Untitled

For users to access your applications via Zscaler Private Access (ZPA), they must first authenticate into Zscaler Client Connector using any SAML 2.0-compliant identity provider (IdP) using the service provider-initiated (SP-initiated) model. ZPA user SSO is SP-initiated, but ZPA admin SSO can be SP-initiated or IdP-initiated. When a ZPA Admin selects Single Sign-On Using IdP on the ZPA Admin Portal's Sign In page, the login is SP-initiated. If the ZPA admin logs directly into their IdP, it's IdP-initiated.