SAML authentication group sync


we have an issues in our environment when it comes to authentication.

Our current authentication method is SAML and we are facing issues when user’s Active Directory groups will change.

For example User-A is in AD group “Group-A”. Everything works fine, we see the AD group in the Zscaler Admin Portal’s users and groups menu and User-A is assiged to this group. Policies and the app profiles are also correctly assigned.

If we now deside to move User-A in AD group “TEST” it will not happen in the Zscaler Admin Portal. User-A is still assigned to Group-A and of course still to the same policies/app profile in Zscaler Admin Portal.
Only after doing a logout and login at the Zscaler Client Connector the group membership will be synced.

For a single user we can provide the 1-time-password to logout/login but we are planning to move 4000 users into another AD group and want to assign a new app profile to exact this AD group.

So what’s the correct way to do it or do we need to rethink the SAML authentication method? I read something about SCIM.
What are other Zscaler customers doing when using SAML and changing AD group memberships, because this is a typical process.


Hi Jonas,

to make things work as you expect IMHO you have to use SAML for authenication and SCIM for provisioning users and groups. See also About SCIM | Zscaler.

If you only want to use SAML you would have to do some extra work via role-assignments.