How to provision users/groups into ZTNA using SAML without any SCIM service



Article ID: 371729


Products

Symantec ZTNA

Issue/Introduction

A ZTNA administrator uses an RSA SAML Identity Provider (IDP) server to authenticate users.

Using the 'Generic SAML' identity provider type, the administrator built the trust relationship with the RSA IDP server but left the SCIM URL field empty, because the IDP has no SCIM service.

Users are redirected to the RSA IDP server and authenticate there, but when the assertion is sent back to ZTNA a login page prompts the user for their credentials again, i.e. there is no single sign-on.

The ZTNA administrator then used the ZTNA REST APIs to create SCIM users and groups manually. Once those objects existed, a user could single sign on via the RSA SAML IDP server.

However, when assigning users or entities to ZTNA applications, none of the API-created SCIM users or groups appear in the selection list, so the administrator cannot use that option.

How are users assigned to applications when SAML authentication is required but no SCIM server exists?


Environment

ZTNA.

SAML Authentication.

SAML IDP server has no SCIM component.

Generic SAML identity provider.

Cause

Users and groups created through the ZTNA REST APIs (SCIM objects) are not provisioned as entities that can be selected in application policies. Only users and groups provisioned through an identity provider appear in that selection list.

Resolution

Configure the IDP server to send a SAML assertion with the required attributes, and use the SAML provisioning feature that ZTNA introduced in June 2024.

To enable this:

  • Create a new 'Generic SAML' identity provider as before. Leave the SCIM fields empty, since the IDP server has no SCIM component.
  • Set the 'User group resolution' field to 'SAML attributes'.
  • Make sure the IDP server sends the assertion with the following attributes (user_groups may carry multiple values, one per group):

    display_name
    email
    first_name
    last_name
    user_groups
    user_name

When a user authenticates via the SAML IDP server, SSO with ZTNA now completes successfully and the user is provisioned within the ZTNA environment from the assertion attributes. Because provisioning happens at login, a user and the groups listed in their assertion appear in ZTNA only after that user has authenticated at least once.

When adding entities to application policies, the ZTNA admin can browse to the 'Generic SAML' identity provider in the selection list and see all provisioned users and groups. Add the user or group to the application policy for it to be applied.
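The most common reason the provisioning step fails is that the IDP does not actually emit all six attributes under the exact names above. The following Python script, added here as an illustration and not part of the article or of the ZTNA product, builds a minimal unsigned assertion carrying those attributes and then checks a captured assertion for missing or empty ones. The sample user, e-mail and group names are constructed; the attribute names are the ones listed in the resolution. It does not verify the XML signature (ZTNA does that) and is meant only for inspecting what your IDP sends.

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2}
ET.register_namespace("saml2", SAML2)

# Attribute names ZTNA expects when 'User group resolution' is 'SAML attributes'.
REQUIRED_ATTRIBUTES = frozenset({
    "display_name", "email", "first_name", "last_name", "user_groups", "user_name",
})

# Constructed sample values for illustration; not from any real IDP.
SAMPLE_ATTRIBUTES = {
    "user_name": ["jdoe"],
    "email": ["jdoe@example.com"],
    "first_name": ["Jane"],
    "last_name": ["Doe"],
    "display_name": ["Jane Doe"],
    "user_groups": ["ztna-admins", "engineering"],  # multi-valued: one value per group
}


def build_assertion(attributes: dict[str, list[str]], subject: str) -> str:
    """Build a minimal, unsigned saml2:Assertion with an AttributeStatement.

    A real IDP also adds Issuer, Conditions, AuthnStatement and a signature;
    this only shows the attribute layout ZTNA reads.
    """
    assertion = ET.Element(f"{{{SAML2}}}Assertion", {"Version": "2.0", "ID": "_example"})
    subj = ET.SubElement(assertion, f"{{{SAML2}}}Subject")
    ET.SubElement(subj, f"{{{SAML2}}}NameID").text = subject
    stmt = ET.SubElement(assertion, f"{{{SAML2}}}AttributeStatement")
    for name, values in attributes.items():
        attr = ET.SubElement(stmt, f"{{{SAML2}}}Attribute", {"Name": name})
        for value in values:
            ET.SubElement(attr, f"{{{SAML2}}}AttributeValue").text = value
    return ET.tostring(assertion, encoding="unicode")


def extract_attributes(saml_xml: str) -> dict[str, list[str]]:
    """Return {attribute name: [values]} from an Assertion or a full Response."""
    root = ET.fromstring(saml_xml)
    attrs: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        name = attr.get("Name", "")
        values = [v.text.strip() for v in attr.iterfind("saml2:AttributeValue", NS) if v.text]
        attrs[name] = values
    return attrs


def check_required(attrs: dict[str, list[str]]) -> tuple[list[str], list[str]]:
    """Return (missing attribute names, attributes present but with no value)."""
    missing = sorted(REQUIRED_ATTRIBUTES - attrs.keys())
    empty = sorted(n for n in REQUIRED_ATTRIBUTES & attrs.keys() if not attrs[n])
    return missing, empty


if __name__ == "__main__":
    good = build_assertion(SAMPLE_ATTRIBUTES, "jdoe")
    print(good)
    print("good assertion:", check_required(extract_attributes(good)))

    # Typical failure: the IDP maps everything except user_groups.
    no_groups = {k: v for k, v in SAMPLE_ATTRIBUTES.items() if k != "user_groups"}
    bad = build_assertion(no_groups, "jdoe")
    print("missing groups:", check_required(extract_attributes(bad)))
```

To inspect a real login, capture the SAMLResponse form field from the browser (a SAML tracer extension or the developer tools network tab), base64-decode it into a file, and pass the decoded XML to `extract_attributes`. If `check_required` reports anything in either list, fix the attribute mapping on the IDP before retrying the login; an assertion that passes the check should provision the user and their groups on the next successful SSO.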