Secure Internet and SaaS Access (ZIA)

Understanding SCIM

SCIM (System for Cross-domain Identity Management) is a standard protocol for provisioning and managing users and groups. Zscaler provides a simple, consistent way for customers to use SCIM to manage the lifecycle of user and group accounts in the Zscaler cloud.

You can use SCIM for:

  • Provisioning users and groups onto Zscaler. To learn more about provisioning, see Choosing Provisioning and Authentication Methods.
  • Automatically updating a user's group and department on the Zscaler user database to reflect changes in your user directory
  • Deprovisioning users from the Zscaler database when they are deleted from your user directory

There are two ways to use SCIM with the Zscaler service. First, you can write a custom SCIM client that makes REST API calls to Zscaler; to learn more, see SCIM API Examples. Second, you can use one of the IdPs partnered with Zscaler.

For IdP configuration guides, see:

When creating users, the domain in the username must be preregistered with Zscaler. For example, if a user has the username "test@safemarch.com", the domain "safemarch.com" must be registered to your tenant on Zscaler; Zscaler Support can assist you with the process. In addition, the total number of groups associated with a single user cannot exceed 128.

Zscaler supports only SCIM version 2.0, and SAML must be your authentication method in order to use SCIM for provisioning.

Operations Supported by Zscaler SCIM Servers

Endpoint /Users

  Operation                                                      HTTP Request
  Create User                                                    POST /Users
  Retrieve All Users (up to 1,000 entries)                       GET /Users
  Retrieve All Users (1,000 users from specified index value)    GET /Users?startIndex=<value>
  Retrieve a Specific User                                       GET /Users/{UserID}
  Filter Users by Username                                       GET /Users?filter=userName eq <value>
  Filter Users by External ID                                    GET /Users?filter=externalID eq <value>
  Filter Users by ID                                             GET /Users?filter=id eq <value>
  Filter Users by Date Created After                             GET /Users?filter=meta.lastModified gt <value>
  Update User                                                    PUT /Users/{UserID} or PATCH /Users/{UserID}
  Delete User                                                    DELETE /Users/{UserID}

Endpoint /Groups

  Operation                                                      HTTP Request
  Create Group                                                   POST /Groups
  Retrieve All Groups (up to 1,000 entries)                      GET /Groups
  Retrieve All Groups (1,000 groups from specified index value)  GET /Groups?startIndex=<value>
  Retrieve a Specific Group                                      GET /Groups/{GroupID}
  Filter by Group's Display Name and Members                     GET /Groups?filter=displayName eq <value> and members.value eq <value>
  Update Group                                                   PUT /Groups/{GroupID} or PATCH /Groups/{GroupID}
  Delete Group                                                   DELETE /Groups/{GroupID}

Endpoint /Bulk

  Operation                                                      HTTP Request
  Bulk Modify Resources                                          POST

Endpoint /Schemas

  Operation                                                      HTTP Request
  Retrieve All Resource Schemas                                  GET /Schemas
  Retrieve a Specific Resource Schema                            GET /Schemas/{SchemaID}

Endpoint /ServiceProviderConfig

  Operation                                                      HTTP Request
  Retrieve the Service Provider's Configuration                  GET

Endpoint /ResourceTypes

  Operation                                                      HTTP Request
  Retrieve All Resource Types                                    GET /ResourceTypes
  Retrieve a Specific Resource Type                              GET /ResourceTypes/{ResourceTypeID}

Endpoint [prefix]/.search

  Operation                                                      HTTP Request
  Search for Resource Types                                      POST
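The following is an added example (not Zscaler's own code or SDK) of how a custom SCIM client would drive two of the operations in the table above: paging through GET /Users with startIndex until the 1,000-entry pages are exhausted, and building a properly quoted userName filter. The filter table shows the value as a bare <value>; RFC 7644 requires string comparison values to be double-quoted and URL-encoded, and this example does both. The FakeScimServer class is a constructed stand-in so the block runs offline; the fetch callable, page size handling and sample user names are assumptions, not Zscaler behaviour beyond what the table states.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

SCIM_LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
PAGE_SIZE = 1000  # the page states a 1,000-entry maximum per GET /Users


def scim_filter(attribute: str, operator: str, value: str) -> str:
    """Build a SCIM 2.0 filter such as userName eq "user1@safemarch.com".

    RFC 7644 string values are double-quoted; embedded quotes and backslashes are
    escaped so an attacker-chosen value cannot change the filter's structure.
    """
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'{attribute} {operator} "{escaped}"'


def list_all_users(fetch) -> list:
    """Walk GET /Users with startIndex (1-based) until every resource is collected.

    `fetch(path)` is an injected transport that returns the decoded ListResponse,
    so the same loop works with a real HTTP client or the fake below.
    """
    users, start_index = [], 1
    while True:
        page = fetch(f"/Users?startIndex={start_index}")
        resources = page.get("Resources", [])
        users.extend(resources)
        start_index += len(resources)
        if not resources or start_index > page.get("totalResults", 0):
            return users


def find_user_by_username(fetch, username: str):
    """GET /Users?filter=userName eq "<value>" with the filter URL-encoded."""
    page = fetch("/Users?filter=" + quote(scim_filter("userName", "eq", username)))
    resources = page.get("Resources", [])
    return resources[0] if resources else None


class FakeScimServer:
    """Constructed stand-in for a SCIM server (assumption, not the Zscaler service).

    It serves a fixed user set with the 1,000-entry page limit and understands a
    single `<attribute> eq "<value>"` filter, which is enough to exercise the client.
    """

    _EQ = re.compile(r'^(\S+) eq "((?:[^"\\]|\\.)*)"$')

    def __init__(self, count: int):
        self.users = [{"id": f"id-{i}", "userName": f"user{i}@safemarch.com"}
                      for i in range(count)]
        self.calls = 0

    def fetch(self, path: str) -> dict:
        self.calls += 1
        query = parse_qs(urlsplit(path).query)
        matched = self.users
        if "filter" in query:
            m = self._EQ.match(query["filter"][0])
            if not m:
                raise ValueError("unsupported filter expression")
            attr, raw = m.group(1), m.group(2)
            value = re.sub(r"\\(.)", r"\1", raw)  # undo the escaping from scim_filter
            matched = [u for u in self.users if u.get(attr) == value]
        start = int(query.get("startIndex", ["1"])[0])
        page = matched[start - 1:start - 1 + PAGE_SIZE]
        return {"schemas": [SCIM_LIST_RESPONSE], "totalResults": len(matched),
                "startIndex": start, "itemsPerPage": len(page), "Resources": page}


if __name__ == "__main__":
    server = FakeScimServer(2500)
    print(len(list_all_users(server.fetch)), "users in", server.calls, "requests")
    print(find_user_by_username(server.fetch, "user7@safemarch.com"))
```

The loop stops on the server's totalResults rather than on an empty page alone, so a client does not issue an extra request after the last full page, and the filter helper is the one place where untrusted directory values are turned into filter syntax.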

Attribute Mapping

User Information

SCIM User          Zscaler User                 Description
id                 <unique_id>                  Unique ID generated by Zscaler. For example, 1a234567-1b23-1200-1234-123c
externalId         scim_externalid              External ID provided by the client; stored in the Zscaler user database
userName           User ID (login_name)         The actual user ID used for authentication. The expected format is user@domain. For example, user1@safemarch.com
displayName        User display name (user_name) The display name of the user
groups             Groups                       The groups the user belongs to
active                                          When "active=false", Zscaler disables this user. When "active=true", Zscaler enables this user.
department         Department                   The department the user belongs to
name.givenName     firstname                    The first name of the user
name.familyName    lastname                     The last name of the user
emails.value       scim_emails                  The email address of the user

Group Information

SCIM Group         Zscaler Group                Description
id                 <unique_id>                  Unique ID generated by Zscaler. For example, 1a234567-1b23-1200-1234-123c
externalId         scim_externalid              External ID provided by the client that is kept in the Zscaler database
displayName        Name                         Display name of the group
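The block below is an added example (not Zscaler's code) that applies the user attribute mapping above, together with the constraints stated earlier on this page, on the client side before a user is sent to POST /Users. It builds the SCIM User body from a directory record, rejects a username whose domain is not preregistered, rejects a user with more than 128 groups, and shows the PATCH /Users/{UserID} body that sets active=false to disable a user. The directory record field names, the REGISTERED_DOMAINS set and the placement of "department" as a top-level attribute (the table lists it under that name) are assumptions; group membership is only counted here, since core SCIM treats User.groups as read-only and membership is managed through /Groups.

```python
from typing import Iterable

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
MAX_GROUPS_PER_USER = 128  # limit stated on this page

# Constructed stand-in for the domains preregistered with the tenant (assumption).
REGISTERED_DOMAINS = {"safemarch.com"}


def build_scim_user(record: dict, registered_domains: Iterable[str]) -> dict:
    """Map a directory record onto the SCIM User attributes in the table above.

    Input that the page says Zscaler will not accept (a userName without a
    preregistered domain, more than 128 groups) is rejected here, before any
    request is made, so provisioning failures surface with a clear reason.
    Record keys (login_name, external_id, ...) are this example's assumption.
    """
    user_name = record["login_name"]
    local, sep, domain = user_name.rpartition("@")
    if not (local and sep and domain):
        raise ValueError(f"userName must be user@domain, got {user_name!r}")
    if domain.lower() not in {d.lower() for d in registered_domains}:
        raise ValueError(f"domain {domain!r} is not preregistered with the tenant")
    groups = list(record.get("groups", []))
    if len(groups) > MAX_GROUPS_PER_USER:
        raise ValueError(f"user is in {len(groups)} groups; limit is {MAX_GROUPS_PER_USER}")
    return {
        "schemas": [SCIM_USER],
        "externalId": record["external_id"],        # -> scim_externalid
        "userName": user_name,                       # -> login_name
        "displayName": record["user_name"],          # -> user_name
        "name": {"givenName": record["firstname"],   # -> firstname
                 "familyName": record["lastname"]},  # -> lastname
        "emails": [{"value": record["email"], "primary": True}],  # -> scim_emails
        "active": bool(record.get("enabled", True)),  # active=false disables the user
        # Top-level name as listed in the mapping table; whether Zscaler instead
        # expects the enterprise-extension placement is not stated here (assumption).
        "department": record.get("department"),
    }


def deactivate_patch() -> dict:
    """Body for PATCH /Users/{UserID} that sets active=false (disables the user)."""
    return {"schemas": [SCIM_PATCH],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}


if __name__ == "__main__":
    # Constructed sample record.
    sample = {"login_name": "user1@safemarch.com", "external_id": "ad-0001",
              "user_name": "User One", "firstname": "User", "lastname": "One",
              "email": "user1@safemarch.com", "department": "Engineering",
              "groups": ["Engineering", "VPN"], "enabled": True}
    print(build_scim_user(sample, REGISTERED_DOMAINS))
    print(deactivate_patch())
```

Deprovisioning can be done either with this PATCH (the user stays in the database but is disabled) or with DELETE /Users/{UserID}; keeping the two paths distinct in the client makes it easy to audit which one a given directory change triggered.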