About SCIM

SCIM (the System for Cross-domain Identity Management) is a standard protocol that you can use for provisioning and for user and group management. Zscaler provides an easy and consistent mechanism for customers to use SCIM to manage the lifecycle of user and group accounts in the Zscaler cloud.

You can use SCIM for: 

  • Provisioning users and groups onto Zscaler. To learn more about provisioning, see Choosing Provisioning and Authentication Methods.
  • Automatically updating a user's group and department in the Zscaler user database to reflect changes in your user directory.
  • Deprovisioning users from the Zscaler database when they are deleted in your user directory.

There are two ways you can use SCIM with the Zscaler service. First, you can use custom SCIM clients to make REST API calls to Zscaler. To learn more, see SCIM API Examples. Second, you can use one of the IdPs partnered with Zscaler.

For IdP configuration guides, see:

    When creating users, the domain included in the username must be pre-registered with Zscaler. For example, if a user has the username of "test@safemarch.com", the domain "safemarch.com" needs to be registered to your tenant on Zscaler. Zscaler support can assist you with the process. In addition, the total number of groups associated with a single user cannot exceed 128.

    Zscaler supports only SCIM version 2.0, and SAML must be your authentication method in order to use SCIM for provisioning.

Operations Supported by Zscaler SCIM Servers

| Operation | HTTP Request |
| --- | --- |
| Endpoint /Users | |
| Create User | POST /Users |
| Retrieve All Users | GET /Users |
| Retrieve a Specific User | GET /Users/{UserID} |
| Filter Users by Username | GET /Users?filter=userName eq <value> |
| Filter Users by External ID | GET /Users?filter=externalID eq <value> |
| Filter Users by ID | GET /Users?filter=id eq <value> |
| Filter Users by Date Created After | GET /Users?filter=meta.lastModified gt <value> |
| Update User | PUT /Users/{UserID} or PATCH /Users/{UserID} |
| Delete User | DELETE /Users/{UserID} |
| Endpoint /Groups | |
| Create Group | POST /Groups |
| Retrieve All Groups | GET /Groups |
| Retrieve a Specific Group | GET /Groups/{GroupID} |
| Filter by Group's Display Name and Members | GET /Groups?filter=displayName eq <value> and members.value eq <value> |
| Update Group | PUT /Groups/{GroupID} or PATCH /Groups/{GroupID} |
| Delete Group | DELETE /Groups/{GroupID} |
| Endpoint /Bulk | |
| Bulk Modify Resources | POST /Bulk |
| Endpoint /Schemas | |
| Retrieve All Resource Schemas | GET /Schemas |
| Retrieve a Specific Resource Schema | GET /Schemas/{SchemaID} |
| Endpoint /ServiceProviderConfig | |
| Retrieve the Service Provider's Configuration | GET /ServiceProviderConfig |
| Endpoint /ResourceTypes | |
| Retrieve All Resource Types | GET /ResourceTypes |
| Retrieve a Specific Resource Type | GET /ResourceTypes/{ResourceTypeID} |
| Endpoint [prefix]/.search | |
| Search for Resource Types | POST [prefix]/.search |

Attribute Mapping

User Information

| SCIM User | Zscaler User | Description |
| --- | --- | --- |
| id | <unique_id> | Unique ID generated by Zscaler. For example, 1a234567-1b23-1200-1234-123c |
| externalId | scim_externalid | External ID provided by the client; it is populated into the Zscaler user database |
| userName | User ID (login_name) | The actual user ID used for authentication. The expected format is user@domain. For example, user1@safemarch.com |
| displayName | User display name (user_name) | The display name of the user |
| groups | Groups | The groups the user belongs to |
| active | | When "active=false", Zscaler deletes this user |
| department | Department | The department the user belongs to |
| name.givenName | firstname | The first name of the user |
| name.familyName | lastname | The last name of the user |
| emails.value | scim_emails | The email address of the user |

Group Information

| SCIM Group | Zscaler Group | Description |
| --- | --- | --- |
| id | <unique_id> | Unique ID generated by Zscaler. For example, 1a234567-1b23-1200-1234-123c |
| externalId | scim_externalid | External ID provided by the client; it is kept in the Zscaler database |
| displayName | Name | Display name of the group |
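The following is an added example (not Zscaler's code) of what a custom SCIM client would assemble for the operations and attribute mapping tables above: a POST /Users body built from a directory record that enforces the two tenant rules stated on this page (pre-registered domain, at most 128 groups), a correctly quoted filter query for GET /Users, and the PATCH body that sets active=false, which Zscaler treats as a deletion. The registered-domain set and the directory record are constructed sample data; the placement of department as a top-level attribute follows this page's table.

```python
"""Build Zscaler-ready SCIM 2.0 requests from a directory record (added example)."""
from urllib.parse import urlencode

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
MAX_GROUPS = 128  # per-user group limit stated on this page

# Constructed sample data: domains assumed registered with the tenant, one directory record.
REGISTERED_DOMAINS = {"safemarch.com"}
SAMPLE_RECORD = {
    "externalId": "dir-0001", "userName": "user1@safemarch.com",
    "displayName": "User One", "givenName": "User", "familyName": "One",
    "email": "user1@safemarch.com", "department": "Finance", "groups": ["g-finance"],
}


def build_user(record: dict) -> dict:
    """Map a directory record onto the SCIM User body per the mapping table above.

    Rejects what Zscaler would refuse: an unregistered userName domain or >128 groups.
    """
    _, _, domain = record["userName"].rpartition("@")
    if domain not in REGISTERED_DOMAINS:
        raise ValueError(f"domain {domain!r} is not registered with the tenant")
    if len(record.get("groups", [])) > MAX_GROUPS:
        raise ValueError(f"a user cannot belong to more than {MAX_GROUPS} groups")
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "externalId": record["externalId"],  # -> scim_externalid
        "userName": record["userName"],  # -> login_name
        "displayName": record["displayName"],  # -> user_name
        "name": {"givenName": record["givenName"], "familyName": record["familyName"]},
        "emails": [{"value": record["email"], "primary": True}],  # -> scim_emails
        "department": record.get("department"),  # -> Department (placement per this page)
        "groups": [{"value": g} for g in record.get("groups", [])],
        "active": True,
    }


def user_filter_query(attribute: str, value: str) -> str:
    """Query string for GET /Users?filter=...; SCIM string values are double-quoted."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return urlencode({"filter": f'{attribute} eq "{escaped}"'})


def deprovision_patch() -> dict:
    """PATCH /Users/{UserID} body that sets active=false, which makes Zscaler delete the user."""
    return {"schemas": [SCIM_PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}
```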