Changes in SAML Attribute required all users to log out from client connector and Log back in

Hi All,
we have recently integrated Zscaler in our organization and I am managing it.
when ever there is a change in SAML attribute from Google IDP I am manually asking all users to logout and loging to client so that SAML will be updated. but this is a huge task and not a practical way to go ahead
is there any way that end-users SAML will automatically get updated and use the right policy
or if anything I can do manually from the admin portal that will update everyone’s SAML

if not then anyway I can log out specific users so that they have to reloggin by once by default, that will also force them to log in instead of escalating that it’s not working.

Please help

Zscaler supports SCIM for attributes being updated. Through SCIM, you can update groups for users and the SCIM sync takes care of pushing those to Zscaler. SCIM is the better method for doing this.

<REMOVED - LINK to IDP INIT - this was a ZIA link, not applicable to ZPA>

Thanks for replying
we tried to enable SCIM but it was not working for us
we did took help from Zscaler team as well and they only suggested us to use SAML and disable SCIM as its not working for us
some issue with Google IDP I believe
they said it works perfectly with Azure AD

You can force remove that user’s device, which will require them to re-enroll… Alternately, you can review this topic for instructions on setting up a dummy app segment / URL which will trigger a reauth when they visit it. In the latter case, you would instruct the user to open a web browser and browse to something like and they would be prompted to reauthenticate due to the short timeout policy for that app segment.


I tested that for my account and it worked just as I wanted.
Thank you soo much…

Great, glad to hear that! :slight_smile: