[ZT] Terraform IdP examples (#20183)

* one-time-pin

* move import command

* generic oidc examples

* saml example

* fix numbering

Author: ranbel

src/content/docs/cloudflare-one/identity/idp-integration/generic-oidc.mdx

@@ -5,11 +5,11 @@ sidebar:
   order: 1
 ---
 
-import { Render } from "~/components";
+import { Tabs, TabItem, Render } from '~/components';
 
 Cloudflare Access has a generic OpenID Connect (OIDC) connector to help you integrate IdPs not already set in Access.
 
-## Set up a generic OIDC
+## 1. Create an application in your identity provider
 
 1. Visit your identity provider and create a client/app.
 
@@ -31,21 +31,87 @@ Cloudflare Access has a generic OpenID Connect (OIDC) connector to help you inte
 
    You can find these values on your identity provider's **OIDC discovery endpoint**. Some providers call this the "well-known URL".
 
-4. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication**.
+## 2. Add an OIDC provider to Zero Trust
 
-5. Under **Login methods**, select **Add new**.
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
 
-6. Choose **OpenID Connect**..
+1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication**.
 
-7. Name your identity provider and fill in the required fields with the information obtained in Step 3.
+2. Under **Login methods**, select **Add new**.
 
-8. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/) if the protocol is supported by your IdP. PKCE will be performed on all login attempts.
+3. Choose **OpenID Connect**.
 
-9. (Optional) To enable SCIM, refer to [Synchronize users and groups](#synchronize-users-and-groups).
+4. Name your identity provider and fill in the required fields with the information obtained in Step 3.
 
-10. (Optional) Under **Optional configurations**, enter [custom OIDC claims](#oidc-claims) that you wish to add to users' identity. This information will be available in the [user identity endpoint](/cloudflare-one/identity/authorization-cookie/application-token/#user-identity).
+5. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/) if the protocol is supported by your IdP. PKCE will be performed on all login attempts.
 
-11. Select **Save**.
+6. (Optional) To enable SCIM, refer to [Synchronize users and groups](#synchronize-users-and-groups).
+
+7. (Optional) Under **Optional configurations**, enter [custom OIDC claims](#oidc-claims) that you wish to add to users' identity. This information will be available in the [user identity endpoint](/cloudflare-one/identity/authorization-cookie/application-token/#user-identity).
+
+8. Select **Save**.
+
+</TabItem> <TabItem label="API">
+
+1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions:
+		| Type    | Item             | Permission |
+		| ------- | ---------------- | ---------- |
+		| Account | Access: Organizations, Identity Providers, and Groups   | Edit    |
+
+2. Make a `POST` request to the [Identity Providers](/api/resources/zero_trust/subresources/identity_providers/methods/create/) endpoint:
+
+		```sh
+		curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/identity_providers \
+		--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
+		--data '{
+			"name": "Generic OIDC example",
+			"type": "oidc",
+			"config": {
+				"client_id": "<your client id>",
+				"client_secret": "<your client secret>",
+				"auth_url": "https://accounts.google.com/o/oauth2/auth",
+				"token_url": "https://accounts.google.com/o/oauth2/token",
+				"certs_url": "https://www.googleapis.com/oauth2/v3/certs",
+				"pkce_enabled": false,
+				"email_claim_name": "email",
+				"claims": ["employeeID", "groups"],
+				"scopes": ["openid", "email", "profile"]
+			}
+		}'
+		```
+
+</TabItem> <TabItem label="Terraform (v4)">
+
+:::note[Provider versions]
+The following example requires Cloudflare provider version `>=4.40.0`.
+:::
+
+1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/api_token):
+	- `Access: Organizations, Identity Providers, and Groups Write`
+
+2. Configure the [`cloudflare_zero_trust_access_identity_provider`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/zero_trust_access_identity_provider) resource:
+
+		```tf
+		resource "cloudflare_zero_trust_access_identity_provider" "generic_oidc_example" {
+			account_id = var.cloudflare_account_id
+			name       = "Generic OIDC example"
+			type       = "oidc"
+			config {
+				client_id = "<your client id>"
+				client_secret = "<your client secret>"
+				auth_url = "https://accounts.google.com/o/oauth2/auth"
+				token_url = "https://accounts.google.com/o/oauth2/token"
+				certs_url = "https://www.googleapis.com/oauth2/v3/certs"
+				pkce_enabled = false
+				email_claim_name = "email"
+				claims = ["employeeID", "groups"]
+				scopes = ["openid", "email", "profile"]
+			}
+		}
+		```
+</TabItem> </Tabs>
+
+## 3. Test the connection
 
 To test that your connection is working, go to **Authentication** > **Login methods** and select **Test** next to the login method you want to test. On success, a confirmation screen displays.
 
@@ -92,23 +158,6 @@ Cloudflare Access extends support for multi-record OIDC claims. These claims are
 
 Cloudflare Access does not support partial OIDC claim value references or OIDC scopes.
 
-## Example API Configuration
-
-```json
-{
-	"config": {
-		"client_id": "<your client id>",
-		"client_secret": "<your client secret>",
-		"auth_url": "https://accounts.google.com/o/oauth2/auth",
-		"token_url": "https://accounts.google.com/o/oauth2/token",
-		"certs_url": "https://www.googleapis.com/oauth2/v3/certs",
-		"scopes": ["openid", "email", "profile"]
-	},
-	"type": "oidc",
-	"name": "Generic Google"
-}
-```
-
 ## Supported algorithms for generic OIDC tokens
 
 Cloudflare supports the following algorithms for verifying generic OIDC tokens:

src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx

@@ -5,7 +5,7 @@ sidebar:
   order: 2
 ---
 
-import { Render } from "~/components";
+import { Tabs, TabItem, Render } from '~/components';
 
 Cloudflare Zero Trust integrates with any identity provider that supports SAML 2.0. If your identity provider is not listed in the integration list of login methods in Zero Trust, it can be configured using SAML 2.0 (or OpenID if OIDC based). Generic SAML can also be used if you would like to pass additional SAML headers or claims for an IdP in the integration list.
 
@@ -43,6 +43,9 @@ To download the SAML metadata file, copy-paste the metadata endpoint into a web
 
 ## 2. Add a SAML identity provider to Zero Trust
 
+
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication** > **Login methods**.
 2. Select **Add new** and select **SAML**.
 3. Choose a descriptive name for your identity provider.
@@ -51,6 +54,34 @@ To download the SAML metadata file, copy-paste the metadata endpoint into a web
 6. (Optional) Under **Optional configurations**, configure [additional SAML options](#optional-configurations).
 7. Select **Save**.
 
+</TabItem> <TabItem label="Terraform (v4)">
+
+:::note[Provider versions]
+The following example requires Cloudflare provider version `>=4.40.0`.
+:::
+
+1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/api_token):
+	- `Access: Organizations, Identity Providers, and Groups Write`
+
+2. Configure the [`cloudflare_zero_trust_access_identity_provider`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/zero_trust_access_identity_provider) resource:
+
+		```tf
+		resource "cloudflare_zero_trust_access_identity_provider" "generic_saml_example" {
+			account_id = var.cloudflare_account_id
+			name       = "Generic SAML example"
+			type       = "saml"
+			config {
+				sso_target_url = "https://example.com/1234/sso/saml"
+				issuer_url = "https://example.com/1234"
+				idp_public_cert = "-----BEGIN CERTIFICATE-----\nXXXXX\n-----END CERTIFICATE-----"
+				sign_request = false
+				email_attribute_name = "email"
+				attributes = ["employeeID", "groups"]
+			}
+		}
+		```
+</TabItem> </Tabs>
+
 ## 3. Test the connection
 
 You can now [test the IdP integration](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust). A success response should return the configured SAML attributes.

src/content/docs/cloudflare-one/identity/one-time-pin.mdx

@@ -5,7 +5,7 @@ sidebar:
   order: 2
 ---
 
-import { Render } from "~/components";
+import { Tabs, TabItem, Render } from '~/components';
 
 Cloudflare Access can send a one-time PIN (OTP) to approved email addresses as an alternative to integrating an identity provider. You can simultaneously configure OTP login and the identity provider of your choice to allow users to select their own authentication method.
 
@@ -15,7 +15,35 @@ For example, if your team uses Okta but you are collaborating with someone outsi
 
 ## Set up OTP
 
-<Render file="access/one-time-pin" />
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
+1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication**.
+2. Under **Login methods**, select **Add new**.
+3. Select **One-time PIN**.
+
+</TabItem> <TabItem label="Terraform (v4)">
+
+:::note[Provider versions]
+The following example requires Cloudflare provider version `>=4.40.0`.
+:::
+
+1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/api_token):
+	- `Access: Organizations, Identity Providers, and Groups Write`
+
+2. Configure the [`cloudflare_zero_trust_access_identity_provider`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/zero_trust_access_identity_provider) resource:
+
+		```tf
+		resource "cloudflare_zero_trust_access_identity_provider" "onetimepin_login" {
+			account_id = var.cloudflare_account_id
+			name       = "One-time PIN login"
+			type       = "onetimepin"
+		}
+		```
+</TabItem> </Tabs>
+
+:::tip
+If your organization uses a third-party email scanning service (for example, Mimecast or Barracuda), add `[email protected]` to the email scanning allowlist.
+:::
 
 To grant a user access to an application, simply add their email address to an [Access policy](/cloudflare-one/policies/access/policy-management/#create-a-policy).