ZPA issues - Zscaler and Azure sync

Hi All,
I am trying to understand how sync between Zscaler and Azure works. The issue I sometimes have is that access to app segments is restricted using SAML and SCIM attributes

SAML and SCIM Attributes
SAML Attributes
memberOf = ZScaler-Archive

What happens is that after a new user is added to an existing group/role, in the example above ZScaler-Archive, it seems to take up to two days for it to take effect, so new users can only connect to the application remotely after 2 days.

Any ideas? Is there a way to force a sync?


Hello Murilo,

“memberOf” sounds like the SAML attribute. For group assignment to work reliably you have to use roles in case of AAD cloud only. It is possible to use memberOf, but IMHO the SAML group membership is synced initially and afterwards is only updated when the user is re-authenticated.

I would recommend using SCIM for group based access, which works within Azure's predefined sync interval of 40 minutes and can also be triggered manually by “Provision on demand”.

See also here and here.



Thanks Manuel. It was really helpful and I will do some research and discuss it internally.

What was found out after “struggling” to get some policies working is that it seems like the attribute “memberOf” is mapped to “user.assignedroles”. That means AAD will return the “user.assignedroles” to ZPA as part of the SAML instead of the AAD group.

Is that correct?

However even if we create the “role” we need to do it two days prior to the policy change which is not ideal. It seems like SCIM is the way to go.

In the meantime the workaround according to one of the links you sent me is to do a logout and login at the Zscaler Client Connector for the group membership to be synced. I don’t remember if I ever tried that but I have a feeling that I did.
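A quick way to settle the “is AAD sending the group or the role?” question is to capture the SAMLResponse the browser posts to ZPA (a SAML tracer or the browser dev tools show it base64-encoded) and list the attributes it actually carries. The helper below is an added example for this thread, not Zscaler or Microsoft code; the sample response it parses is constructed to look like the memberOf = ZScaler-Archive case above, and the GUID heuristic reflects the default AAD behaviour of emitting group claims as object IDs rather than display names.

```python
"""Diagnostic helper: list the attributes (and values) carried in a SAML 2.0
response so you can see which claim ZPA really receives under "memberOf".

Added example for this thread; not Zscaler or Microsoft code. The sample
response is constructed for illustration (a real AAD response also carries a
Signature, Conditions and more claims).
"""
import base64
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample: the IdP emits "memberOf" populated from the user's app
# roles (here the role name ZScaler-Archive), not from AAD group membership.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="memberOf">
        <saml:AttributeValue>ZScaler-Archive</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>user@example.test</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# What a SAML tracer shows: the same response, base64-encoded (constructed).
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode("utf-8")).decode("ascii")

GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def decode_saml_response(b64_response: str) -> str:
    """Turn the base64 SAMLResponse form value back into XML text."""
    return base64.b64decode(b64_response).decode("utf-8")


def saml_attributes(response_xml: str) -> Dict[str, List[str]]:
    """Return {attribute name: [values]} from every AttributeStatement."""
    root = ET.fromstring(response_xml)
    attrs: Dict[str, List[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name") or ""
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(name, []).extend(values)
    return attrs


def has_claim_value(attrs: Dict[str, List[str]], attribute: str, expected: str) -> bool:
    """True if the ZPA policy value (e.g. ZScaler-Archive) is present under the attribute."""
    return expected in attrs.get(attribute, [])


def looks_like_object_ids(values: List[str]) -> bool:
    """AAD group claims default to group object IDs (GUIDs); if memberOf holds
    GUIDs, a policy matching on a display name like ZScaler-Archive never fires."""
    return bool(values) and all(GUID_RE.match(v) for v in values)


if __name__ == "__main__":
    claims = saml_attributes(decode_saml_response(SAMPLE_RESPONSE_B64))
    for name, values in claims.items():
        print(f"{name}: {values}")
    print("policy value present:", has_claim_value(claims, "memberOf", "ZScaler-Archive"))
    print("memberOf holds object IDs:", looks_like_object_ids(claims.get("memberOf", [])))
```

Run it against the decoded SAMLResponse from a real login and compare the memberOf values with what the ZPA policy expects: role names, group display names and group object IDs all look different, and the mismatch is usually the reason a policy only starts working after a later re-authentication.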

Concerning roles and AAD please check Zscaler help here.

And yes, roles and SAML are not really straightforward. That's why we also use SCIM here.

