Skip to main content

About Zscaler

Zscaler is a zero trust security platform for internet access, private access, digital experience, and cloud security. Serval connects through Zscaler OneAPI using a ZIdentity API client, then runs workflows against your tenant on demand. Authentication: OAuth 2.0 client credentials from ZIdentity. Serval stores your Client ID, Client Secret, vanity domain, and cloud setting, then exchanges them for short-lived access tokens during workflow runs. Data sync: on demand only. Serval does not run a background sync for Zscaler; workflows call OneAPI live.

What the Zscaler integration enables

CapabilityDescription
Review ZIA statusCheck whether ZIA configuration is active or waiting for activation.
Audit ZIA admins and rolesList administrator users and role summaries for access reviews.
Export ZIA audit logsCreate, check, and download administrator audit log reports for a chosen time range.
Inspect ZIA policy inventoryList locations and URL categories used by ZIA policy.
Inspect ZPA inventoryList ZPA customers, application segments, segment groups, server groups, app connectors, and posture profiles.

Get your credentials

You need a ZIdentity API client with access to the Zscaler APIs your workflows will call.
1

Create or choose a ZIdentity API client

In ZIdentity, create an API client for Serval or choose an existing automation client.
2

Grant API resource access

Add the ZIA and ZPA API resources required for the workflows you plan to run. Start with read-only access for inventory workflows.
3

Copy the Client ID and Client Secret

Copy the Client ID and Client Secret. Store the Client Secret before leaving the creation screen.
4

Record your vanity domain

Record the vanity domain prefix from your token URL. For https://acme.zslogin.net/oauth2/v1/token, enter acme in Serval.
5

Record your ZPA customer ID

If you plan to run ZPA workflows, copy the ZPA customer ID from the ZPA Admin Portal.

Connect in Serval

1

Open the Zscaler connect form

In Serval, open the Zscaler integration and start a new connection.
2

Enter the instance name

Use a name like Production or Corporate.
3

Enter the vanity domain

Enter only the vanity prefix, such as acme.
4

Enter the cloud

Leave this blank for production. Enter values like beta or alpha only when your Zscaler tenant uses that OneAPI cloud. GOV and GOVUS tenants are not supported by Zscaler OneAPI.
5

Enter the client credentials

Paste the ZIdentity Client ID and Client Secret.
6

Optionally enter ZPA fields

Enter the ZPA customer ID and microtenant ID if you want them stored on the connection. ZPA workflows also ask for the customer ID explicitly.

Verifying the connection

The Zscaler integration ships health checks for OneAPI status, ZIA admin users, ZIA admin roles, and ZIA locations. If a check fails, verify that the vanity domain, cloud, client credentials, and ZIdentity API resource grants match the Zscaler tenant you are connecting.

Audit log reports

Serval can create a ZIA administrator audit log report for an epoch timestamp range, check the report generation status, and download the latest generated report. Creating a new ZIA audit log report overwrites the previous generated report in Zscaler.
These workflows use Zscaler’s audit report API. They do not replace NSS, LSS, or Cloud NSS streaming for web, firewall, DNS, or ZPA activity logs.
ZPA workflows require a ZPA customer ID. The ID is part of each ZPA request path and is not interchangeable with the Serval integration ID or ZIA organization IDs.