Hi Keerthivarman,
That's my understanding of SAML as well.
When you enable SAML you're allowing that 3rd party (Zscaler) to 'identify' your users.
On the Azure AD side you are 'authorizing' the user to access specific resources.
So if you have no user in Azure AD that matches the SAML user then they won't have access to any resources, even though Zscaler has 'identified' them on their end.
reference: