Cloudi-Fi has developed a feature called "transient mode" that acts as an intermediate state for iOS devices. This mode is available only in Zscaler integration deployments and is specifically designed for iOS device users, enabling more robust session management and a more reliable authentication flow.
This article explores transient mode, the necessity of using Safari for cookie persistence, and how these combined features create a more consistent, reliable connectivity experience for Zscaler iOS users.
Introduction
When you connect to a Wi-Fi network with a captive portal, iOS detects if internet access is restricted.
If a login is required, iOS automatically opens a captive portal mini-browser (CPMB) window to display the portal. This mini-browser has a limitation: it has no persistent cookies, so every cookie written during the session is destroyed when the CPMB closes.
In Zscaler ZIA, cookie authentication is used to streamline user access and improve security by storing an authentication token (cookie) on a user’s device after they successfully authenticate.
To resolve cookie persistence on iOS, Cloudi-Fi introduced an intermediate authentication state called "Transient".
What Is Transient Mode?
Transient mode is an intermediate status introduced by Cloudi-Fi for Zscaler, which exists between pre-authentication and post-authentication states. This unique state is only available on iOS devices within Zscaler’s deployment framework.
In transient mode, devices are not fully authenticated but retain an "in-between" connectivity status: Zscaler allows the device to operate as though it has network access while the essential pre-authentication steps are processed in the background.
The login attribute returned by the Cloudi-Fi Identity Provider (IdP) for a transient user must be of the following form:
transient**@yourcompany.cloudi-fi.net
The login attribute returned by the Cloudi-Fi Identity Provider (IdP) for a fully authenticated user must be of the following form:
user**@yourcompany.cloudi-fi.net
Authentication workflow
With "Transient" feature enabled
Step 1 : Connection to the Wi-Fi Network (Guest SSID):
The user opens the Wi-Fi settings on their iOS device and selects the guest Wi-Fi network, "Guest SSID." Once connected to the guest SSID, the iOS device is assigned an IP address by the DHCP server in the network.
Step 2 : Captive Portal Detection by iOS Device
iOS devices have a built-in mechanism to detect captive portals by attempting to access a known Apple URL, such as http://captive.apple.com/generate_204. If this request is redirected (instead of getting a "No Content" HTTP 204 response), iOS detects that it is behind a captive portal and displays a captive portal login screen.
user in Zscaler = noauth-protocol$@zscaler_ID.zscaler_cloud.net
Step 3 : Redirection to the Transient Page in Apple mini-browser
The iOS device automatically opens a mini-browser (a simplified Safari view) that redirects to the transient page URL provided by the network.
This page has a URL structure such as:
https://login.cloudi-fi.net/start/ch/************/sp/spzscaler.net?source=transient
- ************ : your Cloudi-Fi public key, visible in your Cloudi-Fi Admin interface under Settings > Company Account.
- "zscaler.net" : your Zscaler Entity ID (zscaler.net, zscloud.net, zscalerthree.net, etc.).
user in Zscaler = transient***@yourcompany.cloudi-fi.net
Step 4 : Redirection to the Captive Portal Page in Safari
After tapping the "Continue" button, the user is redirected to the captive portal assigned to your location (see Admin UI > Locations > Portals column).
For instance:
user in Zscaler = transient***@yourcompany.cloudi-fi.net
The user then completes authentication and can browse the internet.
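As an added example (not Cloudi-Fi or Zscaler code), the following Python helpers model the states described in the workflow above and in the "stuck in transient" note later on: they classify the Zscaler username shown on ip.zscaler.com, parse the transient redirect URL, and interpret the captive.apple.com probe response. The company key and the sample usernames are constructed placeholders.

```python
"""Model the iOS captive-portal states from the Cloudi-Fi / Zscaler workflow.

Added example, not Cloudi-Fi or Zscaler code. Username and URL shapes follow
the article; every concrete value used here is a constructed placeholder.
"""
import re
from typing import Optional
from urllib.parse import urlparse, parse_qs

# Zscaler username prefixes quoted in the article, one per authentication state.
_STATE_PATTERNS = [
    ("pre-auth", re.compile(r"^noauth-protocol\$@")),
    ("transient", re.compile(r"^transient[^@]*@[^@]+\.cloudi-fi\.net$")),
    ("authenticated", re.compile(r"^user[^@]*@[^@]+\.cloudi-fi\.net$")),
]


def zscaler_auth_state(username: str) -> str:
    """Map the Zscaler username (as shown on ip.zscaler.com) to a workflow state."""
    for state, pattern in _STATE_PATTERNS:
        if pattern.match(username):
            return state
    return "unknown"


def parse_transient_redirect(url: str) -> Optional[dict]:
    """Extract the company key and Zscaler entity ID from a transient redirect URL.

    Expected shape: https://login.cloudi-fi.net/start/ch/<key>/sp/sp<entity>?source=transient
    Returns None if the scheme, host, path or source parameter do not match.
    """
    u = urlparse(url)
    m = re.fullmatch(r"/start/ch/([^/]+)/sp/sp([^/]+)", u.path)
    if u.scheme != "https" or u.hostname != "login.cloudi-fi.net" or not m:
        return None
    if parse_qs(u.query).get("source") != ["transient"]:
        return None
    return {"company_key": m.group(1), "entity_id": m.group(2)}


def classify_probe(status: int, location: Optional[str]) -> str:
    """Interpret the response iOS receives for http://captive.apple.com/generate_204."""
    if status == 204:
        return "internet"           # no portal: iOS does not open the mini-browser
    if 300 <= status < 400 and location:
        # Redirect means a captive portal; flag the Cloudi-Fi transient page specifically.
        return "captive-transient" if parse_transient_redirect(location) else "captive"
    return "no-internet"
```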
Without "Transient" feature enabled
Step 1 : Connection to the Wi-Fi Network (Guest SSID):
The user opens the Wi-Fi settings on their iOS device and selects the guest Wi-Fi network, "Guest SSID." Once connected to the guest SSID, the iOS device is assigned an IP address by the DHCP server in the network.
Step 2 : Captive Portal Detection by iOS Device
iOS devices have a built-in mechanism to detect captive portals by attempting to access a known Apple URL, such as http://captive.apple.com/generate_204. If this request is redirected (instead of getting a "No Content" HTTP 204 response), iOS detects that it is behind a captive portal and displays a captive portal login screen.
user in Zscaler = noauth-protocol$@zscaler_ID.zscaler_cloud.net
Step 3 : Redirection to the Captive Portal Page in Apple mini-browser
After tapping the "Continue" button, the user is redirected to the captive portal assigned to your location (see Admin UI > Locations > Portals column).
For instance:
user in Zscaler = noauth-protocol$@zscaler_ID.zscaler_cloud.net
The user then completes authentication and can browse the internet.
How to enable "Transient" feature
Here are the steps to follow to enable the transient feature:
Step 1 : Enable the "Transient" page in your captive portal
Open a ticket with Cloudi-Fi Support (see How to contact your Cloudi-Fi support?) to enable the "Transient" page in your captive portal.
Step 2 : Create Zscaler URL policy for Transient page redirection (if it was not created yet)
see How to Deploy Cloudi-Fi Captive Portal into an Existing Zscaler Tenant - Option Location Only-
Go to your Zscaler Admin interface and navigate to Policy > Access Control > URL and Cloud App Control. Then create the following rule:
Rule 1 : Apple captive portal URL
URL Filtering Rule
- Rule Name : for instance Apple Captive Portal
- Rule status : enabled
Criteria
- URL categories : Cloudi-fi Apple Check URL
- Department : Unauthenticated Transactions
- Request Methods : CONNECT, DELETE, GET, HEAD, OPTIONS, OTHER, POST, PUT, TRACE
- Time : Always
- Location Group : CLOUDIFI
- Web Traffic : Block
- Allow override : OFF
- Redirect URL :
https://login.cloudi-fi.net/start/ch/************/sp/spzscaler.net?source=transient
- ************ : your Cloudi-Fi public key, visible in your Cloudi-Fi Admin interface under Settings > Company Account.
- "zscaler.net" : your Zscaler Entity ID (zscaler.net, zscloud.net, zscalerthree.net, etc.).
Step 3 : Update Zscaler URL policy
see How to Deploy Cloudi-Fi Captive Portal into an Existing Zscaler Tenant - Option Location Only-
Go to your Zscaler Admin interface and navigate to Policy > Access Control > URL and Cloud App Control.
Then update Rule_3 (Rule 3 : Cloudi-Fi redirection) to add the Wallguard Department. The Wallguard Department becomes available only after your first authentication tests and cannot be created manually, so you will need to update this rule after those tests.
Additional options for improved security and user experience
Additional options can be enabled on the back-end side, such as automatic deletion of transient users in Zscaler.
If the guest user closes the iOS mini-browser without tapping the "Continue" button, they remain stuck in the transient state (transient**@yourcompany.cloudi-fi.net) and are unable to authenticate. To resolve this, the guest user has two options:
- Option 1: Open Safari, go to http://ip.zscaler.com/, and log out. The guest user can then restart the full connection process (see the "Transient" feature documentation for details).
- Option 2: Open Safari and navigate to an HTTP page (for example, http://3wi.fi/). This will trigger the captive portal to display in Safari, allowing the user to authenticate.
To prevent this issue, ask Cloudi-Fi Support (see How to contact your Cloudi-Fi support?) to activate automatic deletion of transient users in Zscaler.
Conclusion
Transient mode in Zscaler is a game-changer for iOS deployments, providing a practical solution to the challenges of cookie persistence and secure connectivity. By creating an intermediate state that enables simulated connectivity and enforcing Safari redirection for reliable session persistence, Zscaler ensures that iPhone users experience a smooth and secure authentication process.
For organizations relying on Zscaler’s cloud security solutions, transient mode is a valuable feature that supports a secure, consistent, and user-friendly environment, reflecting Zscaler’s commitment to balancing security and user experience in the modern digital landscape.