Experience Center
About SCIM
System for Cross-domain Identity Management (SCIM) is a standard protocol for automating the exchange of identity information. Enabling SCIM allows you to quickly remove users from the Private Applications service when a user is disabled or deleted in your user directory and to enforce policies based on SCIM attributes and SCIM groups. To learn more, see Deleting Users in SCIM.
SCIM provides the following benefits and enables you to:
- Automatically modify a user's access when their attributes, group membership, or status changes.
- Enforce policies based on SCIM user attributes and SCIM groups.
- Improve the admin experience by populating SCIM user attributes and SCIM groups when configuring policies.
Setting up SCIM requires configuration in the Admin Portal and requires using an IdP partnered with Zscaler for SCIM:
- SCIM Configuration Guide for Microsoft Azure AD
- SCIM Configuration Guide for Okta
- PingFederate integration with ZPA
The Private Applications service works with any IdP that supports the SCIM standard (e.g., SailPoint).
Users might encounter a connection error in Zscaler Client Connector when enabling SCIM sync with Okta. Okta does not sync users to the Private Applications service in the Okta IdP before you enable SCIM. As a result, users do not initially appear in the SCIM user database when SCIM is enabled in the Private Applications service. Zscaler recommends the following to resolve the connection error in Zscaler Client Connector:
- Enable PROVISION_OUT_OF_SYNC_USERS in Okta.
- Unassign and reassign all users and groups from the Private Applications service in Okta, and then wait for the sync to occur.
Most of the time, the IdP you set up for SAML authentication will be the same one you use for SCIM identity management.
Zscaler only supports SCIM version 2.0.
You can also use custom SCIM clients to make REST API calls to Zscaler. To learn more, see About SCIM APIs and SCIM API Examples.
About the SCIM Attributes Page
The SCIM Attributes page is a read-only table, and the Private Applications service does not support custom attributes. You must enable SCIM for any information to appear on this page. To learn more, see Enabling SCIM for Identity Management.
On the SCIM Attributes page (Administration > Identity > Private Access > SCIM Attributes), you can do the following:
- Select an identity provider enabled for SCIM to generate a list of attributes in the table.
- Enter a SCIM attribute associated with the IdP, and click Apply to filter the table.
- View a list of SCIM attributes. For each attribute, you can see:
- SCIM Attribute Name: The name of the SCIM attribute as it is specified in the IdP.
- SCIM Attribute: The SCIM attribute as it is specified in the IdP.
Required Attribute: The attributes that must sync between an IdP and Zscaler. Currently, only username is required.
The SCIM username attribute must match nameID in the SAML attribute.
- Unique Attribute: The attribute with a unique value used to identify the user or group. For example, two users cannot share the same username. Currently, username is the only unique attribute.
- Copy the SCIM Attribute to your clipboard.
Supported SCIM Attributes
The following table includes the supported SCIM attributes and their values:
| SCIM Attribute Name | SCIM Attribute | Description |
|---|---|---|
| Active | active | When "active=false", Zscaler deletes this user. When "active=true", Zscaler enables this user. |
| Cost Center | costCenter | The cost center that the user belongs to |
| Department | department | The department that the user belongs to |
| Display Name | displayName | The display name of the user |
| Division | division | The division that the user belongs to |
| emails.value | The email address of the user | |
| First Name | names.givenName | The first name of the user |
| Formatted Name | name.formatted | The formatted name of the user |
| Last Name | name.familyName | The last name of the user |
| id | <unique_id> | Unique ID generated by Zscaler (e.g., 1a1234567-1b23-1200-1234-123c) |
| Organization | organization | The organization of the user |
| Title | title | The title of the user |
| Username | userName | The user ID used for authentication. The expected format is user@domain.com (e.g., user1@safemarch.com). |
| UserType | userType | Indicates the type of user |