Building a Zscaler Lab Part 3 (SCIM enablement)

Welcome back, so far we’ve stood up our Azure and Zscaler tenants and connected them with SAML Authentication. Next we need to enable the SCIM (System for Cross-domain Identity Management). If you’re an old Systems and Data Center person like me, don’t feel bad if you had to look up what SCIM is. I had to look it up too.

A quick check of the Book of Knowledge (aka Wikipedia) tells us…”SCIM  is a standard for automating the exchange of user identity information between identity domains, or IT systems.”

Easy enough, essentially it’s a trusted method for managing CRUD. With the added benefit of also being about to tell the system it’s updating specific attributes about the user or group that it’s changing.

Let’s get started , Zscaler official documentation for this process is here.

Login to your Zscaler Admin portal , I’m doing this in the ZIA admin portal. Then we’ll navigate to the Administration > Authentication Settings section.

Now let’s go to Identity Providers tab, Edit the IdP we setup before.

Scroll to the Provisioning Options section.

Click Enable SCIM Provisioning.
Copy the Base URL URL and the Bearer Token to your secure notes.
Click Save when complete.
Activate your changes.

Now let’s add in the Exempted URL’s. Browse to Administration → Cloud Configuration → Advanced Settings

Scroll to AUTHENTICATION EXEMPTIONS and add the following URLs.

login.windows.net

login.microsoftonline.com

*.windowsazure.com

Click SAVE, and of course, Activate your changes!

Next we’re going to login to Azure and connect everything together. On your Azure Portal, browse to your Entra ID service > Manage > Enterprise Applications , then Select your Zscaler ZIA Tenant Cloud we setup earlier. In my case it’s Zscaler Two.

From there, expand under Manage and select Provisioning.

Select the Get Started button to launch the Provisioning wizard. First change the Provisioning Mode to Automatic.

Under Admin Credentials enter the following:

Tenant URL: Paste in the Base URL from your Secure Notes

Secret Token: Paste in the Bearer Token from your Secure Notes

Click Test Connection

You should get a message indicating a success. If you get an error, double check your Tenant URL and Bearer Token are correct. If needed re-generate a new Bearer Token in the ZIA Admin Console.

After getting a Confirmation of a Successful Test, Click Save.

Now Exit the Provisioning by clicking the X in the right corner. Then we need to re-enter Provisioning by Edit Provisioning. This is because the Settings section won’t update without exiting first.

Once back in the Provisioning page, Expand the Settings section and set the Scope to Sync Only assigned users and groups make sure the Provisioning Status is On, then click Save at the Top. Exit the Provisioning pane.

Assigning users and groups

Now in the Enterprise Application in Azure for your Tenant, Select Users and Groups. We will add the appropriate Users/Groups that we want to use Entra ID for IdP into Zscaler.

Select Add user/group and assign your resources. Be sure to save of course.

At this point you should be able to Test Logging into Zscaler Client Connector with your Entra ID Credentials.

When you sign if you are brought to your iDP sign in page, Success!

Next series of Posts we’ll start digging into some additional lab content and how the services for Secure Internet and Remote Application Access work.