About SCIM

SCIM (the System for Cross-domain Identity Management) is a standard protocol that enables you to manage user identities. It leverages existing schemas with a focus on the need for security, simplicity, and scalability. The SCIM protocol has been accepted by many enterprises. In addition, major identity providers (IdPs) support using SCIM for provisioning and user and group management. Zscaler provides an easy and consistent mechanism for customers to use SCIM to manage the lifecycle of user and group accounts in the Zscaler cloud. 

You can use custom SCIM clients to make REST API calls to Zscaler. To learn more, see SCIM API Examples.

You can also use one of the IdPs partnered with Zscaler for authentication:

You can use SCIM-based REST APIs for:

  • Provisioning users and groups onto Zscaler
  • Automatically updating a user's group and department in the Zscaler user database to reflect changes in your user directory
  • Deprovisioning users from the Zscaler database when they are deleted in your user directory

To learn more about provisioning and authentication, see Choosing Provisioning and Authentication Methods.

When creating users, be aware that the domain included in the username must be pre-registered with Zscaler. For example, if a user has the username of “test@safemarch.com”, the domain “safemarch.com” needs to be registered to your tenant on Zscaler. Zscaler support can assist you with the process. In addition, the total number of groups associated with a single user cannot exceed 128.

Zscaler only supports SCIM version 2.0, and SAML must be used as your authentication method in order to use SCIM for provisioning.

Operations Supported by Zscaler SCIM Servers

| Endpoint | Operation | HTTP Request |
|---|---|---|
| /Users | Create User | POST /Users |
| /Users | Fetch All Users | GET /Users |
| /Users | Fetch a Specific User | GET /Users/{UserID} |
| /Users | Filter Users by Username | GET /Users?filter=userName eq <value> |
| /Users | Filter Users by External ID | GET /Users?filter=externalID eq <value> |
| /Users | Filter Users by ID and Manager | GET /Users?filter=id eq <value> and manager eq <value> |
| /Users | Filter Users by Date Created After | GET /Users?filter=meta.lastModified gt <value> |
| /Users | Update User | PUT /Users/{UserID} or PATCH /Users/{UserID} |
| /Users | Delete User | DELETE /Users/{UserID} |
| /Groups | Create Group | POST /Groups |
| /Groups | Fetch All Groups | GET /Groups |
| /Groups | Fetch a Specific Group | GET /Groups/{GroupID} |
| /Groups | Filter by Group's Display Name and Members | GET /Groups?filter=displayName eq <value> and members.value eq <value> |
| /Groups | Update Group | PUT /Groups/{GroupID} or PATCH /Groups/{GroupID} |
| /Groups | Delete Group | DELETE /Groups/{GroupID} |
| /Bulk | Bulk Modify Resources | POST /Bulk |
| /Schema | Retrieve a Resource's Schema | GET /Schemas/<value> |
| /ServiceProviderConfig | Retrieve the Service Provider's Configuration | GET /ServiceProviderConfig |
| /ResourceTypes | Find the types of SCIM resources available on a SCIM Service Provider | GET /ResourceTypes |
| [prefix]/.search | Search for resource types | POST [prefix]/.search |

Attribute Mapping

User Information

| SCIM User | Zscaler User | Description |
|---|---|---|
| id | <unique_id> | Unique ID generated by Zscaler. For example, 1a234567-1b23-1200-1234-123c |
| externalId | scim_externalid | External ID provided by the client; it is populated into the Zscaler user database |
| userName | User ID (login_name) | The actual user ID used for authentication. The expected format is user@domain, for example user1@safemarch.com |
| displayName | User display name (user_name) | The display name of the user |
| groups | Groups | The groups the user belongs to |
| active | | When "active=false", Zscaler deletes this user |
| department | Department | The department the user belongs to |
| name.givenName | firstname | The first name of the user |
| name.familyName | lastname | The last name of the user |
| emails.value | scim_emails | The email address of the user |

Group Information

| SCIM Group | Zscaler Group | Description |
|---|---|---|
| id | <unique_id> | Unique ID generated by Zscaler. For example, 1a234567-1b23-1200-1234-123c |
| externalId | scim_externalid | External ID provided by the client; it is kept in the Zscaler database |
| displayName | Name | Display name of the group |
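The following is an added example (not Zscaler's own code or client) that builds requests for the operations and attribute mappings listed above: it quotes filter values per RFC 7644 so a directory-sourced value cannot smuggle in extra filter operators, checks the two constraints stated on this page (pre-registered username domain, at most 128 groups per user) before a POST /Users, and builds the PATCH body whose active=false causes Zscaler to delete the user. The base URL, the registered-domain set and the sample user are constructed placeholders.

```python
"""Request builder for the Zscaler SCIM 2.0 operations listed above (added example).
Assumptions not taken from the page: SCIM_BASE is a placeholder URL and
REGISTERED_DOMAINS is a constructed sample of domains registered to the tenant."""
import json
from urllib.parse import urlencode

SCIM_BASE = "https://scim.example.invalid/scim"  # placeholder, not a real Zscaler URL
REGISTERED_DOMAINS = {"safemarch.com"}           # constructed; domains must be pre-registered
MAX_GROUPS_PER_USER = 128                        # limit stated on this page


def scim_filter(attr: str, op: str, value: str) -> str:
    """One filter clause, e.g. userName eq "user1@safemarch.com".
    The value is quoted and escaped per RFC 7644 so a value containing
    '" or id pr' stays a literal string instead of widening the query."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'{attr} {op} "{escaped}"'


def users_url(*clauses: str) -> str:
    """GET /Users?filter=... with clauses joined by 'and' and URL-encoded."""
    return f"{SCIM_BASE}/Users?" + urlencode({"filter": " and ".join(clauses)})


def validate_user(user: dict) -> list:
    """Pre-flight checks for POST /Users based on the constraints stated above.
    Returns a list of problems; an empty list means the user may be sent."""
    problems = []
    domain = user.get("userName", "").rpartition("@")[2]
    if domain not in REGISTERED_DOMAINS:
        problems.append(f"domain {domain!r} is not pre-registered with Zscaler")
    if len(user.get("groups", [])) > MAX_GROUPS_PER_USER:
        problems.append(f"user has more than {MAX_GROUPS_PER_USER} groups")
    return problems


def deactivate_patch() -> str:
    """PATCH /Users/{UserID} body setting active=false. On Zscaler this deletes
    the user rather than suspending it, so callers should treat it as a delete."""
    body = {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }
    return json.dumps(body)


if __name__ == "__main__":
    print(users_url(scim_filter("userName", "eq", "user1@safemarch.com")))
    print(validate_user({"userName": "user1@other.example", "groups": []}))
    print(deactivate_patch())
```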