
Configuring Microsoft Entra ID as an External IdP

This guide provides information on how to configure Microsoft Entra ID as an external identity provider (IdP) for ZIdentity to facilitate single sign-on (SSO) to various Zscaler services for admin access management. You can configure Entra ID as an external IdP to enable SSO to ZIdentity using OpenID Connect (OIDC) or Security Assertion Markup Language (SAML) authentication protocols.

Zscaler and Microsoft are technology partners. To learn more about integrating Zscaler and Microsoft Entra ID, see the Zscaler and Microsoft Entra ID Passwordless Deployment Guide.

Zscaler strongly recommends using OIDC-based integration as it would support new features in the future.

Depending on the authentication protocol, you can provision users to ZIdentity from Entra ID using Just-in-Time (JIT) provisioning or System for Cross-domain Identity Management (SCIM) provisioning.

If you want to leverage step-up authentication, it is recommended to use OIDC-based integrations as most IdPs only support step-up authentication with the OIDC protocol.

  • This section explains how to configure Microsoft Entra ID as the OpenID Provider (OP) for ZIdentity via the prebuilt app integration to facilitate SSO to various Zscaler services for admin access management.

    Prerequisites

    Ensure that you have:

    • A subscription to Entra ID.
    • An existing user directory in Entra ID.
    • A ZIdentity account with an admin role that allows you to add an IdP configuration.
    • A preferred choice of provisioning mode (JIT or SCIM) as this determines the number of apps you need to configure in Entra ID — one app for JIT and two apps for SCIM.

      Entra ID only supports JIT provisioning for OIDC apps via the Microsoft Entra App Gallery. If you prefer SCIM provisioning with OIDC, you need to create a custom Entra ID app for SCIM, in addition to using the Gallery App for authentication. The following table summarizes the implementation differences for JIT and SCIM:

      Provisioning Mode | Authentication via Gallery App | Provisioning Support | Additional Requirements
      JIT Provisioning | Yes | Supported by default | None
      SCIM Provisioning | Yes | Not supported in the Gallery Application | Create a custom Entra ID app for SCIM provisioning in addition to using the Gallery App for authentication.

    Configuring Microsoft Entra ID as OP for ZIdentity

    To set up Microsoft Entra ID as an OP for ZIdentity:

      1. Log in to the Entra Admin Center.
      2. In the left-side navigation, go to Identity > Applications > Enterprise applications.
      3. Click New application.

        The Microsoft Entra Gallery window appears.

      4. In the Microsoft Entra Gallery window, search for zscaler.
      5. Click the Zscaler tile on the search results.

        The Zscaler app window appears.

      6. In the Zscaler app window, customize the app name, if needed, and click Create.

        The application details page appears.

      7. On the application details page, click Single sign-on and click Go to application.

        The App Registration page for Zscaler app appears.

      8. On the App Registration page:
        1. Copy the Application (Client) ID and save it for future use.

        2. Click Endpoints.

          The Endpoints window appears.

        3. In the Endpoints window, locate the OpenID Connect metadata document field, and copy and save the URL for future use.

        4. In the left-side navigation, go to Manage > Branding & properties.
        5. In the Home page URL field, enter the ZIdentity Admin Portal URL along with the idp_id URL parameter. This step is required for enabling the IdP-initiated SSO option for ZIdentity Admin Portal.

          The value for the idp_id URL parameter is default if you are configuring Entra ID as your primary IdP in the ZIdentity Admin Portal. If you are configuring Entra ID as a secondary IdP, the value for idp_id must be sourced from the final segment of the Redirect URI.

          • Home page URL if Entra ID is configured as your primary IdP in the ZIdentity Admin Portal: https://<your_domain>.zslogin.net/?idp_id=default

          • Home page URL if Entra ID is configured as your secondary IdP in the ZIdentity Admin Portal: https://<your_domain>.zslogin.net/?idp_id=<final_segment_from_redirect_URI>

          If you are configuring Entra ID as your secondary IdP, update this field with the appropriate idp_id value after setting up Entra ID as the IdP in the ZIdentity Admin Portal in the subsequent steps.

        6. Click Save.

          The configuration is saved, and it takes a few hours for the changes to take effect.

      9. In the left-side navigation, click Certificates & secrets.

        The Certificates & secrets window appears.

      10. On the Certificates & secrets window:
        1. Click New client secret.

          The Add a client secret window appears.

        2. In the Add a client secret window, enter a description, and click Add.

          The client secret is added and is shown in the Client secrets table.

        3. Copy the client secret value from the Value column and save it for future use.

          The client secret value cannot be accessed or viewed after you leave the page.

      11. In the left-side navigation, click API permissions.

        The API permissions window appears.

      12. In the API permissions window:
        1. Click Grant admin consent for <entra_ID_tenant_name>.

          This step is required so that only administrators can consent to the requested permissions; it prevents end users from being prompted to accept the grant when they log in to the application.

        2. Click Yes on the Grant admin consent confirmation window.

          Make sure the Status column shows the green checkmark.

      13. In the left-side navigation, click Token configuration.

        The Token configuration window appears.

      14. In the Token configuration window:
        1. Click Add optional claim.

          The Add optional claim window appears.

        2. In the Add optional claim window:

          1. Select ID as the token type, and from the list of claims, select email and preferred_username.

          2. Click Add.

          The selected claims are added.

        3. Click Add groups claim.

          The Edit groups claim window appears.

        4. In the Edit groups claim window:

          1. Under the Select group types to include in Access, ID, and SAML tokens section, select the Groups assigned to the application option.
          2. Under the Customize token properties by type section, click ID to expand the ID subsection, and select the Group ID option.

            The Group ID must be selected because Entra ID does not support sending group names over the OIDC protocol when the groups are created in the Entra cloud.

            If the group names are received via the Entra ID sync, click the sAMAccountName option instead of the Group ID option to pass on the group names.

          3. Click Add.

          The group claims are added.

      15. In the left-side navigation, click Manifest.

        The Manifest window appears.

      16. In the Manifest window, update the required attributes in the graph manifest:

        Microsoft is deprecating the Azure AD Graph format in favor of the Microsoft Graph format.

        These changes are required if you are adding any optional claims in a future step.

      17. Click the OIDC-based Sign-on option on the top to go to the application page.

      18. In the left-side navigation, click Users and groups.

        The Users and groups window appears.

      19. In the Users and groups window, select the users and groups that you want to have access to the application.

        If you want to pass group memberships as claims, make sure that the groups are assigned instead of individual users in the Users and groups window.

      20. In the left-side navigation, click Single sign-on.

        The Single sign-on window appears.

      21. In the Single sign-on window, locate Attributes & Claims, and click the Edit icon.

        The Attributes & Claims window appears.

      22. In the Attributes & Claims window:
        1. In the Attributes & Claims window, click Add new claim.

          The Manage claim window appears.

        2. In the Manage claim window:

          1. Name: Enter Department.
          2. Source: Select Attribute.
          3. Source attribute: Select user.department.
          4. Click Save.

          The Department claim is added. Repeat the preceding steps to add other claims if needed.

        1. Log in to the ZIdentity Admin Portal.
        2. Go to Integration > External Identities.
        3. Click Add Primary IdP (or Add Secondary IdP).
          The Add Primary Identity Provider or Add Secondary Identity Provider window appears.
        4. On the Basic tab:
          1. Under the General section:

            1. Name: Enter a name for the IdP.
            2. Identity Vendor: Select Microsoft Entra ID from the drop-down menu.
            3. Domain: Select the domain for which the IdP is responsible for authenticating the users. This allows the Zscaler service to display the correct IdP to authenticate an incoming user.
            4. Protocol: Select OIDC.
            5. Status: Select Enabled.
            6. Login ID Attribute: Enter an attribute to map it with the Login ID attribute. You can use any attribute that has the email address format, e.g., <user_name>@domain.com. However, Zscaler recommends using preferred_username as the Login ID attribute.

              • If you are using email as the Login ID attribute, ensure that your email domain matches with one of the domains added to ZIdentity for the Primary Email attribute.
              • You can use any email domain for your primary email if you are using any attribute other than email as the source for the Login ID attribute.
              • Ensure that the attribute that you enter in the Login ID field matches exactly with the attribute received in the ID tokens.

          2. Under the OIDC Configuration section:

            1. Paste the OpenID Connect metadata document value copied from the Entra Admin Center to the Metadata URL field and click Fetch.
            2. Copy the Redirect URI value. This value is used in the client application in the Entra Admin Center in the subsequent steps.

              If you are configuring Entra ID as the secondary IdP in the ZIdentity Admin Portal, the final segment of the Redirect URI is required for configuring IdP-initiated SSO. Use this value as idp_id as part of the Home page URL in the Entra Admin Center.

            3. Paste the Client ID and Client Secret values copied from the Entra Admin Center to the respective fields.

              In the Entra Admin Center, the value copied from the Application (Client) ID field must be used for the Client ID field, and the value copied from the Value column in the Client secrets tab must be used for the Client Secret field.

            4. Under Requested Scopes, add profile and email scopes.

        5. Click Save.
        1. Go to the Entra Admin Center and go to the client application created for ZIdentity.
        2. Go to Manage > Authentication.
        3. Under the Platform configurations section, click Add a platform.

          The Configure platforms window appears.

        4. In the Configure platforms window:

          1. Click Web.

          2. Paste the Redirect URI you copied earlier.
          3. Click Configure.

    • This section explains how to provision Entra ID users in the ZIdentity Admin Portal. Currently, Entra ID does not support SCIM provisioning for OIDC apps added via the Microsoft Entra App Gallery; with the gallery application, provisioning is supported only via Just-in-Time (JIT) provisioning. However, if you prefer using SCIM provisioning with OIDC, you need to create a custom app in Entra ID specifically to support SCIM-based provisioning, in addition to configuring the Microsoft Entra Gallery App for authentication.

        1. In the ZIdentity Admin Portal, go to Integration > External Identities.
        2. Locate the IdP entry created for Entra ID under the Primary Identity Provider (or Secondary Identity Providers) tab and click the Edit icon.
        3. In the Edit Primary IdP (or Edit Secondary IdP) window:

          1. Go to the Provisioning tab.
          2. Select Enable Just-in-time (JIT) Provisioning.
          3. Enter groups as the Just-in-time User Group Attribute and map the Primary Email User Attribute with the email Just-in-time User Attribute.

            The mapping of the Primary Email attribute is mandatory as it is required for functionalities, such as password resetting and multi-factor authentication.

          4. Map other ZIdentity user attributes with the appropriate Entra ID attributes as necessary. By default, the following attributes in ID tokens are mapped with the corresponding user attributes in ZIdentity:

            Attribute in ID Tokens | Default ZIdentity User Attribute
            given_name | First Name
            family_name | Last Name
            name | Display Name
            • If the external IdP is configured to send different attributes for First Name, Last Name, or Display Name, then you must map those attributes. For example, if the ID token from the external IdP includes Surname instead of family_name, then you must map it with the Last Name user attribute in ZIdentity.
            • While mapping attributes, ensure that the attributes that you enter in the Just-in-time Attribute field match exactly with the attributes that would be received in the ID Tokens.

        4. Click Update.
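The JIT mapping above only works when the claim names entered in ZIdentity match the ID token exactly. The following pre-flight check is an added example (not part of the Zscaler documentation): it decodes a constructed Entra-style ID token payload and reports claims that are missing or do not fit the Login ID, Primary Email, groups and default name mappings. It inspects claim names only; signature validation is done by ZIdentity against the OIDC metadata document and is not reproduced here.

```python
"""Pre-flight check of an Entra ID token against the ZIdentity OIDC/JIT mapping.

Added example, not part of the Zscaler documentation. The token payload is
decoded without verifying the signature; ZIdentity performs the verification.
"""
import base64
import json
import re

# Claims ZIdentity reads per the configuration above: the Login ID attribute
# (preferred_username recommended), email for Primary Email, groups for the
# Just-in-time User Group Attribute, and the default name claims.
LOGIN_ID_ATTRIBUTE = "preferred_username"
GROUP_ATTRIBUTE = "groups"
DEFAULT_NAME_CLAIMS = {"given_name": "First Name", "family_name": "Last Name", "name": "Display Name"}
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_payload(id_token: str) -> dict:
    """Return the JWT payload (second segment) as a dict, without verification."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("ID token must have three dot-separated segments")
    return json.loads(b64url_decode(parts[1]))


def check_claims(payload: dict, zidentity_domains: set, login_id_attribute: str = LOGIN_ID_ATTRIBUTE) -> list:
    """Return findings; an empty list means the token fits the ZIdentity mapping."""
    findings = []
    login = payload.get(login_id_attribute)
    if login is None:
        findings.append(f"Login ID attribute '{login_id_attribute}' missing (claim names are case-sensitive)")
    elif not EMAIL_RE.match(login):
        findings.append(f"Login ID '{login}' is not in <user_name>@domain.com format")
    email = payload.get("email")
    if email is None:
        findings.append("'email' claim missing; add it under Token configuration > Add optional claim")
    else:
        m = EMAIL_RE.match(email)
        # Only when email itself is the Login ID must its domain be one added to ZIdentity.
        if login_id_attribute == "email" and (m is None or m.group(1).lower() not in zidentity_domains):
            findings.append(f"email domain of '{email}' is not one of the ZIdentity domains {sorted(zidentity_domains)}")
    groups = payload.get(GROUP_ATTRIBUTE)
    if groups is None:
        findings.append("'groups' claim missing; assign groups (not individual users) to the app and add the groups claim")
    elif not isinstance(groups, list) or not all(GUID_RE.match(g) for g in groups):
        findings.append("'groups' claim should be a list of Group IDs (object IDs) for cloud-created groups")
    for claim, ui_field in DEFAULT_NAME_CLAIMS.items():
        if claim not in payload:
            findings.append(f"'{claim}' missing; map the claim Entra sends to the {ui_field} user attribute")
    return findings


def make_unsigned_token(payload: dict) -> str:
    """Build a token with an empty signature, purely as constructed sample input."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed sample payload shaped like an Entra ID token for this app (placeholder IDs).
SAMPLE_PAYLOAD = {
    "aud": "00000000-0000-0000-0000-000000000000",
    "iss": "https://login.microsoftonline.com/<tenant_id>/v2.0",
    "preferred_username": "jdoe@example.com",
    "email": "jdoe@example.com",
    "given_name": "Jane",
    "family_name": "Doe",
    "name": "Jane Doe",
    "groups": ["11111111-2222-3333-4444-555555555555"],
}

if __name__ == "__main__":
    token = make_unsigned_token(SAMPLE_PAYLOAD)
    for line in check_claims(decode_payload(token), {"example.com"}) or ["ID token matches the ZIdentity mapping"]:
        print(line)
```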
        1. Log in to the Entra Admin Center and go to Identity > Applications > Enterprise applications.
        2. Click New application.

        3. In the Browse Microsoft Entra Gallery window that appears, click Create your own application.

          The Create your own application window appears.

        4. In the Create your own application window:
          1. Enter an application name for the ZIdentity service in the What's the name of your app? field. For example, enter ZIdentity-OIDC-SCIM.
          2. Select the Integrate any other application you don't find in the gallery (Non-gallery) option.
          3. Click Create.
        5. In the ZIdentity Admin Portal, go to Integration > External Identities.
        6. Locate the IdP entry created for Entra ID under the Primary Identity Provider (or Secondary Identity Providers) tab and click the Edit icon.

          The Edit Primary IdP (or Edit Secondary IdP) window appears.

        7. In the Edit Primary IdP (or Edit Secondary IdP) window:
          1. Go to the Provisioning tab.
          2. Under the SCIM Configuration section:

            1. Select Enable SCIM Provisioning.
            2. Copy the SCIM Endpoint URL. This value is used in a subsequent step.

              The SCIM Endpoint URL field appears only if the configurations for the IdP in the Basic tab are completed and saved.

            3. Click Generate Token and copy the Bearer Token value. This value is used in a subsequent step.
            4. (Optional) Map the SCIM attributes (e.g., addresses) with the corresponding ZIdentity user attribute. This mapping is required only for attributes that need to be mapped to a custom user attribute in ZIdentity. To learn more about the SCIM attributes that require custom attribute mapping, see Understanding SCIM.

          3. Click Update.
        8. In the Entra Admin Center, go to Identity > Applications > Enterprise applications.

        9. Locate and click the custom application that you created for SCIM provisioning.

          The application overview page appears.

        10. In the left-side navigation, click Users and groups.

          The Users and groups window appears.

        11. In the Users and groups window, select the users and groups that you want to have access to the application.

          If you want to pass group memberships as claims, make sure that the groups are assigned instead of individual users in the Users and groups window.

        12. In the left-side navigation, click Provisioning.

          The Provisioning window appears.

        13. In the Provisioning window:
          1. Provisioning Mode: Select Automatic from the Provisioning Mode drop-down menu.
          2. Under the Admin Credentials section:
            1. Tenant URL: Enter the endpoint displayed in the SCIM Endpoint URL field while adding the primary or secondary IdP in the ZIdentity Admin Portal.

              The SCIM Endpoint URL field appears only if the configurations for the IdP in the Basic tab are completed and saved.

            2. Secret Token: Enter the bearer token that you generated and copied from the Bearer Token field while configuring the primary or secondary IdP in the ZIdentity Admin Portal.
          3. Click Test Connection. Microsoft Entra ID attempts to connect to the SCIM endpoint. When the connection is successful, a verification message appears. If the attempt fails, error information is displayed, and you must resolve those errors before moving forward.
          4. Click Save after a successful connection.

            The provisioning configuration is saved and the Mappings section appears within the Provisioning window.

          5. Under the Mappings section:
            1. Click the groups attributes mapping.

              The Attribute Mapping window appears.

            2. In the Attributes Mapping window:
              1. Review the attributes that are synchronized from Microsoft Entra ID to your application.
              2. Verify the group attribute mappings as listed in the following table and change as needed by clicking Edit on an existing attribute or by clicking Add New Mapping.

                Zscaler Attribute (Target Attribute) | Microsoft Entra Attribute (Source Attribute) | Match Objects Using this Attribute
                displayName | displayName | Yes
                externalId | objectId |
                members | members |

              3. Click Save to save the attribute mapping changes.
              4. Return to the Provisioning screen.
            3. Click the users attribute mapping.

              The Attribute Mapping window appears.

            4. In the Attributes Mapping window:
              1. Review the attributes that are synchronized from Microsoft Entra ID to your application.
              2. Verify the users attribute mappings as listed in the following table and change as needed by clicking Edit on an existing attribute or by clicking Add New Mapping.

                Zscaler Attribute (Target Attribute) | Microsoft Entra Attribute (Source Attribute) | Match Objects Using this Attribute
                userName | userPrincipalName | Yes
                active | Switch([IsSoftDeleted], , "False", "True", "True", "False") |
                displayName | displayName |
                emails[type eq "work"].value | mail |
                name.givenName | givenName |
                name.familyName | surname |
                externalId | objectId |
                urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department | department |

              3. Click Save to save the attribute mapping changes.
              4. Return to the Provisioning screen.
        14. Under the Settings section:

          1. Send an email notification when a failure occurs: (Optional) Select this and provide an email to receive a notification when there is a provisioning failure.
          2. Prevent accidental deletion: (Optional) Selecting this option allows you to set an Accidental deletion threshold. When the option is enabled, deleting a number of groups and users over the threshold requires approval from an admin.
          3. Scope: (Optional) Choose Sync only assigned users and groups. Zscaler recommends using this setting.

        15. Set the Provisioning Status to On.
        16. Click Save to start the Microsoft Entra ID provisioning service.
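To make the users and groups mapping tables concrete, the following added example (not code from Zscaler or Microsoft) models how the Entra provisioning service turns an Entra user and group into the SCIM 2.0 resources sent to the SCIM Endpoint URL, including the Switch expression for active and the enterprise-extension placement of department, and flags the gaps that show up as provisioning failures. The Entra object shapes, IDs and the assumed SCIM ids for group members are constructed samples.

```python
"""Worked example of the Entra ID to ZIdentity SCIM attribute mappings above.

Added example, not code from Zscaler or Microsoft. Object shapes and IDs are
constructed samples; the behaviour of the Switch default is an assumption.
"""
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
ENTERPRISE_EXT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# "Match Objects Using this Attribute" = Yes in the tables: the attribute used to
# find an existing ZIdentity object before a new one is created.
MATCH_ATTRIBUTE = {USER_SCHEMA: "userName", GROUP_SCHEMA: "displayName"}


def switch_is_soft_deleted(is_soft_deleted) -> str:
    """Entra expression Switch([IsSoftDeleted], , "False", "True", "True", "False").

    Key/value pairs: IsSoftDeleted "False" -> active "True", "True" -> "False".
    The second argument is an empty default; this example assumes an unmatched
    source (e.g. the attribute absent) yields that empty default.
    """
    cases = {"False": "True", "True": "False"}
    return cases.get(str(is_soft_deleted), "")


def entra_user_to_scim(user: dict) -> dict:
    """Apply the users mapping table: target attribute <- Entra source attribute."""
    return {
        "schemas": [USER_SCHEMA, ENTERPRISE_EXT],
        "userName": user["userPrincipalName"],
        # The Switch result is the string "True"/"False"; SCIM carries active as a boolean.
        "active": switch_is_soft_deleted(user.get("IsSoftDeleted")) == "True",
        "displayName": user.get("displayName"),
        # emails[type eq "work"].value <- mail
        "emails": [{"type": "work", "value": user.get("mail")}],
        "name": {"givenName": user.get("givenName"), "familyName": user.get("surname")},
        "externalId": user["objectId"],
        # department is carried under the enterprise extension URN, not at the top level.
        ENTERPRISE_EXT: {"department": user.get("department")},
    }


def entra_group_to_scim(group: dict, scim_user_ids: dict) -> dict:
    """Apply the groups mapping table. scim_user_ids maps member objectIds to the
    SCIM ids ZIdentity returned when those users were created (assumed input)."""
    return {
        "schemas": [GROUP_SCHEMA],
        "displayName": group["displayName"],
        "externalId": group["objectId"],
        "members": [{"value": scim_user_ids[m]} for m in group.get("members", []) if m in scim_user_ids],
    }


def validate_user(resource: dict) -> list:
    """Findings an admin would otherwise meet as provisioning failures for a user."""
    findings = []
    if not resource.get("userName"):
        findings.append("userName (matching attribute) is empty: userPrincipalName not set")
    work = [e.get("value") for e in resource.get("emails", []) if e.get("type") == "work"]
    if not any(work):
        findings.append('emails[type eq "work"].value is empty: Entra mail attribute not populated')
    if not resource.get("externalId"):
        findings.append("externalId is empty: objectId missing")
    if "department" in resource and ENTERPRISE_EXT not in resource:
        findings.append("department must be sent under " + ENTERPRISE_EXT)
    return findings


# Constructed sample objects with placeholder IDs.
SAMPLE_USER = {
    "userPrincipalName": "jdoe@example.com",
    "IsSoftDeleted": "False",
    "displayName": "Jane Doe",
    "mail": "jdoe@example.com",
    "givenName": "Jane",
    "surname": "Doe",
    "objectId": "11111111-1111-1111-1111-111111111111",
    "department": "Security Engineering",
}
SAMPLE_GROUP = {
    "displayName": "ZIdentity Admins",
    "objectId": "22222222-2222-2222-2222-222222222222",
    "members": ["11111111-1111-1111-1111-111111111111"],
}

if __name__ == "__main__":
    import json
    user = entra_user_to_scim(SAMPLE_USER)
    print(json.dumps(user, indent=2))
    print("findings:", validate_user(user))
    print(json.dumps(entra_group_to_scim(SAMPLE_GROUP, {SAMPLE_USER["objectId"]: "zid-user-0001"}), indent=2))
```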
    • You can configure step-up authentication to extend the existing authentication process by requiring multi-factor authentication (MFA) when needed, ensuring that access to high-risk or sensitive data is protected.

      Before configuring step-up authentication, make sure you have configured authentication levels and access policies. To learn more, see Understanding Step-Up Authentication.

      To enable step-up authentication:

      1. In the ZIdentity Admin Portal, go to Integration > External Identities.
      2. Locate the IdP entry created for Entra ID under the Primary Identity Provider (or Secondary Identity Providers) tab and click the Edit icon.
      3. In the Edit Primary IdP (or Edit Secondary IdP) window:
        1. Go to the Advanced tab.
        2. Under the Levels to Authentication context mapping section, enter the ACR Claim value for each authentication level. To learn more about the supported ACR Claims in Entra ID, refer to the Microsoft Technical documentation.

          Ensure that you map proper ACR claims for each level depending on the hierarchy. The highest level of authentication must be mapped to the ACR value for the strongest context.

      4. Click Update.

    Setting Up IdP-Initiated SSO

    You can log in to the ZIdentity Admin Portal via the IdP-initiated flow.

    To log in to ZIdentity Admin Portal from the Entra ID's My Apps portal:

    1. Log in to the Entra ID's My Apps portal.
    2. Locate and click the Zscaler app.

      The ZIdentity Admin Portal URL is opened in a new tab or window and you are logged in.

  • This section explains how to configure Microsoft Entra ID as an identity provider (IdP) for the ZIdentity service. Zscaler recommends configuring the IdP and service provider (SP) simultaneously because the two configurations are interdependent. To learn more, see Adding SAML Identity Providers.

    Prerequisites

    Ensure that you have:

    • A premium Microsoft Entra ID subscription
    • An existing directory in Microsoft Entra ID
    • A ZIdentity account with an admin role that allows you to add an IdP configuration

    Configuring Microsoft Entra ID as IdP for ZIdentity

    To set up Microsoft Entra ID as an IdP for ZIdentity:

      1. Log in to the Entra Admin Center and go to Identity > Applications > Enterprise applications from the left-side navigation.
      2. Click New application, then Create your own application.
      3. In the Create your own application window, enter an application name for the ZIdentity service in the What's the name of your app? field. For example, enter ZIdentity.
      4. Select the Integrate any other application you don't find in the gallery (Non-gallery) option.
      5. Click Create.

        The Microsoft Entra ID service displays a notification that the application is added and you are redirected to the application's Overview page.

      6. From the left-side navigation, click Single sign-on, then SAML.

        The Set up Single Sign-on with SAML page appears.

      7. In the Basic SAML Configuration section, click Edit and do the following:

        1. Identifier (Entity ID): Enter the entity ID displayed in the SP Entity ID field when you configure Microsoft Entra ID as an IdP in the ZIdentity Admin Portal. This ID is specific to your IdP.
        2. Reply URL (Assertion Consumer Service URL): Enter the URL that is displayed in the SP URL field when you configure Microsoft Entra ID as an IdP in the ZIdentity Admin Portal.

        3. Leave the other fields blank.
        4. Click Save and exit the window.

        After saving, you are prompted to test the configuration. Do not test the configuration at this time.

      8. In the User Attributes & Claims section, verify that you have the necessary claims mapped to the attributes.

      9. Map the required attributes in the ZIdentity Admin Portal. The mapping of the Primary Email attribute is mandatory as it is required for functionalities, such as password resetting or multi-factor authentication.

      10. Click Add a group claim and do the following:

        1. Which groups associated with the user should be returned in the claim?: Select Groups assigned to the application.
        2. Source attribute: Select Cloud-only group display names.
        3. Enable the Customize the name of the group claim option.
        4. Name (required): Enter a name for the group attribute.
        5. Click Save and exit the window.

        Map this attribute to the User Group SAML Attribute field in the ZIdentity Admin Portal when configuring Microsoft Entra ID as an IdP.

      11. Depending on how you want to provide the IdP inputs when configuring Microsoft Entra ID as an IdP in the ZIdentity Admin Portal, complete one of the following actions:

      12. (Optional) If you want to enable the SAML request and response signing options in the ZIdentity Admin Portal, go to the Advanced tab, and do the following:
        1. Enable SAML Request Signing.
        2. Signing Algorithm: Select SHA-256 from the drop-down menu.

        3. Under SP SAML Certificate, click Download Certificate.

          The Service Provider (SP) SAML Certificate is downloaded to your system as a PEM file. Rename this file and change the file extension from .pem to .cer.

        4. Select Encrypted SAML Assertion.
        5. Under SAML Encryption Certificate, click Download Certificate.

          The SAML Encryption Certificate is downloaded to your system as a PEM file. Rename this file and change the file extension from .pem to .cer.

        6. Click Update.
        7. Go to the Entra Admin Center and go to the application created for ZIdentity.
        8. To complete the SAML Request Signing configuration, go to Manage > Single sign-on, and click the Edit icon for the Verification certificates (optional) section.

        9. In the Verification certificates window:

          1. Select Require verification certificates.
          2. Click Upload certificate and upload the SP SAML Certificate file downloaded from the ZIdentity Admin Portal.

            Ensure that the SP SAML Certificate file was renamed by changing the file extension from .pem to .cer before uploading.

          3. Click Save.

          The Verification Certificate is uploaded to the Entra Admin Center.

        10. To complete the Encrypted SAML Assertion configuration, go to Security > Token encryption.
        11. Click Import Certificate and upload the SAML Encryption Certificate file downloaded from the ZIdentity Admin Portal.

          Ensure that the SAML Encryption Certificate file was renamed by changing the file extension from .pem to .cer before uploading.

        12. In the left-side navigation, go to Manage > Single Sign-on, and click the Edit icon for the SAML Certificates section.

        13. In the SAML Signing Certificate window:

          1. Signing Option: Select Sign SAML response and assertion from the drop-down menu.
          2. Signing Algorithm: Select SHA-256 from the drop-down menu.
          3. Click Save.

      The configuration in the Azure Portal is completed. Finish the IdP configuration in the ZIdentity Admin Portal to set up Microsoft Entra ID as an IdP for ZIdentity.

      Assigning Users and Groups to ZIdentity

      To assign users to the ZIdentity service:

      1. Go to Identity > Applications > Enterprise applications from the left-side navigation.
      2. Search and open the ZIdentity application.
      3. From the left-side navigation, click Users and groups, then Add user/group.

        The Users and groups window appears.

      4. Search for the user or group you want to assign to ZIdentity service.
      5. Select the checkbox next to the user or group names you want to assign to the ZIdentity service, then click Select.

        If you want to pass group memberships as claims, make sure that the groups are assigned instead of individual users in the Users and groups window.

      6. In the Add Assignment panel, click Assign.

        You are redirected to the Users and groups page where you can see the users are successfully assigned to ZIdentity.

    • This section provides information on how to set up Microsoft Entra ID to use System for Cross-Domain Identity Management (SCIM) in ZIdentity. SCIM allows you to quickly remove, manage, or add users to ZIdentity. Before you proceed, ensure that you have the Enable SCIM Provisioning option selected when configuring Microsoft Entra ID as an IdP in the ZIdentity Admin Portal.

      Optionally, map the SCIM attributes (e.g., addresses) with the corresponding ZIdentity user attribute. This mapping is required only for attributes that need to be mapped to a custom user attribute in ZIdentity. To learn more about the SCIM attributes that require custom attribute mapping, see Understanding SCIM.

      To configure SCIM in Microsoft Entra ID:

      1. Log in to the Entra Admin Center and go to Identity > Applications > Enterprise applications.
      2. Locate and click the ZIdentity application that you created.

        The application overview page appears.

      3. In the left-side navigation, click Provisioning.

        The Provisioning window appears.

      4. In the Provisioning window:
        1. Provisioning Mode: Select Automatic from the Provisioning Mode drop-down menu.
        2. Under the Admin Credentials section:
          • Tenant URL: Enter the endpoint displayed in the SCIM Endpoint URL field while configuring the primary or secondary IdP in the ZIdentity Admin Portal.

            The SCIM Endpoint URL field appears only if the configurations for the IdP in the Basic tab are completed and saved.

          • Secret Token: Enter the bearer token that you generated and copied from the Bearer Token field while configuring the primary or secondary IdP in the ZIdentity Admin Portal.
        3. Click Test Connection. Microsoft Entra ID attempts to connect to the SCIM endpoint. When the connection is successful, a verification message appears. If the attempt fails, error information is displayed, and you must resolve those errors before moving forward.
        4. Click Save after a successful connection.

          The provisioning configuration is saved and the Mappings section appears within the Provisioning window.

        5. Under the Mappings section:
          1. Click the groups attributes mapping.

            The Attribute Mapping window appears.

          2. In the Attributes Mapping window:
            1. Review the attributes that are synchronized from Microsoft Entra ID to your application.
            2. Verify the group attribute mappings as listed in the following table and change as needed by clicking Edit on an existing attribute or by clicking Add New Mapping.

              Zscaler Attribute (Target Attribute) | Microsoft Entra Attribute (Source Attribute) | Match Objects Using this Attribute
              displayName | displayName | Yes
              externalId | objectId |
              members | members |

            3. Click Save to save the attribute mapping changes.
            4. Return to the Provisioning screen.
          3. Click the users attribute mapping.

            The Attribute Mapping window appears.

          4. In the Attributes Mapping window:
            1. Review the attributes that are synchronized from Microsoft Entra ID to your application.
            2. Verify the users attribute mappings as listed in the following table and change as needed by clicking Edit on an existing attribute or by clicking Add New Mapping.

              Zscaler Attribute (Target Attribute) | Microsoft Entra Attribute (Source Attribute) | Match Objects Using this Attribute
              userName | userPrincipalName | Yes
              active | Switch([IsSoftDeleted], , "False", "True", "True", "False") |
              displayName | displayName |
              emails[type eq "work"].value | mail |
              name.givenName | givenName |
              name.familyName | surname |
              externalId | objectId |
              urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department | department |

            3. Click Save to save the attribute mapping changes.
            4. Return to the Provisioning screen.
        6. Under the Settings section:

          1. Send an email notification when a failure occurs: (Optional) Select this and provide an email to receive a notification when there is a provisioning failure.
          2. Prevent accidental deletion: (Optional) Selecting this option allows you to set an Accidental deletion threshold. When the option is enabled, deleting a number of groups and users over the threshold requires approval from an admin.
          3. Scope: (Optional) Choose Sync only assigned users and groups. Zscaler recommends using this setting.

      5. Set the Provisioning Status to On.
      6. Click Save to start the Microsoft Entra ID provisioning service.

    IdP-Initiated SSO for ZIdentity Tenants Enabled with Experience Center

    In Experience Center-enabled tenants, the user is redirected to Experience Center by default during the IdP-initiated SSO flow. To change this and ensure that the user is redirected to ZIdentity instead, you must configure the zidServiceId attribute in Entra ID.

    • To configure the attribute in Entra ID:

      1. Log in to the Entra Admin Center.
      2. Go to Identity > Applications > Enterprise applications.
      3. Locate the application created for ZIdentity and open it.
      4. Go to Manage > Single sign-on.
      5. Locate the Attributes & Claims section, and click Edit.

      6. In the Attributes & Claims page, click Add new claim.

      7. In the Manage Claim page:
        1. Enter zidServiceId as the attribute name.
        2. Under Claim conditions, configure administrator groups for which you want to send the claim:
          1. Select Members from the User type drop-down menu.
          2. Click Select groups under the Scoped Groups column, and select the administrator groups for which you want to send the claim.
          3. Select Attribute from the Source drop-down menu.
          4. Enter 800000000103 as the Value. This value is the same for all tenants.

          5. Click Save.