Zscaler

Known issues and limitations

The following are known issues or limitations for the Zscaler Internet Access Provisioner.

Known issues

There are no known issues.

Known limitations

  • When an LDAP user is deleted from a targeted group distinguished name (DN), the provisioning connector does not propagate the deletion until a new user is added to the group. This limitation is compounded when the User Create provisioning option is disabled. For solutions, see "SaaS provisioner does not remove the user" in the Knowledge Base.

  • Because of PingFederate limitations, user attributes cannot be cleared once set.

  • Because of PingFederate limitations, the group name is the only supported group attribute and must be the Common Name (CN) of the LDAP group being provisioned. Additional group attributes are not supported in PingFederate.

  • Performance:

    • Zscaler Internet Access System for Cross-domain Identity Management (SCIM) servers have a rate limit of 5 requests per second. To avoid retries, reduce the number of threads in the PingFederate channel configuration. For more information, see "Specifying channel information" in the PingFederate documentation and "SCIM API Examples" in the Zscaler Internet Access documentation.

    • When provisioning users to a group, all users must be set to active. If an inactive user is present, the active users and group will be provisioned but no users will be added to the group.

    • Rate limiting can prevent the connector from provisioning users to groups. If rate limiting forces a retry, and a user is created on the retry, the user’s group memberships are applied the next time the relevant groups are updated.
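Because deletions and group memberships can lag as described above, a periodic drift audit between the LDAP group and its SCIM copy helps catch accounts that should no longer have access. The following is an added example, not part of the connector or the vendor documentation: it assumes the SCIM user list and group have already been exported as JSON in the standard SCIM (RFC 7643/7644) shapes, and all names and data in it are constructed.

```python
# Added example: audit drift between an LDAP group and its SCIM copy.
# All data below is constructed; shapes follow SCIM (RFC 7643/7644).

LDAP_MEMBERS = ["alice@example.com", "Bob@example.com",
                "dave@example.com", "erin@example.com"]

SCIM_USER_PAGES = [  # paged ListResponse bodies, as returned for /Users
    {"totalResults": 4, "startIndex": 1, "itemsPerPage": 2, "Resources": [
        {"id": "u1", "userName": "alice@example.com", "active": True},
        {"id": "u2", "userName": "bob@example.com", "active": True}]},
    {"totalResults": 4, "startIndex": 3, "itemsPerPage": 2, "Resources": [
        {"id": "u3", "userName": "carol@example.com", "active": True},
        {"id": "u4", "userName": "dave@example.com", "active": True}]},
]

SCIM_GROUP = {"displayName": "zia-users",  # hypothetical group CN
              "members": [{"value": "u1"}, {"value": "u2"}, {"value": "u3"}]}


def index_users(pages):
    """Flatten paged ListResponses into {lowercased userName: resource}."""
    users = {}
    for page in pages:
        for res in page.get("Resources", []):
            # userName is case-insensitive in SCIM (caseExact: false).
            users[res["userName"].lower()] = res
    return users


def audit(ldap_members, pages, group):
    """Compare the LDAP source of truth with what SCIM currently holds."""
    ldap = {m.lower() for m in ldap_members}
    users = index_users(pages)
    member_ids = {m["value"] for m in group.get("members", [])}
    report = {"stale_active": [], "missing_membership": []}
    for name, res in sorted(users.items()):
        if name not in ldap and res.get("active", False):
            report["stale_active"].append(name)        # deletion not propagated
        elif name in ldap and res["id"] not in member_ids:
            report["missing_membership"].append(name)  # e.g. created on a retry
    report["not_provisioned"] = sorted(ldap - set(users))
    return report


if __name__ == "__main__":
    for finding, names in audit(LDAP_MEMBERS, SCIM_USER_PAGES, SCIM_GROUP).items():
        print(f"{finding}: {names}")
```

Entries under `stale_active` are the ones to review first, since they represent users removed from LDAP who still hold an active account on the SCIM side.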