[CF1] generic saml cert expiration (#20325)

deadlypants1973 · Oxyjun · web-flow · commit 1d6690cd1fb5 · 2025-03-06T14:25:30.000Z
* [CF1] generic saml cert expiration

* Update src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx

Co-authored-by: Jun Lee &lt;junlee@cloudflare.com&gt;

* fix indent

* editing for indentation

* Update src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx

* indentation

* Update src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx

---------

Co-authored-by: Jun Lee &lt;junlee@cloudflare.com&gt;
diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx
@@ -5,7 +5,7 @@ sidebar:
   order: 2
 ---
 
-import { Tabs, TabItem, Render } from '~/components';
+import { Tabs, TabItem, Render } from "~/components";
 
 Cloudflare Zero Trust integrates with any identity provider that supports SAML 2.0. If your identity provider is not listed in the integration list of login methods in Zero Trust, it can be configured using SAML 2.0 (or OpenID if OIDC based). Generic SAML can also be used if you would like to pass additional SAML headers or claims for an IdP in the integration list.
 
@@ -43,7 +43,6 @@ To download the SAML metadata file, copy-paste the metadata endpoint into a web
 
 ## 2. Add a SAML identity provider to Zero Trust
 
-
 <Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
 
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication** > **Login methods**.
@@ -60,28 +59,36 @@ To download the SAML metadata file, copy-paste the metadata endpoint into a web
 The following example requires Cloudflare provider version `>=4.40.0`.
 :::
 
-1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token):
+1.  Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token):
+
 	- `Access: Organizations, Identity Providers, and Groups Write`
 
-2. Configure the [`cloudflare_zero_trust_access_identity_provider`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_identity_provider) resource:
-
-		```tf
-		resource "cloudflare_zero_trust_access_identity_provider" "generic_saml_example" {
-			account_id = var.cloudflare_account_id
-			name       = "Generic SAML example"
-			type       = "saml"
-			config {
-				sso_target_url = "https://example.com/1234/sso/saml"
-				issuer_url = "https://example.com/1234"
-				idp_public_cert = "-----BEGIN CERTIFICATE-----\nXXXXX\n-----END CERTIFICATE-----"
-				sign_request = false
-				email_attribute_name = "email"
-				attributes = ["employeeID", "groups"]
-			}
-		}
-		```
+2.  Configure the [`cloudflare_zero_trust_access_identity_provider`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_identity_provider) resource:
+
+        ```tf
+        resource "cloudflare_zero_trust_access_identity_provider" "generic_saml_example" {
+        	account_id = var.cloudflare_account_id
+        	name       = "Generic SAML example"
+        	type       = "saml"
+        	config {
+        		sso_target_url = "https://example.com/1234/sso/saml"
+        		issuer_url = "https://example.com/1234"
+        		idp_public_cert = "-----BEGIN CERTIFICATE-----\nXXXXX\n-----END CERTIFICATE-----"
+        		sign_request = false
+        		email_attribute_name = "email"
+        		attributes = ["employeeID", "groups"]
+        	}
+        }
+        ```
+
 </TabItem> </Tabs>
 
+:::caution
+
+Set a reminder for the expiry date of the signing certificate obtained from your generic SAML identity provider. After the certificate expires, you will need to generate a new signing certificate and re-add it to your Cloudflare configuration via the Cloudflare dashboard or Terraform.
+
+:::
+
 ## 3. Test the connection
 
 You can now [test the IdP integration](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust). A success response should return the configured SAML attributes.
@@ -96,10 +103,7 @@ Your identity provider must support SCIM version 2.0.
 
 ### 1. Enable SCIM in Zero Trust
 
-<Render
-	file="access/enable-scim-on-dashboard"
-	params={{ idp: "IdP"}}
-/>
+<Render file="access/enable-scim-on-dashboard" params={{ idp: "IdP" }} />
 
 ### 2. Configure SCIM in the IdP
 
@@ -114,7 +118,7 @@ If you would like to build policies based on IdP groups:
 
 ### 3. Verify SCIM provisioning
 
-<Render file="access/verify-scim-provisioning"/>
+<Render file="access/verify-scim-provisioning" />
 
 ## Optional configurations
 
