SAML Auto-Provisioning vs SCIM Auto-Provisioning

Hi All,

Just a quick question, what the difference between SAML Auto-Provisioning vs SCIM Auto-Provisioning for IdP like for example Microsoft AD or Microsoft Azure?

Thank you.

Matthews Loke

Hi Matthews,

SAML auto provisioning creates and gathers user update based on authentication event. For example, you have to have authentication for a specific user to happen before you can see that user in the admin portal the first time. Also, you need at least one user from a specific AD group to authenticate before you can see the AD group first time in the portal. And in future if that user move to or acquire other new AD group, Zscaler will only be “informed” through the information included in the “next” SAML auth event.

However, SCIM decouples user info creation and update from auth event. Which means you will be able to see user group even no user has ever authenticated with Zscaler, and you will be able to see user’s new group even there is no re-auth happened. SCIM is API based way to update info to Zscaler admin portal.

Best Regards,

Jones Leung


User deprovisioning is manual in SAML.
User deprovisioning is automatic user removes from the portal whenever the next sync happens after the user entry deleted from AD repository.

Hi Jones,

Thanks for the great explanation, really helps me out when I am doing IdP deployment for customers.

Best Regards,
Matthews Loke

U r welcome Matthews!

We use OneLogin SCIM provisioning. It uses the Groups attribute to create groups and add users to groups. In OL, these can be filtered by rules to limit the groups sent. MemberOf isn’t used as far as I can tell.

SAML provisioning uses the MemberOf attribute, and can’t be filtered.