QUESTIONS AND SOLUTIONS GRADED A+
●● Zscaler Private Access (ZPA) configures connectivity to private
applications and resources hosted where?
Answer: 1. Infrastructure as a Service (IaaS)
2. Platform as a Service (PaaS)
3. Your private data center
●● Zscaler integrates with multiple IdP partners and can work with
_______.
Answer: Zscaler can integrate with Active Directory, Azure Active
Directory, ADFS, Okta, Ping, or really any SAML 2.0-compliant identity
provider.
●● Define Service Provider (SP) and the role it plays with IdP
integration with Zscaler.
Answer: Service Provider (SP) - The "Application". Also known as the
Relying Party (RP) to the Identity Provider (IdP). Employs the services
of an IdP for the authentication and authorization of users. Zscaler acts
as a SAML SP.
●● Define Identity Provider (IdP) and the role it plays with IdP
integration with Zscaler.
Answer: IdP - Authenticates users/devices. Provides identifiers and
identity assertions for users that wish to access a service. IdP examples
include: Okta, Ping, AD FS, Azure AD.
●● Define Security Assertions and the role they play with IdP integration
with Zscaler.
Answer: Also known as tokens. Issued to users by the IdP. Presented to
SPs / RPs to confirm authentication. Trust is based on PKI. Assertions may
contain: authentication, attribute, or authorization statements.
●● Describe the authentication flow for Zscaler utilizing SAML with an
IdP-initiated SSO.
Answer: 1. User clicks an application.
2. User is redirected to Zscaler. (ZIA or ZPA pending request)
3. User clicks to log into Zscaler (ZIA or ZPA pending request)
4. User is redirected to SAML IdP login (this can include user attributes
and/or group memberships)
5. User logs into IdP (this can include user attributes and/or group
memberships)
6. IdP sends the identity assertion to the user (SAML assertion is
encrypted)
7. User sends identity to Zscaler (SAML assertion is encrypted)
8. Zscaler issues auth token to user (assertion is verified)
9. User is given access to the application
●● What are the advantages of using SCIM? What are the
disadvantages?
Answer: Advantages -
- Updates information automatically
- Allows users to be deleted (While Auto-Provisioning can add user
information, it cannot delete users from the database)
Disadvantages -
- Not supported by all IdPs
●● What operations are supported by SCIM?
Answer: 1. Add Users: As they are assigned to the ZPA SP in the source
IdP
2. Delete Users: Remove ZPA access for users that are either removed
from the ZPA SP in the source IdP, or are removed from the directory
completely.
3. Update Users: Update SCIM attributes dynamically (e.g. group
memberships)
4. Apply Policy: Based on SCIM user or group attributes.
●● What is the Zscaler Client Connector (ZCC)?
Answer: It is a lightweight app that sits on users' endpoints and enforces
security policies and access controls regardless of device, location, or
application.
●● What is the recommended mode for Zscaler Client Connector (ZCC)
to function when it's forwarding traffic to Zscaler Internet Access (ZIA)?
Answer: The recommended mechanism is to use the Zscaler tunnel.
●● What are the three authenticated tunnel options (meaning those available
once the user is enrolled in Zscaler Client Connector (ZCC))?
Answer: 1. ZTunnel - Packet Filter Based
2. ZTunnel - Route-Based
3. ZTunnel with Local Proxy
●● What are the additional options that support legacy implementations
for ZCC?
Answer: 1. Enforced PAC mode, which basically instruments the PAC
file in the browser, similar to what you'd get from a group policy object.
That means that the browser itself is forced to go to Zscaler Internet
Access via a specified proxy.
2. None, meaning that the policy is not going to do any configuration of
proxy or tunneling mode, and relies on the group policy object or the
default configuration within the browser.
●● What type of tunnel is ZTunnel 1.0?