ZSCALER AND SAILPOINT

DEPLOYMENT GUIDE

Syncing Users and Groups from

Zscaler to Sailpoint

APRIL 2023, VERSION 1.2 BUSINESS DEVELOPMENT GUIDE

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

Contents
Terms and Acronyms 4

About This Document 5

Zscaler Overview 5
SailPoint Overview 5
Audience 5
Software Versions 5
Prerequisites 5
Request for Comments 6
Zscaler and SailPoint Introduction 7
PLEASE READ 7
ZIA Overview 7
ZPA Overview 7
Zscaler Resources 8
SailPoint IdentityIQ 8
SailPoint IdentityNow 8
SailPoint Resources 8
Configuring SailPoint IdentityIQ for ZIA 9
Create the Zscaler Application 9
Configuring Aggregation Tasks 19
Confirm Account Provisioning 27
Configuring SailPoint IdentityIQ for ZPA 32
Creating the Zscaler Application 32
Configuring Aggregation Tasks 42
Confirm Account Provisioning 49
Configuring SailPoint IdentityNow for ZIA 54
Creating the Zscaler Source 54

©2023 Zscaler, Inc. All rights reserved. 2

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

Additional Resources 57
Working with Connectors and Sources 57
Provisioning 57

Configuring SailPoint IdentityNow for ZPA 58

Creating the Zscaler Source 58
Additional Resources 61
Working with Connectors and Sources 61
Provisioning 61

Appendix A: Requesting Zscaler Support 62

Save Company ID 63
Enter Support Section 64

©2023 Zscaler, Inc. All rights reserved. 3

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

Terms and Acronyms

The following table defines the acronyms used in this deployment guide. When applicable, a Request for Change (RFC) is
included in the Definition column for your reference.

Acronym Definition
DPD Dead Peer Detection (RFC 3706)
GRE Generic Routing Encapsulation (RFC2890)
IKE Internet Key Exchange (RFC2409)
IPSec Internet Protocol Security (RFC2411)
OAM Operation, Administration, and Management
PFS Perfect Forward Secrecy
SD-WAN Software Defined Wide Area Network
SSL Secure Socket Layer (RFC6101)
TLS Transport Layer Security (RFC5246)
XFF X-Forwarded-For (RFC7239)
ZIA Zscaler Internet Access (Zscaler)
ZPA Zscaler Private Access (Zscaler)

©2023 Zscaler, Inc. All rights reserved. 4

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

About This Document

This section describes the partners involved in the integration described in this guide.

Zscaler Overview
Zscaler (NASDAQ: ZS) enables the world’s leading organizations to securely transform their networks and applications for
a mobile and cloud-first world. Its flagship Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) services create
fast, secure connections between users and applications, regardless of device, location, or network. Zscaler delivers its
services 100% in the cloud and offers the simplicity, enhanced security, and improved user experience that traditional
appliances or hybrid solutions can’t match. Used in more than 185 countries, Zscaler operates a massive, global cloud
security platform that protects thousands of enterprises and government agencies from cyberattacks and data loss. For
more information on Zscaler, see Zscaler’s website or follow Zscaler on Twitter @zscaler.

SailPoint Overview
SailPoint (NYSE: SAIL) provides security software products and services. The company offers identity governance software
that integrates role, access request, and compliance management solutions. SailPoint Technologies serves banks, property
and casualty insurers, telecommunication providers, and healthcare sectors worldwide.

Audience
This guide is for network administrators, endpoint / IT administrators, and security analysts responsible for deploying,
monitoring, and managing enterprise security systems. For additional product and company resources, refer to:

• Zscaler Resources
• SailPoint Resources
• Appendix A: Requesting Zscaler Support

Software Versions
This document was written using the latest version of Zscaler software and SailPoint IdentityIQ 8.0 and SailPoint
IdentityNow.

Prerequisites
This guide provides GUI examples for configuring Zscaler Internet Access (ZIA) or Zscaler Private Access (ZPA) and
SailPoint. All examples in this guide presume the reader has a basic comprehension of Identity and Access Management
(IAM). All examples in this guide explain how to provision new service with Zscaler and with SailPoint. The prerequisites to
use this guide are:

• ZPA and ZIA

• A working instance of ZPA or ZIA (any cloud)
• Administrator login credentials

• SailPoint
• A working instance of SailPoint IdentityIQ with administrator login credentials, or
• A working instance of SailPoint IdentityNow with administrator login credentials

©2023 Zscaler, Inc. All rights reserved. 5

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

Request for Comments

• For prospects and customers: Zscaler values reader opinions and experiences. Contact partner-doc-support@
zscaler.com to offer feedback or corrections for this guide.
• For Zscaler employees: Contact [email protected] to reach the team that validated and authored the
integrations in this document.

©2023 Zscaler, Inc. All rights reserved. 6

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

Zscaler and SailPoint Introduction

This guide covers the specific use case of syncing users/groups from Zscaler to SailPoint via SCIM to provide visibility of
identity and entitlements to an organization. For other use cases regarding SailPoint, consult Zscaler Professional Services.

exclamation-triangle This guide does not cover configuring SailPoint for user authentication and provisioning as with a traditional IdP.
Zscaler currently does not support that integration use case.

The following are overviews of the Zscaler and SailPoint applications described in this section.

ZIA Overview
ZIA is a secure internet and web gateway delivered as a service from the cloud. Think of it as a secure internet on-ramp—
all you do is make Zscaler your next hop to the internet via one of the following methods:

• Setting up a tunnel (GRE or IPSec) to the closest Zscaler data center (for offices).
• Forwarding traffic via our lightweight Zscaler Client Connector or PAC file (for mobile employees).

No matter where users connect—a coffee shop in Milan, a hotel in Hong Kong, or a VDI instance in South Korea—they get
identical protection. ZIA sits between your users and the internet and inspects every transaction inline across multiple
security techniques (even within SSL).

You get full protection from web and internet threats. The Zscaler cloud platform supports Cloud Firewall, IPS,
Sandboxing, DLP, and Browser Isolation, allowing you to start with the services you need now and activate others as your
needs grow.

ZPA Overview
Zscaler Private Access (ZPA) is a cloud service that provides secure remote access to internal applications running on a
cloud or data center using a Zero Trust framework. With ZPA, applications are never exposed to the internet, making
them completely invisible to unauthorized users. The service enables the applications to connect to users via inside-out
connectivity rather than extending the network to them.

ZPA provides a simple, secure, and effective way to access internal applications. Access is based on policies created by
the IT administrator within the ZPA Admin Portal and hosted within the Zscaler cloud. On each user device, software
called Zscaler Client Connector is installed. Zscaler Client Connector ensures the user’s device posture and extends a
secure microtunnel out to the Zscaler cloud when a user attempts to access an internal application.

©2023 Zscaler, Inc. All rights reserved. 7

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

Zscaler Resources
The following table contains links to Zscaler resources based on general topic areas.

Name and Link Description

ZIA Help Portal Help articles for ZIA.

ZPA Help Portal Help articles for ZPA.

Zscaler Tools Troubleshooting, security and analytics, and browser extensions that help
Zscaler determine your security needs.

Zscaler Training and Certification Training designed to help you maximize Zscaler products.

Submit a Zscaler Support Ticket Zscaler Support portal for submitting requests and issues.

SailPoint IdentityIQ
SailPoint IdentityIQ is an identity and access management (IAM) solution for enterprise customers that delivers automated
access certifications, policy management, access request and provisioning, password management, and identity
intelligence. IdentityIQ has a flexible connectivity model that simplifies the management of applications running on-
premises or in the cloud.

SailPoint IdentityNow
SailPoint IdentityNow is a SaaS identity governance solution that allows you to control user access to all systems and
applications, enhance audit response, and increase your operational efficiency.

It’s delivered from the cloud as multi-tenant SaaS, so IdentityNow can be up and running quickly with no additional
hardware or software to purchase, install, or maintain.

• Easy to deploy with rapid time to business value.

• Automatically delivers new features and enhancements.
• Scales up or down to meet your evolving needs.
• Can be managed by a business analyst, no identity expertise required.
• Simple, cloud software subscription model.
• Proven to reduce help desk calls by up to 90 percent.

SailPoint Resources
The following table contains links to SailPoint support resources.

Name and Link Description

SailPoint Getting Started Guide Help articles for using SailPoint software.

SailPoint Customer Service Site for getting SailPoint support.

SailPoint Community Site for accessing the SailPoint online technical community.

SailPoint Developer Community Site for developer help and support.

©2023 Zscaler, Inc. All rights reserved. 8

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

Configuring SailPoint IdentityIQ for ZIA

The following describes how to configure SailPoint IdentityIQ for ZIA.

Create the Zscaler Application

1. From the Applications drop-down menu, select Application Definition.

Figure 1. Create the Zscaler application definition

2. Click Add New Application.

Figure 2. Add new application

©2023 Zscaler, Inc. All rights reserved. 9

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

3. Select SCIM 2.0 from the Application Type drop-down menu to configure the application type.

Figure 3. Configure application type

©2023 Zscaler, Inc. All rights reserved. 10

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

4. Enter an application Name, and an application Owner for the ZIA application. For more information on how
IdentityIQ uses these fields, refer to the SailPoint product documentation.

Figure 4. Log into Zscaler

5. Test the connection by entering the connection parameters specific to your ZIA SCIM server:

a. Use the format https://scim.zscalerbeta.net/<your_tenant_id>/scim as the base URL.

b. Select API Token as the Authentication Type.
c. Enter the API token provided by your ZIA administrator.

©2023 Zscaler, Inc. All rights reserved. 11

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

6. Click Test Connection to ensure the parameters were entered correctly.

Figure 5. Test connection

©2023 Zscaler, Inc. All rights reserved. 12

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

7. To configure the schema, go to the Schema sub-tab under the Configuration tab. Click Discover Schema Attributes
in the Object Type: account section..

Figure 6. Schema Configuration

©2023 Zscaler, Inc. All rights reserved. 13

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

The ZIA user attributes are populated into the object.

Figure 7. ZIA user attributes

©2023 Zscaler, Inc. All rights reserved. 14

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

8. Click Discover Schema Attributes in the Object Type: group section of the Schema sub-tab..

Figure 8. Discover schema attributes

9. Verify the ZIA group attributes populated in the group object.

Figure 9. Verify attributes

©2023 Zscaler, Inc. All rights reserved. 15

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

10. Test the schema configuration by clicking Preview under each Object Type (account, group).

Figure 10. Test configuration

11. Click Preview to display the live data from the ZIA SCIM server connection (account preview shown).

Figure 11. Preview Live Data

12. Configure provisioning plans. For this tutorial, an account creation plan is shown. First, click
Configuration > Provisioning Policies in the application definition. Then click Add Policy next to the Create type in
the Object Type: account section.

Figure 12. Configure provisioning plan

©2023 Zscaler, Inc. All rights reserved. 16

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

13. Click Create Policy Form.

Figure 13. Create Policy Form

14. Configure the policy form for ZIA. For more information, refer to SailPoint’s provisioning documentation.

a. Enter a name of the create account policy.

b. (Optional) Enter a description.
c. Add a section to the policy form. In this case, it was edited and named Required Attributes.
d. Click the Add (+) icon next to the section to add a new field.
e. For ZIA, new accounts require that a Name and Display Name are populated. Create a field for
each of these.

For each field, make sure to select the Required checkbox under Type Settings.

Figure 14. Configure policy form for ZIA

15. Click Save.

©2023 Zscaler, Inc. All rights reserved. 17

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

16. Verify that the new provisioning policy appears next to the Create type on the application definition.

Figure 15. Verify configuration policy

17. Click Save at the bottom of the main application definition screen.

Figure 16. Save configuration policy

©2023 Zscaler, Inc. All rights reserved. 18

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

The new application is listed in the Application view of IdentityIQ.

Figure 17. Verify new application

Configuring Aggregation Tasks

1. From the Setup drop-down menu, select Tasks.

Figure 18. Configuring aggregation tasks

©2023 Zscaler, Inc. All rights reserved. 19

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

2. To create an account aggregation task, click New Task in the top-right of the window, and then select Account
Aggregation.

Figure 19. Create new task

©2023 Zscaler, Inc. All rights reserved. 20

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

3. Give the task a name, and make sure to select the previously-defined ZIA application from the Select applications
to scan drop-down menu.

Figure 20. Configure task settings

4. Click Save and Execute at the bottom of the task configuration page.

Figure 21. Save and Execute

©2023 Zscaler, Inc. All rights reserved. 21

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

5. Verify that the new task displays under the Type: Account Aggregation section of the task list.
Click the Task Results tab.

Figure 22. Verify account aggregation task

6. Confirm that the account aggregation completed.

Figure 23. Config account aggregation task completion

©2023 Zscaler, Inc. All rights reserved. 22

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

7. View the task execution details by clicking the successful task.

Figure 24. View task execution details

©2023 Zscaler, Inc. All rights reserved. 23

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

8. Return to the main tasks window to create a group aggregation task. Click New Task, and then select Account Group
Aggregation.

Figure 25. Create group aggregation task

©2023 Zscaler, Inc. All rights reserved. 24

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

9. Like the account aggregation, give the group aggregation a name and select the ZIA application from the Select
applications to scan drop-down menu.

Figure 26. Link account aggregation

10. Click Save and Execute.

Figure 27. Save and Execute

©2023 Zscaler, Inc. All rights reserved. 25

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

11. Confirm the group aggregation was successful by switching to the Task Results tab.

Figure 28. Confirm group aggregation

12. View a detailed summary of the task by clicking the task.

Figure 29. View task detailed summary

©2023 Zscaler, Inc. All rights reserved. 26

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

Confirm Account Provisioning

Confirm that the account provisioning was accurately set up.

1. Click the menu in the top left of any screen in IdentityIQ. Go to Manage User Access >
Manage Accounts.

Figure 30. Navigate to Manage Accounts

©2023 Zscaler, Inc. All rights reserved. 27

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

2. Find the identity for which you are creating a new ZIA account. Click Manage for that user’s tile.

Figure 31. Manage ZIA user

3. Click Request Account, which displays the identities currently-provisioned application accounts.

Figure 32. Request ZIA user

©2023 Zscaler, Inc. All rights reserved. 28

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

4. Select the ZIA application from the Application drop-down menu.

Figure 33. Request ZIA application

5. Click Confirm.

Figure 34. Confirm ZIA application

©2023 Zscaler, Inc. All rights reserved. 29

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

6. Submit the user request by clicking Submit.

Figure 35. Submit user request

7. Since the create provisioning policy had several required fields (userName, displayName), IdentityIQ prompts the
requester with a form to provide those values. Click Complete Form.

Figure 36. Enter in user required fields

©2023 Zscaler, Inc. All rights reserved. 30

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

8. Fill in the User Name. The user name must be in the format of a valid email address. Click Ok.

Figure 37. Verify user email address

9. To confirm if the account was correctly provisioned, run another account aggregation for the ZIA application.
Otherwise, confirm directly in ZIA.

Figure 38. Confirm account provisioning

©2023 Zscaler, Inc. All rights reserved. 31

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

Configuring SailPoint IdentityIQ for ZPA

The following section reviews how to configure SailPoint IdentityIQ for ZPA.

Creating the Zscaler Application

1. From the Applications drop-down menu, select Application Definition.

Figure 39. Create the Zscaler application definition

2. Click Add New Application.

Figure 40. Add new application

©2023 Zscaler, Inc. All rights reserved. 32

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

3. To set the application type, select SCIM 2.0 from the Application Type drop-down menu.

Figure 41. Configure application type

©2023 Zscaler, Inc. All rights reserved. 33

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

4. Create a Zscaler application by entering an application name and an application owner for the ZPA application. For
more information on how IdentityIQ uses these fields, refer to the SailPoint Product Documentation.

Figure 42. Log into Zscaler

5. Test the connection by entering the connection parameters specific to your ZPA SCIM server:

• Use https://scim.zscalerbeta.net/<your_tenant_id>/scim as the base URL to the SCIM server.

• Select API Token as the Authentication Type.
• Enter the API token provided by your ZPA administrator.

©2023 Zscaler, Inc. All rights reserved. 34

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

6. Click Test Connection to ensure the parameters were entered correctly.

Figure 43. Test connection

©2023 Zscaler, Inc. All rights reserved. 35

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

7. Go to Configuration > Schema to set the schema configuration. Click Discover Schema Attributes under the Object
Type: account section.

Figure 44. Schema configuration

©2023 Zscaler, Inc. All rights reserved. 36

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

8. Review the populated ZPA attributes for a user.

Figure 45. ZPA user attributes

©2023 Zscaler, Inc. All rights reserved. 37

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

9. Click Discover Schema Attributes under the Object Type: group section of the Schema sub-tab.

Figure 46. Discover schema attributes

10. Verify that the attributes for the ZPA group were populated.

Figure 47. Verify attributes

©2023 Zscaler, Inc. All rights reserved. 38

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

11. Test the configuration. Click Preview under each Object Type (account, group).

Figure 48. Test configuration

12. Review the live data from the ZPA SCIM server connection (account preview shown).

Figure 49. Preview live data

13. Configure provisioning plans. This tutorial shows an account creation plan. First, click the Configuration >
Provisioning Policies sub-tab in the application definition.
14. Click Add Policy next to the Create type in the Object Type: account section.

Figure 50. Configure provisioning plan

©2023 Zscaler, Inc. All rights reserved. 39

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

15. Click Create Policy Form.

Figure 51. Create policy form

16. Configure the policy form for ZPA. For more information, refer to SailPoint’s provisioning documentation:

a. Enter a name of the create account policy.

b. (Optional) Enter a description.
c. Add a section to the policy form. In this case, it was edited and named Required Attributes.
d. Click the Add (+) icon next to the section to add a new field.
e. For ZPA, new accounts require that a Name and Display Name are populated. Create a field for each of these.
f. For each field, make sure to select the Required checkbox under Type Settings.
g. When completed, click Save.

Figure 52. Configure policy form for ZPA

©2023 Zscaler, Inc. All rights reserved. 40

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

17. Verify that the new provisioning policy appears next to the Create type on the application definition.

Figure 53. Verify configuration policy

18. Save the configuration policy. Click Save.

Figure 54. Save configuration policy

©2023 Zscaler, Inc. All rights reserved. 41

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

The new application is listed in the Application view of IdentityIQ.

Figure 55. Verify new application

Configuring Aggregation Tasks

In this section, aggregation tasks for ZPA and SailPoint IdentityIQ are identified.

1. From the Setup drop-down menu, select Tasks.

Figure 56. Configuring aggregation tasks

©2023 Zscaler, Inc. All rights reserved. 42

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

2. To create an account aggregation task, click New Task, and then select Account Aggregation.

Figure 57. Create new task

©2023 Zscaler, Inc. All rights reserved. 43

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

3. Give the task a name, and make sure to select the previously-defined ZPA application from the Select applications
to scan drop-down menu.

Figure 58. Configure task settings

4. Click Save and Execute at the bottom of the task configuration page.

Figure 59. Save and Execute

©2023 Zscaler, Inc. All rights reserved. 44

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

5. Verify that the new task is displayed under the Type: Account Aggregation section of the task list. Click the Task
Results tab.

Figure 60. Verify account aggregation task

6. Confirm that the account aggregation completed.

Figure 61. Config account aggregation task completion

©2023 Zscaler, Inc. All rights reserved. 45

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

7. View task execution details by clicking the successful task.

Figure 62. View task execution details

8. Return to the main tasks window to create a group aggregation task. Click New Task, and then select Account Group
Aggregation.

Figure 63. Create group aggregation task

©2023 Zscaler, Inc. All rights reserved. 46

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

9. Link the account aggregation, give the group aggregation a name, and select the ZPA application from the Select
applications to scan drop-down menu.

Figure 64. Link account aggregation

10. Click Save and Execute.

Figure 65. Save and execute

©2023 Zscaler, Inc. All rights reserved. 47

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

11. Confirm the group aggregation was successful by switching to the Task Results tab.

Figure 66. Confirm group aggregation

12. View a detailed summary of the task by clicking the task.

Figure 67. View task detailed summary

©2023 Zscaler, Inc. All rights reserved. 48

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

Confirm Account Provisioning

Confirm the account provisioning in SailPoint and ZPA.

1. Click the menu in the top left of any screen in IdentityIQ. Go to Manage User Access >
Manage Accounts.

Figure 68. Navigate to Manage Accounts

©2023 Zscaler, Inc. All rights reserved. 49

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

2. Find the identity for which you are creating a new ZPA account. Click Manage for that user’s tile.

Figure 69. Manage ZPA user

3. Click Request Account, which displays the identities currently-provisioned application accounts. Click Request
Account.

Figure 70. Request ZPA user

©2023 Zscaler, Inc. All rights reserved. 50

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

4. Select the ZPA application from the Application drop-down menu and click Submit.

Figure 71. Request ZPA application

5. Click Confirm.

Figure 72. Confirm ZPA application

©2023 Zscaler, Inc. All rights reserved. 51

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

6. Submit a user request by clicking Submit.

Figure 73. Submit user request

7. Since the Create Provisioning policy had several required fields (Name, Display Name), IdentityIQ prompts the
requester with a form to provide those values.
Click Complete Form.

Figure 74. Enter user required fields

©2023 Zscaler, Inc. All rights reserved. 52

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

8. Fill in the User Name. The user name must be a valid email address. Click Ok to launch the request.

Figure 75. Verify user email address

9. To confirm if the account was correctly provisioned, run another account aggregation for the ZPA application.
Otherwise, confirm directly in ZPA.

Figure 76. Confirm account provisioning

©2023 Zscaler, Inc. All rights reserved. 53

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

Configuring SailPoint IdentityNow for ZIA

In this section, you’ll configure SailPoint IdentityNow for ZIA.

Creating the Zscaler Source

1. Log into IdentityNow as an administrator and go to the administrative dashboard. Define a new Source by selecting
Sources from the Connections drop-down menu.

Figure 77. Navigating to sources page

2. Click New.

Figure 78. Creating new source

3. Select SCIM 2.0 from the Source Type drop-down menu. Give the source a Source Name, a Description, and select
Direct Connection as the Connection Type. Click Continue.

Figure 79. Source creation fields

4. Enter the connection parameters specific to your ZIA SCIM server:

• Select your virtual appliance from the drop-down menu.

• Provide any governance group selection (if applicable).

©2023 Zscaler, Inc. All rights reserved. 54

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

5. Click Save.

Figure 80. Virtual application selection

6. Configure connection settings:

• Set the Host URL to the SCIM server in the format
https://scim.zscalerbeta.net/<your_tenant_id>/scim.
• Select API Token as the Authentication Type.
• Enter the API token provided by your ZIA administrator in the API token field.
7. Click Save.

Figure 81. Host URL, Authentication Type, and API Token configuration

©2023 Zscaler, Inc. All rights reserved. 55

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

8. From the left-side navigation, select Review and Test. Then click Test Connection to verify connectivity to the
Zscaler SCIM server.

Figure 82. Test connection successful

9. Click Back and then click Go To Source Page to continue configuration.

Figure 83. Return to source configuration page

10. From the left-side navigation, go to Import Data > Account Schema. From the Options drop-down menu, select
Discover Schema.

Figure 84. Schema discovery

©2023 Zscaler, Inc. All rights reserved. 56

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

11. The attributes for a user in ZIA are populated. Flag the id attribute as Account ID. Flag the userName attribute as
Account Name. Flag the groups attribute as Entitlement and Multi-Valued.

Figure 85. Flagging account id, userName, and groups attributes in schema

12. Set up account correlation. This is likely a mapping of the attribute that includes a username in Zscaler (email
address) and the Work Email attribute of the identity. This might be different or require additional correlation
depending on your organization.

Figure 86. Correlation definition

Source configuration is now complete.

Additional Resources
For additional information regarding standard IdentityNow and its configuration (such as Identity Profiles, source
aggregation, and provisioning) refer to the following SailPoint community articles.

Working with Connectors and Sources

https://community.sailpoint.com/t5/IdentityNow-Connectors/Guide-to-IdentityNow-Sources-and-Connectors/ta-
p/73888

Provisioning
• Populate the required attributes, Name and Display Name, to provision a new user account. The username must be
a valid email format. Creation fails if these conditions are not met.
• https://documentation.sailpoint.com/saas/help/?_gl=1*u1djs1*_ga*OTQ1MzE3NzU5LjE2ODU1NjI4MDI.*_ga_
SS72Z4HXJM*MTY4NTY0MjI3My42LjEuMTY4NTY0MjYzOC4zNS4wLjA.&_ga=2.33746017.130981577.1685562802-
945317759.1685562802#_gl=1*l3gs0*_gcl_au*MTM5NTA5NzYyOC4xNjg1NTYyODAy

©2023 Zscaler, Inc. All rights reserved. 57

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

Configuring SailPoint IdentityNow for ZPA

This section shows you how to configure SailPoint IdentityNow for ZPA.

Creating the Zscaler Source

1. Log into IdentityNow as an administrator and go to the administrative dashboard. Define a new Source by selecting
Sources from the Connections drop-down menu.

Figure 87. Navigating to Sources page

2. Click New.

Figure 88. Creating new source

3. Select SCIM 2.0 from the Source Type drop-down menu. Give the source a Source Name, a Description, and select
Direct Connection as the Connection Type. Click Continue.

Figure 89. Source creation fields

©2023 Zscaler, Inc. All rights reserved. 58

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

4. Enter the Virtual Appliance information for the connection to the ZPA SCIM server:

• Select your virtual appliance from the drop-down menu.

• Provide any governance group selection (if applicable).
• Click Save.

Figure 90. Virtual application selection

5. Configure connection settings:

• Set the Host URL to the SCIM server and in the format
https://scim1.zpabeta.net/scim/1/<your_tenant_id>/v2.
• Select API Token as the Authentication Type.
• Enter the API token provided by your ZPA administrator in the API token field.
• Click Save.

Figure 91. Host URL, Authentication Type, and API Token configuration

©2023 Zscaler, Inc. All rights reserved. 59

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

6. From the left-side navigation, select Review and Test. Then click Test Connection to verify connectivity to the
Zscaler SCIM server..

Figure 92. Test connection successful

7. Click Back and then click Go To Source Page to continue configuration.

Figure 93. Return to source configuration page

8. From the left-side navigation, select Import Data > Account Schema. From the Options drop-down menu, select
Discover Schema.

Figure 94. Schema discovery

©2023 Zscaler, Inc. All rights reserved. 60

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

9. The attributes for a user in ZPA are populated. Flag the id attribute as Account ID. Flag the userName attribute as
Account Name. Flag the groups attribute as Entitlement and Multi-Valued.

Figure 95. Flagging account id, userName, and groups attributes in schema

10. Set up account correlation. This is likely a mapping of the attribute representing a username in Zscaler (email
address) and Work Email attribute of the identity. This might be different and require additional correlation for your
organization.

Figure 96. Correlation definition

Source configuration is now complete.

Additional Resources
For additional information regarding standard IdentityNow and its configuration, such as Identity Profiles, source
aggregation, and provisioning, refer to the following SailPoint community articles.

Working with Connectors and Sources

https://community.sailpoint.com/t5/IdentityNow-Connectors/Guide-to-IdentityNow-Sources-and-Connectors/ta-
p/73888

Provisioning
• Populate the required attributes, Name and Display Name, to provision a new user The username must be a valid
email format. Creation fails if these conditions are not met.
• https://documentation.sailpoint.com/saas/help/?_gl=1*u1djs1*_ga*OTQ1MzE3NzU5LjE2ODU1NjI4MDI.*_ga_
SS72Z4HXJM*MTY4NTY0MjI3My42LjEuMTY4NTY0MjYzOC4zNS4wLjA.&_ga=2.33746017.130981577.1685562802-
945317759.1685562802#_gl=1*l3gs0*_gcl_au*MTM5NTA5NzYyOC4xNjg1NTYyODA

©2023 Zscaler, Inc. All rights reserved. 61

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

Appendix A: Requesting Zscaler Support

You might need Zscaler Support for provisioning certain services, or to help troubleshoot configuration and service issues.
Zscaler Support is available 24/7/365.

To contact Zscaler Support, go to Administration > Settings > and then click Company Profile.

Figure 97. Collecting details to open support case with Zscaler TAC

©2023 Zscaler, Inc. All rights reserved. 62

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

Save Company ID
Copy the Company ID, as shown below.

Figure 98. Company ID

©2023 Zscaler, Inc. All rights reserved. 63

 ZSCALER AND SAILPOINT DEPLOYMENT GUIDE

Enter Support Section

Now that you have your company ID, you can open a support ticket. Go to Dashboard > Support > Submit a Ticket.

Figure 99. Submit a ticket

©2023 Zscaler, Inc. All rights reserved. 64