Integrating Azure Entra ID with Symantec ZTNA Using SAML + SCIM

1. Overview

This guide describes how to integrate Azure Entra ID with Symantec Zero Trust Network Access (ZTNA) using both SAML (for authentication) and SCIM (for user and group provisioning).

Goals

  • Authenticate users to ZTNA through Azure Entra ID
  • Synchronize users and groups automatically using SCIM
  • Enforce Azure Conditional Access and MFA
  • Map Azure groups to ZTNA policies

SAML = Authentication
SCIM = User / Group Provisioning


2. Configuration Steps

Prerequisite 1 – Verify a Custom Domain

If you want users to log in with user@yourdomain.com, you must verify your domain in Entra ID:

  • Go to Azure Portal → Entra ID → Custom domain names
  • Select + Add custom domain
  • Enter your domain, e.g., lihaifeng.net
  • Copy the TXT record (or MX) provided by Microsoft and add it to your DNS provider
  • Once DNS propagation is complete, return to the portal and select Verify
  • After verification, the domain will be available for user UPNs

Without domain verification, Entra ID accounts can only use the onmicrosoft.com suffix.


Prerequisite 2 – User and Group Assignment

  • In Entra ID → Groups, create a new group
    • Ensure the Group type is set to Security
  • Go to the Users tab → create a new user
    • Choose the verified domain as the UPN suffix
    • Assign the user to the group created earlier
  • In the application Symantec Web Security Service (WSS) → Users and groups
    • Select + Add user/group
    • Add the created user
    • Alternatively, assign the security group so that all members gain access (requires a higher plan level)

Prerequisite 3 – Verify Azure User Information

Before enabling SCIM provisioning, confirm that each Azure user has:

Tab                  | Required Fields
---------------------|---------------------------------------------------------------
Identity             | Display name, First name, Last name, User Principal Name (UPN)
Contact Information  | Email address

Missing attributes (especially email) will prevent SCIM synchronization.


Step 2 – Create a Generic SAML Application in Azure

  1. Sign in to the Azure Portal.
  2. Navigate to Entra ID → Enterprise Applications → New application.
  3. Select Create your own application.
  4. Name it, for example Symantec ZTNA SCIM.
  5. Choose Integrate any other application you don’t find in the gallery.
  6. Click Create.
  7. Open the new app → Single sign-on → SAML.
  8. In SAML Certificates, copy the App Federation Metadata URL.
  9. Open that URL in a browser and note the following:
    • entityID (from <EntityDescriptor entityID="...">)
    • SingleSignOnService Location (from <SingleSignOnService Location="...">)
      Keep this page open for Step 5 to copy the X.509 certificate.

Step 3 – Create the Generic SAML Azure IdP in ZTNA

  • Log in to the ZTNA Admin Portal.
  • Go to Settings → Directory → Identity Providers.
  • Click New – Generic SAML.
  • In Basic Data:
Field                        | Value
-----------------------------|--------------------------------
IdP Name                     | e.g. Azure SCIM
entityID                     | Copied from Step 2
Single Sign-On Service URL   | Copied from Step 2
X.509 Certificate            | Enter temporary text (for now)
  • Under User Group Resolution, select SCIM.
  • Click Save & Continue.

ZTNA generates these values — record them for later:

ZTNA Field            | Used in Azure
----------------------|---------------------------------
Single Sign-On URL    | Reply URL (ACS URL)
Audience URI          | Identifier (Entity ID)
SCIM Base URL         | Tenant URL for SCIM Provisioning
  • Click Save.

Step 4 – Add ZTNA Audience URI and SSO Values to Azure

  1. Return to Azure Portal → open the app created in Step 2.
  2. Go to Single sign-on → Basic SAML Configuration.
  3. Enter the ZTNA values:
Azure Field              | ZTNA Value
-------------------------|--------------------
Identifier (Entity ID)   | Audience URI
Reply URL (ACS URL)      | Single Sign-On URL
  4. Click Save.

Step 5 – Paste the X.509 Certificate into ZTNA

  1. Go back to the Azure Federation Metadata XML page.
  2. Copy the text between <X509Certificate> and </X509Certificate> (only the base64 content).
  3. In ZTNA, edit the SAML IdP created in Step 3.
  4. Paste the certificate to replace the temporary text.
  5. Click Save & Continue → Continue → Save.
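Step 2 (item 9) and Step 5 both have you copy values by hand out of the App Federation Metadata XML: the entityID, the SingleSignOnService Location, and the base64 body of the X509Certificate element. The following is an added example, not code from the original guide or from Symantec or Microsoft, that pulls those three values out of a metadata document with Python's standard library, prefers the HTTP-Redirect SSO binding, normalises the certificate to the bare base64 that ZTNA expects, and checks that it actually decodes to DER. The embedded metadata is a constructed sample: the tenant GUID, URLs and certificate bytes are placeholders, not values from a real tenant.

```python
# Added example (not from the original guide): extract the three values that
# Step 2 and Step 5 ask you to copy from the Entra ID federation metadata XML.
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample metadata. The tenant GUID, URLs and certificate bytes are
# placeholders; a real document is fetched from the App Federation Metadata URL.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>
          MIIBAAAA
          BBBB
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_federation_metadata(xml_text: str) -> dict:
    """Return entity_id, sso_url and the bare base64 signing certificate."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    # Prefer the HTTP-Redirect endpoint; fall back to the first one listed.
    sso_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if sso_url is None or svc.get("Binding") == REDIRECT_BINDING:
            sso_url = svc.get("Location")

    # Only the signing key is relevant to ZTNA; a KeyDescriptor without a
    # "use" attribute is valid for both signing and encryption.
    cert_b64 = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if node is not None and node.text:
            cert_b64 = "".join(node.text.split())   # strip all whitespace
            break

    if not (entity_id and sso_url and cert_b64):
        raise ValueError("metadata is missing entityID, SSO URL or signing certificate")
    der = base64.b64decode(cert_b64, validate=True)
    if der[:1] != b"\x30":
        raise ValueError("certificate is not DER-encoded X.509 (expected SEQUENCE)")
    return {"entity_id": entity_id, "sso_url": sso_url, "certificate": cert_b64}


def to_pem(cert_b64: str) -> str:
    """Wrap the bare base64 as PEM, useful for inspecting it with openssl."""
    body = "\n".join(textwrap.wrap(cert_b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    values = parse_federation_metadata(SAMPLE_METADATA)
    print("entityID:       ", values["entity_id"])
    print("SSO URL:        ", values["sso_url"])
    print("X.509 (base64): ", values["certificate"])
    print(to_pem(values["certificate"]))
```

To use it against a real tenant, fetch the App Federation Metadata URL and pass the response body to parse_federation_metadata; the certificate value it returns is exactly what Step 5 pastes into ZTNA, and the PEM form lets you check the signing certificate's validity period with openssl x509 before it expires and breaks logins.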

Step 6 – Create a ZTNA API Client with a Non-Expiring Token

  • In ZTNA Portal → Settings → Directory → API Clients.
  • Click New.
  • Choose Type: Token.
  • Give it a name (e.g. Azure SCIM Client).
  • Click Save.
  • Copy the Client ID and Client Token immediately — they cannot be retrieved again.
  • Assign the Tenant Admin Role to this API client.
  • Edit the client → check Enforce Roles → Save.

Step 7 – Configure Azure SCIM Provisioning

  1. In Azure Portal, open the ZTNA app → Provisioning tab.
  2. Click Get Started (if not yet configured).
  3. Set Provisioning Mode to Automatic.
  4. In Tenant URL, enter:
<ZTNA SCIM Base URL>?aadOptscim062020

Example:

https://admin.tenantname.luminatesec.com/v1/identities/abc?aadOptscim062020
  5. In Secret Token, paste the ZTNA API Client Token.
  6. Click Test Connection, verify success, then Save.
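Prerequisite 3 warns that users missing attributes (especially the email address) will not synchronise, and Step 7 requires the SCIM Base URL to carry the aadOptscim062020 query flag. The following is an added example, not code from the original guide or from Symantec or Microsoft, that runs both checks before you click Test Connection: it validates each directory user against the required fields, maps the ones that pass to the SCIM 2.0 core User resource that provisioning will send (following Entra's default attribute mapping of UPN to userName and mail to emails), and builds the Tenant URL with the flag appended exactly once. The user records are a constructed sample; the ZTNA base URL is the guide's own placeholder.

```python
# Added example (not from the original guide): pre-flight checks before turning
# on Entra ID -> ZTNA SCIM provisioning. SCIM attribute names follow the core
# User schema (RFC 7643); the sample users below are constructed.
from urllib.parse import parse_qs, urlsplit, urlunsplit

AAD_SCIM_FLAG = "aadOptscim062020"   # query flag Step 7 appends to the Tenant URL

# Entra attribute -> portal field named in Prerequisite 3
REQUIRED = {
    "displayName": "Identity > Display name",
    "givenName": "Identity > First name",
    "surname": "Identity > Last name",
    "userPrincipalName": "Identity > User Principal Name",
    "mail": "Contact Information > Email address",
}


def missing_attributes(user: dict) -> list:
    """Return the portal fields that are empty for this user."""
    return [label for attr, label in REQUIRED.items()
            if not (user.get(attr) or "").strip()]


def to_scim_user(user: dict) -> dict:
    """Map an Entra user to the SCIM core User that provisioning will send."""
    gaps = missing_attributes(user)
    if gaps:
        upn = user.get("userPrincipalName") or "<no UPN>"
        raise ValueError(f"{upn}: missing {', '.join(gaps)}")
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": user["userPrincipalName"],
        "displayName": user["displayName"],
        "name": {"givenName": user["givenName"], "familyName": user["surname"]},
        "emails": [{"value": user["mail"], "type": "work", "primary": True}],
        "active": True,
    }


def build_tenant_url(scim_base_url: str) -> str:
    """Append the Entra flag exactly once and insist on HTTPS."""
    parts = urlsplit(scim_base_url)
    if parts.scheme != "https":
        raise ValueError("SCIM base URL must use https")
    if AAD_SCIM_FLAG in parse_qs(parts.query, keep_blank_values=True):
        return scim_base_url                       # already present, do not double it
    query = f"{parts.query}&{AAD_SCIM_FLAG}" if parts.query else AAD_SCIM_FLAG
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


# Constructed sample directory export; the second user lacks the email address
# that Prerequisite 3 says will block synchronisation.
SAMPLE_USERS = [
    {"displayName": "Alice Example", "givenName": "Alice", "surname": "Example",
     "userPrincipalName": "alice@example.test", "mail": "alice@example.test"},
    {"displayName": "Bob Example", "givenName": "Bob", "surname": "Example",
     "userPrincipalName": "bob@example.test", "mail": ""},
]


def preflight(users: list) -> tuple:
    """Split users into SCIM-ready payloads and a report of blocked ones."""
    ready, blocked = [], {}
    for user in users:
        gaps = missing_attributes(user)
        if gaps:
            blocked[user["userPrincipalName"]] = gaps
        else:
            ready.append(to_scim_user(user))
    return ready, blocked


if __name__ == "__main__":
    ready, blocked = preflight(SAMPLE_USERS)
    print("Tenant URL:", build_tenant_url(
        "https://admin.tenantname.luminatesec.com/v1/identities/abc"))
    print("ready:  ", [u["userName"] for u in ready])
    print("blocked:", blocked)
```

Run the preflight over an export of the users or group members you intend to assign to the app; fixing the blocked entries first avoids a provisioning log full of per-user failures after the connection test itself has passed.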

Step 8 – Set Azure Entra ID as the Default Identity Provider in ZTNA

  1. In the ZTNA Admin Portal, go to Settings → Identity Providers.
  2. Click Set as Default button.

Once saved, ZTNA will use Azure Entra ID as the default authentication source for user logins and policy assignments.

Note: You can always log in with a different identity provider (such as Symantec ZTNA's Local Account) by using the following address: https://tenantname.luminatesec.com/accezz-login?noIdpRedirect=true

Step 9 – Verify User Access

1. Assign a User in Azure

  • Azure → Enterprise Applications → your ZTNA app → Users and Groups → Add user/group
  • Select a test user and click Assign.

2. Provision the User

  • Go to Provisioning → Provision on demand.
  • Select the test user → click Provision.
  • If you see Modified attributes (successful), the provisioning succeeded.

3. Verify in ZTNA

  • Search for the user email (using the ZTNA Domain Alias).
  • The user should appear.

4. Test Login

  • Open your ZTNA Portal, e.g. https://tenant-name.luminatesite.com
  • Sign in with the Azure user you just provisioned.
  • Successful access confirms the integration is working.
