---
title: Zscaler ZPA SCIM API Integration on Truto
slug: zscalerzpascim
category: Default
canonical: "https://truto.one/integrations/detail/zscalerzpascim/"
---

# Zscaler ZPA SCIM API Integration on Truto



**Category:** Default  
**Status:** Generally available

## Unified APIs

### Unified User Directory API

- **Users** — The User object represents a User.

## How it works

1. **Link your customer's Zscaler ZPA SCIM account.** Use Truto's frontend SDK; we handle every OAuth and API key flow so you don't need to create the OAuth app.
2. **Authentication is automatic.** Truto refreshes tokens, stores credentials securely, and injects them into every API request.
3. **Call Truto's API to reach Zscaler ZPA SCIM.** The Proxy API is a 1-to-1 mapping of the Zscaler ZPA SCIM API.
4. **Get a unified response format.** Every response uses a single shape, with cursor-based pagination and data in the `result` field.

## Use cases

- **Automate Zero Trust onboarding and offboarding** — HRIS and IT orchestration platforms can automatically provision users into Zscaler ZPA and assign them to the correct SCIM groups on Day 1, then instantly revoke access when employees are terminated — eliminating manual admin work and security gaps.
- **Contain threats by dynamically adjusting network access** — Security operations and XDR platforms can integrate with ZPA SCIM to instantly move compromised users into restricted groups or disable their accounts, cutting off access to sensitive internal applications in real time without waiting for a human response.
- **Reconcile access for compliance and audit readiness** — Governance, risk, and compliance (GRC) SaaS products can pull the full user and group directory from Zscaler ZPA to detect orphaned accounts, verify least-privilege group assignments, and generate audit-ready access reports.
- **Orchestrate directory sync during IdP migrations** — IAM and directory migration platforms can keep Zscaler ZPA in sync with a new identity source during transition periods, pushing bulk user and group updates through a single integration layer without requiring enterprises to write custom scripts.
- **Enforce role-based access policies from a central platform** — IT management SaaS products can map organizational roles to ZPA SCIM groups, ensuring that when an employee changes departments or job functions, their network-level access policies update automatically.

## What you can build

- **Zero-touch user provisioning to Zscaler ZPA** — Automatically create user accounts in Zscaler ZPA with correct group assignments the moment a new hire is confirmed in your platform.
- **Instant access revocation kill switch** — Deactivate a user's ZPA account in one click or via automated trigger, terminating active sessions and blocking future private application access.
- **Dynamic SCIM group membership management** — Add or remove users from ZPA SCIM groups programmatically to change which internal applications they can reach based on role changes, risk signals, or policy rules.
- **Full directory state sync and reconciliation** — Pull all users and groups from Zscaler ZPA to reconcile against your platform's system of record and flag drift, orphaned accounts, or over-privileged access.
- **Bulk user lifecycle operations during migrations** — Push batch user creation, updates, and group reassignments to Zscaler ZPA to keep access policies intact during directory or IdP migration projects.
- **Threat-triggered quarantine workflow** — Automatically move a flagged user into a restricted SCIM group when your platform detects anomalous behavior, limiting their network access without fully disabling their account.

## FAQs

### What protocol does Zscaler ZPA use for identity management?

Zscaler ZPA implements the SCIM 2.0 standard for user and group provisioning. All identity operations — creating, reading, updating, and deactivating users, as well as managing group memberships — follow the SCIM 2.0 specification.

### What authentication method is required for the ZPA SCIM API?

ZPA SCIM endpoints are typically authenticated using a Bearer token generated within the Zscaler ZPA admin portal. Your end users will need to provide this token when connecting their Zscaler account through your integration.

### What data can I read and write through ZPA SCIM?

You can manage User objects (userName, name, active status, title, department) and Group objects (displayName, members). Core operations include creating users, updating user attributes, toggling active status, and modifying group membership — all of which map to Truto's Unified User Directory API.

### Can I deactivate a user without deleting them?

Yes. SCIM 2.0 supports setting the `active` attribute to false via a PATCH or PUT request on the User resource. This disables the user's access and terminates active sessions while preserving the account and its audit trail.

### Is the ZPA SCIM integration available out of the box on Truto?

The Zscaler ZPA SCIM integration is built on request. Truto supports it under the Unified User Directory API for Users. Contact the Truto team to get this integration activated for your account — setup is fast since ZPA follows the SCIM 2.0 standard.

### How are access policies affected by SCIM group changes?

In Zscaler ZPA, access policies are typically bound to SCIM groups. When you add or remove a user from a group via the SCIM API, their ability to reach specific internal applications changes accordingly. This makes group membership the primary lever for controlling Zero Trust access.
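The deactivation and group-membership changes described in the two answers above, sketched as the SCIM 2.0 requests they reduce to. This is an added example, not Truto's or Zscaler's code: it assumes RFC 7644 PatchOp bodies, paths relative to the provider's SCIM base URL, constructed sample ids, and a hypothetical id character allow-list.

```python
import json
import re

PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"  # RFC 7644, section 3.5.2

def _patch(*operations):
    return {"schemas": [PATCH_OP], "Operations": list(operations)}

def _safe_id(resource_id):
    # Ids end up in URL paths and SCIM filter strings. The allow-list is an
    # assumption of this example: it stops a crafted id from altering either.
    if not re.fullmatch(r"[A-Za-z0-9_-]+", resource_id or ""):
        raise ValueError(f"unsafe SCIM id: {resource_id!r}")
    return resource_id

def deactivate_user(user_id):
    """Disable the account without deleting it, so the audit trail is kept."""
    body = _patch({"op": "replace", "path": "active", "value": False})
    return ("PATCH", f"/Users/{_safe_id(user_id)}", body)

def remove_member(group_id, user_id):
    # A filtered path removes one member and leaves the rest of the group intact.
    path = f'members[value eq "{_safe_id(user_id)}"]'
    return ("PATCH", f"/Groups/{_safe_id(group_id)}", _patch({"op": "remove", "path": path}))

def add_member(group_id, user_id):
    op = {"op": "add", "path": "members", "value": [{"value": _safe_id(user_id)}]}
    return ("PATCH", f"/Groups/{_safe_id(group_id)}", _patch(op))

def quarantine_plan(user_id, current_groups, restricted_group):
    """Ordered requests: removals first, so a failure midway leaves less access, not more."""
    plan = [remove_member(g, user_id)
            for g in sorted(current_groups) if g != restricted_group]
    if restricted_group not in current_groups:
        plan.append(add_member(restricted_group, user_id))
    return plan

if __name__ == "__main__":
    # Constructed sample ids, not taken from any real tenant.
    for method, path, body in quarantine_plan("u-1001", {"g-eng", "g-vpn"}, "g-restricted"):
        print(method, path, json.dumps(body))
    print(*deactivate_user("u-1001")[:2])
```

Whether a given provider accepts each PATCH operation, or requires a full PUT instead, should be confirmed against its SCIM `ServiceProviderConfig` before relying on the plan.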
