Zscaler Private Access 2.0 provisioning flow fails with the following error visible in the Okta dashboard:

Automatic provisioning of user <user> to app Zscaler Private Access 2.0 failed: Error while creating user <user>: Invalid externalNamespace: urn_ietf:params:scim:schemas:core:2.0:User for property: department
 

• Zscaler Private Access 2.0
• Provisioning
• Error

The "External Namespace" property configured for the department attribute in Okta does not match a supported namespace.

For example, the following external namespaces are supported by SCIM 2.0:

• urn:ietf:params:scim:schemas:core:2.0:User

• urn:ietf:params:scim:schemas:extension:enterprise:2.0:User

Here,  urn_ietf:params:scim:schemas:core:2.0:User  has an underscore instead of a colon (:).

1. Go to Okta Admin Console and navigate to Directory > Profile Editor > locate and click the Zscaler Private Access 2.0 application.

2. Delete the attribute that has an invalid External namespace property associated with it.

   1. Note that a prompt may appear to remove the attribute from any mappings where it might be referenced.

3. Re-add the attribute that was deleted in Step 2, and be sure to configure the correct External namespace. For example, external namespaces, see SCIM Protocol, or if unsure what to fill in, please contact Zscaler support.

4. Click Save Attribute.

5. Attempt the failed tasks again. Navigate to Dashboard > Tasks. Any failed assignments should appear under Tasks.

6. After identifying the failed task for the user that should be retried, click on Retry Selected.