Deployment: The Cloudi-Fi captive portal is configured in an existing Zscaler tenant, leveraging the existing GRE/IPsec tunnels. The source guest network(s) must be routed into those tunnels.

Security: Guests can be profiled based on how they authenticate in the captive portal. Daily guests, consultants and employees (along with their directory group) can each have different policies in Zscaler. Beyond security policies, quota, time and session duration can also be configured per profile.

Compliance: In many countries, Internet logs must be kept for a specific duration and matched to the user. To process a government request, the authentication logs and the Internet logs must be correlated. All logs are hosted in the cloud: authentication logs (in Cloudi-Fi) and pseudonymized Internet logs (in Zscaler) can be correlated in the Cloudi-Fi administration interface, under the Visits menu. Access to this menu should be restricted to a few administrators with an administration profile.
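The correlation described above, as an added example (not Cloudi-Fi or Zscaler code). It assumes constructed record shapes: the Cloudi-Fi side holds the guest's identity, profile, SAML login token and session window; the pseudonymized Zscaler side holds only the login (token@guest-domain), a timestamp and the URL. The join key is the token, restricted to the session window, so a token reused by a later guest is never attributed to the wrong person, and lines outside any session are set aside for review rather than guessed.

```python
"""Correlate Cloudi-Fi authentication ("Visits") records with pseudonymized
Zscaler web logs for a retention / lawful-request lookup.

Added example; not Cloudi-Fi or Zscaler code. Record shapes and all data
below are constructed for illustration.
"""
from datetime import datetime

# Constructed Cloudi-Fi authentication records (not real data).
AUTH_LOGS = [
    {"token": "tk-7f3a", "profile": "daily-guest", "identity": "jane@example.org",
     "start": "2024-03-01T09:00:00", "end": "2024-03-01T13:00:00"},
    # Same token handed to a different guest later the same day.
    {"token": "tk-7f3a", "profile": "daily-guest", "identity": "bob@example.org",
     "start": "2024-03-01T14:00:00", "end": "2024-03-01T18:00:00"},
    {"token": "tk-91c2", "profile": "consultant", "identity": "acme@example.net",
     "start": "2024-03-01T08:30:00", "end": "2024-03-01T20:30:00"},
]

# Constructed pseudonymized Zscaler web log export, CSV: time,login,url.
# The login is assumed to be token@<Cloudi-Fi guest domain>.
WEB_LOGS = """\
2024-03-01T09:15:00,tk-7f3a@your-company.cloudi-fi.net,https://news.example.com/
2024-03-01T15:20:00,tk-7f3a@your-company.cloudi-fi.net,https://shop.example.com/cart
2024-03-01T12:05:00,tk-91c2@your-company.cloudi-fi.net,https://docs.example.net/
2024-03-01T22:00:00,tk-91c2@your-company.cloudi-fi.net,https://late.example.net/
"""


def parse_web_logs(text):
    """Parse the constructed CSV export into dicts with a datetime and bare token."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, login, url = line.split(",", 2)
        rows.append({"time": datetime.fromisoformat(ts),
                     "token": login.split("@", 1)[0],  # strip the guest domain
                     "url": url})
    return rows


def resolve(token, at, auth_logs=AUTH_LOGS):
    """Return the auth record whose token and session window cover `at`, else None."""
    for rec in auth_logs:
        if rec["token"] != token:
            continue
        start = datetime.fromisoformat(rec["start"])
        end = datetime.fromisoformat(rec["end"])
        if start <= at <= end:
            return rec
    return None


def correlate(auth_logs=AUTH_LOGS, web_text=WEB_LOGS):
    """Attach identity and profile to each web log line; collect the lines that
    fall outside any authenticated session so they can be reviewed, not guessed."""
    matched, unmatched = [], []
    for row in parse_web_logs(web_text):
        rec = resolve(row["token"], row["time"], auth_logs)
        if rec is None:
            unmatched.append(row)
        else:
            matched.append({"identity": rec["identity"], "profile": rec["profile"],
                            "time": row["time"].isoformat(), "url": row["url"]})
    return matched, unmatched


if __name__ == "__main__":
    hits, misses = correlate()
    for h in hits:
        print(f'{h["time"]} {h["identity"]:<18} {h["profile"]:<12} {h["url"]}')
    print(f"{len(misses)} line(s) outside any authenticated session")
```

Run as-is it attributes three lines and flags the 22:00 request, which falls after the consultant's session ended. A real export would replace the two constructed blocks; the window check is the part worth keeping.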

Configuration: Compared to a setup with a dedicated Zscaler tenant, the Zscaler configuration is not synchronized with Cloudi-Fi. However, the Zscaler configuration takes only a few steps, described below.

0) Prerequisites for Eligibility

Some parameters may conflict with the Cloudi-Fi integration, in particular the ability to use multiple authentication domains.

The settings to verify are listed below:

Administration > Authentication Settings:

  • User Repository Type: Must be Hosted DB

  • User Authentication Type: Must be SAML

Login attribute of your existing IdP:

The login attribute returned by your existing Identity Provider (IdP) must be unique and in the form of an email address.

Example: user@my-company.com

If it returns only a username without any domain, Zscaler cannot perform authentication across multiple domains.

Example: the ADFS attribute sAMAccountName only returns a username, without a domain.
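A check for this prerequisite, as an added example (not part of the Cloudi-Fi article): it takes the login attribute values the IdP would return for a sample of users (constructed here) and the tenant's domain list from Company Profile, and reports values that are not in email form, not unique, or not in a domain the tenant owns. The domain check is an addition beyond the page's uniqueness and email-form requirements; `check_login_attributes` and `SAMPLE` are names chosen for this example.

```python
"""Eligibility check for the login attribute returned by the existing IdP.

Added example; not Cloudi-Fi or Zscaler code. Sample values are constructed.
"""
import re
from collections import Counter

# Local part, one '@', and a dotted domain. Deliberately simple: enough to
# separate "user@my-company.com" from a bare sAMAccountName such as "jdoe".
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")


def check_login_attributes(values, tenant_domains):
    """Return a dict of findings; an empty dict means the attribute is usable."""
    findings = {"not_email": [], "unknown_domain": [], "duplicates": []}
    domains = {d.lower() for d in tenant_domains}
    for v in values:
        m = EMAIL_RE.match(v)
        if not m:
            findings["not_email"].append(v)
        elif m.group(1).lower() not in domains:
            findings["unknown_domain"].append(v)
    # Logins are compared case-insensitively: Alice@ and alice@ collide.
    counts = Counter(v.lower() for v in values)
    findings["duplicates"] = sorted(v for v, n in counts.items() if n > 1)
    return {k: v for k, v in findings.items() if v}


# Constructed sample: two usable values, one bare username (sAMAccountName
# style), one in a domain the tenant does not own, one case-variant duplicate.
SAMPLE = ["alice@my-company.com", "bob@my-company.com", "jdoe",
          "carol@partner.example", "Alice@my-company.com"]

if __name__ == "__main__":
    for kind, items in check_login_attributes(SAMPLE, ["my-company.com"]).items():
        print(f"{kind}: {items}")
```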

1) Provide your Zscaler account information

Go to your Zscaler Admin interface > Administration > Company Profile

Copy/Paste the following information:

  • Company ID

  • Name

  • Domains

  • Cloudi-Fi IDP ID when available

2) Add Cloudi-Fi Guest domain to your Zscaler account

Submit a ticket to Zscaler support to add the Cloudi-Fi authentication domain. The domain name is provided by the Cloudi-Fi team.
Example: your-company.cloudi-fi.net

3) Create Cloudi-Fi Identity Provider
Go to Administration > Authentication Settings > Identity Provider tab > Add Identity Provider:

  • IdP SAML Certificate : Available here

  • SAML Portal URL : Provided by Cloudi-Fi team

  • Login Name Attribute : token

  • Location: None

  • Domain: Cloudi-Fi dedicated domain

  • Auto-provisioning: ON

  • User Display Name Attribute: token

  • Group Name Attribute: profile

  • Department Name Attribute: profile

  • Save

Save the ID assigned to the Cloudi-Fi IdP and share it with the Cloudi-Fi team.

4) Create Cloudi-Fi Custom URL Categories

Go to Administration > URL Categories > Add URL Category :

Two custom categories need to be created:

  • Cloudi-Fi Portal URL: This category contains all the URLs to be whitelisted so that the captive portal displays properly:

.cloudi-fi.net
.cloudi-fi.com

  • Cloudi-Fi Connectivity Check URL: This category contains all the URLs used by guest devices to detect the presence of a captive portal.

Below are the Custom URLs and Custom Keywords to be added:

- Custom URLs:

captive.apple.com
www.apple.com/library/test/success.html
detectportal.firefox.com
www.msftconnecttest.com
www.msftncsi.com

- Custom Keywords:

/generate_204
/gen_204
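A model of the two categories above, as an added example (not Cloudi-Fi or Zscaler code), useful for checking which guest requests would be exempted from authentication in the next step. The matching rules are an assumption, simplified for illustration: a custom URL entry matches its host (an entry with a leading dot also matches every subdomain) and any path beneath the path it specifies, while a custom keyword matches anywhere in the URL. The sample requests are constructed; the Android probe host is not on the page's list and is there to show what the keyword entry catches. Confirm the exact semantics against Zscaler's URL category documentation before relying on the output.

```python
"""Model of the Cloudi-Fi Portal URL and Connectivity Check URL categories.

Added example; not Cloudi-Fi or Zscaler code. The matching semantics are an
assumed simplification of Zscaler custom URL categories; verify before use.
"""
from urllib.parse import urlsplit

PORTAL_URLS = [".cloudi-fi.net", ".cloudi-fi.com"]
CONNECTIVITY_URLS = [
    "captive.apple.com",
    "www.apple.com/library/test/success.html",
    "detectportal.firefox.com",
    "www.msftconnecttest.com",
    "www.msftncsi.com",
]
CONNECTIVITY_KEYWORDS = ["/generate_204", "/gen_204"]


def _entry_matches(entry, host, path):
    """Apply the modelled custom-URL rule for one category entry."""
    if "/" in entry:
        entry_host, entry_path = entry.split("/", 1)
        entry_path = "/" + entry_path
    else:
        entry_host, entry_path = entry, ""
    if entry_host.startswith("."):
        # Leading dot: the bare domain and every subdomain of it.
        host_ok = host == entry_host[1:] or host.endswith(entry_host)
    else:
        host_ok = host == entry_host
    return host_ok and path.startswith(entry_path)


def categorize(url):
    """Return the custom category a request would fall into, or None."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    if any(_entry_matches(e, host, path) for e in PORTAL_URLS):
        return "Cloudi-Fi Portal URL"
    if any(_entry_matches(e, host, path) for e in CONNECTIVITY_URLS):
        return "Cloudi-Fi Connectivity Check URL"
    if any(k in url for k in CONNECTIVITY_KEYWORDS):
        return "Cloudi-Fi Connectivity Check URL"
    return None


# Constructed sample requests from a guest device before it has authenticated.
SAMPLE_URLS = [
    "http://captive.apple.com/hotspot-detect.html",       # Apple probe
    "http://connectivitycheck.gstatic.com/generate_204",  # Android probe, keyword only
    "https://portal.cloudi-fi.net/login",                 # the captive portal itself
    "http://www.apple.com/",                              # not the listed probe path
    "https://www.example.com/",                           # ordinary browsing
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{categorize(u) or 'no custom category':<34} {u}")
```

Anything that comes back as `None` is ordinary browsing and will still be redirected to the portal; anything in one of the two categories is what the authentication bypass in the next step must cover.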

5) Create the Authentication Bypass

To prevent visitors from being redirected to your corporate authentication IdP, configure a bypass for the two URL categories created previously.

Go to Administration > Advanced Settings:

  • In the Authentication Exemptions section, add the two custom categories.

  • Enable Policy for Unauthenticated Traffic : Enabled

Note: If this option was initially disabled in your account, an additional URL policy rule must be added when you create the Cloudi-Fi policy rules in the next section.

6) URL filtering policies for guests:

Configure this bundle of rules to redirect your guests to your captive portal, allow authenticated users to browse the Internet and prevent them from accessing forbidden categories.

The Cloudi-Fi team can assist you in creating these rules.

Thanks to dynamic groups, you do not need to update these rules every time you deploy a new guest location (more information in the next section).

Note: if the option Enable Policy for Unauthenticated Traffic was disabled in Advanced Settings (see previous section), you must add the following rule at the end of the Cloudi-Fi rules:

7) Dynamic group of Cloudi-Fi location(s)

Zscaler dynamic location groups can be leveraged to simplify the management of guest rules, logs and policies within an existing Zscaler account.

Define a condition for your guest locations. Go to Administration > Location Management > Location Groups tab > Create New.

This allows any new location named Guest to belong dynamically to this group. Alternatively, the condition could include all locations with authentication disabled.

From then on, any new guest location automatically belongs to the group “CLOUDIFI”. This adds it automatically to policy rules, reports and logs, and clearly segregates data and configuration between guest and corporate traffic (see section 9 for more information).

8) Create your Guest location/sub-location

You can either create a location (dedicated VPN tunnel for guest traffic) or a sub-location (reuse an existing location and define the guest private IP range).

Go to Administration > Location Management

  • For a new location: create a new Location

  • For a sub-location: select an existing location and click on the icon on the right

How to configure your Guest location:

  • Name: Must match the condition of your Cloudi-Fi dynamic group

  • Enforce Authentication: ON

  • Enable IP Surrogate (both options): the timers should equal the Cloudi-Fi session lifetime

  • Enforce Firewall Control: ON

9) Create the Guest Firewall policy rules

Note: we recommend placing these rules at the beginning of your Firewall Policy.

Go to Policy > Firewall control

10) Administration and reporting

Administrators can have their scope restricted to the dynamic location group, so that they only see guest (or non-guest) data.

Alternatively, an administrator with full access can build specific reports, insights and log views for guest (or, by extension, non-guest) data.

Custom reports built for guests only

Custom log search
