Overview
This integration enables organizations to redirect all public GenAI traffic to SurePath AI through Zscaler's proxy chaining capability using Forwarding Control policies. Using this method, all GenAI traffic defined by a custom URL category is sent through the Zscaler proxy system, which then forwards the traffic to the SurePath AI Proxy before reaching the final destination. This approach provides complete visibility in both Zscaler and SurePath AI logging systems, allowing admins to use either platform for troubleshooting or analysis.
Organizations implementing this integration should understand that all users whose traffic matches the configured policy will have their public GenAI access redirected to SurePath AI. When the X-Authenticated-User (XAU) header is configured in the proxy settings as described in this document, users will have a fully transparent experience without any authentication prompts. Without the XAU header configuration, users would be required to authenticate using SSO before gaining access to any GenAI services governed by SurePath AI.
For POC or pilot deployments, admins can configure specific criteria in the Zscaler Forwarding Control policy to redirect traffic for a subset of users or groups. Depending on Zscaler licensing, admins should reach out to their Zscaler technical representative to verify they can segment policy rules by groups before attempting to implement a limited deployment.
Prerequisites
Before configuring Zscaler, admins should verify the Zscaler environment requirements, ensure the SurePath AI Root CA is distributed to endpoints, and gather the necessary configuration information from the SurePath AI platform.
Verify Zscaler environment requirements
This integration requires Zscaler Tunnel 2.0 to be deployed on client endpoints. The configuration outlined in this document will not function properly if Tunnel version 1.0 is used.
Open the Zscaler client on any endpoint
Verify that Tunnel 2.0 is displayed in the client interface
If Tunnel 1.0 is shown, consult Zscaler documentation at https://help.zscaler.com/zia/about-forwarding-policies for upgrade guidance before proceeding
Distribute SurePath AI Root CA to endpoints
SurePath AI recommends that organizations distribute the SurePath AI Root CA to all endpoints as a trusted certificate authority before beginning the Zscaler configuration. The certificate will also be installed in Zscaler's trusted CA store during the configuration steps, which ensures that Zscaler trusts SurePath AI's TLS inspection. Distributing the certificate directly to endpoints provides additional protection against certificate trust errors and ensures a seamless user experience.
To download and distribute the certificate:
In the Admin UI, click Organization in the CONFIGURE section and select the Integration tab
Select the certificate format appropriate for the endpoint operating systems
Click the DOWNLOAD CERTIFICATE button
Distribute the SurePath AI Root CA using existing certificate deployment mechanisms, such as Group Policy, Mobile Device Management (MDM) platforms, or endpoint management tools
Gather configuration information
Admins must collect several items from the SurePath AI platform that will be used during the Zscaler configuration steps. These include the proxy address that Zscaler will forward traffic to, the curated list of GenAI sites that defines which domains should be redirected, and the SurePath AI security certificate that will be installed in Zscaler's trusted CA store.
SurePath AI proxy address
The SurePath AI proxy address is the hostname that Zscaler will use as the destination for forwarded GenAI traffic.
In the Admin UI, click Organization in the CONFIGURE section and select the Integration tab
Copy the proxy URL value and save it for use during the Zscaler proxy configuration step (the port number is typically not needed as it will be specified separately)
SurePath AI public services catalog
SurePath AI maintains and curates a list of GenAI sites across the public internet, including vendor names and associated risk levels. This list is downloaded in Zscaler-specific format and imported into Zscaler as a custom URL category.
In the Admin UI, click Public Services in the GOVERN section
Click the DOWNLOAD CATALOG button
Select Zscaler Config from the download format dropdown
Click DOWNLOAD to save the file
The downloaded file will be named similar to surepath-ai-public-services-zscaler-YYYY-MM-DD.txt. Admins should not add additional URLs to this file. If there are sites that need to be added to the catalog, the admin should contact their SurePath AI technical representative for guidance on the appropriate approach.
SurePath AI security certificate
The SurePath AI security certificate must be downloaded and installed in Zscaler's trusted CA store during the configuration steps. This allows Zscaler to trust SurePath AI's TLS inspection and prevents certificate warnings when SurePath AI decrypts and inspects GenAI traffic.
In the Admin UI, click Organization in the CONFIGURE section and select the Integration tab
Select the PEM format (typically required for Zscaler)
Click the DOWNLOAD CERTIFICATE button
Understanding X-Authenticated-User (XAU) header
The X-Authenticated-User header is a critical component of this integration that enables transparent user identification without requiring SSO authentication prompts. When properly configured, the XAU header dramatically improves the user experience by eliminating the need for users to authenticate when accessing public GenAI services.
How XAU works with SurePath AI
When Zscaler forwards traffic to the SurePath AI proxy, it can insert the X-Authenticated-User header into each request. This header contains the username of the end user whose traffic is being proxied. SurePath AI validates that the traffic is coming from a trusted Zscaler connector and then automatically associates the user's identity with their GenAI activity without requiring an additional authentication step. This creates a fully transparent experience where users can access GenAI services without any interruption or authentication prompts.
XAU requirements by deployment type
Organizations using SurePath AI Discovery mode must configure the XAU header, as it is the only method for SurePath AI to identify which users are accessing GenAI services. Without the XAU header, Discovery mode cannot attribute activity to individual users.
For non-Discovery organizations, the XAU header is optional but strongly recommended. Without XAU, users will be redirected to an SSO authentication page the first time they access any GenAI service governed by SurePath AI. While this authentication is typically cached for a period of time, enabling XAU eliminates this authentication requirement entirely and provides the best user experience.
The XAU header configuration is completed during the proxy configuration step outlined in this document.
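The validation described above (SurePath AI honoring X-Authenticated-User only when the traffic comes from a trusted Zscaler connector) is what keeps the header from being a self-asserted identity. The following is an added example, not SurePath AI or Zscaler code, modelling that check on the receiving side: the header is accepted only from a trusted peer network, a client cannot smuggle its own copy, and the header is never forwarded onward. The trusted network range, the header samples and the hypothetical `resolve_user` function are constructed for illustration.

```python
"""Resolve the end-user identity from X-Authenticated-User only for trusted peers.

Added example, not SurePath AI code. Assumption: trust is decided by the peer's
source network; a production proxy would tie this to the connector's mTLS identity
instead of, or in addition to, source addresses. All values below are constructed.
"""
import ipaddress

XAU_HEADER = "x-authenticated-user"

# Placeholder trusted network (TEST-NET-3); stands in for the Zscaler connector source.
TRUSTED_PEERS = [ipaddress.ip_network("203.0.113.0/24")]


def header_values(headers, name):
    """Return every value of a header, matched case-insensitively (HTTP header names are)."""
    return [value.strip() for key, value in headers if key.lower() == name]


def resolve_user(peer_ip, headers):
    """Return (username_or_None, sanitized_headers).

    The username is taken from XAU only when peer_ip lies in TRUSTED_PEERS and the
    header is present exactly once with a plausible value. The header is always
    stripped from the forwarded header list so it never reaches the GenAI destination.
    A None username means the caller falls back to the SSO flow described above.
    """
    addr = ipaddress.ip_address(peer_ip)
    trusted = any(addr in net for net in TRUSTED_PEERS)
    sanitized = [(k, v) for k, v in headers if k.lower() != XAU_HEADER]
    if not trusted:
        return None, sanitized  # header from an untrusted source is ignored, not trusted
    values = header_values(headers, XAU_HEADER)
    if len(values) != 1:
        return None, sanitized  # missing or duplicated header: do not guess an identity
    user = values[0]
    if not user or any(ch.isspace() for ch in user):
        return None, sanitized
    return user, sanitized


if __name__ == "__main__":
    request = [("Host", "chat.example-ai.com"), ("X-Authenticated-User", "alice@example.com")]
    print(resolve_user("203.0.113.10", request))   # trusted connector: identity accepted
    print(resolve_user("198.51.100.7", request))   # untrusted peer: identity dropped
```

Rejecting a duplicated header rather than picking the first or last copy avoids the ambiguity that arises when one hop appends the header and another already sent one.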
Zscaler configuration steps
The Zscaler configuration process involves several distinct steps: creating a custom URL category containing all GenAI domains from the SurePath AI catalog, adding the SurePath AI security certificate to Zscaler's trusted certificate store, creating a proxy configuration that points to the SurePath AI proxy address, creating a proxy gateway that references the proxy, and finally creating a forwarding rule that redirects matching traffic through the configured proxy gateway.
Access the Zscaler admin console
Navigate to https://zscaler.com and log in using organization credentials
Create the custom URL category
The custom URL category contains all the individual hostnames and domains from the SurePath AI public services catalog. This category defines what traffic should be considered "GenAI traffic" for the purpose of the forwarding policy.
Navigate to Administration > URL Categories and click Add URL Category
Enter a descriptive name—these instructions use SurePathAI as the example name throughout
Click in the Custom URLs text field
Open the previously downloaded SurePath AI public services file (named similar to surepath-ai-public-services-zscaler-YYYY-MM-DD.txt)
Select all hosts and lines in the file and paste them into the field (each host should appear on a separate line)
Click the Add Items button next to the text field
Click Save
The URL category should now appear in the list of configured URL categories under User-Defined. The number of services listed in the SurePath AI catalog will not match the number of lines in the file. The line count will be higher because some GenAI services require multiple hostnames to capture all relevant traffic.
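Before pasting the catalog into the custom URL category, it is worth checking that every line is a bare hostname, that nothing was hand-added (full URLs with a scheme or path are a telltale sign) and that there are no duplicates, and it helps to see why the line count exceeds the service count. The following added example, not SurePath AI or Zscaler code, does that; it assumes the Zscaler-format file is one hostname per line with blank and `#` lines ignorable, and the sample catalog content and the `parse_catalog` / `services_by_domain` helpers are constructed.

```python
"""Validate a SurePath AI public services catalog in Zscaler format before import.

Added example, not SurePath AI or Zscaler code. Assumption: one hostname per line,
blank lines and lines starting with '#' ignored. SAMPLE_CATALOG is constructed.
"""
import re
from collections import defaultdict

# Conservative hostname syntax: dot-separated labels of letters, digits and hyphens.
_HOST_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$")

# Constructed sample; a real catalog is downloaded from the Admin UI and is much longer.
SAMPLE_CATALOG = """\
# surepath-ai-public-services-zscaler-YYYY-MM-DD.txt (constructed sample)
chat.example-ai.com
api.example-ai.com
CHAT.EXAMPLE-AI.COM
assistant.example-llm.net
cdn.example-llm.net
https://added-by-hand.example.org/path
"""


def parse_catalog(text):
    """Return (entries, problems).

    entries: ordered, de-duplicated, lower-cased hostnames that pass the syntax check.
    problems: (line_number, line, reason) tuples to review before pasting into Zscaler.
    """
    seen = set()
    entries = []
    problems = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host = line.lower()
        if "://" in host or "/" in host:
            problems.append((lineno, raw, "looks like a URL, not a bare hostname"))
            continue
        if not _HOST_RE.match(host):
            problems.append((lineno, raw, "not a valid hostname"))
            continue
        if host in seen:
            problems.append((lineno, raw, "duplicate entry"))
            continue
        seen.add(host)
        entries.append(host)
    return entries, problems


def services_by_domain(entries):
    """Group hostnames by their last two labels to approximate one service per vendor.

    This shows why the file has more lines than the catalog has services: chat, api
    and cdn hosts of one vendor collapse into one group. Two labels is a heuristic
    and undercounts vendors under multi-label public suffixes such as co.uk.
    """
    groups = defaultdict(list)
    for host in entries:
        groups[".".join(host.split(".")[-2:])].append(host)
    return dict(groups)


if __name__ == "__main__":
    hosts, issues = parse_catalog(SAMPLE_CATALOG)
    print(f"{len(hosts)} hostnames, about {len(services_by_domain(hosts))} services")
    for lineno, line, reason in issues:
        print(f"line {lineno}: {reason}: {line}")
```

Any line reported as a problem should be resolved with the SurePath AI technical representative rather than edited locally, in keeping with the guidance above.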
Add the SurePath AI security certificate
Installing the SurePath AI root certificate in Zscaler's trusted CA store ensures that Zscaler will trust SurePath AI's TLS inspection. This prevents certificate warnings from being presented to end users when SurePath AI decrypts and inspects GenAI traffic.
Navigate to Administration > Root Certificates and click Add Root Certificate
Enter a descriptive name—these instructions use SurePathAI throughout
Set the Type field to Proxy Chaining
Click Done
Click Choose File and select the .pem certificate file previously downloaded from SurePath AI
Click SAVE
The certificate should now appear in the list of Root Certificates.
Create the proxy configuration
The proxy configuration defines the SurePath AI proxy as a forwarding destination that Zscaler can send traffic to. The proxy settings include the hostname, port number, the associated root certificate that Zscaler will use when forwarding GenAI traffic, and the critical X-Authenticated-User header configuration.
Navigate to Administration > Proxies & Gateways > Proxies and click Add Proxy
Enter a descriptive name—these instructions use SurePathAI throughout
Set the IP Address / FQDN field to the SurePath AI proxy URL value that was copied from the Admin UI in the prerequisites section
Set the Port field to 8080 unless the organization has received specific instructions from SurePath AI to use a different port number
Set the Proxy's Root Certificate field to the root certificate created in the previous step (named SurePathAI in these examples)
Configure X-Authenticated-User header (Recommended)
As described in the "Understanding X-Authenticated-User (XAU) header" section above, enabling the XAU header eliminates the need for users to authenticate via SSO when accessing public GenAI services. This configuration is required for Discovery mode deployments and strongly recommended for all other deployments.
Enable the Insert X-Authenticated-User option by clicking the toggle to turn it green
When this option is enabled, Zscaler will insert the X-Authenticated-User header into every proxy request, passing the end user's username to SurePath AI. SurePath AI will validate that the traffic is coming from the trusted Zscaler connector and automatically associate the user's identity with their GenAI activity without requiring an authentication prompt. This creates a fully transparent experience for end users.
Click SAVE
The proxy should now appear in the list of configured proxies.
Create the proxy gateway
The proxy gateway serves as a container for one or more proxy configurations and is referenced by the forwarding rule. This gateway will point to the SurePath AI proxy created in the previous step.
Navigate to Administration > Proxies & Gateways > Proxy Gateways and click Add Gateway for Proxies
Enter a descriptive name—these instructions use SurePathAI throughout
Set the Primary Proxy field to the proxy created in the previous step (named SurePathAI in these examples)
Leave the Secondary Proxy field empty (the proxy hostname provided by SurePath AI resolves to multiple SurePath AI proxies, which provides high availability without a secondary entry)
Click SAVE
The proxy gateway should now appear in the list of configured gateways.
Create the forwarding rule
The forwarding rule instructs Zscaler to redirect traffic matching the custom URL category to the SurePath AI proxy gateway. This is the policy that actually enables the integration and begins redirecting GenAI traffic.
Navigate to Policies > Forwarding Control and click Add Forwarding Rule
Enter a descriptive name—these instructions use SurePathAI throughout
Adjust the Rule Order and Admin Rank so the rule is evaluated appropriately within the organization's overall Zscaler policy structure (position the SurePath AI forwarding rule before other AI-related rules so that GenAI traffic is redirected before those rules can take effect)
Set the Forwarding Method field to Proxy Chaining
For pilot or POC deployments, set CRITERIA > General to specific groups of users to limit the policy to test users or groups
For production deployments, leave CRITERIA > General at the default value of Any to apply the policy to all users
Set CRITERIA > Destination > URL Category to the custom URL category created earlier (named SurePathAI in these examples)
Set ACTION > Forward to Proxy Gateway to the proxy gateway created in the previous step (named SurePathAI in these examples)
Click SAVE
The forwarding rule should now appear in the policy list.
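Rule Order and the CRITERIA > General group setting decide whether a given request actually reaches the SurePath AI proxy gateway. The following added example, not Zscaler code, simulates first-match evaluation of forwarding rules to make both points concrete: the same rules in the wrong order send GenAI traffic elsewhere, and a pilot rule scoped to a group leaves everyone else untouched. The first-match model, the `URL_CATEGORIES` mapping, the hostnames, group names and rule names are all constructed assumptions that mirror the steps above.

```python
"""Simulate first-match evaluation of Zscaler Forwarding Control rules.

Added example, not Zscaler code. Assumption: rules are evaluated in ascending Rule
Order and the first match wins; criteria are user groups (empty set == Any) and
destination URL category. Hosts, categories, groups and rule names are constructed.
"""
from dataclasses import dataclass, field

# Constructed: hostname -> URL categories it belongs to. "SurePathAI" is the custom
# category built from the catalog; "AI_Generic" stands in for a pre-existing AI category.
URL_CATEGORIES = {
    "chat.example-ai.com": {"SurePathAI", "AI_Generic"},
    "cdn.example-llm.net": {"SurePathAI"},
    "www.example-news.com": {"News"},
}


@dataclass
class ForwardingRule:
    name: str
    order: int                    # Rule Order
    url_categories: set           # CRITERIA > Destination > URL Category
    action: str                   # ACTION, e.g. "proxy_gateway:SurePathAI" or "direct"
    groups: set = field(default_factory=set)  # CRITERIA > General; empty means Any

    def matches(self, host, user_groups):
        if self.groups and not (self.groups & user_groups):
            return False
        return bool(self.url_categories & URL_CATEGORIES.get(host, set()))


def evaluate(rules, host, user_groups):
    """Return (rule_name, action) of the first matching rule, or (None, 'direct')."""
    for rule in sorted(rules, key=lambda r: r.order):
        if rule.matches(host, user_groups):
            return rule.name, rule.action
    return None, "direct"


def production_rules():
    # SurePathAI rule ahead of another AI-related rule, as the ordering step recommends.
    return [
        ForwardingRule("SurePathAI", 1, {"SurePathAI"}, "proxy_gateway:SurePathAI"),
        ForwardingRule("AI_Direct", 2, {"AI_Generic"}, "direct"),
    ]


def misordered_rules():
    # Same two rules with the SurePathAI rule evaluated after the other AI rule.
    return [
        ForwardingRule("SurePathAI", 2, {"SurePathAI"}, "proxy_gateway:SurePathAI"),
        ForwardingRule("AI_Direct", 1, {"AI_Generic"}, "direct"),
    ]


def pilot_rules():
    # Pilot deployment: CRITERIA > General limited to a constructed "GenAI-Pilot" group.
    return [ForwardingRule("SurePathAI-Pilot", 1, {"SurePathAI"},
                           "proxy_gateway:SurePathAI", groups={"GenAI-Pilot"})]


if __name__ == "__main__":
    host = "chat.example-ai.com"
    print("production :", evaluate(production_rules(), host, {"Finance"}))
    print("misordered :", evaluate(misordered_rules(), host, {"Finance"}))
    print("pilot, in  :", evaluate(pilot_rules(), host, {"GenAI-Pilot"}))
    print("pilot, out :", evaluate(pilot_rules(), host, {"Finance"}))
```

The misordered case is the failure mode the ordering step warns about: a host that is in both an existing AI category and the SurePathAI category is claimed by whichever rule comes first, so the SurePath AI rule must sit above any other rule that could match GenAI destinations.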
Activate the configuration
Click Activation and then click Activate to publish the configuration changes and make the integration active
Verification and troubleshooting
After the configuration is activated and deployed to test users or groups, admins can verify the integration using the Ready tool at https://ready.surepath.ai. Users whose traffic is being redirected should see successful validation results for both certificate trust and network configuration. If either test fails, admins should verify that the URL category, certificate installation, proxy configuration, proxy gateway, and forwarding rule are all configured correctly and that the policy is being applied to the intended user population.
