Zscaler ZIA


This is a Managed App Connector.


Prerequisites

Organizations must meet the following prerequisites before using OneAPI:

  • A subscription to OneAPI and ZIdentity.

    • To obtain access to these services, contact your Zscaler Account team.

  • The administrator who will configure the required API roles must be assigned to a role that has full permission to Administration > API Key management in the ZIA Admin Portal.

  • ZIdentity administrators who are assigned Full permission to the API Clients and API Resources modules can configure API clients in the ZIdentity Admin Portal.

Collect Required Information from Vendor

Obtain the Vanity Domain

Collect the Zscaler domain name for your account. Example: If your domain is acme.zslogin.net, “acme” would be your vanity domain.

IMPORTANT!

You MUST copy/save this field for use when onboarding this connector (see below).

Set Up the API Role

  1. In ZIdentity Admin portal, go to Administration > Role Management.

  2. Select Add API Role.

  3. In the Add API Role window, enter the following:

    • Name — Enter a name for the API role.

    • Scope — Assign View Only Permissions to all categories.

  4. Select Save and then follow instructions to activate the change.

Obtain the Client ID and Client Secret

  1. In ZIdentity Admin portal, go to Integration > API Clients.

  2. Select Add API Client.

  3. On the Add API Client page, the Client tab is selected by default.

  4. In the Client Information section, enter the following details:

    • Name — Enter a name to identify the API client.

    • Description — Enter a brief description that indicates the purpose of the API client (example: a software application or a script that is using this name to interact with OneAPI).

    • Status — Enable the status. This allows the API client to authenticate and use the API resources.

      • When the status is disabled, the API client cannot get the access tokens issued by ZIdentity.

    • Access Token Lifetime — The validity of the access token that is used to access the API resource.

      • Enter the time in minutes.

      • The minimum and maximum validity periods are 1 minute and 24 hours, respectively.

  5. In the Client Authentication section, select Add to configure the secret authentication method.

    • A key is auto-generated and displayed along with the validity period.

    • This key is generated once, and it cannot be updated.

    • The minimum duration is 30 days, and the maximum duration is 365 days.

    • Be sure to copy the secret key and save it in your local folder, because it is not displayed again. You can add a maximum of two client secrets. If you add a third one, the new value replaces the most recent client secret, so at any point in time there are only two client secrets.

  6. Go to the Resources tab and select the role you created earlier.

  7. Select Save.

    1. When you save the API client details, ZIdentity auto-generates a Client ID and it is displayed on the API Clients page.

  8. Copy the Client ID and save it, as you need to provide the Client ID along with the token or secret to make the API call.

    IMPORTANT!

    You MUST copy/save these fields for use when onboarding this connector (see below).

    NOTE:

    You can also copy the client ID from the Edit API Client window.

    1. On the API Clients page, select the Edit icon for the newly configured API client.

    2. In the Edit API Client window, copy the Client ID and save it in your local folder.
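
A pre-flight check for the values collected above, as an added example that is not Zscaler's or Calero's code. It relies only on the limits stated on this page (the zslogin.net login domain, the 1 minute to 24 hour token lifetime, the 30 to 365 day secret validity); the function names, the 14-day rotation warning and the whole-day expiry arithmetic are assumptions.

```python
import re
from datetime import timedelta
from urllib.parse import urlsplit

SUFFIX = ".zslogin.net"        # ZIdentity login domain, as in the page's example
TOKEN_MINUTES = (1, 24 * 60)   # access token lifetime: 1 minute to 24 hours
SECRET_DAYS = (30, 365)        # client secret validity: 30 to 365 days
LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def vanity_domain(value):
    """Accept 'acme', 'acme.zslogin.net' or a login URL; return 'acme'."""
    value = value.strip().lower()
    host = urlsplit(value).hostname if "://" in value else value.split("/")[0]
    if host and host.endswith(SUFFIX):
        host = host[: -len(SUFFIX)]
    # Only a single DNS label may remain, so look-alike hosts such as
    # acme.zslogin.net.example.com are rejected rather than truncated.
    if not host or not LABEL.fullmatch(host):
        raise ValueError(f"not a vanity domain: {value!r}")
    return host


def check_range(name, value, bounds):
    low, high = bounds
    if not low <= value <= high:
        raise ValueError(f"{name}={value} is outside {low}..{high}")
    return value


def preflight(login_host, token_minutes, secret_created, secret_days,
              today, warn_days=14):
    """Validate the collected settings and report when the secret must rotate.

    warn_days and whole-day expiry arithmetic are assumptions of this example.
    """
    check_range("token_minutes", token_minutes, TOKEN_MINUTES)
    check_range("secret_days", secret_days, SECRET_DAYS)
    expires = secret_created + timedelta(days=secret_days)
    days_left = (expires - today).days
    if days_left < 0:
        status = "expired"
    elif days_left <= warn_days:
        status = "rotate"
    else:
        status = "ok"
    return {"vanity_domain": vanity_domain(login_host),
            "secret_expires": expires, "days_left": days_left, "status": status}
```

Pass `datetime.date` values for `secret_created` and `today`; a status of "rotate" or "expired" means a new client secret should be added in ZIdentity and the connector re-authorized.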

Onboard This Managed App Connector

  1. Go to SaaS Management > Applications.
  2. Select Add Integration.
  3. From the Vendors tab, select the card with the vendor's name.
  4. From the API tab, enter the details you captured above.
  5. Select the Authorize button.

SUCCESS!

You will now be redirected to the Integrations page in Calero.com, where the data sync will continue in the background, and you can monitor progress.


SUGGESTION:
Access Help through your Calero.com instance if links between articles return errors or if there are fewer sections in the Help menu than expected. Doing so will ensure you see all Help articles.