A ZTNA administrator is using an RSA SAML Identity Provider (IDP) server to authenticate users.
Using the 'Generic SAML' identity server option, the trust relationship with the RSA IDP server was built, but the SCIM URL field was left empty because no SCIM server exists.
Users are redirected to authenticate via the RSA IDP server, but when the assertion is sent to ZTNA a login page appears asking the user for their credentials, i.e. there is no single sign-on.
The ZTNA admin then used the ZTNA APIs to manually create SCIM users/groups; once done, this allowed a user to single sign on via the RSA SAML IDP server.
However, when trying to assign users/'entities' to any ZTNA application, none of the SCIM-created users or groups appear for selection, so the ZTNA admin cannot use this option.
How does one assign users to applications when SAML authentication is required but no SCIM server exists?
ZTNA.
SAML Authentication.
SAML IDP server has no SCIM component.
Generic SAML identity provider.
REST APIs do not provision users within ZTNA for selection by application.
Create a SAML assertion with the required attributes and use the new SAML provisioning feature (available June '24) provided by ZTNA.
To enable this:
When a user authenticates via their SAML IDP server, SSO with ZTNA now completes successfully AND the user is provisioned within the ZTNA environment.
When adding entities to application policies, the ZTNA admin can browse to the 'Generic SAML' identity provider in the selection list and now see all the provisioned users and groups. Simply add the user/group to the application policy for it to be applied.
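As an added illustration (not ZTNA product code) of what assertion-based provisioning does in place of SCIM: the user and group objects that the admin previously had to create by hand through the API are derived from the NameID and attributes of the SAML assertion. The attribute names "displayName" and "groups" and the sample assertion are assumptions constructed for this example.

```python
"""Just-in-time provisioning of a user and their groups from SAML assertion
attributes. Added example, not ZTNA code; attribute names are assumptions."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion. The Signature element is omitted; a real
# consumer must verify the signature before trusting any attribute here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c1" IssueInstant="2024-06-01T12:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.com/rsa</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="displayName"><saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>finance</saml:AttributeValue>
      <saml:AttributeValue>vpn-users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def provision_from_assertion(xml_text, group_attr="groups", name_attr="displayName"):
    """Return (user, groups) in the shape a SCIM provisioning run would create.

    Refuses to provision when the assertion carries no usable NameID, since
    that is the identity the application policy is keyed on.
    """
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no NameID; refusing to provision")
    subject = name_id.text.strip()

    # Collect every attribute as a list of values (multi-valued attrs are common).
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values

    user = {
        "userName": subject,
        "displayName": (attrs.get(name_attr) or [subject])[0],
        "active": True,
    }
    groups = sorted(set(attrs.get(group_attr, [])))  # de-duplicated, stable order
    return user, groups
```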