icon-unified.svg
Experience Center

SCIM Configuration Guide for Okta

This guide provides information on how to configure and install the Zscaler Private Access (ZPA) 2.0 app in Okta. Zscaler Private Access 2.0 enables you to use SAML as your method of authentication and SCIM as your method of provisioning.

Prerequisites

Ensure that you have:

  • An Okta account with admin privileges.
  • An existing directory in Okta.
  • A Private Applications account with an administrator role that allows you to add a SCIM configuration.
  • A SCIM provisioning subscription for Okta. Contact your Okta representative to ensure your organization has the appropriate subscription.

Configuring SCIM for Identity Management

Using SCIM allows you to quickly remove users from Private Applications when you delete them in your user directory. SCIM also ensures that information flows to Private Applications and policies are updated accordingly when you make a change to the group information for a user. To use SCIM, you must enable it in Okta.

The following procedures apply to SCIM configurations for the Private Applications application in Okta. You need to begin the SCIM configuration process in the Admin Portal to get the SCIM Service Provider Endpoint and bearer token required in steps 4 and 5.

To configure SCIM in Okta:

  1. Click the Provisioning tab.

  1. Click Configure API Integration.

  1. Select the Enable API Integration checkbox.
  2. In the Base URL field, enter the SCIM Service Provider Endpoint that is provided when enabling SCIM in the Admin Portal.
  3. In the API Token field, enter the Bearer Token that is provided when enabling SCIM in the Admin Portal.
  4. Click Test API Credentials. Okta attempts to connect to the SCIM endpoint. When the connection is successful, a verification message appears.

If the attempt fails, make sure you save your IdP configuration in the Admin Portal when enabling SCIM, and then try again.

  1. Click Save after a successful connection to save your credentials.
  2. After the To App settings load, click Edit next to Provisioning to App.

  1. For Create Users, select the Enable checkbox.
  2. For Update User Attributes, select the Enable checkbox.
  3. For Deactivate Users, select the Enable checkbox.
  4. Click Save.

After SCIM is enabled, Zscaler checks if a user is present in the SCIM database. Based on this information, Zscaler decides if the user is allowed or blocked access to Private Applications. Customers need to ensure SCIM user sync is complete prior to enabling SCIM policies for these users, otherwise the Private Applications service does not recognize the users and evaluate policies for them. Before enabling SCIM for policies, Zscaler recommends monitoring the user and group count in the Admin Portal until it is equal to the user and group count in Okta. The duration of the SCIM sync is dependent on the amount of users and groups that are being synced. This can take up to a week in certain scenarios. To learn more, see Enabling SCIM for Identity Management.

To assign users or groups to Zscaler Private Access 2.0:

  1. Click the Assignments tab.
  2. In the Assign drop-down menu, you can:
    1. Select Assign to People: Assigns a user.

  1. Select Assign to Groups: Assigns a group of users.

  1. After finding the correct users or groups, click Assign.
  2. Click Done.

When assigning users to an application, Zscaler recommends creating one assignment group with all Okta users to leverage assignments and define policies in the Admin Portal. After the assignments are complete, push the groups you want to sync with Zscaler Private Access 2.0.

To sync groups with Zscaler Private Access 2.0:

  1. Click the Push Groups tab.
  2. Click the Push Groups drop-down menu.
  3. To define which groups are synced with the service provider:
    1. Select Find groups by name: Searches for specific groups to push.

  1. Select Find groups by rule: Creates a search rule that pushes any groups that match the rule.

  1. After searching for the group by name or rule, click Save or Save & Add Another.

To sync attributes (e.g. department, job title) with SCIM for Private Applications:

  1. Select Directory.
  2. Select Profile Editor.
  3. Select the relevant SCIM application configured for Private Applications authentication.
  4. Click Add Attribute.

  1. Enter the necessary information:
  • Data type: Select string.
  • Display name: Enter the attribute you are going to sync (e.g., department, job title).
  • Variable name: Enter the attribute you are going to sync (e.g., department, job title).
  • External name: Enter the attribute you are going to sync (e.g., department, job title).
  • External namespace: Enter the url urn:ietf:params:scim:schemas:extension:enterprise:2.0:User
  • Description: The description for the attribute, if available.

Fill in the additional fields if necessary.

  1. Click Save attribute.

  1. Select the relevant SCIM application again.
  2. Click Mappings.

  1. Click the Okta Users to Zscaler Private Access tab.
  2. Enter the necessary information:
  • Locate the attribute name in the right column under the SCIM application name.
  • In the left field, next to the attribute name enter user. with the attribute (e.g. user.department, user.jobtitle).
  1. Click Save Mappings.

  1. Click Profile Editor.
  2. Review the attributes to confirm that the new attribute is synced.
  3. Click the View icon under an Internal User ID to confirm that the SCIM User is reflected in the Admin Portal.

Related Articles
SCIM Configuration Guide for OktaSCIM Configuration Guide for Microsoft Azure AD