Zscaler uses the User/Email attribute to verify the login name that a user enters when logging in to the service for authentication.
The login attribute must be unique and in the form of an email address.Though it does not have to be a valid email address, the domain name must belong to the organization. If the value is not an email address, the service creates an email address by appending the primary domain name registered with the organization. If your organization has registered multiple domains and the value is not an email address, authentication will fail. To resolve this issue, Zscaler recommends that you use userPrincipalName, regardless of the number of domains hosted by the Zscaler service because the userPrincipalName is unique. Use sAMAccountName only if you have one domain hosted by the Zscaler service. Otherwise, you can use proxyAddresses, userPrincipalName or mail attributes.