Because Zscaler doesn’t offer an API connection to allow for true user provisioning, users are provisioned through a system called Just In Time provisioning. This method of provisioning utilizes the SAML assertion to create users on the fly instead of needing to generate accounts ahead of time.
For example, if you’re adding a new employee in Zscaler, their account doesn’t need to be manually generated for them. Instead, when they log in via single sign-on, their Zscaler account is automatically generated for them, nullifying any need for user on-boarding.
To enable Just In Time provisioning, do the following:
- Starting in the Zscaler admin dashboard, click Administration.
- Go to Authentication Settings > Configure SAML.
- Toggle on Enable SAML Auto-Provisioning, and then fill out the attributes with the following:
  - User Display Name Attribute: DisplayName OR a macro of {firstname} {lastname}
  - Group Name Attribute: memberOf
  - Department Name Attribute: department OR <your_chosen_department_value>
- Click Save.
Now whenever a user logs into Zscaler through OneLogin for the first time, an account will be created for them instantaneously.
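
Since the account is built from whatever the SAML assertion carries, it helps to confirm that a test assertion from your identity provider actually contains the three attributes configured above before relying on auto-provisioning. The following is an added example, not code from Zscaler or OneLogin: the assertion is a constructed sample, the function names are hypothetical, exact attribute-name matching is an assumption, and signature validation is out of scope.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names taken from the auto-provisioning settings above.
REQUIRED = ("DisplayName", "memberOf", "department")

# Constructed sample assertion (not captured from a real identity provider).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="DisplayName">
      <saml:AttributeValue>Jane Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>Engineering</saml:AttributeValue>
      <saml:AttributeValue>VPN-Users</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="department">
      <saml:AttributeValue> </saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def read_attributes(assertion_xml):
    """Return {attribute name: [non-empty values]} from the AttributeStatement."""
    # Inspection only: this does not verify the assertion's signature.
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(v for v in values if v)
    return attrs

def jit_problems(assertion_xml, required=REQUIRED):
    """List required attributes that are missing or carry only empty values."""
    attrs = read_attributes(assertion_xml)
    problems = []
    for name in required:
        if name not in attrs:
            problems.append(f"{name}: missing from assertion")
        elif not attrs[name]:
            problems.append(f"{name}: present but empty")
    return problems

if __name__ == "__main__":
    print(read_attributes(SAMPLE_ASSERTION))
    print(jit_problems(SAMPLE_ASSERTION) or "all provisioning attributes present")
```

In the sample, `department` is sent with a blank value, which is the kind of gap that would otherwise only show up after the account has been created.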