Integrating SAML with ZTNA and Cloud SWG
Article ID: 367637

Products

Symantec ZTNA

Issue/Introduction

A ZTNA admin is integrating with Cloud SWG to make use of segment-based applications.

One requirement is that the ZTNA setup needs to follow the SAML configuration in the Cloud SWG documentation.

The Cloud SWG SAML document references group configuration and SCIM (steps 6-8), but we don't have a need for either in our setup. Do we need these if we only want to use ZTNA Segment Application related features?

The ZTNA documentation also references tokens rather than SAML for Azure integration, and it appears that there is no need to specify groups for Segment Applications because group resolution is handled on the ZTNA side via API calls into Azure.

Environment

Cloud SWG.

ZTNA.

SAML integration with Azure.

Cause

Documentation clarity.

Resolution

The Cloud SWG SAML documentation covers configuration steps for Cloud SWG only, and hence includes the best-practice steps for sending group information to the Cloud Proxy and for synchronising users/groups via SCIM for policy configuration tasks.

When integrating with ZTNA, the user's name identifier (the Subject NameID from the SAML assertion) is sent from the Cloud SWG environment to ZTNA. ZTNA takes this unique identifier and, assuming its integration with Azure is working, performs lookups to find the user's groups. As a result, there is no need to send the user's groups to Cloud SWG in the SAML assertion unless Cloud SWG policies reference groups.
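The following script is an added illustration of the hand-off described above; it is not Broadcom code and does not call any Cloud SWG or ZTNA API. It constructs a sample SAML Response inline, extracts the Subject NameID that ZTNA receives, lists any group attribute the IdP happened to include (the attribute name "groups" and the group values are constructed), and reports whether a group attribute is actually needed, which depends only on whether a Cloud SWG policy rule references a group. The `ztna_resolve_groups` function is a stand-in for ZTNA's lookup into Azure, keyed by NameID, and the `directory` dictionary it reads is a constructed substitute for that directory.

```python
"""Inspect a SAML assertion the way the Cloud SWG -> ZTNA hand-off relies on it.

Added example, not Broadcom code. Everything below is constructed sample data.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample SAML Response (unsigned; illustration only).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>grp-finance</saml:AttributeValue>
        <saml:AttributeValue>grp-engineering</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def extract_name_id(response_xml: str) -> tuple:
    """Return (NameID value, NameID Format) from the assertion's Subject.

    This is the one piece of the assertion the ZTNA side depends on, so an
    assertion without it is rejected rather than silently passed through.
    """
    root = ET.fromstring(response_xml)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion carries no Subject NameID")
    return name_id.text.strip(), name_id.get("Format", "")


def extract_group_values(response_xml: str, attr_name: str = "groups") -> list:
    """List the values of the (constructed) group attribute, if the IdP sent one."""
    root = ET.fromstring(response_xml)
    values = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == attr_name:
            values.extend(
                (v.text or "").strip()
                for v in attr.findall("saml:AttributeValue", NS)
            )
    return values


def group_attribute_required(swg_policies: list) -> bool:
    """Cloud SWG only needs groups in the assertion when a policy rule references one.

    Each policy is a constructed dict such as {"name": "...", "groups": [...]}.
    """
    return any(rule.get("groups") for rule in swg_policies)


def ztna_resolve_groups(name_id: str, directory: dict) -> list:
    """Stand-in for ZTNA's lookup into Azure (assumption: keyed by the NameID)."""
    return sorted(directory.get(name_id, []))


def review(response_xml: str, swg_policies: list, directory: dict) -> dict:
    """Summarise what each side consumes from the assertion."""
    name_id, fmt = extract_name_id(response_xml)
    return {
        "name_id": name_id,
        "name_id_format": fmt,
        "groups_in_assertion": extract_group_values(response_xml),
        "swg_needs_group_attribute": group_attribute_required(swg_policies),
        "ztna_groups": ztna_resolve_groups(name_id, directory),
    }


if __name__ == "__main__":
    # Constructed directory standing in for the Azure lookup ZTNA performs.
    sample_directory = {"alice@example.com": ["Finance", "Engineering"]}
    # No Cloud SWG rule references a group, so the assertion's group attribute is surplus.
    print(review(SAMPLE_RESPONSE, [{"name": "block-social", "groups": []}], sample_directory))
```

Run with no arguments; the summary shows that ZTNA obtains the user's groups from its own directory lookup keyed by the NameID, while `swg_needs_group_attribute` only turns true once a Cloud SWG policy rule lists a group, which is the condition under which the SAML group configuration in the Cloud SWG document becomes relevant.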