Note: You can follow these steps to create a new SP connection, or you can modify your provisioning connection.
  1. In the PingFederate administrator console, configure the data store that PingFederate will use as the source of user data. For instructions, see Datastores in the PingFederate documentation.
    • When targeting users and groups for provisioning, exclude the user account that you will use to administer users in your connection to Zscaler Private Access. This prevents the PingFederate provisioning engine from interfering with the account that provisions users and groups.
  2. Enable provisioning.
    1. On the System > Protocol Settings > Roles & Protocols screen, select Enable Identity Provider (IdP) Role and Support the Following.
    2. Select Outbound Provisioning. Click Save.
  3. On the Identity Provider screen, in the SP Connections area, open an existing connection or create a new one as follows:
    1. Click Create new.
    2. On the Connection Template screen, select Use a template for this connection.
    3. In the Connection Template list, select Zscaler ZPA Connector.
    4. Click Choose File, select the sp_metadata.xml file that you downloaded in Enabling provisioning and single sign-on in Zscaler, and then click Open. Click Next.
  4. On the Connection Type screen, select Outbound Provisioning and clear any unwanted types. Click Next.
  5. On the General Info screen, the basic connection information is populated by the metadata XML file. Click Next.
  6. On the Outbound Provisioning screen, configure the provisioning target and channel as shown in Configuring outbound provisioning in the PingFederate documentation.
    1. Click Configure Provisioning.
    2. On the Target screen, in the Base URL field, enter the SCIM Service Provider Endpoint that you noted in Enabling provisioning and single sign-on in Zscaler.
    3. On the Target screen, enter the Bearer Token that you noted in Enabling provisioning and single sign-on in Zscaler.
      Note: PingFederate verifies the access token when you activate the channel and SP connection.
    4. Under Provisioning Options, customize the provisioning connector actions as shown in Provisioning options reference. Click Next.
    5. On the Manage Channels screen, create a channel as shown in Managing channels in the PingFederate documentation. Click Done.
    Note: For more information about the attributes available in your channel configuration, see Supported attributes reference.
    6. On the Outbound Provisioning screen, click Next.
  7. On the Activation and Summary screen, above the Summary section, turn on the connection. Click Save.
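
The following preflight check is an added example, not part of the PingFederate or Zscaler documentation. It shows what the sp_metadata.xml file will populate on the General Info screen and checks the SCIM Base URL before you enter it on the Target screen. It assumes the file is standard SAML 2.0 SP metadata; the function names, sample metadata, and hostnames are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample metadata; hostnames and entityID are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def url_problems(label, url):
    """Return a list of reasons the URL should not be used as an endpoint."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https":
        problems.append(f"{label}: not HTTPS ({url})")
    if not parts.hostname:
        problems.append(f"{label}: no host ({url})")
    if parts.username or parts.password:
        problems.append(f"{label}: credentials embedded in URL")
    return problems


def preflight(metadata_xml, scim_base_url):
    """Summarise what the metadata will populate and list any findings."""
    # Parse only a file you downloaded yourself from the admin portal.
    root = ET.fromstring(metadata_xml)
    findings = []
    if root.tag != f"{{{MD}}}EntityDescriptor":
        findings.append("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        findings.append("entityID missing")
    acs = [e.get("Location", "") for e in root.iter(f"{{{MD}}}AssertionConsumerService")]
    if not acs:
        findings.append("no AssertionConsumerService endpoint")
    for loc in acs:
        findings += url_problems("ACS", loc)
    findings += url_problems("SCIM Base URL", scim_base_url)
    return {"entity_id": entity_id, "acs": acs, "findings": findings}


if __name__ == "__main__":
    print(preflight(SAMPLE_METADATA, "https://scim.example.test/scim/v2"))
```

An empty findings list means the entity ID and endpoints in the file match the expected shape; compare the printed entity ID and ACS locations against the values shown in the Zscaler admin portal before you upload the file.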