Zscaler Local Database Group Membership using Azure AD and SCIM

Hi All,

We just changed IDP from ADFS to Azure AD. There's no problem authenticating users, nor with user and group provisioning, since we migrated to AAD with SCIM.

The problem is that user@company.com doesn't have members in the Zscaler local database. We're using on-prem AD groups which are synchronized to AAD.

When we were using ADFS, "TokenGroups - Unqualified Names" was used as the LDAP Attribute, which is mapped to the Outgoing Claim Type of "memberOf".

From: https://help.zscaler.com/zia/saml-configuration-guide-adfs

In the Zscaler admin page, these are the SAML auto-provisioning options:


Now the question: since we moved from ADFS to Azure AD with SCIM, do we also need to configure group claims under user attributes and claims (the logic is similar to TokenGroups when using ADFS)?

I’m not really a systems guy so maybe some of you may have experienced this.