A question about Assign user & group to Zscaler

We had configured SCIM provisioning in Azure.
https://help.zscaler.com/zia/saml-scim-configuration-example-microsoft-azure-active-directory#configuring-saml-sso-azure
But after we complete the configuration, we still cannot see the user or group we assigned in zscaler.
Does Zscaler need time to update the information?

Is there any updated information for this issue?

Is there any updated information for this issue?

Hi @111, welcome to the Zscaler community.

The SCIM should push within 15 mins, then every 15 mins thereafter the deltas should follow. You can verify the logging in the Azure AD Audit Logs. here’s an example of how to locate the Audit logs. Do you see anything there?

You can also check the last status under the provisioning tab:

Hope this helps you move forward.

Cheers,
Scott-

We have our production cloud configured with SAML auto-provisioning via on-prem ADFS, which is working fine and bringing in groups using custom claim rules.

We have our beta cloud configured with SAML auto-provisioning via Azure AD and switched to SCIM auto-provisioning, which tests out successful. However, we are trying to bring in groups as the documentation doesn’t appear to make sense. Below it says not to follow the steps if SCIM is enabled and SAML is disabled for auto-provisioning (which is recommended).

https://help.zscaler.com/zia/saml-scim-configuration-guide-azure-active-directory

Using Roles for Group Mapping

If you are using SCIM for provisioning and have SAML auto-provisioning disabled, the following steps do not apply. If you have enabled SAML auto-provisioning, you need to take additional steps for group mapping. To configure this in Azure, you must customize the role claim type in the SAML response token to push groups to Zscaler. If you decide to use SAML and SCIM for provisioning, ensure that the role name and group name are identical.

How do we get all the users and specific groups into Azure AD and Zscaler User Management?

Hi @Raj909,
Azure AD SAML Group Mapping has historically been very difficult, there was no native way to send groups as an assertion and much had to be done with Graph to map roles, to groups, to users; it was very convoluted, that is where the above caveat comes from.

Azure recently added support for Groups in the SAML assertion, however, you still need to take care and be sure that SCIM and SAML will use the exact same group name to ensure users are not mapped to multiple groups on the Zscaler side. This should be simpler now, but take care to double check.

Hope that helps clear things up.

Cheers,
@skottieb

When we have the provisioning scope set to “Sync only assigned users and groups” it brings in the users manually defined in Users and groups. However, we are looking to bring in all users within the domain or specific AD group.

When I change the provisioning scope to "Sync all users and groups, it brings in al the users and groups within the domain. We definitely need to filter this out.

Do you have any recommendations for the attribute mappings to bring in specific AD groups? ie: Domain Users and Security Group wildcards?