Page created: 15 Apr 2020 | Page updated: 8 Feb 2022
To allow PingFederate to manage users in Zscaler Private Access, create a service provider (SP) connection.
Note: You can follow these steps to create a new SP connection, or you can modify your provisioning connection.
In the PingFederate administrator console, configure the data store that
PingFederate will use as the source of user data. For instructions, see Datastores in the
- When targeting users and groups for provisioning, exclude the user account that you will use to administer users in your connection to Zscaler Private Access. This prevents the PingFederate provisioning engine from interfering with the account that provisions users and groups.
- On the Enable Identity Provider IdP Role and Support the Following. screen, select
- Select Outbound Provisioning. Click Save.
On the Identity Provider screen, in the SP
Connections area, open an existing connection or create a new one as
- Click Create new.
- On the Connection Template screen, select Use a template for this connection.
- In the Connection Template list, select Zscaler ZPA Connector.
- Click Choose File, select the sp_metadata.xml file that you downloaded in Enabling provisioning and single sign-on in Zscaler, and then click Open. Click Next.
- On the Connection Type screen, select Outbound Provisioning and clear any unwanted types. Click Next.
- On the General Info screen, the basic connection information is populated by the metadata XML file. Click Next.
On the Outbound Provisioning screen, configure the
provisioning target and channel as shown in Configuring outbound provisioning in the PingFederate
Note: For more information about the attributes available in your channel configuration, see Supported attributes reference.
- Click Configure Provisioning.
- On the Target screen, in the Base URL field, enter the SCIM Service Provider Endpoint that you noted in Enabling provisioning and single sign-on in Zscaler.
On the Target screen, enter the Bearer
Token that you noted in Enabling provisioning and single sign-on in Zscaler.
Note: PingFederate verifies the access token when you activate the channel and SP connection.
- Under Provisioning Options, customize the provisioning connector actions as shown in Provisioning options reference. Click Next.
- On the Manage Channels screen, create a channel as shown in Managing channels in the PingFederate documentation. Click Done.
- On the Outbound Provisioning screen, click Next.
- On the Activation and Summary screen, above the Summary section, turn on the connection. Click Save.
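A pre-flight check for the Base URL and Bearer Token entered on the Target screen, useful because PingFederate only verifies the token at activation. This is an added example, not PingFederate or Zscaler code; it assumes the endpoint answers a standard SCIM 2.0 (RFC 7644) `GET /Users` request, and `validate_base_url`, `check_target` and the `urlopen` parameter are names made up here.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

def validate_base_url(base_url):
    """Return a list of problems with the SCIM Base URL (empty list means OK)."""
    u = urllib.parse.urlsplit(base_url)
    problems = []
    if u.scheme != "https":
        problems.append("scheme must be https so the bearer token is never sent in clear text")
    if not u.hostname:
        problems.append("URL has no host")
    if u.username or u.password:
        problems.append("URL embeds credentials")
    if u.query or u.fragment:
        problems.append("URL carries a query string or fragment")
    return problems

def check_target(base_url, token, urlopen=urllib.request.urlopen, timeout=10):
    """Send one read-only SCIM request and report whether the target accepts the token.

    urlopen is injectable (hypothetical parameter) so the check can be tested offline.
    """
    problems = validate_base_url(base_url)
    if not token or token != token.strip():
        problems.append("token is empty or has leading/trailing whitespace")
    if problems:
        return {"ok": False, "problems": problems}  # never send a token to a bad URL
    req = urllib.request.Request(
        base_url.rstrip("/") + "/Users?count=1",  # RFC 7644 list query, one result
        headers={"Authorization": "Bearer " + token, "Accept": "application/scim+json"},
    )
    try:
        with urlopen(req, timeout=timeout) as resp:
            body = json.load(resp)
    except urllib.error.HTTPError as e:  # must precede OSError: HTTPError subclasses it
        reason = {401: "token rejected", 403: "token not authorized",
                  404: "Base URL path not found"}.get(e.code, "unexpected status")
        return {"ok": False, "problems": ["HTTP %d: %s" % (e.code, reason)]}
    except (OSError, ValueError) as e:  # network failure, timeout or non-JSON body
        return {"ok": False, "problems": ["request failed: %s" % e]}
    schemas = body.get("schemas", []) if isinstance(body, dict) else []
    if any(str(s).endswith(":ListResponse") for s in schemas):
        return {"ok": True, "problems": []}
    return {"ok": False, "problems": ["response is not a SCIM ListResponse"]}
```

Run it from the PingFederate host so the result also reflects that host's network path and TLS trust store, and pass the token from a secret store rather than the command line.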