Synchronizing existing users

By default, the provisioning connector synchronizes users from the data store to Zscaler by matching the mail attribute in the data store to the Username attribute in Zscaler. You can change the default mapping in Creating a provisioning connection.

For example:

  • In Zscaler, Janet's Username is jsmith@example.com.
  • In your data store, Janet's mail is jsmith@example.com.
  • On the Attribute Mapping screen of your PingFederate channel configuration, you map the Username attribute to mail.
  • When the provisioning connector runs, the data store user is provisioned with a Username of jsmith@example.com. That matches Janet's existing Username in Zscaler, so her information in the data store is synchronized to her Zscaler account.

User provisioning

Triggered when a user is added to the data store group or filter that is targeted by the provisioning connector.

The target is determined by the Source Location screen in the provisioning connector configuration.

User updates

Triggered when a change occurs to a user attribute that is mapped in the provisioning connector configuration.

User deprovisioning

Triggered by any of the following:

  • A user is deleted from the user store.
  • A user is disabled in the user store.
  • A user is removed from the data store group or filter that is targeted by the provisioning connector.

The Remove User Action setting in the connection configuration determines whether the deprovisioning action disables or deletes the user.

Synchronizing existing groups

The provisioning connector synchronizes groups from the data store to Zscaler based on the group name.

For example:

  • In Zscaler Private Access, there is a group named Accounting.
  • In your data store, there is a group with a CN of Accounting.
  • When the provisioning connector runs, the two groups are synchronized.

Group provisioning

Triggered when a group is added to the data store filter that is targeted by the provisioning connector.

The target is determined by the Source Location screen in the provisioning connector configuration.

Group name updates

Renaming the group in the data store will trigger PingFederate to rename the group in Zscaler.

Group membership updates

Changing group memberships through the group's properties or a user's properties will trigger PingFederate to update the group membership in Zscaler.

Group memberships in the data store overwrite the group memberships in Zscaler.

Group deletion

Triggered by any of the following:

  • The group is deleted in the data store. PingFederate then deletes the group in Zscaler Private Access. Group deletions are permanent and cannot be undone.
  • The group is removed from the data store group or filter that is targeted by the provisioning connector.
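
The user matching and group membership overwrite rules described above, as an added offline dry run (not code from the PingFederate or Zscaler documentation, and it calls neither product's API). It assumes exact string comparison for user and group matching; the page does not state how case is handled, so values that differ only by case or whitespace are listed for review. The function names and all records are constructed for illustration.

```python
# Added example: offline dry run of the matching rules; all data is constructed.

def plan_user_sync(store_users, zscaler_usernames, match_attr="mail"):
    """Predict how data store users pair with existing Zscaler Usernames."""
    existing = set(zscaler_usernames)
    folded = {u.strip().lower(): u for u in zscaler_usernames}
    plan = {"synchronized": [], "created": [], "review": []}
    for user in store_users:
        value = user.get(match_attr)
        if not value:
            plan["review"].append((user["uid"], "missing " + match_attr))
        elif value in existing:
            plan["synchronized"].append(value)
        elif value.strip().lower() in folded:
            # Differs only by case/whitespace: confirm before the first run.
            plan["review"].append((user["uid"], "near match " + folded[value.strip().lower()]))
        else:
            plan["created"].append(value)
    return plan

def plan_group_sync(store_groups, zscaler_groups):
    """Groups pair by name; data store membership overwrites Zscaler's."""
    plan = {}
    for name, members in store_groups.items():
        if name not in zscaler_groups:
            plan[name] = {"action": "create", "added": sorted(members), "dropped": []}
            continue
        current = set(zscaler_groups[name])
        plan[name] = {
            "action": "synchronize",
            "added": sorted(set(members) - current),
            "dropped": sorted(current - set(members)),  # lost on overwrite
        }
    return plan

# Constructed sample data.
STORE_USERS = [
    {"uid": "jsmith", "mail": "jsmith@example.com"},
    {"uid": "bwong", "mail": "BWong@example.com"},
    {"uid": "akhan", "mail": "akhan@example.com"},
    {"uid": "svc01"},
]
ZSCALER_USERNAMES = ["jsmith@example.com", "bwong@example.com"]
STORE_GROUPS = {"Accounting": ["jsmith@example.com", "akhan@example.com"], "Sales": ["akhan@example.com"]}
ZSCALER_GROUPS = {"Accounting": ["jsmith@example.com", "bwong@example.com"]}

if __name__ == "__main__":
    print(plan_user_sync(STORE_USERS, ZSCALER_USERNAMES))
    print(plan_group_sync(STORE_GROUPS, ZSCALER_GROUPS))
```

Entries under "dropped" are Zscaler-side memberships that exist only in Zscaler and would be removed when the data store membership overwrites them.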