--- title: Zscaler Private Access Provisioner description: The Zscaler Private Access Provisioner allows PingFederate to integrate with Zscaler Private Access for user and group provisioning and single sign-on (SSO). component: zscaler page_id: zscaler:zscaler_private_access_provisioner:pf_zscaler_zpa_connector canonical_url: https://docs.pingidentity.com/integrations/zscaler/zscaler_private_access_provisioner/pf_zscaler_zpa_connector.html revdate: June 18, 2024 section_ids: features: Features intended-audience: Intended audience system-requirements: System requirements --- # Zscaler Private Access Provisioner The Zscaler Private Access Provisioner allows PingFederate to integrate with Zscaler Private Access for user and group provisioning and single sign-on (SSO). ## Features * Manages users and groups in Zscaler Private Access based on changes in an external data store that is attached to PingFederate. * Creates, updates, and deletes users. * Allows you to enable the create, update, and delete capabilities independently. * Create groups and update group memberships. * Browser-based single sign-on (SSO) initiated by the service provider (SP) or identity provider (IdP). * Pre-populates some connection settings with the included quick connection template. ## Intended audience This document is intended for PingFederate administrators working with the Zscaler Private Access Provisioner. | | | | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | If you use Zscaler Internet Access, see the [Zscaler Internet Access Provisioner](../zscaler_internet_access_provisioner/pf_zscaler_zia_connector.html) documentation. | Before you start, you should be familiar with the following: * The following sections of the Zscaler documentation: * [About IdP Configuration](https://help.zscaler.com/zpa/about-idp-configuration) * [Configuring an IdP for Single Sign-On](https://help.zscaler.com/zpa/configuring-idp-single-sign) * [About SAML Attributes](https://help.zscaler.com/zpa/about-saml-attributes) * [About SCIM](https://help.zscaler.com/zpa/about-scim) * [Enabling SCIM for Identity Management](https://help.zscaler.com/zpa/enabling-scim-identity-management) * The following sections of the PingFederate documentation: * [Identity provider SSO configuration](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_ident_provid_sso_config.html) * [Datastores](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_managedatasourcestasklet_managedatasourcesstate.html) * [Managing IdP adapters](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_managing_idp_adapters.html) * [Managing digital signing certificates and decryption keys](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_certmanagementtasklet_dsigsigningcert_certmanagementstate.html) * [SP connection management](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_sp_connect_management.html) * [Configuring outbound provisioning](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_spconnectionconfigtasklet_saasprovisioningstate.html) * [Configuring outbound provisioning settings](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_protocolsettingstasklet_saasglobalprovisioningsettingsstate.html) ## System requirements * PingFederate 9.0 or later. * A Zscaler Private Access administrator account. * To allow PingFederate to make outbound connections to the Zscaler API, you may need to whitelist the following domain in your firewall. * https\://scim.*your\_Zscaler\_domain*.net