Configure Zscaler user provisioning

You can set up automated user provisioning (autoprovisioning) so that any changes you make to user accounts in Google Workspace are automatically synced with this third-party app. 

Before you begin

Before you can set up automated user provisioning, you need to set up SSO for Zscaler. For the steps, go to Zscaler cloud app

Set up automated user provisioning

 Expand section  |  Collapse all & go to top

Get API access token and endpoint URL for Zscaler app
  1. Go to your Zscaler sign-in page and sign in with your Zscaler administrator account.

  2. To enable SCIM provisioning in the ZIA admin portal and to obtain API access token and endpoint URL, see Configuring SCIM.

Set up autoprovisioning for app
You must be signed in as a super administrator for this task.
  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenWeb and mobile apps.

  3. Click Zscaler.
  4. For Autoprovisioning, click Configure autoprovisioning.
  5. For Access token, paste the API token that you copied from Zscaler.
  6. Click Continue.
  7. For Endpoint URL, paste the endpoint URL that you copied from Zscaler.
  8. For App attributes, verify that all mandatory attributes—those marked with an asterisk (*)—are mapped to Google directory attributes. If not, click the Down arrow and map them to the appropriate attribute.
  9. Click Continue.
  10. (Optional) To limit autoprovisioning to specific groups of users:

    If a group has users from a secondary domain or from outside of your organization, those users are not provisioned.

    1. For Search groups, enter one or more letters of the group name, select the group name, and choose a scope.
    2. Add any additional groups.
    3. (Optional) To remove a group, click Remove .
  11. Decide how long users have access to the app after the app is turned off for them, or their Google Workspace account is suspended or deleted. You can suspend and then hard delete their account in Zscaler. Or, just suspend or hard delete them. You can set the time frame individually for each option and choose within 24 hours or after one, seven, or 21 days.  
    1. Choose options for each of these settings, as needed:
      • When an app is turned off for a user
      • When a user is suspended from Google
      • When a user is deleted from Google
    2. Click Finish.
  12. Turn on Autoprovisioning.
  13. Click Turn on to confirm.

Edit provisioning information

  Expand section  |  Collapse all & go to top

Edit user groups subject to autoprovisioning
You must be signed in as a super administrator for this task.
  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenWeb and mobile apps.

  3. Click Zscaler.
  4. Click Autoprovisioning.
  5. For Provisioning scope, click Edit.
  6. For Search groups, enter one or more letters of the group name, select the group name, and choose a scope.
  7. Add any additional groups.
  8. (Optional) To remove a group, click Remove .

    If a group has users from a secondary domain or from outside of your organization, those users are not provisioned.

  9. Click Update.

If you turned on the Zscaler app for certain organizational units, only users in the added groups who are also members of those organizational units are subject to autoprovisioning. 

Edit deprovisioning time frames
You must be signed in as a super administrator for this task.
  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenWeb and mobile apps.

  3. Click Zscaler.
  4. Click Autoprovisioning.
  5. For Deprovisioning, click Edit.
  6. Decide how long users have access to the app after the app is turned off for them, or their Google Workspace account is suspended or deleted. You can suspend and then hard delete their account in Zscaler. Or, just suspend or hard delete them. You can set the time frame individually for each option and choose within 24 hours or after one, seven, or 21 days. 
    1. Choose options for each of these settings, as needed:
      • When an app is turned off for a user
      • When a user is suspended from Google
      • When a user is deleted from Google
    2. Click Finish.

Turn off autoprovisioning & delete configuration information

  Expand section  |  Collapse all & go to top

You can turn off autoprovisioning for the Zscaler app without losing configuration information. Or, you can turn off autoprovisioning and remove all configuration information.

Turn off autoprovisioning
You must be signed in as a super administrator for this task.
  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenWeb and mobile apps.

  3. Click Zscaler.
  4. Choose an option:
    • Turn off Autoprovisioning.
    • Click AutoprovisioningStatusTurn off.
  5. Click Turn off to confirm.
Turn off autoprovisioning & delete configuration information
 You must be signed in as a super administrator for this task.
  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenWeb and mobile apps.

  3. Click Zscaler.
  4. Click Autoprovisioning.
  5. For Delete configuration, click Delete.
  6. Click Delete to turn off autoprovisioning and remove all the configuration information.
    Existing users will not be removed from Zscaler and can still use the app.

 

Review usage information

After you turn on autoprovisioning, you can review usage information. For details, go to Monitor automated user provisioning.

You can review the following usage information for the last 30 days:

Admin log event

Description

Create User By Auto Provisioning

Users created by autoprovisioning

Update Auto Provisioned User

Users updated by autoprovisioning

Suspend Auto Provisioned User

Users suspended by autoprovisioning

Unsuspend Auto Provisioned User

Users reactivated by autoprovisioning

Hard Delete Auto Provisioned User

Users deleted by autoprovisioning

Failures

Failed requests

If autoprovisioning stops working…

Sometimes, due to account inactivity or if the admin password for Zscaler changes, autoprovisioning stops working. To continue syncing user accounts in Google Workspace to the app, you need to reauthorize autoprovisioning.

You must be signed in as a super administrator for this task.

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenWeb and mobile apps.

  3. Click Zscaler.
  4. Click Autoprovisioning.
  5. For App authorization, click Reauthorize.
  6. For Access token, enter the API token from Zscaler.

    If you need to generate another token, follow the steps in Get API access token and endpoint URL for ZScaler app.

  7. Click Re-authorize.

For details on other reasons why autoprovisioning might stop working, refer to the app’s documentation.

 


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

 

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu