Split out SCIM provisioning

Author: dcpena

src/content/docs/fundamentals/setup/account/account-security/scim-setup.mdx renamed to src/content/docs/fundamentals/setup/account/account-security/scim-provisioning/entra.mdx

@@ -1,126 +1,27 @@
 ---
 pcx_content_type: how-to
-title: Dashboard SCIM provisioning
-updated: 2024-12-04
-
----
-
-Cloudflare supports bulk provisioning of users into the Cloudflare dashboard by using the System for Cross-domain Identity Management (SCIM) protocol. This allows you to connect your external identity provider (IdP) to Cloudflare and quickly onboard and manage users and their permissions. Cloudflare supports SCIM onboarding with Okta and Microsoft Entra.
-
-:::note
-This section covers SCIM provisioning for the Cloudflare dashboard only. If you need to provision SCIM for Cloudflare Zero Trust, refer to [Zero Trust SCIM provisioning](/cloudflare-one/identity/users/scim/).
-:::
-
-## Limitations
-
-- If a user is the only Super Administrator on an Enterprise account, they will not be deprovisioned.
-- Cloudflare currently only supports [Account-scoped Roles](/fundamentals/setup/manage-members/roles/#account-scoped-roles) and does not support Domain-scoped Roles provisioning via SCIM.
-- Cloudflare does not allow custom user groups.
-
-## Prerequisites
-
-- Cloudflare provisioning with SCIM is only available to Enterprise customers using Okta or Microsoft Entra ID.
-- You must be a [Super Administrator](/fundamentals/setup/manage-members/roles/) on the account.
-- In your identity provider, you must have the ability to create applications and groups.
-
----
-## Gather the required data
-
-To start, you will need to collect a couple of pieces of data from Cloudflare and set these aside for later use.
-
-### Get your Account ID
-
-
-1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to the Cloudflare account that you want to configure for SCIM provisioning.
-2. Copy your account ID from the account home page.
-
-### Create an API token
-
-1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions:
-
-   | Type    | Item              | Permission |
-   | ------- | ----------------- | ---------- |
-   | Account | SCIM Provisioning | Edit       |
-
-   :::note
-
-   Cloudflare recommends using Account Owned API Tokens for SCIM Provisioning. Using user-specific API tokens, while supported, will lead to a broken SCIM connection in the event that the user's policies are revoked from the account with the SCIM integration. Learn more about [account owned tokens](/fundamentals/api/get-started/account-owned-tokens/).
-   :::
-
-2. Select **Continue to summary**.
-
-3. Validate the permissions and select **Create Token**.
-
-4. Copy the token value.
-
+title: Provision with Microsoft Entra
+sidebar:
+  label: Microsoft Entra
 ---
 
-## Provision with Okta
-
-### Set up your Okta SCIM application
-
-1. In the Okta dashboard, go to **Applications** > **Applications**.
-2. Select **Browse App Catalog**.
-3. Locate and select **SCIM 2.0 Test App (OAuth Bearer Token)**.
-4. Select **Add Integration** and name your integration.
-5. Enable the following options:
-
-   * **Do not display application icon to users**
-   * **Do not display application icon in the Okta Mobile App**
-
-6. Disable **Automatically log in when user lands on login page**.
-7. Select **Next**, then select **Done**.
-
-### Integrate the Cloudflare API
-
-:::note
-The **Update User Attributes** option is not supported.
-:::
-
-1. In your integration page, go to **Provisioning** > **Configure API Integration**.
-2. Enable **Enable API Integration**.
-3. In SCIM 2.0 Base URL, enter: `https://api.cloudflare.com/client/v4/accounts/<accountID>/scim/v2`, substituting `accountID` for your [Cloudflare Account ID](/fundamentals/setup/account/account-security/scim-setup/#get-your-account-id).
-4. In the **OAuth Bearer Token** field, enter your API token value.
-5. Deselect **Import Groups**.
-
-
-### Set up your SCIM users and groups
-
-1. In **Provisioning to App**, select **Edit**.
-2. Enable **Create Users** and **Deactivate Users**. Select **Save**.
-3. Select **Done**.
-4. In the Assignments tab, add the users you want to synchronize with Cloudflare Dash. You can add users in batches by assigning a group. If a user is removed from the application assignment via either direct user assignment or removed from the group that was assigned to the app, this will trigger a deprovisioning event from Okta to Cloudflare. 
-5. In the Push Groups tab, add the Okta groups you want to synchronize with Cloudflare Dash. You can view these groups in the dash under Manage Account > Manage members > Members > User Groups.
-
-:::note
-You must have opted into the Cloudflare User Groups Public Beta to synchronize groups from Okta to Cloudflare. Refer to the [User Groups](/fundamentals/setup/manage-members/user-groups/) documentation for more information.
-:::
-
-To verify the integration, select **View Logs** in the Okta SCIM application, and check the Cloudflare Dash Audit Logs by navigating to **Manage Account** > **Audit Log**. 
-
-To grant permissions to Users & Groups in Cloudflare, refer to the Permission Policies guide.
-
-This will provision all of the users in the group(s) affected to your Cloudflare account with "minimal account access."
-
-## Provision with Microsoft Entra ID
-
-### Set up the Microsoft Entra ID Enterprise application
+## Set up the Enterprise application
 
 1. Go to your Microsoft Entra ID instance and select **Enterprise Applications**.
 2. Select **Create your own application** and name your application.
 3. Select **Integrate any other application you do not find in the gallery (Non-gallery)**.
 4. Select **Create**.
 
-### Provision the Microsoft Entra ID Enterprise application
+## Provision the Enterprise application
 
 1. Under **Manage** on the sidebar menu, select **Provisioning**.
 2. Select **Automatic** on the dropdown menu for the Provisioning Mode.
 3. Enter your API token value and the tenant URL: `https://api.cloudflare.com/client/v4/accounts/<your_account_ID>/scim/v2`.
 4. Select **Test Connection**, then select **Save**.
 
-### Configure user permissions in Microsoft Entra ID
+## Configure user permissions in Microsoft Entra ID
 
-1. Once the SCIM application is created, [assign users and groups to the application](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/assign-user-or-group-access-portal?pivots=portal.)
+1. Once the SCIM application is created, [assign users and groups to the application](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/assign-user-or-group-access-portal?pivots=portal).
 
 :::note
 You must have opted into the Cloudflare User Groups Public Beta to synchronize groups from Okta to Cloudflare. Refer to the [User Groups](/fundamentals/setup/manage-members/user-groups/) documentation for more information.
@@ -139,13 +40,13 @@ To successfully provision with Microsoft Entra ID, the `user principal name` and
 5. To grant permissions to Users & Groups in Cloudflare, refer to the Permission Policies guide.
 
 
-### Automate Cloudflare's SCIM integration
+## (Optional) Automate Cloudflare's SCIM integration
 
 Cloudflare's SCIM integration requires one external application per account. Customers with many accounts may want to automate part of the setup to save time and reduce the amount of time spent in the Entra administrative UI.
 
 The initial setup of creating the non-gallery applications and adding the provisioning URL and API key are scriptable via API, but the rest of the setup is dependent on your specific need and IDP configuration.
 
-1. Get an access token
+**1. Get an access token**
 
 Get an Entra access token. Note that the example below is using the Azure CLI.
 
@@ -156,7 +57,7 @@ az account get-access-token --resource https://graph.microsoft.com
 
 (payload with accessToken returned)
 ```
-2. Create a new application via template.
+**2. Create a new application via template.**
 
 The template ID 8adf8e6e-67b2-4cf2-a259-e3dc5476c621 is the suggested template to create non-gallery apps in the Entra docs. Replace `<accessToken>` and `displayName` with your values.
 
@@ -193,7 +94,7 @@ curl -X POST 'https://graph.microsoft.com/v1.0/applicationTemplates/8adf8e6e-67b
 }
 ```
 
-3. Create a provisioning job
+**3. Create a provisioning job**
 
 To enable provisioning, you will also need to create a job. Note the SERVICE_PRINCIPAL_ID in the previous request will be used in the request below. The SCIM templateId is an Entra provided template.
 
@@ -219,7 +120,7 @@ curl -X POST 'https://graph.microsoft.com/v1.0/servicePrincipals/<SERVICE_PRINCI
 // ... snipped rest of JSON payload
 ```
 
-4. Configure the SCIM provisioning URL and API token
+**4. Configure the SCIM provisioning URL and API token**
 
 Next, configure the Tenant URL (Cloudflare SCIM endpoint) and API token (SCIM Provisioning API Token). 
 
@@ -252,10 +153,10 @@ After completing the tasks above, the next steps in Entra include:
 
 Expectations for user lifecycle management with SCIM:
 
-| Expected Cloudflare dash behavior              | Identity provider action                                                                                                                                        |
-| ---------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| User is added to account as member             | Assign the user to a SCIM application. They will be assigned the Minimal Account Access role so that their dash experience is not broken.                       |
-| User is removed from account as member         | Unassign the user from the SCIM application.                                                                                                                    |
+| Expected Cloudflare dash behavior              | Identity provider action      |
+| ---------------------------------------------- |-------------------------------|
+| User is added to account as member             | Assign the user to a SCIM application. They will be assigned the Minimal Account Access role so that their dash experience is not broken.   |
+| User is removed from account as member         | Unassign the user from the SCIM application.    |
 | Add role to user                               | Add the user to a group in the IdP which is pushed via SCIM. They must also be assigned to the SCIM application and exist as an account member.                 |
-| Remove role from user                          | Remove the user from the corresponding group in the IdP.                                                                                                        |
+| Remove role from user                          | Remove the user from the corresponding group in the IdP.   |
 | Retain user in account but with no permissions | Remove the user from all role groups but leave them assigned to the SCIM application. They will be an account member with only the role Minimal Account Access. |

src/content/docs/fundamentals/setup/account/account-security/scim-provisioning/index.mdx

@@ -0,0 +1,54 @@
+---
+pcx_content_type: how-to
+title: Dashboard SCIM provisioning
+updated: 2024-12-04
+
+---
+
+Cloudflare supports bulk provisioning of users into the Cloudflare dashboard by using the System for Cross-domain Identity Management (SCIM) protocol. This allows you to connect your external identity provider (IdP) to Cloudflare and quickly onboard and manage users and their permissions. Cloudflare supports SCIM onboarding with Okta and Microsoft Entra.
+
+:::note
+This section covers SCIM provisioning for the Cloudflare dashboard only. If you need to provision SCIM for Cloudflare Zero Trust, refer to [Zero Trust SCIM provisioning](/cloudflare-one/identity/users/scim/).
+:::
+
+## Limitations
+
+- If a user is the only Super Administrator on an Enterprise account, they will not be deprovisioned.
+- Cloudflare currently only supports [Account-scoped Roles](/fundamentals/setup/manage-members/roles/#account-scoped-roles) and does not support Domain-scoped Roles provisioning via SCIM.
+- Cloudflare does not allow custom user groups.
+
+## Prerequisites
+
+- Cloudflare provisioning with SCIM is only available to Enterprise customers using Okta or Microsoft Entra ID.
+- You must be a [Super Administrator](/fundamentals/setup/manage-members/roles/) on the account.
+- In your identity provider, you must have the ability to create applications and groups.
+
+---
+## Gather the required data
+
+To start, you will need to collect a couple of pieces of data from Cloudflare and set these aside for later use.
+
+### Get your Account ID
+
+
+1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to the Cloudflare account that you want to configure for SCIM provisioning.
+2. Copy your account ID from the account home page.
+
+### Create an API token
+
+1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions:
+
+   | Type    | Item              | Permission |
+   | ------- | ----------------- | ---------- |
+   | Account | SCIM Provisioning | Edit       |
+
+   :::note
+
+   Cloudflare recommends using Account Owned API Tokens for SCIM Provisioning. Using user-specific API tokens, while supported, will lead to a broken SCIM connection in the event that the user's policies are revoked from the account with the SCIM integration. Learn more about [account owned tokens](/fundamentals/api/get-started/account-owned-tokens/).
+   :::
+
+2. Select **Continue to summary**.
+
+3. Validate the permissions and select **Create Token**.
+
+4. Copy the token value.

src/content/docs/fundamentals/setup/account/account-security/scim-provisioning/okta.mdx

@@ -0,0 +1,49 @@
+---
+pcx_content_type: how-to
+title: Provision with Okta
+sidebar:
+  label: Okta
+---
+
+## Set up your Okta SCIM application
+
+1. In the Okta dashboard, go to **Applications** > **Applications**.
+2. Select **Browse App Catalog**.
+3. Locate and select **SCIM 2.0 Test App (OAuth Bearer Token)**.
+4. Select **Add Integration** and name your integration.
+5. Enable the following options:
+   * **Do not display application icon to users**
+   * **Do not display application icon in the Okta Mobile App**
+6. Disable **Automatically log in when user lands on login page**.
+7. Select **Next**, then select **Done**.
+
+## Integrate the Cloudflare API
+
+:::note
+The **Update User Attributes** option is not supported.
+:::
+
+1. In your integration page, go to **Provisioning** > **Configure API Integration**.
+2. Enable **Enable API Integration**.
+3. In SCIM 2.0 Base URL, enter: `https://api.cloudflare.com/client/v4/accounts/<accountID>/scim/v2`, substituting `accountID` for your [Cloudflare Account ID](/fundamentals/setup/account/account-security/scim-setup/#get-your-account-id).
+4. In the **OAuth Bearer Token** field, enter your API token value.
+5. Deselect **Import Groups**.
+
+
+## Set up your SCIM users and groups
+
+1. In **Provisioning to App**, select **Edit**.
+2. Enable **Create Users** and **Deactivate Users**. Select **Save**.
+3. Select **Done**.
+4. In the Assignments tab, add the users you want to synchronize with Cloudflare Dash. You can add users in batches by assigning a group. If a user is removed from the application assignment via either direct user assignment or removed from the group that was assigned to the app, this will trigger a deprovisioning event from Okta to Cloudflare. 
+5. In the Push Groups tab, add the Okta groups you want to synchronize with Cloudflare Dash. You can view these groups in the dash under Manage Account > Manage members > Members > User Groups.
+
+:::note
+You must have opted into the Cloudflare User Groups Public Beta to synchronize groups from Okta to Cloudflare. Refer to the [User Groups](/fundamentals/setup/manage-members/user-groups/) documentation for more information.
+:::
+
+To verify the integration, select **View Logs** in the Okta SCIM application, and check the Cloudflare Dash Audit Logs by navigating to **Manage Account** > **Audit Log**. 
+
+To grant permissions to Users & Groups in Cloudflare, refer to the Permission Policies guide.
+
+This will provision all of the users in the group(s) affected to your Cloudflare account with "minimal account access."