
Configuring Okta as an External IdP

This guide provides information on how to configure Okta as an external Identity Provider (IdP) for ZIdentity to facilitate single sign-on (SSO) to various Zscaler services for admin access management. You can configure Okta as an external IdP to enable SSO to ZIdentity using OpenID Connect (OIDC) or Security Assertion Markup Language (SAML) authentication protocols.

Zscaler and Okta are technology partners. To learn more about integrating Zscaler and Okta, see the Zscaler and Okta Deployment Guide.

Depending on the authentication protocol, you can provision users to ZIdentity from Okta using Just-in-Time (JIT) provisioning or System for Cross-domain Identity Management (SCIM) provisioning.

If you want to leverage step-up authentication, it is recommended to use OIDC-based integrations as most IdPs only support step-up authentication with the OIDC protocol.

  • This section provides information on how to use the Okta Integration Network (OIN) app integration to configure Okta as your OpenID Provider (OP) for ZIdentity for facilitating single sign-on (SSO) to various Zscaler services for admin access management.

    An OIN-based integration uses SCIM-based provisioning and Zscaler recommends the OIN-based integration. If your Okta subscription does not include SCIM provisioning, Zscaler recommends using the custom OIDC application as Okta does not support sending custom claims such as Groups or Departments with the OIN application. To learn more, see OIDC-Based Authentication via Custom App Integration.

    Prerequisites

    Ensure that you have:

    • An Okta account with admin privileges
    • A SCIM provisioning subscription for Okta
    • An existing user directory in Okta
    • A ZIdentity account with an admin role that allows you to add an IdP configuration

    Supported Features

    The following features are supported for OIDC and SCIM:

    Supported Features for OIDC

    • JIT Provisioning
    • IdP-Initiated SSO
    After setting up the OIN-based integration, ZIdentity administrators can log in to the ZIdentity Admin Portal using Okta.

      To log in to ZIdentity Admin Portal via Okta:

      1. Go to the ZIdentity Admin Portal using your vanity URL specific to your ZIdentity tenant. For example, the vanity URL has the following format:

        https://customername.zslogin.net/
      2. Enter your username registered with Okta.

        If the username is valid, you are redirected to the Okta page for authentication. After successful authentication, you are logged in to the ZIdentity Admin Portal.


    Supported Features for SCIM

    • Create Users
    • Update User Attributes
    • Deactivate Users
    • Group Push

    Configuring Okta as OP for ZIdentity

    To set up Okta as an OP for ZIdentity:

      1. Log in to the Okta Admin Console.
      2. Go to Applications > Applications.
      3. Click Browse App Catalog.

      4. Search for zscaler.
      5. From the search results, locate and click the Zscaler app.

      6. In the app details page, click Add Integration.

      7. In the Add Zscaler window, enter a name for the Application label field.

      8. Click Done.

        An OIN app for ZIdentity is added.

      9. In the application page, on the Sign On tab, copy the Client ID and Client secret values. These values are used in a subsequent step when configuring Okta as an OP for ZIdentity.

      10. To obtain the metadata URL, right-click the OpenID Provider Metadata text, and copy the URL. This value is used in a subsequent step when configuring Okta as an OP for ZIdentity. The metadata URL has the following format:

        https://<your_subdomain>.okta.com/oauth2/default/.well-known/openid-configuration

      1. Log in to the ZIdentity Admin Portal.
      2. Go to Integration > External Identities.
      3. Click Add Primary IdP (or Add Secondary IdP).
        The Add Primary Identity Provider or Add Secondary Identity Provider window appears.
      4. On the Basic tab:
        1. Under the General section:

          1. Name: Enter a name for the IdP.
          2. Identity Vendor: Select Okta from the drop-down menu.
          3. Domain: Select the domain for which the IdP is responsible for authenticating the users. This allows the Zscaler service to display the correct IdP to authenticate an incoming user.
          4. Protocol: Select OIDC.
          5. Status: Select Enabled.
          6. Login ID Attribute: Enter the attribute to map to the Login ID attribute. You can use any attribute that has the email address format (e.g., <user_name>@domain.com). However, Zscaler recommends using preferred_username as the Login ID attribute.

            • If you are using email as the Login ID attribute, ensure that your email domain matches with one of the domains added to ZIdentity for the Primary Email attribute.
            • You can use any email domain for your primary email if you are using any attribute other than email as the source for the Login ID attribute.
            • Ensure that the attribute you enter in the Login ID field matches exactly with the attribute received in the ID tokens.

        2. Under the OIDC Configuration section:

          1. Metadata URL: Enter the metadata URL copied from the Okta Admin Console.
          2. Click Fetch.
          3. Copy the Redirect URI value. This value is used in a subsequent step.

            If you are configuring Okta as your secondary IdP, the final segment of the Redirect URI is required for configuring the Initiate Login URI in the Okta Admin Console.

          4. Paste the Client ID and Client Secret values copied from the Okta Admin Console.
          5. Add email and profile to the Requested Scopes field.

      5. Click Save.
      6. Go to the Okta Admin Console, and go to the OIN app added for ZIdentity.
      7. On the Sign On tab:
        1. Click Edit.
        2. Paste the Redirect URI copied from ZIdentity Admin Portal.
        3. Enter the following value for the Initiate Login URI field:
          • If you are configuring Okta as your primary IdP in the ZIdentity Admin Portal:

            https://<your_domain>.zslogin.net/?idp_id=default

          • If you are configuring Okta as your secondary IdP in the ZIdentity Admin Portal:

            https://<your_domain>.zslogin.net/?idp_id=<final_segment_from_redirect_URI>

        4. Click Save.
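Added example, not Zscaler's or Okta's code: before pasting values into either console, check that the Okta OpenID Provider metadata advertises what the steps above rely on (the default authorization server as issuer, the authorization code grant, the email and profile scopes, and the recommended preferred_username claim), and build the Initiate Login URI from a Redirect URI. The discovery document, the example-corp subdomain and the redirect URI path are constructed placeholders; only the final path segment of the redirect URI is used.

```python
import json
from urllib.parse import urlparse

# Constructed Okta discovery document, trimmed to the keys this check reads.
# "example-corp" is a placeholder Okta subdomain.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://example-corp.okta.com/oauth2/default",
    "authorization_endpoint": "https://example-corp.okta.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://example-corp.okta.com/oauth2/default/v1/token",
    "jwks_uri": "https://example-corp.okta.com/oauth2/default/v1/keys",
    "scopes_supported": ["openid", "email", "profile", "groups"],
    "grant_types_supported": ["authorization_code", "implicit", "refresh_token"],
    "claims_supported": ["sub", "email", "preferred_username", "name",
                         "given_name", "family_name"],
})

REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
REQUIRED_SCOPES = ("email", "profile")        # the guide adds these to Requested Scopes
RECOMMENDED_LOGIN_ID = "preferred_username"   # Zscaler's recommended Login ID attribute


def check_okta_discovery(doc_json: str, okta_subdomain: str) -> list:
    """Return the problems found in the metadata; an empty list means it is usable."""
    doc = json.loads(doc_json)
    problems = []
    for key in REQUIRED_KEYS:
        if key not in doc:
            problems.append(f"missing {key}")
        elif urlparse(doc[key]).scheme != "https":
            problems.append(f"{key} is not an https URL")
    # The metadata URL in the guide points at the "default" authorization server,
    # so the issuer must be exactly that server: ID tokens are validated against it.
    expected_issuer = f"https://{okta_subdomain}.okta.com/oauth2/default"
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer {doc.get('issuer')!r} != {expected_issuer!r}")
    if "authorization_code" not in doc.get("grant_types_supported", []):
        problems.append("authorization_code grant not supported")
    for scope in REQUIRED_SCOPES:
        if scope not in doc.get("scopes_supported", []):
            problems.append(f"scope {scope} not advertised")
    if RECOMMENDED_LOGIN_ID not in doc.get("claims_supported", []):
        problems.append(f"claim {RECOMMENDED_LOGIN_ID} not advertised")
    return problems


def initiate_login_uri(vanity_host: str, redirect_uri: str, secondary: bool) -> str:
    """Build the Initiate Login URI value from the guide: idp_id is "default" for a
    primary IdP, or the final path segment of the ZIdentity Redirect URI for a
    secondary IdP. vanity_host is the tenant's zslogin.net host name."""
    if not secondary:
        idp_id = "default"
    else:
        idp_id = urlparse(redirect_uri).path.rstrip("/").rsplit("/", 1)[-1]
        if not idp_id:
            raise ValueError("redirect URI has no final path segment")
    return f"https://{vanity_host}/?idp_id={idp_id}"
```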

      Configuring JIT Provisioning

        1. In the ZIdentity Admin Portal, go to Integration > External Identities.
        2. Locate the IdP entry created for Okta under the Primary Identity Provider (or Secondary Identity Providers) tab and click the Edit icon.
        3. In the Edit Primary IdP (or Edit Secondary IdP) window:
          1. Go to the Provisioning tab and configure the following:
            1. Select Enable Just-in-time (JIT) Provisioning.
            2. Map the required attributes. The mapping of the Primary Email attribute is mandatory as it is required for functionalities, such as password resetting and multi-factor authentication. By default, the following attributes in ID tokens are mapped with the corresponding user attributes in ZIdentity.

              Attribute in ID Tokens    Default ZIdentity User Attribute
              given_name                First Name
              family_name               Last Name
              name                      Display Name
              • If the external IdP is configured to send different attributes for First Name, Last Name, or Display Name, then you must map those attributes. For example, if the ID token from the external IdP includes Surname instead of family_name, then you must map it with the Last Name user attribute in ZIdentity.
              • While mapping attributes, ensure that the attributes you enter in the Just-in-time Attribute field match exactly with the attributes that would be received in the ID tokens.

            3. Click Update.

            4. In the Okta Admin Console, go to Applications > Applications.
            5. Open the OIN app created for ZIdentity and go to the Assignments tab.
            6. Add users and groups to the application using the Assign drop-down menu.

              The JIT provisioning with Okta users is configured for ZIdentity.

      Configuring SCIM Provisioning

        1. In the ZIdentity Admin Portal, go to Integration > External Identities.
        2. Locate the IdP entry created for Okta under the Primary Identity Provider (or Secondary Identity Providers) tab and click the Edit icon.
        3. In the Edit Primary IdP (or Edit Secondary IdP) window:
          1. Go to the Provisioning tab.
          2. Select Enable SCIM Provisioning.
          3. Copy the SCIM Endpoint URL. This value is used in a subsequent step.

            The SCIM Endpoint URL field appears only if the configurations for the IdP in the Basic tab are completed and saved.

          4. Click Generate Token and copy the Bearer Token value. This value is used in a subsequent step.
          5. (Optional) Map the SCIM attribute (e.g., addresses) with the corresponding ZIdentity user attribute. This mapping is required only for attributes that need to be mapped to a custom user attribute in ZIdentity. To learn more about the SCIM attributes that require custom attribute mapping, see Understanding SCIM.


        4. Click Update.
        5. Go to the Okta Admin Console, and go to the OIN app added for ZIdentity.
        6. On the Provisioning tab:
          1. Click Configure API Integration.


          2. Select Enable API integration.
          3. Paste the SCIM Endpoint URL value copied from the ZIdentity Admin Portal to the Base URL field.
          4. Paste the Bearer Token value copied from the ZIdentity Admin Portal to the API Token field.
          5. Click Test API Credentials.
          6. Click Save.

          7. Click Edit.

          8. Under the Provisioning to App section, enable the Create Users, Update User Attributes, and Deactivate Users options.

          9. Click Save.
          10. On the Assignments tab, click the Assign drop-down menu, and select an option to assign users or groups.
          11. To sync groups and the assigned users or members from Okta to ZIdentity, go to the Push Groups tab, and select an option to push groups by name or rule:

              1. Select the Find groups by name option from the Push Groups drop-down menu.

                By default, the Push group memberships immediately option is selected to push groups immediately to ZIdentity. However, you can disable it if you do not want to do this.

              2. Enter the name of the group that you want to push and select the group from the drop-down menu.

              3. Click Save or click Save & Add Another if you want to push multiple groups.
              4. Click Close.
              5. On the Push Groups tab, click By name on the left-side navigation and verify that all your groups have been added. Ensure that the Push Status for each group is Active.

              1. Select the Find groups by rule option from the Push Groups drop-down menu.

              2. In the Push groups by rule window:
                1. Rule name: Enter a name for the rule.
                2. Group name: Select a match condition from the drop-down menu and enter a string that should be used to find a group with the name matching the condition. For example, you can select Contains as the match condition and enter Admins as the string to match all groups that have the string "Admin" and push them to ZIdentity.
                3. Group description: Select a match condition from the drop-down menu and enter a string that should be used to find a group with the description matching the condition. For example, you can select Contains as the match condition and enter For Admins as the string to match all groups that have the string "For Admins" in the description and push them to ZIdentity.

                  By default, the Immediately push groups found by this rule option is selected to push groups immediately to ZIdentity. However, you can disable it if you do not want to do this.

                4. Click Create Rule.
                5. On the Push Groups tab, select the rule name created in the previous step under the By rule option on the left-side navigation, and verify that all of your groups have been added. Ensure that the Push Status for each group is Active.


            To learn more about group push, refer to the Okta technical documentation.

        The SCIM provisioning with Okta users is configured for ZIdentity.

    • You can configure step-up authentication to extend the existing authentication process by requiring multi-factor authentication (MFA) when needed, ensuring that access to high-risk or sensitive data is protected.

      Before configuring step-up authentication, make sure you have configured authentication levels and access policies. To learn more, see Understanding Step-Up Authentication.

      To enable step-up authentication:

      1. In the ZIdentity Admin Portal, go to Integration > External Identities.
      2. Locate the IdP entry created for Okta under the Primary Identity Provider (or Secondary Identity Providers) tab and click the Edit icon.
      3. In the Edit Primary IdP (or Edit Secondary IdP) window:
        1. Go to the Advanced tab.
        2. Under the Levels to Authentication context mapping section, enter the ACR Claim value for each authentication level. To learn more about the ACR claims supported in Okta, refer to the Okta technical documentation.

          Ensure that you map proper ACR claims for each level depending on the hierarchy. The highest level of authentication must be mapped to the ACR value for the strongest context.

      4. Click Update.
  • This section provides information on how to configure Okta as your OpenID Provider (OP) for ZIdentity to facilitate single sign-on (SSO) to various Zscaler services for admin access management.

    Prerequisites

    Ensure that you have:

    • An Okta account with admin privileges
    • An existing user directory in Okta
    • A ZIdentity account with an admin role that allows you to add an IdP configuration

    Configuring Okta as OP for ZIdentity

    To set up Okta as an OP for ZIdentity:

      1. Log in to the Okta Admin Console.
      2. Go to Applications > Applications.
      3. Click Create App Integration.

      4. In the Create a new app integration window:

        1. Sign-in method: Select the OIDC - OpenID Connect option.
        2. Application type: Select the Web Application option.
        3. Click Next.

        The New Web App Integration window appears.

      5. In the New Web App Integration window:
        1. Under the General Settings section:

          1. App integration name: Enter a name for the ZIdentity integration.
          2. Ensure that Grant type is set to Authorization Code.

        2. Under the Assignments section:

          1. Controlled Access: Select an appropriate option.
          2. Disable the Enable immediate access with Federation Broker Mode option.

      6. Click Save.
      7. In the application page, under the General tab, copy the Client ID and Client Secret values.

      1. Log in to the ZIdentity Admin Portal.
      2. Go to Integration > External Identities.
      3. Click Add Primary IdP (or Add Secondary IdP).
        The Add Primary Identity Provider or Add Secondary Identity Provider window appears.
      4. On the Basic tab:
        1. Under the General section:

          1. Name: Enter a name for the IdP.
          2. Identity Vendor: Select Okta from the drop-down menu.
          3. Domain: Select the domain for which the IdP is responsible for authenticating the users. This allows the Zscaler service to display the correct IdP to authenticate an incoming user.
          4. Protocol: Select OIDC.
          5. Status: Select Enabled.
          6. Login ID Attribute: Enter the attribute to map to the Login ID attribute. You can use any attribute that has the email address format (e.g., <user_name>@domain.com). However, Zscaler recommends using preferred_username as the Login ID attribute.

            • If you are using email as the Login ID attribute, ensure that your email domain matches with one of the domains added to ZIdentity for the Primary Email attribute.
            • You can use any email domain for your primary email if you are using any attribute other than email as the source for the Login ID attribute.
            • Ensure that the attributes you enter in the Login ID field match exactly with the attribute that would be received in the ID tokens.

        2. Under the OIDC Configuration section:

          1. Enter the following value for the Metadata URL field:

            https://<your_subdomain>.okta.com/oauth2/default/.well-known/openid-configuration
          2. Click Fetch.
          3. Copy the Redirect URI value.
          4. Paste the Client ID and Client Secret values copied from the Okta Admin Console to the respective fields.
          5. Add email and profile to the Requested Scopes field.

      5. Click Save.
      6. Go to the Okta Admin Console, and go to the application integration created for ZIdentity.
      7. Under the General tab:
        1. Go to the General Settings section.
        2. Click Edit.

        3. Under the Login section, paste the Redirect URI value copied from the ZIdentity Admin Portal in a previous step to the Sign-in redirect URIs field.

        4. Click Save.
    • This section explains how to provision Okta users in ZIdentity Admin Portal using Just-in-Time (JIT) provisioning. Okta does not support SCIM provisioning for custom OIDC applications. For configuring SCIM-based provisioning using Okta, Zscaler recommends using a SAML app integration.

        1. In the Okta Admin Console, go to Security > API.
        2. Click the Edit icon for the authorization server.

        3. Under the Scopes tab:
          1. Click Add Scope.

          2. Enter a name for the scope. For example, enter Groups-Scope.

          3. Click Create.

            The custom scope is added to the authorization server.

        4. Under the Claims tab:
          1. Click Add Claim.

          2. Enter a name for the claim. For example, enter Groups.
          3. Include in the Token Type: Select ID Token and select Always from the respective drop-down menus.
          4. Value type: Select Groups from the drop-down menu.
          5. Filter: Select Match regex from the drop-down menu and enter .* to return all of the user's groups.
          6. Include in: Select The following scopes and add the scope created earlier under the Scopes tab (i.e., Groups-Scope).

          7. Click Create.

            The custom claim is added to the authorization server.

        1. In the ZIdentity Admin Portal, go to Integration > External Identities.
        2. Locate the IdP entry created for Okta under the Primary Identity Provider (or Secondary Identity Providers) tab and click the Edit icon.
        3. In the Edit Primary IdP (or Edit Secondary IdP) window:

          1. Go to the Provisioning tab.
          2. Select Enable Just-in-time (JIT) Provisioning.
          3. Just-in-time User Group Attribute: Enter the claim name created for group information retrieval (i.e., Groups). This retrieves the group membership information of the users from Okta.
          4. Map ZIdentity user attributes with the appropriate Okta attributes as necessary. The mapping of the Primary Email attribute is mandatory as it is required for functionalities, such as password resetting and multi-factor authentication. By default, the following attributes in ID tokens are mapped with the corresponding user attributes in ZIdentity.

            Attribute in ID Tokens    Default ZIdentity User Attribute
            given_name                First Name
            family_name               Last Name
            name                      Display Name
            • If the external IdP is configured to send different attributes for First Name, Last Name, or Display Name, then you must map those attributes. For example, if the ID token from the external IdP includes Surname instead of family_name, then you must map it with the Last Name user attribute in ZIdentity.
            • While mapping attributes, ensure that the attributes you enter in the Just-in-time Attribute field match exactly with the attributes that would be received in the ID tokens.

        4. Click Update.

          The JIT provisioning with Okta users is configured for ZIdentity.

    • You can configure step-up authentication to extend the existing authentication process by requiring multi-factor authentication (MFA) when needed, ensuring that access to high-risk or sensitive data is protected.

      Before configuring step-up authentication, make sure you have configured authentication levels and access policies. To learn more, see Understanding Step-Up Authentication.

      To enable step-up authentication:

      1. In the ZIdentity Admin Portal, go to Integration > External Identities.
      2. Locate the IdP entry created for Okta under the Primary Identity Provider (or Secondary Identity Providers) tab and click the Edit icon.
      3. In the Edit Primary IdP (or Edit Secondary IdP) window:
        1. Go to the Advanced tab.
        2. Under the Levels to Authentication context mapping section, enter the ACR Claim value for each authentication level. To learn more about the ACR claims supported in Okta, refer to the Okta technical documentation.

          Ensure that you map proper ACR claims for each level depending on the hierarchy. The highest level of authentication must be mapped to the ACR value for the strongest context.

      4. Click Update.
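Added example, not Zscaler's or Okta's code, for the Levels to Authentication context mapping described here and in the OIN section's step-up steps: it checks that the configured ACR gets stronger with each level and decides from a session's acr claim whether a step-up is needed. The level numbers, the mapping and the strength ordering are assumptions; the ACR identifiers are the ones Okta documents, so verify them against the Okta documentation the guide references.

```python
# Okta ACR identifiers ordered weakest to strongest (ordering is this example's
# assumption; the identifiers themselves are Okta's documented values).
ACR_STRENGTH = [
    "urn:okta:loa:1fa:any",   # any single factor
    "urn:okta:loa:2fa:any",   # any second factor
    "phr",                    # phishing-resistant factor
    "phrh",                   # phishing-resistant, hardware-protected factor
]

# Assumed authentication levels as they might be mapped on the Advanced tab.
# The highest level must map to the strongest context.
LEVEL_TO_ACR = {
    1: "urn:okta:loa:1fa:any",
    2: "urn:okta:loa:2fa:any",
    3: "phrh",
}


def check_mapping(level_to_acr: dict) -> list:
    """Return problems with a level-to-ACR mapping: unknown values, one ACR reused
    for two levels, or a higher level mapped to a weaker context than a lower one."""
    problems = []
    used = {}
    for level in sorted(level_to_acr):
        acr = level_to_acr[level]
        if acr not in ACR_STRENGTH:
            problems.append(f"level {level}: unknown ACR {acr!r}")
            continue
        if acr in used:
            problems.append(f"level {level}: ACR {acr!r} already used by level {used[acr]}")
        used[acr] = level
    ranks = [ACR_STRENGTH.index(level_to_acr[l]) for l in sorted(level_to_acr)
             if level_to_acr[l] in ACR_STRENGTH]
    if ranks != sorted(ranks):
        problems.append("ACR strength does not increase with authentication level")
    return problems


def level_for_acr(level_to_acr: dict, token_acr) -> int:
    """Level reached by a session, by exact match of the acr claim; 0 if no level matches
    (including a token with no acr claim at all)."""
    for level, acr in level_to_acr.items():
        if acr == token_acr:
            return level
    return 0


def step_up_required(level_to_acr: dict, token_claims: dict, required_level: int):
    """Return None when the session already satisfies required_level, otherwise the
    ACR value the IdP should be asked for (the acr_values of a new authorization request)."""
    current = level_for_acr(level_to_acr, token_claims.get("acr"))
    if current >= required_level:
        return None
    return level_to_acr[required_level]
```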
  • This section provides information on how to configure Okta as the SAML Identity Provider (IdP) for ZIdentity to facilitate single sign-on (SSO) to various Zscaler services for admin access management.

    Prerequisites

    • A subscription to Okta
    • An existing user directory in Okta
    • A ZIdentity account with an admin role that allows you to add an IdP configuration

    Configuring Okta as IdP for ZIdentity

    To set up Okta as an IdP for ZIdentity:

      1. Log in to the ZIdentity Admin Portal.
      2. Go to Integration > External Identities.
      3. Click Add Primary IdP (or Add Secondary IdP).

        The Add Primary Identity Provider (or Add Secondary Identity Provider) window appears.

      4. On the Basic tab:

        1. Under the General section:
          1. Name: Enter a name for the IdP.
          2. Identity Vendor: Select Okta from the drop-down menu.
          3. Domain: Select the domain for which the IdP is responsible for authenticating the users. This allows the Zscaler service to display the correct IdP to authenticate an incoming user.
          4. Protocol: Select SAML.
          5. Status: Select Enabled.
          6. Login ID Attribute: Enter NameID to map it with the Login ID attribute.

            • If you are using email as the Login ID attribute, ensure that your email domain matches with one of the domains added to ZIdentity for the Primary Email attribute.
            • You can use any email domain for your primary email if you are using any attribute other than email as the source for the Login ID attribute.
            • Ensure that the attributes you enter in the Login ID field match exactly with the attribute that would be received in the SAML assertions.
        2. Under the SAML Configuration section, copy the SP Entity ID.

      Do not close the window, because closing it refreshes the SP Entity ID.

      1. Log in to the Okta Admin Console.
      2. Go to Applications > Applications.
      3. Click Create App Integration.

      4. In the Create a new app integration window:

        1. Sign-in method: Select the SAML 2.0 option.
        2. Click Next.

        The Create SAML Integration window appears.

      5. In the Create SAML Integration window:
        1. Under the General Settings section:

          1. App name: Enter a name for the ZIdentity integration.
          2. Click Next.

        2. Under the Configure SAML section:

          1. Enter the SP Entity ID value copied from ZIdentity Admin Portal in the previous step for both Single sign-on URL and Audience URI (SP Entity ID) fields.
          2. Attribute Statements: Enter a SAML attribute and an appropriate filter. This is used to pass any user attributes. For example, enter Email for the Name field and enter the appropriate variable name (e.g., user.email) from the Okta profile.
          3. Group Attribute Statements: Enter a group name and an appropriate filter. This is used to pass group information. For example, enter Groups for the Name field and set Filter to Matches regex for .* to retrieve group membership information of users.
          4. Click Next.

        3. Under the Feedback section:

          1. Select the This is an internal app that we have created option.
          2. Click Finish.

          The SAML application page appears.

      6. On the SAML application page, copy the Metadata URL from the Metadata details section.

      7. Go to the ZIdentity Admin Portal, where the Add Primary Identity Provider (or Add Secondary Identity Provider) window is still open.
      8. Under the SAML Configuration section:

        1. Enter the Metadata URL copied from the Okta Admin Console in the previous step for the IdP Metadata URL field.
        2. Click Fetch.
        3. Click Save.

        The SAML integration between Okta and ZIdentity is completed.

    • You can provision Okta users for ZIdentity using Just-in-time (JIT) provisioning or System for Cross-domain Identity Management (SCIM) provisioning.

      Configuring JIT Provisioning

        1. In the ZIdentity Admin Portal, go to Integration > External Identities.
        2. Locate the IdP entry created for Okta under the Primary Identity Provider (or Secondary Identity Providers) tab and click the Edit icon.
        3. In the Edit Primary IdP (or Edit Secondary IdP) window:

          1. Go to the Provisioning tab.
          2. Select Enable Just-in-time (JIT) Provisioning.
          3. Map the ZIdentity user and group attributes with the appropriate Okta attributes as necessary. The mapping of the Primary Email attribute is mandatory as it is required for functionalities, such as password resetting and multi-factor authentication. By default, the following attributes in SAML assertions are mapped with the corresponding user attributes in ZIdentity.

            Attribute in SAML Assertions    Default ZIdentity User Attribute
            firstName                       First Name
            lastName                        Last Name
            displayName                     Display Name
            • If the external IdP is configured to send different attributes for First Name, Last Name, or Display Name, then you must map those attributes. For example, if the SAML assertion from the external IdP includes Surname instead of lastName, then you must map it with the Last Name user attribute in ZIdentity.
            • While mapping attributes, ensure that the attributes you enter in the Just-in-time Attribute field match exactly with the attributes that would be received in the SAML assertions.

          4. Click Update.

        4. In the Okta Admin Console, go to Applications > Applications.
        5. Open the SAML application created for ZIdentity and go to the Assignments tab.
        6. Add users and groups to the application using the Assign drop-down menu.

          The JIT provisioning with Okta users is configured for ZIdentity.
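Added example, not Zscaler's or Okta's code, that dry-runs the JIT rules stated above and in the two OIDC provisioning sections against the attribute set an IdP would send: the Login ID attribute must match exactly, the Primary Email mapping is mandatory, the email domain rule applies only when email is the Login ID source, and an IdP that sends Surname instead of lastName needs an explicit mapping. The claim sets, the corp.example domain and the ZIdentity-Admins group are constructed; "Groups" is the attribute name the guide uses.

```python
# Default mappings listed in the guide (IdP attribute -> ZIdentity user attribute).
OIDC_DEFAULT_MAP = {"given_name": "First Name", "family_name": "Last Name", "name": "Display Name"}
SAML_DEFAULT_MAP = {"firstName": "First Name", "lastName": "Last Name", "displayName": "Display Name"}


def jit_dry_run(attrs: dict, login_id_attr: str, email_attr: str, attr_map: dict,
                allowed_domains: set, group_attr: str = None) -> tuple:
    """Apply the guide's JIT rules to attrs (ID-token claims or SAML attributes).
    Returns (user_record, problems); an empty problems list means the login would map."""
    problems = []
    user = {}
    # The Login ID attribute must match a received attribute exactly (case matters).
    if login_id_attr in attrs:
        user["Login ID"] = attrs[login_id_attr]
    else:
        near = [a for a in attrs if a.lower() == login_id_attr.lower()]
        hint = f" (received {near[0]!r} instead)" if near else ""
        problems.append(f"Login ID attribute {login_id_attr!r} not in payload{hint}")
    # Primary Email is mandatory: password reset and MFA depend on it.
    email = attrs.get(email_attr)
    if not email or "@" not in email:
        problems.append(f"Primary Email source {email_attr!r} missing or not an address")
    else:
        user["Primary Email"] = email
        domain = email.rsplit("@", 1)[1].lower()
        # The domain must be one added to ZIdentity only when email is also the Login ID.
        if login_id_attr == email_attr and domain not in allowed_domains:
            problems.append(f"email domain {domain!r} not added to ZIdentity")
    for src, dst in attr_map.items():
        if src in attrs:
            user[dst] = attrs[src]
        else:
            problems.append(f"{dst}: attribute {src!r} not in payload; map the attribute actually sent")
    if group_attr:
        groups = attrs.get(group_attr)
        if groups is None:
            problems.append(f"group attribute {group_attr!r} not in payload")
        else:
            user["Groups"] = list(groups) if isinstance(groups, (list, tuple)) else [groups]
    return user, problems


def demo_oidc():
    """Constructed claims as the custom Okta OIDC app would place them in an ID token."""
    claims = {"sub": "00u1", "preferred_username": "jdoe@corp.example",
              "email": "jdoe@corp.example", "given_name": "Jane", "family_name": "Doe",
              "name": "Jane Doe", "Groups": ["ZIdentity-Admins"]}
    return jit_dry_run(claims, "preferred_username", "email", OIDC_DEFAULT_MAP,
                       {"corp.example"}, group_attr="Groups")


def demo_saml_surname():
    """Constructed SAML attributes where the IdP sends Surname instead of lastName,
    the mismatch the guide uses as its example; the default map does not cover it."""
    attrs = {"NameID": "jdoe@corp.example", "Email": "jdoe@corp.example",
             "firstName": "Jane", "Surname": "Doe", "displayName": "Jane Doe",
             "Groups": ["ZIdentity-Admins"]}
    return jit_dry_run(attrs, "NameID", "Email", SAML_DEFAULT_MAP, {"corp.example"}, "Groups")
```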


      Configuring SCIM Provisioning

        1. In the ZIdentity Admin Portal, go to Integration > External Identities.
        2. Locate the IdP entry created for Okta under the Primary Identity Provider (or Secondary Identity Providers) tab and click the Edit icon.
        3. In the Edit Primary IdP (or Edit Secondary IdP) window:

          1. Go to the Provisioning tab.
          2. Select Enable SCIM Provisioning.
          3. Copy the SCIM Endpoint URL. This value is used in a subsequent step.

            The SCIM Endpoint URL field appears only if the configurations for the IdP in the Basic tab are completed and saved.

          4. Click Generate Token and copy the Bearer Token.
          5. (Optional) Map the SCIM attributes (e.g., addresses) with the corresponding ZIdentity user attribute. This mapping is required only for attributes that need to be mapped to a custom user attribute in ZIdentity. To learn more about the SCIM attributes that require custom attribute mapping, see Understanding SCIM.

        4. In the Okta Admin Console, go to Applications > Applications.
        5. Open the SAML application created for ZIdentity and do the following:
          1. On the General tab:

            1. Click Edit next to App Settings.
            2. Select Enable SCIM provisioning.
            3. Click Save.


          2. On the Provisioning tab:
            1. Click Edit for SCIM Connection.
            2. SCIM Connector Base URL: Enter the SCIM Endpoint URL copied from the ZIdentity Admin Portal.
            3. Unique identifier field for users: Enter userName as the value.
            4. Supported provisioning actions: Select the Push New Users and Push Groups options.
            5. Authentication mode: Select HTTP Header from the drop-down menu.
            6. Authorization: Enter the bearer token copied from the ZIdentity Admin Portal.

            7. Click Test Connector Configuration and make sure that Create users and Push Groups options are shown with green checkmarks.

            8. Close the Test Connector Configuration window.
            9. Click Save and ensure that the Create users option is enabled under the Provisioning tab.

          3. On the Assignments tab, click the Assign drop-down menu, and select an option to assign users or groups.
          4. To sync users between an Okta group and a ZIdentity group, go to the Push Groups tab, and select an option to push groups by name or rule:

              1. Select the Find groups by name option from the Push Groups drop-down menu.

                By default, the Push group memberships immediately option is selected to push groups immediately to ZIdentity. However, you can disable it if you do not want to push groups immediately.

              2. Enter the name of the group that you want to push and select the group from the drop-down menu.

              3. Click Save or click Save & Add Another if you want to push multiple groups.
              4. Click Close.
              5. On the Push Groups tab, click By name on the left-side navigation and verify that all of your groups have been added.

              1. Select the Find groups by rule option from the Push Groups drop-down menu.

              2. In the Push groups by rule window:
                1. Rule name: Enter a name for the rule.
                2. Group name: Select a match condition from the drop-down menu and enter a string that should be used to find a group with the name matching the condition. For example, you can select Contains as the match condition and enter Admins as the string to match all groups that have the string "Admin" and push them to ZIdentity.
                3. Group description: Select a match condition from the drop-down menu and enter a string that should be used to find a group with the description matching the condition. For example, you can select Contains as the match condition and enter For Admins as the string to match all groups that have the string "For Admins" in the description and push them to ZIdentity.

                  By default, the Immediately push groups found by this rule option is selected to push groups immediately to ZIdentity. However, you can disable it if you do not want to push groups immediately.

                4. Click Create Rule.
                5. On the Push Groups tab, select the rule name created in the previous step under the By rule option on the left-side navigation, and verify that all of your groups have been added.


            To learn more about group push, refer to the Okta technical documentation.

        The SCIM provisioning with Okta users is configured for ZIdentity.


    IdP-Initiated SSO for ZIdentity Tenants Enabled with Experience Center

    In Experience Center-enabled tenants, the user is redirected to Experience Center by default during the IdP-initiated SSO flow. To change this and ensure that the user is redirected to ZIdentity, you must configure the zidServiceId attribute in Okta.

      1. Log in to the Okta Admin Console.
      2. Go to Applications > Applications.
      3. Locate the application created for ZIdentity and open it.
      4. Go to the General tab, locate the SAML Settings, and click Edit.

      5. In the Edit SAML Integration wizard, click Next in the General Settings tab.
      6. In the Configure SAML tab, locate the Attribute Statements (optional) section.
      7. Enter zidServiceId in the Name field.
      8. Enter 800000000103 in the Value field. This value is the same for all tenants.

      9. Click Next.
      10. In the Feedback tab, click Finish.
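Added example, not Zscaler's or Okta's code, that parses a constructed, unsigned SAML assertion and checks the attribute statements this guide configures in Okta: NameID as the Login ID attribute, the Email and Groups attribute statements (Groups is multi-valued), the Audience matching the SP Entity ID, and zidServiceId set to 800000000103 for Experience Center tenants. The SP Entity ID value and the user data are placeholders; signature and validity-window checks are outside what this code does.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
ZID_SERVICE_ID = "800000000103"   # value from the guide; the same for all tenants

# Constructed, unsigned assertion carrying the attribute statements from this guide.
# The Audience is a placeholder SP Entity ID.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0">
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@corp.example</saml2:NameID>
  </saml2:Subject>
  <saml2:Conditions>
    <saml2:AudienceRestriction>
      <saml2:Audience>https://customername.zslogin.net/sp/EXAMPLE-SP-ENTITY-ID</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="Email"><saml2:AttributeValue>jdoe@corp.example</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="firstName"><saml2:AttributeValue>Jane</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="lastName"><saml2:AttributeValue>Doe</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="Groups">
      <saml2:AttributeValue>ZIdentity-Admins</saml2:AttributeValue>
      <saml2:AttributeValue>Everyone</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="zidServiceId"><saml2:AttributeValue>800000000103</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def parse_assertion(xml_text: str) -> dict:
    """Extract NameID, audiences and the attribute statement (every attribute as a list)."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml2:Subject/saml2:NameID", namespaces=NS)
    audiences = [a.text for a in root.findall(".//saml2:Audience", NS)]
    attrs = {}
    for attr in root.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml2:AttributeValue", NS)]
    return {"NameID": name_id, "audiences": audiences, "attributes": attrs}


def check_assertion(parsed: dict, sp_entity_id: str, experience_center: bool = False) -> list:
    """Return problems against the attribute configuration this guide prescribes."""
    problems = []
    if not parsed["NameID"]:
        problems.append("no NameID; the Login ID attribute would be empty")
    # The guide sets the Audience URI to the SP Entity ID copied from ZIdentity.
    if sp_entity_id not in parsed["audiences"]:
        problems.append("Audience does not match SP Entity ID")
    attrs = parsed["attributes"]
    for name in ("Email", "Groups"):
        if name not in attrs:
            problems.append(f"{name} attribute statement missing")
    if experience_center and attrs.get("zidServiceId") != [ZID_SERVICE_ID]:
        problems.append(f"zidServiceId must be {ZID_SERVICE_ID} to redirect to ZIdentity")
    return problems
```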
