[CF1] generic saml cert expiration

deadlypants1973 · deadlypants1973 · commit 85bd10253084 · 2025-02-26T16:39:05.000Z
diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx
@@ -5,7 +5,7 @@ sidebar:
   order: 2
 ---
 
-import { Tabs, TabItem, Render } from '~/components';
+import { Tabs, TabItem, Render } from "~/components";
 
 Cloudflare Zero Trust integrates with any identity provider that supports SAML 2.0. If your identity provider is not listed in the integration list of login methods in Zero Trust, it can be configured using SAML 2.0 (or OpenID if OIDC based). Generic SAML can also be used if you would like to pass additional SAML headers or claims for an IdP in the integration list.
 
@@ -43,7 +43,6 @@ To download the SAML metadata file, copy-paste the metadata endpoint into a web
 
 ## 2. Add a SAML identity provider to Zero Trust
 
-
 <Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
 
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication** > **Login methods**.
@@ -60,28 +59,36 @@ To download the SAML metadata file, copy-paste the metadata endpoint into a web
 The following example requires Cloudflare provider version `>=4.40.0`.
 :::
 
-1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token):
-	- `Access: Organizations, Identity Providers, and Groups Write`
-
-2. Configure the [`cloudflare_zero_trust_access_identity_provider`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_identity_provider) resource:
-
-		```tf
-		resource "cloudflare_zero_trust_access_identity_provider" "generic_saml_example" {
-			account_id = var.cloudflare_account_id
-			name       = "Generic SAML example"
-			type       = "saml"
-			config {
-				sso_target_url = "https://example.com/1234/sso/saml"
-				issuer_url = "https://example.com/1234"
-				idp_public_cert = "-----BEGIN CERTIFICATE-----\nXXXXX\n-----END CERTIFICATE-----"
-				sign_request = false
-				email_attribute_name = "email"
-				attributes = ["employeeID", "groups"]
-			}
-		}
-		```
+1.  Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token):
+
+- `Access: Organizations, Identity Providers, and Groups Write`
+
+2.  Configure the [`cloudflare_zero_trust_access_identity_provider`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_identity_provider) resource:
+
+```tf
+resource "cloudflare_zero_trust_access_identity_provider" "generic_saml_example" {
+	account_id = var.cloudflare_account_id
+	name       = "Generic SAML example"
+	type       = "saml"
+	config {
+		sso_target_url = "https://example.com/1234/sso/saml"
+		issuer_url = "https://example.com/1234"
+		idp_public_cert = "-----BEGIN CERTIFICATE-----\nXXXXX\n-----END CERTIFICATE-----"
+		sign_request = false
+		email_attribute_name = "email"
+		attributes = ["employeeID", "groups"]
+	}
+}
+```
+
 </TabItem> </Tabs>
 
+:::caution
+
+Set a reminder noting when the signing certificate obtained from your generic SAML identity provider will expire. After the certificate expires, you will need to generate a new signing certificate and re-add it to your Cloudflare configuration via the Cloudflare dashboard or Terraform.
+
+:::
+
 ## 3. Test the connection
 
 You can now [test the IdP integration](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust). A success response should return the configured SAML attributes.
@@ -96,10 +103,7 @@ Your identity provider must support SCIM version 2.0.
 
 ### 1. Enable SCIM in Zero Trust
 
-<Render
-	file="access/enable-scim-on-dashboard"
-	params={{ idp: "IdP"}}
-/>
+<Render file="access/enable-scim-on-dashboard" params={{ idp: "IdP" }} />
 
 ### 2. Configure SCIM in the IdP
 
@@ -114,7 +118,7 @@ If you would like to build policies based on IdP groups:
 
 ### 3. Verify SCIM provisioning
 
-<Render file="access/verify-scim-provisioning"/>
+<Render file="access/verify-scim-provisioning" />
 
 ## Optional configurations
 
