Provisioning ZScaler ZPA with SCIM using PingOne
You can use a SCIM connection in PingOne to provision users and groups to your ZScaler Private Access (ZPA) account.
ZScaler ZPA is a zero trust network access (ZTNA) solution that enables secure, seamless, and identity-based access to internal applications without placing users on the network.
Before you begin
Make sure that you have:
- A ZScaler ZPA administrator account. Learn more on the ZScaler website or contact ZScaler sales.
- Users created and assigned to a group specifically for ZScaler ZPA provisioning in PingOne. Learn more in Adding a user and Managing groups.
Steps
- In the PingOne admin console, create a SCIM provisioning connection to ZScaler ZPA.
  Configure the SCIM connection with the following values specific to your ZScaler ZPA account:
  - Name: Enter a name for your connection, such as ZScaler ZPA SCIM Provisioning.
  - (Optional) Description: Enter a description for your ZScaler ZPA provisioning connection.
  - SCIM Base URL: Enter the full URL of your ZScaler ZPA SCIM endpoint, such as https://zscaler-zpa-example.com/v2/.
  - Authentication Method: Select OAuth 2 Bearer Token.
  - OAuth Access Token: Enter the SCIM API token provided by ZScaler ZPA.
  - In the Actions section, ensure the following options remain selected:
    - Allow Users to be Created
    - Allow Users to be Updated
    - Allow Users to be Disabled
    - Allow Users to be Deprovisioned
- Create an outbound rule and select the ZScaler ZPA connection as the target.
- Configure attribute mapping for outbound provisioning and map PingOne user attributes to the corresponding attributes expected by ZScaler ZPA.
  The Username attribute used for ZScaler ZPA sign-on must be in email address format.
- Add a user filter to specify which identities should be provisioned. Filters are based on attributes such as population, group membership, or other user details. Learn more in Example user filters.
- Configure outbound group provisioning and add the groups you created in PingOne for ZScaler ZPA.
- Confirm users and groups are successfully provisioned to ZScaler ZPA. View the sync status to review synchronization results and any errors. You can find examples in Outbound provisioning sync summary examples.
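
As an added illustration of the attribute mapping step (not part of the PingOne or ZScaler documentation), this Python sketch maps constructed user records to SCIM 2.0 core User resources (RFC 7643) and rejects any record whose username is not in email address format before it reaches the sync. The source field names, the sample users, and the simple email pattern are assumptions; the attributes your ZScaler ZPA account expects are the ones you set in the attribute mapping.

```python
import re

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643
# Deliberately simple shape check: one "@", a dotted domain, no whitespace.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def to_scim_user(src):
    """Map one source user record to a SCIM 2.0 core User resource."""
    username = (src.get("username") or "").strip()
    if not EMAIL_RE.match(username):
        raise ValueError(f"username {username!r} is not in email address format")
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": username,
        "name": {"givenName": src.get("given", ""),
                 "familyName": src.get("family", "")},
        # Fall back to the username when no separate email is stored.
        "emails": [{"value": src.get("email") or username, "primary": True}],
        # A disabled source user is sent as inactive, not dropped.
        "active": bool(src.get("enabled", True)),
    }


def preflight(users):
    """Return (SCIM payloads ready to sync, [(username, reason)] rejects)."""
    ready, rejected = [], []
    for u in users:
        try:
            ready.append(to_scim_user(u))
        except ValueError as exc:
            rejected.append((u.get("username"), str(exc)))
    return ready, rejected


# Constructed sample records; field names are assumptions for this sketch.
SAMPLE_USERS = [
    {"username": "ana.silva@example.com", "given": "Ana", "family": "Silva",
     "email": "ana.silva@example.com", "enabled": True},
    {"username": "jdoe", "given": "John", "family": "Doe",
     "email": "jdoe@example.com", "enabled": True},
    {"username": "li.wei@example.com", "given": "Li", "family": "Wei",
     "email": None, "enabled": False},
]

if __name__ == "__main__":
    ready, rejected = preflight(SAMPLE_USERS)
    for user in ready:
        print("ok  ", user["userName"], "active =", user["active"])
    for name, reason in rejected:
        print("skip", name, "-", reason)
```

Records reported as skipped are the ones to correct in the attribute mapping or at the source before you review the sync status.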