How to avoid ZPA "Connection Error" when enabling SCIM sync with Okta

If you’re using Okta as your IdP for ZPA, here’s a quick heads-up on a corner case that may result in users getting “Connection Error” on ZPA in the Zscaler Client Connector when you enable SCIM sync.

Problem

If you have Okta as your SAML IdP in your ZPA tenant and you then configure and enable SCIM sync, some, but not all, users may see "Connection Error" under the Private Access service status in the Zscaler Client Connector.

Root Cause

Okta does not push users who were already assigned to the Zscaler Private Access app in Okta before SCIM provisioning was turned on. When SCIM is enabled in ZPA, those pre-existing assignments are therefore never written to the ZPA SCIM user database; only assignments made after provisioning was enabled are. When such a user authenticates, ZPA has no SCIM record matching the username the IdP sends, and the Client Connector shows "Connection Error" under service status for Private Access, so the user loses ZPA access until the username is synced. Users that were assigned only after SCIM was enabled are unaffected, which is why the problem hits some users and not others.

Resolution

Okta has a feature flag called PROVISION_OUT_OF_SYNC_USERS, in preview as of this writing (early March 2021). If it is available on your Okta org, enable it before turning on SCIM in ZPA, so that Okta also provisions users whose assignments pre-date SCIM and this problem never occurs.

Otherwise, the fix is to unassign all users and groups from the Zscaler Private Access app in Okta, reassign the same users and groups, and wait for the push to complete. Reassignment triggers provisioning for every assignment, so all users and groups end up in the ZPA SCIM database. Note that unassigning removes those users' access to the app until they are reassigned, so do this in a maintenance window, and afterwards confirm in ZPA that the expected users and groups actually appear in the SCIM user list before declaring the issue resolved.
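To find out which users are affected before you start unassigning, compare the app's user assignments in Okta with what ZPA's SCIM database actually holds. The script below is an added example written for this post, not Zscaler's or Okta's own code. It reads the JSON that Okta's `GET /api/v1/apps/{appId}/users` endpoint returns (the `credentials.userName`, `syncState`, `scope` and `status` fields of Okta's Application User object) and a plain list of usernames from the ZPA SCIM user database; how you export that ZPA list from your tenant is an assumption, the sample data is constructed, and the live `fetch_okta_app_users` helper is not exercised offline. It reports users assigned in Okta but missing from ZPA (the ones who will see "Connection Error"), users Okta itself flags as OUT_OF_SYNC, and case-only mismatches.

```python
"""Diagnose Okta app users that were never pushed to ZPA's SCIM database.

Added example (not from the original post). Inputs assumed:
  * okta_app_users: JSON array from GET /api/v1/apps/{appId}/users (Okta
    Application User objects).
  * zpa_scim_usernames: usernames in ZPA's SCIM user DB, exported however
    your tenant allows (assumption: a plain list of strings).
"""
import json
import urllib.request

# Constructed sample of Okta's app-user listing; the shape follows Okta's
# Application User object, the values are made up for this example.
SAMPLE_OKTA_APP_USERS = json.loads("""
[
  {"id": "0ua1", "scope": "USER",  "status": "PROVISIONED",
   "syncState": "SYNCED",      "credentials": {"userName": "alice@example.com"}},
  {"id": "0ua2", "scope": "GROUP", "status": "PROVISIONED",
   "syncState": "OUT_OF_SYNC", "credentials": {"userName": "bob@example.com"}},
  {"id": "0ua3", "scope": "USER",  "status": "PROVISIONED",
   "syncState": "SYNCED",      "credentials": {"userName": "Carol@Example.com"}},
  {"id": "0ua4", "scope": "GROUP", "status": "DEPROVISIONED",
   "syncState": "DISABLED",    "credentials": {"userName": "dave@example.com"}}
]
""")

# Constructed: what the ZPA SCIM user database holds after SCIM was enabled.
# bob was assigned before SCIM was turned on, so Okta never pushed him.
SAMPLE_ZPA_SCIM_USERNAMES = ["alice@example.com", "carol@example.com"]


def _norm(name):
    return name.strip().lower()


def find_unsynced(okta_app_users, zpa_scim_usernames):
    """Return which Okta-assigned users ZPA's SCIM database does not know.

    missing:       (userName, scope) pairs assigned in Okta but absent from
                   ZPA; scope tells you whether to reassign the user or the
                   group that carries the assignment.
    out_of_sync:   usernames Okta itself reports as syncState OUT_OF_SYNC.
    case_mismatch: usernames present in ZPA only with different letter case.
    """
    zpa_exact = {n.strip() for n in zpa_scim_usernames}
    zpa_norm = {_norm(n) for n in zpa_scim_usernames}
    report = {"missing": [], "out_of_sync": [], "case_mismatch": []}
    for au in okta_app_users:
        if au.get("status") == "DEPROVISIONED":
            continue  # Okta already removed this user from the app
        name = (au.get("credentials") or {}).get("userName")
        if not name:
            continue  # no app username, nothing for ZPA to match on
        if au.get("syncState") == "OUT_OF_SYNC":
            report["out_of_sync"].append(name)
        if _norm(name) not in zpa_norm:
            report["missing"].append((name, au.get("scope", "USER")))
        elif name.strip() not in zpa_exact:
            report["case_mismatch"].append(name)
    return report


def fetch_okta_app_users(okta_org_url, app_id, api_token):
    """Page through GET /api/v1/apps/{appId}/users with an SSWS API token.

    Live call, not run in the offline sample. Follows the rel="next" Link
    header Okta uses for pagination.
    """
    url = f"{okta_org_url.rstrip('/')}/api/v1/apps/{app_id}/users"
    users = []
    while url:
        req = urllib.request.Request(url, headers={
            "Authorization": f"SSWS {api_token}",
            "Accept": "application/json",
        })
        with urllib.request.urlopen(req) as resp:
            users.extend(json.load(resp))
            url = None
            for link in resp.headers.get_all("Link") or []:
                target, _, rel = link.partition(";")
                if 'rel="next"' in rel:
                    url = target.strip().strip("<>")
    return users


if __name__ == "__main__":
    result = find_unsynced(SAMPLE_OKTA_APP_USERS, SAMPLE_ZPA_SCIM_USERNAMES)
    for name, scope in result["missing"]:
        print(f"MISSING in ZPA SCIM DB: {name} (assigned via {scope})")
    for name in result["out_of_sync"]:
        print(f"Okta reports OUT_OF_SYNC: {name}")
    for name in result["case_mismatch"]:
        print(f"Case differs between Okta and ZPA: {name}")
```

Run it against the real Okta listing (`fetch_okta_app_users`) and your ZPA SCIM export: the `missing` list is exactly the set you need to unassign and reassign (by user or by group, per the `scope` column), and an empty `missing` list after the reassignment is the confirmation that the push completed.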

Thanks to @dhume and @mjasyal for collaboration on this post!
