Merge branch 'production' of https://github.com/cloudflare/cloudflare-docs into production

Author: daisyfaithauma

package-lock.json

@@ -36,7 +36,7 @@
 		"@astrojs/starlight-docsearch": "0.5.0",
 		"@astrojs/starlight-tailwind": "3.0.0",
 		"@astrojs/tailwind": "5.1.5",
-		"@cloudflare/vitest-pool-workers": "0.6.14",
+		"@cloudflare/vitest-pool-workers": "0.7.4",
 		"@cloudflare/workers-types": "4.20250204.0",
 		"@codingheads/sticky-header": "1.0.2",
 		"@expressive-code/plugin-collapsible-sections": "0.40.2",
@@ -50,7 +50,7 @@
 		"@types/react": "19.0.7",
 		"@types/react-dom": "19.0.4",
 		"@typescript-eslint/parser": "8.25.0",
-		"algoliasearch": "5.20.2",
+		"algoliasearch": "5.20.3",
 		"astro": "5.2.1",
 		"astro-breadcrumbs": "3.3.1",
 		"astro-icon": "1.1.5",

package.json

@@ -0,0 +1,28 @@
+---
+title: New SAML and OIDC Fields and SAML transforms for Access for SaaS
+description: Access for SaaS new SAML and OIDC Fields and SAML transforms
+date: 2025-03-03T6:00:00Z
+---
+
+[Access for SaaS applications](/cloudflare-one/applications/configure-apps/saas-apps/) now include more configuration options to support a wider array of SaaS applications.
+
+### SAML and OIDC Field Additions
+
+OIDC apps now include:
+
+- Group Filtering via RegEx
+- OIDC Claim mapping from an IdP
+- OIDC token lifetime control
+- Advanced OIDC auth flows including hybrid and implicit flows
+
+![OIDC field additions](~/assets/images/changelog/access/oidc-claims.png)
+
+SAML apps now include improved SAML attribute mapping from an IdP.
+
+![SAML field additions](~/assets/images/changelog/access/saml-attribute-statements.png)
+
+### SAML transformations
+
+SAML identities sent to Access applications can be fully customized using JSONata expressions. This allows admins to configure the precise identity SAML statement sent to a SaaS application.
+
+![Configured SAML statement sent to application](~/assets/images/changelog/access/transformation-box.png)

src/assets/images/changelog/access/oidc-claims.png

@@ -298,10 +298,10 @@ If you are using an [Admin override](/cloudflare-one/connections/connect-devices
 
 To prevent WARP from auto connecting while using an admin override code, disable Auto connect or set a longer **Timeout** for **Auto connect**. Note the changes you make to Auto connect while the end user is using the admin override code if you need to revert these changes later.
 
-## I am getting the error `Failed to fetch user/group information from the identity`.
+## I am getting the error `Failed to fetch user/group information from the identity provider`.
 
-This error is returned when proper API permissions are not set up in the identity provider. When Cloudflare attempts to fetch user/group information from the identity provider and proper API permissions have not been configured, the `Failed to fetch user/group information from the identify provider` error will appear. Review the [SSO integration](/cloudflare-one/identity/idp-integration/) guide for your identity provider to ensure your application has the appropriate API permissions.
+This error is returned when proper API permissions are not set up in the identity provider. When Cloudflare attempts to fetch user/group information from the identity provider and proper API permissions have not been configured, the `Failed to fetch user/group information from the identity provider` error will appear. Review the [SSO integration](/cloudflare-one/identity/idp-integration/) guide for your identity provider to ensure your application has the appropriate API permissions.
 
-For example, [Microsoft Entra](/cloudflare-one/identity/idp-integration/entra-id/#2-configure-api-permissions-in-entra-id) and [Okta](/cloudflare-one/identity/idp-integration/okta/#:~:text=(Optional)%20Create%20an%20Okta%20API%20token%20and%20enter%20it%20in%20Zero%20Trust%20(the%20token%20can%20be%20read%2Donly).%20This%20will%20prevent%20your%20Okta%20groups%20from%20failing%20if%20you%20have%20more%20than%20100%20groups) have required permissions stated in their integration guides.
+For example, [Microsoft Entra](/cloudflare-one/identity/idp-integration/entra-id/#2-configure-api-permissions-in-entra-id) and [Okta](</cloudflare-one/identity/idp-integration/okta/#:~:text=(Optional)%20Create%20an%20Okta%20API%20token%20and%20enter%20it%20in%20Zero%20Trust%20(the%20token%20can%20be%20read%2Donly).%20This%20will%20prevent%20your%20Okta%20groups%20from%20failing%20if%20you%20have%20more%20than%20100%20groups>) have required permissions stated in their integration guides.
 
 You can also examine logs in your identity provider to identify any denied requests related to API access.

src/assets/images/changelog/access/saml-attribute-statements.png

@@ -5,7 +5,7 @@ updated: 2024-12-04
 
 ---
 
-Cloudflare supports bulk provisioning of users into the Cloudflare dashboard by using the System for Cross-domain Identity Management (SCIM) protocol. This allows you to connect your external identity provider (IdP) to Cloudflare and quickly onboard and manage users and their permissions. Cloudflare supports SCIM onboarding with Okta and Microsoft Entra. 
+Cloudflare supports bulk provisioning of users into the Cloudflare dashboard by using the System for Cross-domain Identity Management (SCIM) protocol. This allows you to connect your external identity provider (IdP) to Cloudflare and quickly onboard and manage users and their permissions. Cloudflare supports SCIM onboarding with Okta and Microsoft Entra.
 
 :::note
 Cloudflare Zero Trust also supports SCIM for onboarding users to Cloudflare Access. [Learn more](/cloudflare-one/identity/users/scim/)
@@ -14,7 +14,7 @@ Cloudflare Zero Trust also supports SCIM for onboarding users to Cloudflare Acce
 ## Limitations
 
 - If a user is the only Super Administrator on an Enterprise account, they will not be deprovisioned.
-- Cloudflare currently only supports [Account-scoped Roles](/fundamentals/setup/manage-members/roles/#account-scoped-roles) and does not support Domain-scoped Roles provisioning via SCIM. 
+- Cloudflare currently only supports [Account-scoped Roles](/fundamentals/setup/manage-members/roles/#account-scoped-roles) and does not support Domain-scoped Roles provisioning via SCIM.
 - Cloudflare does not allow custom user groups.
 
 ## Prerequisites
@@ -31,7 +31,7 @@ Accounts provisioned with SCIM need to verify their email addresses.
 ---
 ## Gather the required data
 
-To start, you will need to collect a couple of pieces of data from Cloudflare and set these aside for later use. 
+To start, you will need to collect a couple of pieces of data from Cloudflare and set these aside for later use.
 
 ### Get your Account ID
 
@@ -91,26 +91,26 @@ To start, you will need to collect a couple of pieces of data from Cloudflare an
 1. In **Provisioning to App**, select **Edit**.
 2. Enable **Create Users** and **Deactivate Users**. Select **Save**.
 3. In the integration page, go to **Assignments** > **Assign** > **Assign to Groups**.
-4. Choose the group(s) that you want to provision to Cloudflare. 
+4. Choose the group(s) that you want to provision to Cloudflare.
 5. Select **Done**.
 
 This will provision all of the users in the group(s) affected to your Cloudflare account with "minimal account access."
 
-### Configure user permissions 
+### Configure user permissions
 
 There are two options for managing user permissions:
 
-* Manage your user permissions on a per-user basis in the Cloudflare dashboard, API, or using Terraform. 
-* Map your IdP groups to a Cloudflare built-in [Role](/fundamentals/setup/manage-members/roles/). Groups may only be linked to one role. 
+* Manage your user permissions on a per-user basis in the Cloudflare dashboard, API, or using Terraform.
+* Map your IdP groups to a Cloudflare built-in [Role](/fundamentals/setup/manage-members/roles/). Groups may only be linked to one role.
 
 1. Go to your SCIM application in the App Integration Catalog, then select **Provisioning**.
 2. Under **To App*, select **Edit**.
 3. Enable **Create Users** and **Deactivate Users**. Select **Save**.
 4. Go to **Push Groups**.
 5. Select **+ Push Groups**, then **Find groups by name**.
-6. Enter the name of the group(s) that you want to sync to Cloudflare. 
+6. Enter the name of the group(s) that you want to sync to Cloudflare.
 7. Choose **Link Group**.
-8. Cloudflare provisioned user groups are named in the pattern `CF-<accountID> - <Role Name>`. Choose the appropriate group that maps to your target role. 
+8. Cloudflare provisioned user groups are named in the pattern `CF-<accountID> - <Role Name>`. Choose the appropriate group that maps to your target role.
 9. Disable **Rename groups**. Select **Save**.
 10. Within the **Push Groups** tab, select **Push Groups**.
 11. Add the groups you created.
@@ -153,5 +153,17 @@ Refer to the list of [Roles](/fundamentals/setup/manage-members/roles/) for more
 7. Select **Start provisioning** to view the new users and groups populated on the Cloudflare dashboard.
 
 :::note
-To successfully provision with Microsoft Entra ID, the `user principal name` and `email` fields must match. These values are case-sensitive. 
+To successfully provision with Microsoft Entra ID, the `user principal name` and `email` fields must match. These values are case-sensitive.
 :::
+
+## Expected behaviors
+
+Expectations for user lifecycle management with SCIM:
+
+| Expected Cloudflare dash behavior              | Identity provider action                                                                                                                                        |
+| ---------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| User is added to account as member             | Assign the user to a SCIM application. They will be assigned the Minimal Account Access role so that their dash experience is not broken.                       |
+| User is removed from account as member         | Unassign the user from the SCIM application.                                                                                                                    |
+| Add role to user                               | Add the user to a group in the IdP which is pushed via SCIM. They must also be assigned to the SCIM application and exist as an account member.                 |
+| Remove role from user                          | Remove the user from the corresponding group in the IdP.                                                                                                        |
+| Retain user in account but with no permissions | Remove the user from all role groups but leave them assigned to the SCIM application. They will be an account member with only the role Minimal Account Access. |

src/assets/images/changelog/access/transformation-box.png

@@ -40,6 +40,8 @@ The **Responses** section allows you to add clarifying questions and comments.
 
 To view your RFI, select **Cloudforce One Requests** on the sidebar, locate your RFI, then select **View**. From here, you can also choose to edit your existing RFI by selecting **Edit**.
 
+To delete your RFI, the status must be `Open`. Go to the RFI you want to delete, and select **Delete**. On the pop-up, select **Delete** to confirm deletion. Once Cloudflare accepts and begins processing RFIs, you will not be able to delete RFIs.
+
 ### Upload and download attachment
 
 You can also choose to upload and download an attachment. 

src/content/changelog/access/2025-03-03-saml-oidc-fields-saml-transformations.mdx

@@ -0,0 +1,48 @@
+---
+title: "2025-03-03"
+type: table
+pcx_content_type: release-notes
+sidebar:
+  order: 800
+tableOfContents: false
+---
+
+import { RuleID } from "~/components";
+
+<table style="width: 100%">
+	<thead>
+		<tr>
+			<th>Ruleset</th>
+			<th>Rule ID</th>
+			<th>Legacy Rule ID</th>
+			<th>Description</th>
+			<th>Previous Action</th>
+			<th>New Action</th>
+			<th>Comments</th>
+		</tr>
+	</thead>
+	<tbody>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="90356ececae3444b9accb3d393e63099" />
+			</td>
+			<td>100721</td>
+			<td>Ivanti - Remote Code Execution - CVE:CVE-2024-13159, CVE:CVE-2024-13160, CVE:CVE-2024-13161</td>
+			<td>Log</td>
+			<td>Block</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td>
+				<RuleID id="6cf09ce2fa73482abb7f677ecac42ce2" />
+			</td>
+			<td>100596</td>
+			<td>Citrix Content Collaboration ShareFile - Remote Code Execution - CVE:CVE-2023-24489</td>
+			<td>N/A</td>
+			<td>Block</td>
+			<td></td>
+		</tr>
+	</tbody>
+</table>