SCIM - Active Directory

SAML auto-provisions users, and their group membership/department/attributes to ZIA and ZPA. However, it requires either a re-authentication event or an IDP-Initiated SAML event to update these attributes.
User Deletion, or Update, without a user interaction can be achieved with a Zscaler Authentication Bridge for ZIA - but this doesn’t exist for ZPA, and runs infrequently (as in, it’s not immediate).
SCIM provides this functionality natively. SCIM is currently supported on a number of platforms - Azure AD, Okta, etc - however for customers using Active Directory and using ADFS for user authentication/federation, there is no native SCIM client for CRUD functions.

SCIM is an open API protocol, using HTTP Bearer Authentication over HTTPS. Reading users/groups/attributes from Active Directory is simply an LDAP query. It would be entirely achievable to write a SCIM client to pull attributes, etc from AD and push to ZIA and ZPA using SCIM.

I’ve written a python SCIM client which achieves this. It pulls attributes from Active Directory and flattens Nested Groups. It creates a local “store” of users/groups to figure out what needs to be updated, and can be automated to run periodically.
The client is 100% UNSUPPORTED by Zscaler Inc. However the process of using SCIM itself is a standard. Please feel free to review the code, and adapt as necessary to your needs.
The code is available on my private GitHub here - https://github.com/thewelshgeek/ZPAScripts/tree/master/SCIM .

I’m happy to take feedback on the code (I’m not a developer, so I’m sure it can be tidied up and procedurised better). However - don’t expect support on this code!

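As an added illustration (not the author's client from the linked repository), the two core steps the post describes: flattening nested AD groups into direct user membership, and diffing the previous run's local store against the fresh snapshot to decide which SCIM operations to send. The LDAP read and the HTTPS SCIM calls are assumed and replaced by constructed inline data; nothing is transmitted.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of what an LDAP query would return: group -> direct
# members, where a member may itself be a group (nested membership).
AD_GROUPS: Dict[str, Set[str]] = {
    "Finance": {"alice", "FinanceLeads"},
    "FinanceLeads": {"bob", "Finance"},  # nested, with a cycle back to Finance
    "Sales": {"carol"},
}

def flatten_group(group: str, groups: Dict[str, Set[str]],
                  seen: Optional[Set[str]] = None) -> Set[str]:
    """Transitive user members of `group`; visited groups are tracked so a
    membership cycle (A contains B, B contains A) terminates."""
    seen = set() if seen is None else seen
    if group in seen:
        return set()
    seen.add(group)
    users: Set[str] = set()
    for member in groups.get(group, set()):
        if member in groups:          # nested group: recurse into it
            users |= flatten_group(member, groups, seen)
        else:                         # leaf entry: a user
            users.add(member)
    return users

def snapshot(groups: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Invert flattened groups into user -> set of groups (the local store)."""
    users: Dict[str, Set[str]] = {}
    for group in groups:
        for user in flatten_group(group, groups):
            users.setdefault(user, set()).add(group)
    return users

def plan_sync(old: Dict[str, Set[str]],
              new: Dict[str, Set[str]]) -> List[Tuple[str, str, List[str]]]:
    """Compare last run's store with the fresh snapshot and return the SCIM
    operations (method/resource, user, groups) a client would send over HTTPS
    with an Authorization: Bearer header. Deletes are derived only from users
    that vanished from AD, so a failed LDAP read must abort before this step."""
    ops: List[Tuple[str, str, List[str]]] = []
    for user in sorted(new.keys() - old.keys()):
        ops.append(("POST /Users", user, sorted(new[user])))
    for user in sorted(new.keys() & old.keys()):
        if new[user] != old[user]:
            ops.append(("PATCH /Users", user, sorted(new[user])))
    for user in sorted(old.keys() - new.keys()):
        ops.append(("DELETE /Users", user, []))
    return ops

# Constructed "previous run" store: alice has since gained a group, dave left AD.
PREVIOUS_STORE: Dict[str, Set[str]] = {"alice": {"Finance"}, "dave": {"Sales"}}
```

Running `plan_sync(PREVIOUS_STORE, snapshot(AD_GROUPS))` yields two creates, one update and one delete, which is the set of changes a periodic run would push without any user re-authentication.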

Nice work.

I’m still amazed that Zscaler has not developed a similar supported SCIM client solution that customers with on-prem ADFS can leverage. Otherwise, they should not recommend using on-prem ADFS. Instead either use a cloud SAML IdP solution that supports SCIM or just do LDAP Integration with automatic nightly sync.

Since Zscaler no longer allows ZIA administrators to manually update users on the ZIA portal, it is now even more urgent that they stop recommending on-prem ADFS. Otherwise, they should provide a supported SCIM client for on-prem ADFS customers.

Just my two cents…

Thanks for the feedback.
This isn’t specifically an ADFS issue. Zscaler supports any SAML 2.0 compliant IDP, and with SAML Autoprovisioning we can consume attributes for user policy through the authentication process. You can trigger the user authentication to update the user attributes through another SAML authentication round.
API could be used to revoke user access if needed.

The Zscaler Authentication Bridge can be used to synchronise user attributes, rather than using SAML Autoprovisioning. The synchronisation is periodic, so not immediate, which is where API/SCIM/SAML may be preferable.

A SCIM client would need an amount of tailoring for different customer environments. Similarly, if a customer is using ADFS (or any other non-SCIM IDP) they would likely want SCIM for other Service Providers. This Python code is a good example (in my opinion) which could therefore be extended by a customer to support their other environments.

It may be good for Zscaler to look at a fully supported SCIM client we could provide to customers - however this is not currently on any roadmap. Hopefully this Python code could bridge the gap in the interim.