src/content/docs/fundamentals/setup/account/account-security/scim-setup.mdx
22 additions & 10 deletions
@@ -5,7 +5,7 @@ updated: 2024-12-04
5
5
6
6
---
7
7
8
-
Cloudflare supports bulk provisioning of users into the Cloudflare dashboard by using the System for Cross-domain Identity Management (SCIM) protocol. This allows you to connect your external identity provider (IdP) to Cloudflare and quickly onboard and manage users and their permissions. Cloudflare supports SCIM onboarding with Okta and Microsoft Entra.
8
+
Cloudflare supports bulk provisioning of users into the Cloudflare dashboard by using the System for Cross-domain Identity Management (SCIM) protocol. This allows you to connect your external identity provider (IdP) to Cloudflare and quickly onboard and manage users and their permissions. Cloudflare supports SCIM onboarding with Okta and Microsoft Entra.
9
9
10
10
:::note
11
11
Cloudflare Zero Trust also supports SCIM for onboarding users to Cloudflare Access. [Learn more](/cloudflare-one/identity/users/scim/)
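Review bot: the removed line at 7 and the added line at 8 are textually identical, so whatever changed here (trailing whitespace, line ending, or indentation) is invisible in this view and a reviewer has to diff the raw bytes to confirm no wording moved; the commit message should state that this and the following three hunks are a formatting-only pass, and the one sentence that does carry meaning, "Cloudflare supports SCIM onboarding with Okta and Microsoft Entra", would benefit from linking the two provider-specific sections that follow so readers land on the right procedure.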
@@ -14,7 +14,7 @@ Cloudflare Zero Trust also supports SCIM for onboarding users to Cloudflare Acce
14
14
## Limitations
15
15
16
16
- If a user is the only Super Administrator on an Enterprise account, they will not be deprovisioned.
17
-
- Cloudflare currently only supports [Account-scoped Roles](/fundamentals/setup/manage-members/roles/#account-scoped-roles) and does not support Domain-scoped Roles provisioning via SCIM.
17
+
- Cloudflare currently only supports [Account-scoped Roles](/fundamentals/setup/manage-members/roles/#account-scoped-roles) and does not support Domain-scoped Roles provisioning via SCIM.
18
18
- Cloudflare does not allow custom user groups.
19
19
20
20
## Prerequisites
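Review bot: the Limitations list leaves "Cloudflare does not allow custom user groups" (line 18) underspecified, since the Okta procedure further down relies on pushing IdP groups named `CF-<accountID> - <Role Name>`; say explicitly that only groups matching that pattern are honoured for role mapping and that any other pushed group is ignored, so an operator does not expect an arbitrary group to confer permissions. The first bullet, that the sole Super Administrator on an Enterprise account is never deprovisioned, is the lockout safeguard and is worth a clause explaining that it exists to prevent an account with no administrator, since it otherwise reads like a bug.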
@@ -31,7 +31,7 @@ Accounts provisioned with SCIM need to verify their email addresses.
31
31
---
32
32
## Gather the required data
33
33
34
-
To start, you will need to collect a couple of pieces of data from Cloudflare and set these aside for later use.
34
+
To start, you will need to collect a couple of pieces of data from Cloudflare and set these aside for later use.
35
35
36
36
### Get your Account ID
37
37
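Review bot: "a couple of pieces of data" (line 34) is vague for an introductory sentence whose only visible subsection is "Get your Account ID"; name the items up front, for example "your Account ID and an API token for the SCIM integration", and the reader knows what to set aside before starting. The removed and added lines are again identical, so this hunk too is formatting-only.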
@@ -91,26 +91,26 @@ To start, you will need to collect a couple of pieces of data from Cloudflare an
91
91
1. In **Provisioning to App**, select **Edit**.
92
92
2. Enable **Create Users** and **Deactivate Users**. Select **Save**.
93
93
3. In the integration page, go to **Assignments** > **Assign** > **Assign to Groups**.
94
-
4. Choose the group(s) that you want to provision to Cloudflare.
94
+
4. Choose the group(s) that you want to provision to Cloudflare.
95
95
5. Select **Done**.
96
96
97
97
This will provision all of the users in the group(s) affected to your Cloudflare account with "minimal account access."
98
98
99
-
### Configure user permissions
99
+
### Configure user permissions
100
100
101
101
There are two options for managing user permissions:
102
102
103
-
* Manage your user permissions on a per-user basis in the Cloudflare dashboard, API, or using Terraform.
104
-
* Map your IdP groups to a Cloudflare built-in [Role](/fundamentals/setup/manage-members/roles/). Groups may only be linked to one role.
103
+
* Manage your user permissions on a per-user basis in the Cloudflare dashboard, API, or using Terraform.
104
+
* Map your IdP groups to a Cloudflare built-in [Role](/fundamentals/setup/manage-members/roles/). Groups may only be linked to one role.
105
105
106
106
1. Go to your SCIM application in the App Integration Catalog, then select **Provisioning**.
107
107
2. Under **To App*, select **Edit**.
108
108
3. Enable **Create Users** and **Deactivate Users**. Select **Save**.
109
109
4. Go to **Push Groups**.
110
110
5. Select **+ Push Groups**, then **Find groups by name**.
111
-
6. Enter the name of the group(s) that you want to sync to Cloudflare.
111
+
6. Enter the name of the group(s) that you want to sync to Cloudflare.
112
112
7. Choose **Link Group**.
113
-
8. Cloudflare provisioned user groups are named in the pattern `CF-<accountID> - <Role Name>`. Choose the appropriate group that maps to your target role.
113
+
8. Cloudflare provisioned user groups are named in the pattern `CF-<accountID> - <Role Name>`. Choose the appropriate group that maps to your target role.
114
114
9. Disable **Rename groups**. Select **Save**.
115
115
10. Within the **Push Groups** tab, select **Push Groups**.
116
116
11. Add the groups you created.
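Review bot: the unchanged context line at 107, `2. Under **To App*, select **Edit**.`, has unbalanced bold markers (`**To App*`) and will render with a stray asterisk in MDX; fix it to `2. Under **To App**, select **Edit**.` while this file is being touched. Two smaller points in the same region: "Groups may only be linked to one role." (line 104) should be qualified as meaning one Cloudflare role per IdP group, since the next paragraph has a user holding several roles through several groups; and step 9, "Disable **Rename groups**", deserves a reason (a renamed group no longer matches the `CF-<accountID> - <Role Name>` pattern and silently stops mapping to its role), because that is the failure an operator will actually hit.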
@@ -153,5 +153,17 @@ Refer to the list of [Roles](/fundamentals/setup/manage-members/roles/) for more
153
153
7. Select **Start provisioning** to view the new users and groups populated on the Cloudflare dashboard.
154
154
155
155
:::note
156
-
To successfully provision with Microsoft Entra ID, the `user principal name` and `email` fields must match. These values are case-sensitive.
156
+
To successfully provision with Microsoft Entra ID, the `user principal name` and `email` fields must match. These values are case-sensitive.
157
157
:::
158
+
159
+
## Expected behaviors
160
+
161
+
Expectations for user lifecycle management with SCIM:
| User is added to account as member | Assign the user to a SCIM application. They will be assigned the Minimal Account Access role so that their dash experience is not broken. |
166
+
| User is removed from account as member | Unassign the user from the SCIM application. |
167
+
| Add role to user | Add the user to a group in the IdP which is pushed via SCIM. They must also be assigned to the SCIM application and exist as an account member. |
168
+
| Remove role from user | Remove the user from the corresponding group in the IdP. |
169
+
| Retain user in account but with no permissions | Remove the user from all role groups but leave them assigned to the SCIM application. They will be an account member with only the role Minimal Account Access. |
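Review bot: the new table in this hunk shows data rows only; the rendered diff jumps from line 161 to 166 and the first row carries no line number, so the header and separator rows are not visible here. Confirm the file contains a header such as `| Action | Expected behavior |` followed by `| --- | --- |`, otherwise MDX renders the rows as plain text. Style: "dash experience" should read "dashboard experience", and the role name should be written consistently as `Minimal Account Access` here and in the earlier sentence that quotes it in lower case. The last row is the security-relevant one: a user removed from every role group but still assigned to the SCIM application stays an account member with Minimal Account Access, so the page should say plainly that full removal requires unassigning the application, and the note above the table that UPN and `email` must match case-sensitively is worth repeating beside the "User is added" row, since a mismatch there is what produces a user who is never created.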