[ZT] Custom OIDC claim details (#23293)

* Added steps to pass Entra OID through Access

Found adding OID to ODIC claims is pretty simple but not really documented anywhere. Added steps to add these steps.

* add custom oidc claim details

* point other IdP guides to custom OIDC claims

---------

Co-authored-by: dledfordcf <[email protected]>

Author: ranbel

src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-oidc-saas.mdx

@@ -96,7 +96,7 @@ To add additional OIDC claims onto the ID token sent to your SaaS application, c
 
 	- **Name**: OIDC claim name
 	- **Scope**: Select the OIDC scope where this claim should be included. In most cases, we recommend selecting `profile` since it already includes other custom claims from the IdP.
-	- **IdP claim**: The identity provider value that should map to this OIDC claim. You can select any [SAML attribute](/cloudflare-one/identity/idp-integration/generic-saml/#saml-headers-and-attributes) or [OIDC claim](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that was configured in a Zero Trust IdP integration.
+	- **IdP claim**: The identity provider value that should map to this OIDC claim. You can select any [SAML attribute](/cloudflare-one/identity/idp-integration/generic-saml/#saml-headers-and-attributes) or [OIDC claim](/cloudflare-one/identity/idp-integration/generic-oidc/#custom-oidc-claims) that was configured in a Zero Trust IdP integration.
 	- **Required**: If a claim is marked as required but is not provided by an IdP, Cloudflare will fail the authentication request and show an error page.
 	- **Add per IdP claim**: (Optional) If you turned on multiple identity providers for the SaaS application, you can choose different attribute mappings for each IdP. These values will override the parent **IdP claim**.
 

src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx

@@ -99,7 +99,7 @@ To send additional SAML attributes to your SaaS application, configure the follo
 			- `Unspecified`: (default) No specific format required.
 			- `URI`: Name is in a format such as `urn:ietf:params:scim:schemas:core:2.0:User:userName` or `urn:oid:2.5.4.42`.
 			- `Basic`: Name is a normal string such as `userName`.
-	- **IdP claim**: The identity provider value that should map to this SAML attribute. You can select any [SAML attribute](/cloudflare-one/identity/idp-integration/generic-saml/#saml-headers-and-attributes) or [OIDC claim](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that was configured in a Zero Trust IdP integration.
+	- **IdP claim**: The identity provider value that should map to this SAML attribute. You can select any [SAML attribute](/cloudflare-one/identity/idp-integration/generic-saml/#saml-headers-and-attributes) or [OIDC claim](/cloudflare-one/identity/idp-integration/generic-oidc/#custom-oidc-claims) that was configured in a Zero Trust IdP integration.
 	- **Required**: If an attribute is marked as required but is not provided by an IdP, Cloudflare will fail the authentication request and show an error page.
 	- **Add per IdP claim**: (Optional) If you turned on multiple identity providers for the SaaS application, you can choose different attribute mappings for each IdP. These values will override the parent **IdP claim**.
 

src/content/docs/cloudflare-one/identity/idp-integration/awscognito-oidc.mdx

@@ -79,7 +79,7 @@ To retrieve those values:
 
 5. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/) if the protocol is supported by your IdP. PKCE will be performed on all login attempts.
 
-6. (Optional) Under **Optional configurations**, enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that you wish to add to users' identity. This information will be available in the [user identity endpoint](/cloudflare-one/identity/authorization-cookie/application-token/#user-identity).
+6. (Optional) Under **Optional configurations**, enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#custom-oidc-claims) that you wish to add to users' identity.
 
 7. Select **Save**.
 

src/content/docs/cloudflare-one/identity/idp-integration/centrify.mdx

@@ -66,8 +66,7 @@ Centrify secures access to infrastructure, DevOps, cloud, and other modern enter
 
 4. (Optional) To enable SCIM, refer to [Synchronize users and groups](/cloudflare-one/identity/idp-integration/generic-oidc/#synchronize-users-and-groups).
 
-5. (Optional) Under **Optional configurations**, enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that you wish to add to your users' identity. This information will be available in the [user identity endpoint](/cloudflare-one/identity/authorization-cookie/application-token/#user-identity).
-
+5. (Optional) Under **Optional configurations**, enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#custom-oidc-claims) that you wish to add to your users' identity.
 6. Select **Save**.
 
 To test that your connection is working, go to **Authentication** > **Login methods** and select **Test** next to the login method you want to test.

src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx

@@ -110,7 +110,7 @@ More narrow permissions may be used, however this is the set of permissions that
    - **Entra ID Policy Sync**: Refer to our [Entra ID Conditional Access tutorial](/cloudflare-one/tutorials/entra-id-conditional-access/).
    - **Enable SCIM**: Refer to [Synchronize users and groups](#synchronize-users-and-groups).
    - **Email claim**: Enter the Entra ID claim that you wish to use for user identification (for example, `preferred_username`).
-   - **OIDC Claims**: Enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that you wish to add to your users' identity. This information will be available in the [user identity endpoint](/cloudflare-one/identity/authorization-cookie/application-token/#user-identity).
+   - **OIDC Claims**: Enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#custom-oidc-claims) that you wish to add to your users' identity.
 
 </TabItem> <TabItem label="API">
 
@@ -165,6 +165,10 @@ To receive an email claim in the `id_token` from Microsoft Entra, you must:
 3. If you gave your email claim another name than `email`, you must update your configuration in the Cloudflare dashboard. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication** > **Azure AD** > **Edit**.
 4. Under **Optional configurations** > **Email claim**, enter the name of the claim representing your organization's email addresses.
 
+#### Object ID
+
+If you are concerned that users' emails or UPNs may change, you can pass the user's object ID (`oid`) from Microsoft Entra to Cloudflare Access. To configure Access to receive the object ID, refer to [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#custom-oidc-claims).  No additional configuration is required in Microsoft Entra.
+
 ## Synchronize users and groups
 
 The Microsoft Entra ID integration allows you to synchronize IdP groups and automatically deprovision users using [SCIM](/cloudflare-one/identity/users/scim/).
@@ -308,4 +312,4 @@ You can require users to re-enter their credentials into Entra ID whenever they
 			code = {{
 				mark: [16]
 			}}
-		/>
+		/>

src/content/docs/cloudflare-one/identity/idp-integration/generic-oidc.mdx

@@ -135,9 +135,26 @@ If you would like to build policies based on IdP groups:
 
 ## Optional configurations
 
-### OIDC claims
+### Custom OIDC claims
 
-OIDC integrations support the use of custom OIDC claims. Custom OIDC claims can be referenced in [Access policies](/cloudflare-one/policies/access/), offering a means to control user access based on these specific attributes. Custom OIDC claims are not currently supported in Gateway policies.
+All OIDC IdP integrations support the use of custom OIDC claims. Once configured, Access will add the claims to the [Access JWT](/cloudflare-one/identity/authorization-cookie/application-token/) for consumption by your origin services. You can reference the custom OIDC claims in [Access policies](/cloudflare-one/policies/access/), offering a means to control user access to applications based on custom identity attributes. Custom OIDC claims are not currently supported in Gateway policies.
+
+To add a custom OIDC claim to an IdP integration:
+
+1. In your identity provider, ensure that the custom claim is included in your OIDC ID token.
+2. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication**.
+3. Under **Login methods**, find your identity provider and select **Edit**.
+4. Under **OIDC Claims**, enter the name of your custom claim (for example, `oid`).
+5. Select **Save**.
+6. Select **Test** and verify that the custom claim appears in `oidc_fields`. For example,
+
+		```json
+			"oidc_fields": {
+				"oid": "54eb1ed2-7150-44e6-bbe4-ead24c132fd4"
+			},
+		```
+
+You can now build an Access policy for the custom claim using the **OIDC Claim** or **IdP OIDC Claim** selector. The custom claim will also be passed to origins behind Access in a [JWT](/cloudflare-one/identity/authorization-cookie/application-token/#custom-saml-attributes-and-oidc-claims).
 
 #### Email claim
 

src/content/docs/cloudflare-one/identity/idp-integration/google-workspace.mdx

@@ -85,7 +85,7 @@ You do not need to be a Google Cloud Platform user to integrate Google Workspace
 
 4. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/). PKCE will be performed on all login attempts.
 
-5. (Optional) Under **Optional configurations**, enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that you wish to add to your Access [application token](/cloudflare-one/identity/authorization-cookie/application-token/).
+5. (Optional) Under **Optional configurations**, enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#custom-oidc-claims) that you wish to add to your user's identity.
 
 6. Select **Save**. To complete setup, you must visit the generated link. If you are not the Google Workspace administrator, share the link with the administrator.
 

src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx

@@ -60,11 +60,11 @@ Additionally, you can configure Okta to use risk information from Zero Trust [us
 
 14. (Optional) Create an Okta API token and enter it in Zero Trust (the token can be read-only). This will prevent your Okta groups from failing if you have more than 100 groups.
 
-15. (Optional) To configure [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims):
+15. (Optional) To configure [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#custom-oidc-claims):
 
     1. In Okta, create a [custom authorization server](https://developer.okta.com/docs/guides/customize-authz-server/main/) and ensure that the `groups` scope is enabled.
     2. In Zero Trust, enter the **Authorization Server ID** obtained from Okta.
-    3. Under **Optional configurations**, enter the claims that you wish to add to your users' identity. This information will be available in the [user identity endpoint](/cloudflare-one/identity/authorization-cookie/application-token/#user-identity)
+    3. Under **Optional configurations**, enter the claims that you wish to add to your users' identity.
 
 16. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/). PKCE will be performed on all login attempts.
 

src/content/docs/cloudflare-one/identity/idp-integration/onelogin-oidc.mdx

@@ -50,7 +50,7 @@ OneLogin provides SSO identity management. Cloudflare Access supports OneLogin a
 
 5. (Optional) To enable SCIM, refer to [Synchronize users and groups](/cloudflare-one/identity/idp-integration/generic-oidc/#synchronize-users-and-groups).
 
-6. (Optional) Under **Optional configurations**, enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that you wish to add to your Access [application token](/cloudflare-one/identity/authorization-cookie/application-token/).
+6. (Optional) Under **Optional configurations**, enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#custom-oidc-claims) that you wish to add to your user's identity.
 
 7. Select **Save**.
 

src/content/docs/cloudflare-one/identity/idp-integration/pingone-oidc.mdx

@@ -35,7 +35,7 @@ The PingOne cloud platform from PingIdentity provides SSO identity management. C
 4. Input the **Client ID**, **Client Secret**, and **Environment ID** generated previously.
 5. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/). PKCE will be performed on all login attempts.
 6. (Optional) To enable SCIM, refer to [Synchronize users and groups](/cloudflare-one/identity/idp-integration/generic-oidc/#synchronize-users-and-groups).
-7. (Optional) Under **Optional configurations**, enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that you wish to add to your users' identity. This information will be available in the [user identity endpoint](/cloudflare-one/identity/authorization-cookie/application-token/#user-identity).
+7. (Optional) Under **Optional configurations**, enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#custom-oidc-claims) that you wish to add to your users' identity.
 8. Select **Save**.
 
 You can now [test your connection](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust) and create [Access policies](/cloudflare-one/policies/access/) based on the configured login method.