src/content/docs/cloudflare-one/identity/idp-integration/generic-oidc.mdx
Lines changed: 5 additions & 4 deletions
@@ -68,11 +68,12 @@ Your identity provider must support SCIM version 2.0.
68
68
69
69
Setup instructions vary depending on the identity provider. In your identity provider, you will either need to edit the [original SSO application](/cloudflare-one/identity/idp-integration/generic-oidc/#set-up-a-generic-oidc) or create a new SCIM application. Refer to your identity provider's documentation for more details. For example instructions, refer to our [Okta](/cloudflare-one/identity/idp-integration/okta/#synchronize-users-and-groups) or [Jumpcloud](/cloudflare-one/identity/idp-integration/jumpcloud-saml/#synchronize-users-and-groups) guides.
70
70
71
-
If you would like to use groups based policies, ensure that your identity provider sends a "groups" field. The naming must match exactly (case insensitive). All other values will be sent as a OIDC claim.
71
+
#### IdP groups
72
72
73
-
:::note
74
-
If your IdP requires creating a new SCIM application, ensure that the groups in the SCIM application match the groups in the [original SSO application](/cloudflare-one/identity/idp-integration/generic-oidc/#set-up-a-generic-oidc). Because SCIM group membership updates will overwrite any groups in a user's identity, assigning the same groups to each app ensures consistent policy evaluation.
75
-
:::
73
+
If you would like to build policies based on IdP groups:
74
+
75
+
- Ensure that your IdP sends a `groups` field. The naming must match exactly (case insensitive). All other values will be sent as a OIDC claim.
76
+
- If your IdP requires creating a new SCIM application, ensure that the groups in the SCIM application match the groups in the [original SSO application](/cloudflare-one/identity/idp-integration/generic-oidc/#set-up-a-generic-oidc). Because SCIM group membership updates will overwrite any groups in a user's identity, assigning the same groups to each app ensures consistent policy evaluation.
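Review bot: In the first added bullet, "The naming must match exactly (case insensitive)" contradicts itself, and the wording is carried over unchanged from the removed paragraph. State the actual rule, for example "The field name must be `groups` (case insensitive)", so a reader can tell whether a differently cased name is still treated as the groups field or falls through as an ordinary claim. The same sentence should read "an OIDC claim" rather than "a OIDC claim".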
src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx
Lines changed: 5 additions & 4 deletions
@@ -74,11 +74,12 @@ Your identity provider must support SCIM version 2.0.
74
74
75
75
Setup instructions vary depending on the identity provider. In your identity provider, you will either need to edit the [original SSO application](#1-create-an-application-in-your-identity-provider) or create a new SCIM application. Refer to your identity provider's documentation for more details. For example instructions, refer to our [Okta](/cloudflare-one/identity/idp-integration/okta/#synchronize-users-and-groups) or [JumpCloud](/cloudflare-one/identity/idp-integration/jumpcloud-saml/#synchronize-users-and-groups) guides.
76
76
77
-
If you would like to use groups based policies, ensure that your identity provider sends a "groups" field. The naming must match exactly (case insensitive). All other values will be sent as a SAML attribute.
77
+
#### IdP groups
78
78
79
-
:::note
80
-
If your IdP requires creating a new SCIM application, ensure that the groups in the SCIM application match the groups in the [original SSO application](/cloudflare-one/identity/idp-integration/generic-saml/#1-create-an-application-in-your-identity-provider). Because SCIM group membership updates will overwrite any groups in a user's identity, assigning the same groups to each app ensures consistent policy evaluation.
81
-
:::
79
+
If you would like to build policies based on IdP groups:
80
+
81
+
- Ensure that your IdP sends a `groups` field. The naming must match exactly (case insensitive). All other values will be sent as a SAML attribute.
82
+
- If your IdP requires creating a new SCIM application, ensure that the groups in the SCIM application match the groups in the [original SSO application](/cloudflare-one/identity/idp-integration/generic-saml/#1-create-an-application-in-your-identity-provider). Because SCIM group membership updates will overwrite any groups in a user's identity, assigning the same groups to each app ensures consistent policy evaluation.
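Review bot: The second added bullet links to the original SSO application with the absolute path `/cloudflare-one/identity/idp-integration/generic-saml/#1-create-an-application-in-your-identity-provider`, while the unchanged paragraph just above links to the same section of this file with the bare anchor `#1-create-an-application-in-your-identity-provider`; use one form for both. The first added bullet also keeps "must match exactly (case insensitive)", which reads as a contradiction; "The field name must be `groups` (case insensitive)" would say the same thing without it.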
src/content/docs/cloudflare-one/identity/idp-integration/jumpcloud-saml.mdx
Lines changed: 10 additions & 10 deletions
@@ -81,19 +81,21 @@ The JumpCloud integration allows you to synchronize user groups and automaticall
81
81
82
82
1. In the [JumpCloud Admin Portal](https://console.jumpcloud.com/#/home), go to **SSO Applications**.
83
83
2. Select the Cloudflare application that was created when you [Set up JumpCloud as a SAML provider](/cloudflare-one/identity/idp-integration/jumpcloud-saml/#set-up-jumpcloud-as-a-saml-provider).
84
-
3. Select the **Identity Management** tab.
85
-
4. Make sure that **Enable management of User Groups and Group Membership in this application** is turned on.
86
-
5. Select **Configure**.
87
-
6. In the **Base URL** field, enter the **SCIM Endpoint** obtained from Zero Trust.
88
-
7. In the **Token Key** field, enter the **SCIM Secret** obtained from Zero Trust.
89
-
8. Select **Activate**. You will receive a confirmation that the Identity Management integration has been successfully verified.
90
-
9. Select **Save**.
84
+
3. Select the **SSO** tab.
85
+
3. To provision user groups, select **Include group attribute** and enter `groups`. The group attribute name has to exactly match `groups` or else it will be sent as a SAML attribute.
86
+
5. Select the **Identity Management** tab.
87
+
6. Make sure that **Enable management of User Groups and Group Membership in this application** is turned on.
88
+
7. Select **Configure**.
89
+
8. In the **Base URL** field, enter the **SCIM Endpoint** obtained from Zero Trust.
90
+
9. In the **Token Key** field, enter the **SCIM Secret** obtained from Zero Trust.
91
+
10. Select **Activate**. You will receive a confirmation that the Identity Management integration has been successfully verified.
92
+
11. Select **Save**.
91
93
92
94
<Renderfile="access/verify-scim-provisioning"/>
93
95
94
96
### Provisioning attributes
95
97
96
-
Provisioning attributes define the user and group properties that JumpCloud will synchronize with Cloudflare Access. By default, JumpCloud will send the following attributes during a SCIM update event:
98
+
Provisioning attributes define the user properties that JumpCloud will synchronize with Cloudflare Access. By default, JumpCloud will send the following attributes during a SCIM update event:
97
99
98
100
| JumpCloud user attribute| Cloudflare Access attribute |
99
101
| ------------------ | ----------------------- |
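Review bot: The added steps number two consecutive items as 3 ("3. Select the **SSO** tab." and "3. To provision user groups, ..."), and the list then continues at 5; the second item should be 4. In that same step, "has to exactly match `groups`" gives no case rule, whereas the generic OIDC and generic SAML pages changed in this commit describe the match as case insensitive, so the three pages should use one wording.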
@@ -105,8 +107,6 @@ Provisioning attributes define the user and group properties that JumpCloud will
105
107
| ------------------ | ----------------------- |
106
108
|`name`|`groups`|
107
109
108
-
The group attribute has to exactly match "groups" or else it will be sent as a SAML attribute.
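Review bot: The `name` to `groups` row at the end of the table is left unexplained once the sentence below it is removed, because the intro above the table was also changed in this commit to mention only "user properties". Either keep a short pointer here to the step that sets **Include group attribute** to `groups`, or say in the intro that this row covers group names.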