider such as IWA
The two main steps for setting up SSO for the Zimperium zConsole are as follows:
- Request RSA Support to enable the SSO Configuration feature on your Zimperium zConsole
- Configure both the Zimperium zConsole and RSA Cloud Authentication Service SAML Identity Provider for SSO authentication for administrators logging in to the Console
Refer to the following articles for the steps to configure SAML integration of the Zimperium zConsole with the Cloud Authentication Service using My Page SSO and Relying Party.
- Zimperium zConsole - SAML My Page SSO Configuration - RSA Ready Implementation Guide
- Zimperium zConsole - SAML Relying Party Configuration - RSA Ready Implementation Guide
Request to Enable SSO Configuration for Zimperium zConsole
To enable SSO configuration for Zimperium zConsole, create an RSA support case by providing the following details:
- The managed account ID: This appears in the upper-right corner of the navigation bar.
- Zimperium zConsole version: This appears in the upper-left corner under Console.
- A unique client-prefix for the Zimperium zConsole’s URL. This is used to form a new fully qualified hostname for your Zimperium zConsole. Once the SSO configuration is enabled for your console, your organization will use this new name to access Zimperium zConsole. The new hostname will be of the form:
client-prefix-ZimperiumZConsole.zimperium.com
To ensure that the resulting URL is valid, client-prefix must:
- start with a letter (the remaining characters can be letters, digits, or hyphens).
- have a maximum length of 35 characters.
- be unique (not the same as any other Zimperium zConsole’s client-prefix).
Allow ten USA business days for this request to be processed.
As soon as SSO Configuration is enabled for your Zimperium zConsole, your administrators will no longer be able to log in at https://ZimperiumZConsole.zimperium.com. The new hostname must be used. You can immediately start using the new name to access the Zimperium zConsole, without waiting for notice from RSA Support that the new name has been activated.
Configure Zimperium zConsole
- Once the SSO configuration is enabled for your Zimperium zConsole, download the Zimperium zConsole metadata file from: https://client-prefix-ZimperiumZConsole.zimperium.com/api/auth/saml/metadata
where client-prefix-ZimperiumZConsole.zimperium.com is your new Zimperium zConsole hostname.
The downloaded metadata file is: client-prefix-ZimperiumZConsole_zimperium_com_saml_metadata.xml
- Create a test user in your Zimperium zConsole or choose an existing administrator to test.
- Click the cog icon in the upper-right corner, and then navigate to the Users menu.
- Configure RSA Cloud Authentication Service as explained in the next section.
- In Zimperium zConsole, click the cog icon in the upper-right corner, and then navigate to the SSO menu.
- Entity ID: Set to the Identity Provider Entity ID copied from the application configuration in the Cloud Administration Console.
- Metadata: Use a text editor such as Notepad to open the metadata file that was downloaded while configuring the RSA Cloud Authentication Service. Copy the entire content of the file and paste it into the metadata field.
- Choose SAML as the SSO Type.
- Keep the Disable Local Logins check box cleared. This allows administrators to continue to sign in with their existing Zimperium zConsole user ID and password. If Disable Local Logins is selected, administrators must sign in with SSO because it is the only option available.
- Click Save Configuration.
SSO has been enabled. The Zimperium zConsole login screen now displays the Sign In with SSO button, which can be used to test SSO login with the new test user. Existing administrators can continue to use the Sign In button.
- Return to the SSO Configuration page and select the Disable Local Logins check box to force administrators to sign in with SSO.
Configure Cloud Authentication Service
Create or Choose Identity Source(s) for Zimperium zConsole Administrators
All Zimperium zConsole administrators must be configured in the Zimperium zConsole (click the cog icon and click Users) and exist in an identity source configured in the Cloud Administration Console. Each administrator's e-mail address in the Zimperium zConsole Users page must match the user’s e-mail address in an identity source to sign in with SSO.
For all Zimperium zConsole administrators who do not already exist in such an identity source, you need to create a new identity source, using one of these methods:
- Create a Unified Directory identity source. See the Unified Directory Identity Sources article.
- Create an Active Directory or LDAPv3 identity source. See the Add an Identity Source section in the Add, Delete, and Test the Connection for an Identity Source in the Cloud Authentication Service article.
You must ensure that a new test user (if added in the Configure Zimperium zConsole section) exists in an identity source.
When using My Page > My Applications or Relying Party in the Cloud Authentication Service, to add administrators who do not already exist in any identity source:
- Add a Local type Unified Directory identity source.
- Add each Zimperium zConsole administrator to the new Local Unified Directory identity source. See Add a User in the Unified Directory section in the Manage Users for the Cloud Authentication Service article.
Notes:
- Unified Directory identity sources cannot be used with IDR SSO Agent configurations.
- If an administrator already exists in an identity source with the same e-mail address used to sign in to Zimperium zConsole, then the administrator cannot be added to another identity source since duplicate users are not supported by the Cloud Authentication Service.
Create or Choose an Access Policy for the Zimperium zConsole
You need a 1.0 Access Policy to control access to the Zimperium zConsole.
In the Cloud Administration Console, either choose an existing Access Policy that implements the controls or add a new Access Policy for the Zimperium zConsole.
See:
- Cloud Authentication Service - Planning Access Policies
- Add an Access Policy section in the Add, Clone, or Delete an Access Policy article
Note: Make sure that the Identity Sources page of the new or chosen Access Policy has all identity sources selected that contain the Zimperium zConsole administrators.
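The e-mail matching requirement, the duplicate-user note and the Access Policy note above can be checked together before Disable Local Logins is selected, because an administrator who fails any of them would have no way to sign in. The following is an added example, not RSA or Zimperium code: it reconciles a list of zConsole administrator e-mail addresses against lists taken from each identity source. The function names, source names and addresses are constructed, and because the page does not say whether matching is case-sensitive, addresses that differ only in case or whitespace are reported separately for manual review.

```python
# Constructed sample data; names and addresses are placeholders.
CONSOLE_ADMINS = ["alice@example.test", "bob@example.test", "Carol@example.test",
                  "dave@example.test", "erin@example.test"]
IDENTITY_SOURCES = {
    "corp-ad": ["alice@example.test", "carol@example.test", "dave@example.test"],
    "local-ud": ["dave@example.test", "erin@example.test"],
}
POLICY_SOURCES = {"corp-ad"}  # identity sources selected in the Access Policy

def _norm(email):
    return email.strip().casefold()

def preflight(console_admins, identity_sources, policy_sources):
    """console_admins: e-mails from the zConsole Users page.
    identity_sources: {source name: list of e-mails in that source}.
    policy_sources: names of the sources selected in the Access Policy."""
    report = {"ok": [], "missing": [], "case_mismatch": [],
              "duplicate": [], "not_in_policy": []}
    for admin in console_admins:
        exact = [s for s, users in identity_sources.items() if admin in users]
        loose = [s for s, users in identity_sources.items()
                 if _norm(admin) in {_norm(u) for u in users}]
        if not loose:                      # in no identity source at all
            report["missing"].append(admin)
        elif not exact:                    # differs only in case or whitespace
            report["case_mismatch"].append(admin)
        elif len(loose) > 1:               # same user in more than one source
            report["duplicate"].append((admin, sorted(loose)))
        elif loose[0] not in policy_sources:
            report["not_in_policy"].append((admin, loose[0]))
        else:
            report["ok"].append(admin)
    return report

def safe_to_disable_local_logins(report):
    """True only when every administrator is in the 'ok' bucket."""
    issues = any(v for k, v in report.items() if k != "ok")
    return bool(report["ok"]) and not issues

if __name__ == "__main__":
    result = preflight(CONSOLE_ADMINS, IDENTITY_SOURCES, POLICY_SOURCES)
    for bucket, entries in result.items():
        print(f"{bucket}: {entries}")
    print("safe to disable local logins:", safe_to_disable_local_logins(result))
```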
Return to Zimperium zConsole - RSA Ready Implementation Guide.