Secure Internet and SaaS Access (ZIA)

Configuring SCIM

This article covers how to enable SCIM provisioning in the ZIA Admin Portal. If you wish to use SCIM for provisioning, you must also use SAML for authentication and obtain and implement a SCIM client.

Prerequisites

Before configuring SCIM, ensure you have added an IdP in the ZIA Admin Portal to establish a unique identifier. The identifier is included in the SCIM base URL.

Configuring SCIM

To configure SCIM in the ZIA Admin Portal:

  1. Go to Administration > Authentication Settings.
  2. Click the Identity Providers tab.
  3. Click the Edit icon for the identity provider (IdP) you want to enable SCIM provisioning for.

The Edit IdP window appears.

  4. In the Edit IdP window:
  • Enable SAML Auto-Provisioning: Disable this option when enabling SCIM-based provisioning.
  • Enable SCIM Provisioning: Enable to activate SCIM-based provisioning for users on the Zscaler service. To learn more, see About SCIM. SCIM provisioning isn't supported with Active Directory or OpenLDAP user repositories. If you want to migrate from directory synchronization to SCIM provisioning, enable Disable Directory Sync & Enable SCIM Provisioning on the Authentication Profile page. After enabling SCIM provisioning, the following fields appear:
    • Base URL: Copy the Base URL for the SCIM server. You need this URL when configuring your IdP for SCIM provisioning. If you see multiple URLs, use the one with the new format:
      https://scim.<Zscaler Cloud>/<Organization ID>/<IdP ID>/scim

      If you are configuring Okta as the IdP for SCIM provisioning, Okta only requires the /<Organization ID>/<IdP ID>/ parts of the base URL for the SCIM server.

      The old SCIM Base URL marked as (Deprecated) will be removed in the future.

    • Bearer Token: Copy the bearer token. It's a unique alphanumeric string that is used by the SCIM client to make authenticated API calls to the Zscaler SCIM server. You need this token when configuring your IdP for SCIM provisioning.
    • Generate Token: Click to generate a new bearer token for security reasons. If you're generating a new bearer token for an existing SCIM configuration, ensure you update the token for your IdP.

  5. Click Save to exit the window.
  6. Click Save and activate the change.
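
One way to check the copied Base URL and bearer token before pasting them into the IdP. This is an added example, not Zscaler's own code. It assumes the Zscaler SCIM server exposes the standard SCIM 2.0 `/Users` resource and `count` parameter (RFC 7644); the environment variable names and sample values are hypothetical.

```python
import os
import re
import urllib.error
import urllib.request

# New-format base URL from this page:
#   https://scim.<Zscaler Cloud>/<Organization ID>/<IdP ID>/scim
# Assumption: neither ID contains "/". Requiring https keeps the token off plain HTTP.
NEW_FORMAT = re.compile(
    r"^https://scim\.(?P<cloud>[^/]+)/(?P<org_id>[^/]+)/(?P<idp_id>[^/]+)/scim/?$")

# Constructed sample values, not real identifiers or credentials.
SAMPLE_URL = "https://scim.zscaler.example/12345/67890/scim"
SAMPLE_TOKEN = "abc123DEF456"

def parse_base_url(base_url):
    """Split a new-format base URL into cloud, org_id and idp_id."""
    m = NEW_FORMAT.match(base_url.strip())
    if m is None:
        raise ValueError("not a new-format SCIM base URL; check for the (Deprecated) one")
    return m.groupdict()

def okta_path(base_url):
    """Return the /<Organization ID>/<IdP ID>/ portion that Okta requires."""
    return "/{org_id}/{idp_id}/".format(**parse_base_url(base_url))

def build_probe(base_url, token):
    """Build, without sending, a read-only SCIM request for a single user."""
    parse_base_url(base_url)
    if not token.isalnum():  # the page describes the token as alphanumeric
        raise ValueError("token is not alphanumeric; look for stray whitespace or quotes")
    url = base_url.strip().rstrip("/") + "/Users?count=1"
    headers = {"Authorization": "Bearer " + token, "Accept": "application/scim+json"}
    return urllib.request.Request(url, headers=headers, method="GET")

if __name__ == "__main__":
    # Hypothetical variable names; the token comes from the environment and is never printed.
    base, tok = os.environ["ZIA_SCIM_BASE_URL"], os.environ["ZIA_SCIM_TOKEN"]
    print("Okta base URL portion:", okta_path(base))
    try:
        with urllib.request.urlopen(build_probe(base, tok), timeout=10) as resp:
            print("SCIM server accepted the token, HTTP", resp.status)
    except urllib.error.HTTPError as err:
        # Assumption: a stale token (rotated with Generate Token) is rejected with 401.
        print("SCIM server returned HTTP", err.code)
```

Run it again after clicking Generate Token to confirm that the new token is the one the IdP and any scripts hold.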