Secure Internet and SaaS Access (ZIA)
Understanding SCIM
SCIM (the System for Cross-domain Identity Management) is a standard protocol that you can use for provisioning and user and group management. Zscaler provides an easy and consistent mechanism for customers to use SCIM to manage the lifecycle of user and group accounts in the Zscaler cloud.
You can use SCIM for:
- Provisioning users and groups onto Zscaler. To learn more about provisioning, see Choosing Provisioning and Authentication Methods.
- Automatically updating a user's group and department on the Zscaler user database to reflect changes in your user directory
- Deprovisioning users from Zscaler database when users are deleted from your user directory
There are two ways you can use SCIM with the Zscaler service. Firstly, you can use custom SCIM clients to make REST API calls to Zscaler. To learn more, see SCIM API Examples. Secondly, you can use one of the IdPs partnered with Zscaler.
For IdP configuration guides, see:
- SAML & SCIM Configuration Guide for Microsoft Entra ID (formerly Azure Active Directory)
- SAML & SCIM Configuration Guide for Okta
- SAML & SCIM Configuration Guide for PingFederate
When creating users, the domain included in the username must be preregistered with Zscaler. For example, if a user has the username of "test@safemarch.com", the domain "safemarch.com" needs to be registered to your tenant on Zscaler. Zscaler Support can assist you with the process. In addition, the total number of groups associated with a single user cannot exceed 128.
Zscaler supports only SCIM version 2.0 and SAML must be used as your authentication method to use SCIM for provisioning.
Operations Supported by Zscaler SCIM Servers
| Operation | HTTP Request |
| Endpoint /Users | |
| Create User | POST /Users |
| Retrieve All Users (up to 1,000 entries) | GET /Users |
| Retrieve All Users (1,000 users from specified index value) | GET /Users?startIndex=<value> |
| Retrieve a Specific User | GET /Users/{UserID} |
| Filter Users by Username | GET /Users?filter=userName eq <value> |
| Filter Users by External ID | GET /Users?filter=externalID eq <value> |
| Filter Users by ID | GET /Users?filter=id eq <value> |
| Filter Users by Date Created After | GET /Users?filter=meta.lastModified gt <value> |
| Update User | PUT /Users/{UserID} or PATCH /Users/{UserID} |
| Delete User | DELETE /Users/{UserID} |
| Endpoint /Groups | |
| Create Group | POST /Groups |
| Retrieve All Groups (up to 1,000 entries) | GET /Groups |
| Retrieve All Groups (1,000 groups from specified index value) | GET /Groups?startIndex=<value> |
| Retrieve a Specific Group | GET /Groups/{GroupID} |
| Filter by Group's Display Name and Members | GET /Groups?filter=displayName eq <value> and members.value eq <value> |
| Update Group | PUT /Groups/{GroupID} or PATCH /Groups/{GroupID} |
| Delete Group | DELETE /Groups/{GroupID} |
| Endpoint /Bulk | |
| Bulk Modify Resources | POST |
| Endpoint /Schema | |
| Retrieve All Resource Schemas | GET /Schemas |
| Retrieve a Specific Resource Schema | GET /Schemas/{SchemaID} |
| Endpoint /ServiceProviderConfig | |
| Retrieve the Service Provider's Configuration | GET |
| Endpoint /ResourceTypes | |
| Retrieve All Resource Types | GET /ResourceTypes |
| Retrieve a Specific Resource Type | GET /ResourceTypes/{ResourceTypeID} |
| Endpoint [prefix]/.search | |
| Search for Resource Types | POST |
Attribute Mapping
User Information
| SCIM User | Zscaler User | Description |
| id | <unique_id> | Unique ID generated by Zscaler. For example, 1a234567-1b23-1200-1234-123c |
| externalId | scim_externalid | External ID provided by the client populates on to the Zscaler user database |
| userName | User ID (login_name) | The actual user ID used for authentication. The expected format is user@domain. For example, user1@safemarch.com |
| displayName | User display Name(user_name) | The display name of the user |
| groups | Groups | The Groups the user belongs to |
| active | When "active=false", Zscaler disables this user When "active=true", Zscaler enables this user | |
| department | Department | The department the user belongs to |
| name.givenName | firstname | The first name of the user |
| name.familyName | lastname | The last name of the user |
| emails.value | scim_emails | The email address of the user |
Group Information
| SCIM Group | Zscaler Group | Description |
| id | <unique_id> | Unique ID generated by Zscaler. For example, 1a234567-1b23-1200-1234-123c |
| externalId | scim_externalid | External ID provided by the client that is kept in the Zscaler database |
| displayName | Name | Display name of the Group |