Zscaler Internet Access DOES NOT support IDP Initiated Signon for enrolling users into the platform. ZIA also doesn’t support periodic re-authentication of users. To get group memberships updated for an enrolled user you should consider SCIM or LDAP-sync to push or pull data from your directory store.
However - you can use IDP Initiated Signon to update group membership for users already enrolled. This is a user driven function which triggers the IDP to re-authenticate the user and generate a SAML response to Zscaler which updates the group membership.
In this configuration I’m using ADFS. I have configured a relying party identifier of ZS2
In the Zscaler administration interface, under https://admin.zscalertwo.net/#administration/company-profile I identify my organisation ID as 103550
In ADFS, update the endpoints. I’ve kept index 0 as the default SSO page for SP-Initiated signon, however I’ve added another consumer endpoint of https://login..net/sso_upd/ (e.g. https://login.zscalertwo.net/sso_upd/103550 ). I set this as the default so it’s easily triggered during the IDP Initiated SSO.
Now I can trigger an IDP-Initiated request by logging onto https:///adfs/ls/idpinitiatedsignon?logintorp=ZS2 . When the user signs in, they’ll be redirected straight to Zscaler which will consume the assertion and update the users credentials.
If you’re feeling inventive, you can add this URL to your block page to enable the user to trigger the IDP-Initiated SSO if they’ve been blocked and believe they should have access based on their group membership.
Similarly, you could add this URL as an automatic logon when the user opens their homepage, or you could send the user the link in an email as part of the workflow to add/remove users to groups in Active Directory.
A video demonstrating this functionality is available here https://www.youtube.com/watch?v=ar82EBJ2mzc