Secure Internet and SaaS Access (ZIA)

Active Directory with LDAP to SCIM Provisioning Migration Guide

This guide contains information on how to migrate from Active Directory (AD) with LDAP user synchronization to SCIM provisioning in the ZIA Admin Portal.

Prerequisites

Make sure the following prerequisites are met:

  • Set the repository type to Active Directory in the ZIA Admin Portal.
  • Use SAML for authentication and AD for provisioning.
  • Ensure that the AD is syncing the database to Zscaler and the IdP.

When migrating from AD to SCIM, do not change the database type in the ZIA Admin Portal from Active Directory to Hosted DB. Doing so can cause all existing user and group mappings to be deleted and creates duplicate users with SCIM provisioning.

Migrating to SCIM

To migrate from AD to SCIM provisioning:

  1. Go to Administration > Authentication Settings.
  2. Click Sync Now to perform a manual sync with the AD; this ensures that the Zscaler service has the latest database from the AD.

  3. (Optional) Ensure that you have the latest user data from the AD in your IdP application by performing a manual sync in the IdP application.
  4. In the ZIA Admin Portal, go to Administration > Authentication Settings and enable Disable Directory Sync & Enable SCIM Provisioning.

  5. Go to the Identity Providers tab and click the Edit icon of the IdP you plan to use.
  6. In the Provisioning Options section, click Enable SCIM Provisioning and copy the Base URL and Bearer Token as you need them when configuring SCIM in your IdP application.

    Zscaler recommends that you disable Enable SAML Auto-Provisioning when using SCIM provisioning.

  7. Using the Base URL and Bearer Token you copied in the previous step, configure SCIM provisioning in your selected IdP application.

    After the IdP is configured, ensure that users syncing from the IdP match those on the Users page in the ZIA Admin Portal.
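The comparison called for in step 7 can be scripted rather than done by eye. The following is an added example, not part of this guide or Zscaler's own tooling: it pages through the standard SCIM 2.0 ListResponse returned by GET {Base URL}/Users (RFC 7644), normalizes each userName, and reports which expected users are missing, unexpected, or present but inactive. The expected list is assumed to come from an export of your IdP application (or AD), and the Base URL, token, and sample pages below are constructed placeholders; `fetch_pages` makes the real call and is not executed here.

```python
"""Verify SCIM-provisioned users after migrating from AD/LDAP sync (added example)."""
import json
import urllib.request
from urllib.parse import urlencode

LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# Constructed sample: two pages of a SCIM 2.0 ListResponse, shaped like what a
# SCIM server returns for GET {Base URL}/Users?startIndex=...&count=... .
SAMPLE_PAGES = [
    {"schemas": [LIST_SCHEMA], "totalResults": 3, "startIndex": 1, "itemsPerPage": 2,
     "Resources": [
         {"id": "u1", "userName": "alice@example.com", "active": True},
         # Mixed case on purpose: AD attributes are case-insensitive, so compare lowercased.
         {"id": "u2", "userName": "Bob@Example.com", "active": True}]},
    {"schemas": [LIST_SCHEMA], "totalResults": 3, "startIndex": 3, "itemsPerPage": 2,
     "Resources": [
         {"id": "u3", "userName": "carol@example.com", "active": False}]},
]


def collect_users(pages):
    """Walk ListResponse pages and return {normalized userName: active flag}."""
    users = {}
    for page in pages:
        if LIST_SCHEMA not in page.get("schemas", []):
            raise ValueError("not a SCIM ListResponse page")
        for resource in page.get("Resources", []):
            name = resource["userName"].strip().lower()
            users[name] = bool(resource.get("active", True))
    return users


def fetch_pages(base_url, bearer_token, page_size=100):
    """Generator: GET /Users with startIndex/count paging against a live SCIM endpoint.

    base_url and bearer_token are the values copied from the IdP's Provisioning
    Options (placeholders here). Stops when a page is empty or the total is reached.
    """
    start = 1
    while True:
        query = urlencode({"startIndex": start, "count": page_size})
        req = urllib.request.Request(
            f"{base_url.rstrip('/')}/Users?{query}",
            headers={"Authorization": f"Bearer {bearer_token}",
                     "Accept": "application/scim+json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
        yield page
        got = len(page.get("Resources", []))
        if got == 0 or start + got > page.get("totalResults", 0):
            break
        start += got


def compare(expected_users, scim_users):
    """Diff an expected user list (e.g. an IdP export) against what SCIM reports.

    Returns users missing from SCIM, users SCIM has that were not expected, and
    expected users that exist but are flagged inactive.
    """
    expected = {u.strip().lower() for u in expected_users}
    seen = set(scim_users)
    return {
        "missing": sorted(expected - seen),
        "unexpected": sorted(seen - expected),
        "inactive": sorted(u for u in expected & seen if not scim_users[u]),
    }


if __name__ == "__main__":
    # Offline run over the constructed pages; swap in fetch_pages(...) for a live check.
    report = compare(["alice@example.com", "bob@example.com",
                      "carol@example.com", "dave@example.com"],
                     collect_users(SAMPLE_PAGES))
    print(json.dumps(report, indent=2))
```

A non-empty `missing` list after the IdP's first SCIM push usually means the user is not in the IdP group assigned to the SCIM application; `inactive` entries are users the IdP has deprovisioned, which is expected behaviour once SCIM is authoritative.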

Make sure that you do not disable the Disable Directory Sync & Enable SCIM Provisioning option or change the repository type. If you are using Zscaler Authentication Bridge (ZAB), it is safe to disable the ZAB VM if no provisioning issues are observed after a few days.

If you need to revert from SCIM to AD provisioning:

  1. Go to Administration > Authentication Settings > Identity Providers and click the Edit icon for the IdP you used.
  2. Disable the Enable SCIM Provisioning option.
  3. On the Default Settings page, disable the Disable Directory Sync & Enable SCIM Provisioning option.
  4. In the IdP application that you previously configured SCIM for, disable the SCIM configuration.
  5. In the ZIA Admin Portal, go to Administration > Authentication Settings > Default Settings, and click Sync Now.