[ZT] add Terraform IdP to implementation guide (#20238)

* update OTP

* update generic oidc

* update generic saml

* update entra ID

* add IdP TF tab to implementation guide

* Update src/content/partials/learning-paths/zero-trust/configure-idp.mdx

* Update src/content/partials/cloudflare-one/access/idp-integration.mdx

Co-authored-by: marciocloudflare <[email protected]>

---------

Co-authored-by: marciocloudflare <[email protected]>

Author: ranbel

src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx

@@ -3,7 +3,7 @@ pcx_content_type: how-to
 title: Microsoft Entra ID
 ---
 
-import { Render } from "~/components";
+import { Render, Tabs, TabItem } from "~/components";
 
 You can integrate Microsoft Entra ID (formerly Azure Active Directory) with Cloudflare Zero Trust and build policies based on user identity and group membership. Users will authenticate to Zero Trust using their Entra ID credentials.
 
@@ -93,6 +93,8 @@ More narrow permissions may be used, however this is the set of permissions that
 
 ### 3. Add Entra ID as an identity provider
 
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication**.
 
 2. Under **Login methods**, select **Add new**.
@@ -114,6 +116,45 @@ More narrow permissions may be used, however this is the set of permissions that
 
 To [test](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust) that your connection is working, select **Test**.
 
+</TabItem> <TabItem label="API">
+
+1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions:
+		| Type    | Item             | Permission |
+		| ------- | ---------------- | ---------- |
+		| Account | Access: Organizations, Identity Providers, and Groups   | Edit    |
+
+2. Make a `POST` request to the [Identity Providers](/api/resources/zero_trust/subresources/identity_providers/methods/create/) endpoint:
+
+		```sh
+		curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/identity_providers \
+		--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
+		--data '{
+			"name": "Entra ID example",
+			"type": "azureAD",
+			"config": {
+			  "client_id": "<your client id>",
+		    "client_secret": "<your client secret>",
+		    "directory_id": "<your azure directory uuid>",
+		    "support_groups": true
+			}
+		}'
+		```
+
+</TabItem> <TabItem label="Terraform">
+
+:::note[Provider versions]
+The following example requires Cloudflare provider version `>=4.40.0`.
+:::
+
+1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token):
+	- `Access: Organizations, Identity Providers, and Groups Write`
+
+2. Configure the [`cloudflare_zero_trust_access_identity_provider`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_identity_provider) resource:
+
+		<Render file="access/entra-id-terraform" />
+
+</TabItem> </Tabs>
+
 #### UPN and email
 
 If your organization's UPNs do not match users' email addresses, you must add a custom claim for email. For example, if your organization's email format is `[email protected]` but the UPN is `[email protected]`, you must create an email claim if you are configuring email-based policies.
@@ -264,18 +305,3 @@ You can require users to re-enter their credentials into Entra ID whenever they
    		"scim_base_url": "https://<TEAM_NAME>.cloudflareaccess.com/populations/f174e90a-fafe-4643-bbbc-4a0ed4fc8415/scim/v2"
    }'
    ```
-
-## Example API Configuration
-
-```json
-{
-	"config": {
-		"client_id": "<your client id>",
-		"client_secret": "<your client secret>",
-		"directory_id": "<your azure directory uuid>",
-		"support_groups": true
-	},
-	"type": "azureAD",
-	"name": "my example idp"
-}
-```

src/content/docs/cloudflare-one/identity/idp-integration/generic-oidc.mdx

@@ -80,16 +80,16 @@ Cloudflare Access has a generic OpenID Connect (OIDC) connector to help you inte
 		}'
 		```
 
-</TabItem> <TabItem label="Terraform (v4)">
+</TabItem> <TabItem label="Terraform">
 
 :::note[Provider versions]
 The following example requires Cloudflare provider version `>=4.40.0`.
 :::
 
-1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/api_token):
+1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token):
 	- `Access: Organizations, Identity Providers, and Groups Write`
 
-2. Configure the [`cloudflare_zero_trust_access_identity_provider`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/zero_trust_access_identity_provider) resource:
+2. Configure the [`cloudflare_zero_trust_access_identity_provider`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_identity_provider) resource:
 
 		```tf
 		resource "cloudflare_zero_trust_access_identity_provider" "generic_oidc_example" {

src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx

@@ -54,16 +54,16 @@ To download the SAML metadata file, copy-paste the metadata endpoint into a web
 6. (Optional) Under **Optional configurations**, configure [additional SAML options](#optional-configurations).
 7. Select **Save**.
 
-</TabItem> <TabItem label="Terraform (v4)">
+</TabItem> <TabItem label="Terraform">
 
 :::note[Provider versions]
 The following example requires Cloudflare provider version `>=4.40.0`.
 :::
 
-1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/api_token):
+1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token):
 	- `Access: Organizations, Identity Providers, and Groups Write`
 
-2. Configure the [`cloudflare_zero_trust_access_identity_provider`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/zero_trust_access_identity_provider) resource:
+2. Configure the [`cloudflare_zero_trust_access_identity_provider`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_identity_provider) resource:
 
 		```tf
 		resource "cloudflare_zero_trust_access_identity_provider" "generic_saml_example" {

src/content/docs/cloudflare-one/identity/one-time-pin.mdx

@@ -21,16 +21,35 @@ For example, if your team uses Okta but you are collaborating with someone outsi
 2. Under **Login methods**, select **Add new**.
 3. Select **One-time PIN**.
 
-</TabItem> <TabItem label="Terraform (v4)">
+</TabItem> <TabItem label="API">
+
+1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions:
+		| Type    | Item             | Permission |
+		| ------- | ---------------- | ---------- |
+		| Account | Access: Organizations, Identity Providers, and Groups   | Edit    |
+
+2. Make a `POST` request to the [Identity Providers](/api/resources/zero_trust/subresources/identity_providers/methods/create/) endpoint:
+
+		```sh
+		curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/identity_providers \
+		--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
+		--data '{
+			"name": "One-time PIN login",
+			"type": "onetimepin",
+			"config": {}
+		}'
+		```
+
+</TabItem> <TabItem label="Terraform">
 
 :::note[Provider versions]
 The following example requires Cloudflare provider version `>=4.40.0`.
 :::
 
-1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/api_token):
+1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token):
 	- `Access: Organizations, Identity Providers, and Groups Write`
 
-2. Configure the [`cloudflare_zero_trust_access_identity_provider`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/zero_trust_access_identity_provider) resource:
+2. Configure the [`cloudflare_zero_trust_access_identity_provider`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_identity_provider) resource:
 
 		```tf
 		resource "cloudflare_zero_trust_access_identity_provider" "onetimepin_login" {
@@ -72,12 +91,3 @@ By design, blocked users will not receive an email. The login page will always s
 Access only logs an authentication attempt after the user enters a code. If the user enters their email but never submits a code, the event will not appear in your [audit logs](/cloudflare-one/insights/logs/audit-logs/#authentication-audit-logs).
 :::
 
-## Example API Config
-
-```json
-{
-	"config": {},
-	"type": "onetimepin",
-	"name": "my example idp"
-}
-```

src/content/partials/cloudflare-one/access/entra-id-terraform.mdx

@@ -0,0 +1,18 @@
+---
+{}
+---
+
+
+```tf
+resource "cloudflare_zero_trust_access_identity_provider" "microsoft_entra_id" {
+	account_id = var.cloudflare_account_id
+	name       = "Entra ID example"
+	type       = "azureAD"
+	config {
+		client_id                  = var.entra_id_client_id
+		client_secret              = var.entra_id_client_secret
+		directory_id               = var.entra_id_directory_id
+		support_groups             = true
+	}
+}
+```

src/content/partials/cloudflare-one/access/idp-integration-note.mdx

@@ -0,0 +1,6 @@
+---
+params:
+  - verb
+---
+
+If you do not see your identity provider listed, these providers can typically still be enabled. If they support OIDC or OAuth, {props.verb} the [generic OIDC](/cloudflare-one/identity/idp-integration/generic-oidc/) option. If they support SAML, {props.verb} the [generic SAML](/cloudflare-one/identity/idp-integration/generic-saml/) option. Cloudflare supports all SAML and OIDC providers and can integrate with the majority of OAuth providers. If your provider supports both SAML and OIDC, we recommend OIDC for ease of configuration.

src/content/partials/cloudflare-one/access/idp-integration.mdx

@@ -2,16 +2,35 @@
 {}
 ---
 
+import {Render, Tabs, TabItem} from "~/components"
+
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication**.
 
 2. In the **Login methods** card, select **Add new**.
 
 3. Select the identity provider you want to add.
 
-   If you do not see your identity provider listed, these providers can typically still be enabled. If they support OIDC or OAuth, select the generic OIDC option. If they support SAML, select the generic SAML option. Cloudflare supports all SAML and OIDC providers and can integrate with the majority of OAuth providers. If your provider supports both SAML and OIDC, we recommend OIDC for ease of configuration.
+		<Render file="access/idp-integration-note" product="cloudflare-one" params={{verb: "select" }}/>
 
 4. Fill in the necessary fields to set up your identity provider.
 
-   Each identity provider will have different required fields for you to fill in. Step-by-step instructions are shown in the dashboard side panel.
+   Each identity provider will have different required fields for you to fill in. Step-by-step instructions are shown in the dashboard side panel. Alternatively, refer to the [IdP-specific documentation](/cloudflare-one/identity/idp-integration/).
 
 5. Once you have filled in the necessary fields, select **Save**.
+
+</TabItem> <TabItem label="Terraform">
+
+1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token):
+	- `Access: Organizations, Identity Providers, and Groups Write`
+
+2. Add an identity provider to Zero Trust using the [`cloudflare_zero_trust_access_identity_provider`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_identity_provider) resource.  For example, to add a Microsoft Entra ID integration:
+
+		<Render file="access/entra-id-terraform" product="cloudflare-one" />
+
+		Each identity provider integration has different required attributes. You will need to obtain these attribute values from your identity provider. For more information, refer to the [IdP-specific documentation](/cloudflare-one/identity/idp-integration/).
+
+		<Render file="access/idp-integration-note" product="cloudflare-one" params={{verb: "use" }} />
+
+</TabItem> </Tabs>

src/content/partials/learning-paths/zero-trust/configure-idp.mdx

@@ -3,7 +3,7 @@
 
 ---
 
-import { GlossaryTooltip, Render } from "~/components"
+import { GlossaryTooltip, Render} from "~/components"
 
 An <GlossaryTooltip term="identity provider" link="https://www.cloudflare.com/learning/access-management/what-is-an-identity-provider/">identity provider (IdP)</GlossaryTooltip> stores and manages users' digital identities. You can integrate your existing identity provider with Cloudflare Zero Trust in order to manage user access to your private network. This requires configuration both in Cloudflare and with the identity provider itself.
 
@@ -16,4 +16,4 @@ To add an identity provider:
 
 <Render file="access/idp-integration" product="cloudflare-one" />
 
-Users will now be able to select this IdP when they are prompted to authenticate. To learn more about IdP configuration, refer to [SSO integration](/cloudflare-one/identity/idp-integration/).
+Users will now be able to select this IdP when they are prompted to authenticate.