Secure Private Access (ZPA)
About SCIM
System for Cross-domain Identity Management (SCIM) is a standard protocol for automating the exchange of identity information. Enabling SCIM allows ZPA to quickly remove users from ZPA when a user is disabled or deleted in your user directory and to enforce policies based on SCIM attributes and SCIM groups. To learn more, see Deleting Users in SCIM.
SCIM provides the following benefits and enables you to:
- Automatically modify a user's access when their attributes, group membership, or status changes.
- Enforce policies based on SCIM user attributes and SCIM groups.
- Improve the admin experience by populating SCIM user attributes and SCIM groups when configuring policies.
Setting up SCIM requires configuration in the ZPA Admin Portal and the use of an identity provider (IdP) partnered with Zscaler for SCIM:
- SCIM Configuration Guide for Microsoft Azure AD
- SCIM Configuration Guide for Okta
- PingFederate integration with ZPA
ZPA works with any IdP that supports the SCIM standard (e.g., SailPoint).
Users might see a connection error in Zscaler Client Connector after you enable SCIM sync with Okta. Okta does not push users who were already assigned to the ZPA application before SCIM provisioning was enabled, so those users are absent from the ZPA SCIM user database when SCIM is enabled in ZPA. Zscaler recommends the following to resolve the connection error in Zscaler Client Connector:
- Enable PROVISION_OUT_OF_SYNC_USERS in Okta.
- Unassign and reassign all users and groups from Zscaler Private Access in Okta, and then wait for the sync to occur.
Most of the time, the IdP you set up for SAML authentication will be the same one you use for SCIM identity management.
Zscaler supports only SCIM version 2.0.
You can also use custom SCIM clients to make REST API calls to Zscaler. To learn more, see About SCIM APIs and SCIM API Examples.
About the SCIM Attributes Page
The SCIM Attributes page is a read-only table, and ZPA does not support custom attributes. You must enable SCIM for any information to appear on this page. To learn more, see Enabling SCIM for Identity Management.
On the SCIM Attributes page (Authentication > User Authentication > SCIM Management > SCIM Attributes), you can do the following:
- View a list of applied filters available from the current and previous user sessions. Applied filters must be saved to the user session first before they can be viewed. Use the drop-down menu to select the applied filters to view. To learn more, see Using Tables.
- Hide the filters on the page by clicking Hide Filters. Click Show Filters to display the filters.
- Refresh the SCIM Attributes page to reflect the most current information.
- Enter a SCIM attribute associated with the IdP, and click Apply to filter the table.
- Select a SCIM-enabled IdP to generate a list of attributes in the table.
- View a list of SCIM attributes. For each attribute, you can see:
- SCIM Attribute Name: The display name of the attribute (e.g., First Name).
- SCIM Attribute: The attribute's path in the SCIM schema (e.g., name.givenName), as sent by the IdP.
- Required Attribute: The attributes that must sync between an IdP and Zscaler. Currently, only the username is required. The SCIM userName value must match the NameID in the SAML assertion for the same user, otherwise the SAML login and the SCIM record are not tied to the same identity.
- Unique Attribute: The attribute whose value identifies exactly one user or group. For example, two users cannot share the same username. Currently, the username is the only unique attribute.
- Copy the SCIM attribute to your clipboard.
- Modify the columns displayed in the table.
- Display more rows or a different page of the table.
- Open the Zscaler Help Browser and view Help Portal articles without leaving the ZPA Admin Portal.
- Go to the SCIM Users page to view the users provisioned for the IdP using SCIM.
- Go to the SCIM Groups page to view the groups provisioned for the IdP using SCIM.
- Go to the SCIM Sync Logs page to view the logs associated with the IdP using SCIM.

Supported SCIM Attributes
The following table includes the supported SCIM attributes and their values:
SCIM Attribute Name | SCIM Attribute | Description |
---|---|---|
Active | active | When "active=false", Zscaler deletes this user. When "active=true", Zscaler enables this user. |
Cost Center | costCenter | The cost center that the user belongs to |
Department | department | The department that the user belongs to |
Display Name | displayName | The display name of the user |
Division | division | The division that the user belongs to |
Email | emails.value | The email address of the user |
First Name | name.givenName | The first name of the user |
Formatted Name | name.formatted | The formatted name of the user |
Last Name | name.familyName | The last name of the user |
ID | id | Unique ID generated by Zscaler (e.g., 1a1234567-1b23-1200-1234-123c) |
Organization | organization | The organization of the user |
Title | title | The title of the user |
Username | userName | The user ID used for authentication. The expected format is user@domain.com (e.g., user1@safemarch.com). |
UserType | userType | Indicates the type of user |
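The constraints described on this page (userName is required and unique, is expected in user@domain.com form and must match the SAML NameID; active=false is treated as a delete; the attribute paths in the table) can be checked before a custom SCIM client, as mentioned earlier, sends anything to Zscaler. The following Python is an added example and is not Zscaler code or part of the ZPA SCIM API documentation. It uses only the SCIM 2.0 core and enterprise-extension schema URNs from RFC 7643 and the PatchOp message from RFC 7644, builds the JSON offline from a constructed directory record, and calls no endpoint. The record field names, the `saml_name_id` parameter and the `seen_usernames` set are assumptions for illustration; whether ZPA normalizes case when matching userName to NameID is not stated on this page, so the check below requires an exact match.

```python
"""Build and pre-validate SCIM 2.0 User payloads for ZPA (added example, not Zscaler code)."""
import re
from typing import Any

# Standard URNs from RFC 7643 (schemas) and RFC 7644 (PatchOp message).
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ENTERPRISE_SCHEMA = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# The page gives user@domain.com as the expected userName format.
_USERNAME_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def build_scim_user(record: dict[str, Any]) -> dict[str, Any]:
    """Map a directory record (field names are an assumption) onto the attributes ZPA lists.

    userName, name.*, displayName, emails, title, userType and active live in the core
    User schema; department, division, costCenter and organization are carried in the
    standard enterprise extension. Only userName is required by ZPA.
    """
    given = record.get("givenName") or ""
    family = record.get("familyName") or ""
    user: dict[str, Any] = {
        "schemas": [SCIM_USER_SCHEMA, SCIM_ENTERPRISE_SCHEMA],
        "userName": record["userName"],
        "active": record.get("active", True),
        "name": {
            "givenName": given or None,
            "familyName": family or None,
            "formatted": f"{given} {family}".strip() or None,
        },
        "displayName": record.get("displayName"),
        "emails": [{"value": record["email"], "primary": True}] if record.get("email") else [],
        "title": record.get("title"),
        "userType": record.get("userType"),
        SCIM_ENTERPRISE_SCHEMA: {
            key: record[key]
            for key in ("department", "division", "costCenter", "organization")
            if record.get(key)
        },
    }
    # Drop empty values so the payload only carries attributes the directory actually has.
    user["name"] = {k: v for k, v in user["name"].items() if v}
    return {k: v for k, v in user.items() if v not in (None, [], {})}


def validate_for_zpa(user: dict[str, Any], saml_name_id: str, seen_usernames: set[str]) -> list[str]:
    """Return the problems that would break ZPA's required/unique/NameID rules (empty if clean)."""
    problems: list[str] = []
    uname = user.get("userName")
    if not uname:
        problems.append("userName is required (the only required attribute)")
        return problems
    if not _USERNAME_RE.match(uname):
        problems.append(f"userName {uname!r} is not in user@domain.com form")
    # The page says userName must match the SAML NameID; case handling is not stated,
    # so be strict and flag anything that is not an exact match.
    if uname != saml_name_id:
        problems.append(f"userName {uname!r} does not match SAML NameID {saml_name_id!r}")
    # userName is caseExact=false in RFC 7643, so uniqueness is checked case-insensitively.
    if uname.lower() in {u.lower() for u in seen_usernames}:
        problems.append(f"userName {uname!r} is not unique")
    return problems


def deactivate_patch() -> dict[str, Any]:
    """RFC 7644 PatchOp setting active=false; per this page, ZPA deletes the user on active=false."""
    return {
        "schemas": [SCIM_PATCH_SCHEMA],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }


if __name__ == "__main__":
    # Constructed sample record; the domain matches the page's own example.
    sample = {
        "userName": "user1@safemarch.com",
        "givenName": "Ada",
        "familyName": "Lovelace",
        "email": "user1@safemarch.com",
        "department": "Engineering",
    }
    payload = build_scim_user(sample)
    print(payload)
    print(validate_for_zpa(payload, "user1@safemarch.com", set()))
    print(validate_for_zpa(payload, "User1@safemarch.com", {"USER1@safemarch.com"}))
    print(deactivate_patch())
```

Running the module prints the built User resource, an empty problem list for a clean record, the mismatch and uniqueness findings for a record whose NameID differs in case and whose username already exists, and the PatchOp a client would send to deactivate (and, per this page, thereby delete) the user.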