[ZT] SCIM support for all IdPs (#18182)

* update supported idps

* update partial params

* check user registry

* jumpcloud scim

* break up jumpcloud steps

* add generic instructions

* remove extra line

* add link to google workspace

* add scim link to oidc idps

* add scim link to named IdPs

* remove scim from google workspace

* group memberships must match

Author: ranbel

src/content/docs/cloudflare-one/identity/idp-integration/centrify-saml.mdx

@@ -3,11 +3,11 @@ pcx_content_type: how-to
 title: Centrify (SAML)
 ---
 
-Centrify secures access to infrastructure, DevOps, cloud, and other modern enterprise so you can prevent the #1 cause of breaches – privileged access abuse.
+Centrify secures access to infrastructure, DevOps, cloud, and other modern enterprise so you can prevent the number one cause of breaches: privileged access abuse.
 
-## Set up Centrify (SAML)
+## Set up Centrify as a SAML provider
 
-To set up SAML with Centrify as your identity provider:
+## 1. Create an application in Centrify
 
 1. Log in to your **Centrify** admin portal and select **Apps**.
 
@@ -59,15 +59,21 @@ To set up SAML with Centrify as your identity provider:
 
 20. Select the **Manual Configuration** option.
 
-21. In Zero Trust, go to **Settings** > **Authentication**.
+### 2. Add Centrify to Zero Trust
 
-22. Under **Login methods**, select **Add new**.
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Authentication**.
 
-23. Select SAML.
+2. Under **Login methods**, select **Add new**.
 
-24. Copy and paste the corresponding information from Centrify into the fields.
+3. Select **SAML**.
 
-25. Select **Save**.
+4. Copy and paste the corresponding information from Centrify into the fields.
+
+5. (Optional) To enable SCIM, refer to [Synchronize users and groups](/cloudflare-one/identity/idp-integration/generic-saml/#synchronize-users-and-groups).
+
+6. (Optional) Under **Optional configurations**, configure [additional SAML options](/cloudflare-one/identity/idp-integration/generic-saml/#optional-configurations).
+
+7. Select **Save**.
 
 To test that your connection is working, go to **Authentication** > **Login methods** and select **Test** next to the login method you want to test.
 

src/content/docs/cloudflare-one/identity/idp-integration/centrify.mdx

@@ -7,6 +7,8 @@ Centrify secures access to infrastructure, DevOps, cloud, and other modern enter
 
 ## Set up Centrify as an OIDC provider
 
+### 1. Create an application in Centrify
+
 1. Log in to the Centrify administrator panel.
 
 2. Select **Apps**.
@@ -54,19 +56,23 @@ Centrify secures access to infrastructure, DevOps, cloud, and other modern enter
 
 16. Select the roles to grant access to your application.
 
-17. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication**.
+### 2. Add Centrify to Zero Trust
+
+1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication**.
+
+2. Under **Login methods**, select **Add new**.
 
-18. Under **Login methods**, select **Add new**.
+3. Paste in the **Client ID**, **Client Secret**, **Centrify account URL** and **Application ID**.
 
-19. Paste in the **Client ID**, **Client Secret**, **Centrify account URL** and **Application ID**.
+4. (Optional) To enable SCIM, refer to [Synchronize users and groups](/cloudflare-one/identity/idp-integration/generic-oidc/#synchronize-users-and-groups).
 
-20. (Optional) Under **Optional configurations**, enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that you wish to add to your users' identity. This information will be available in the [user identity endpoint](/cloudflare-one/identity/authorization-cookie/application-token/#user-identity).
+5. (Optional) Under **Optional configurations**, enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that you wish to add to your users' identity. This information will be available in the [user identity endpoint](/cloudflare-one/identity/authorization-cookie/application-token/#user-identity).
 
-21. Select **Save**.
+6. Select **Save**.
 
 To test that your connection is working, go to **Authentication** > **Login methods** and select **Test** next to the login method you want to test.
 
-## **Example API Config**
+## Example API Config
 
 ```json
 {

src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx

@@ -120,7 +120,7 @@ The Microsoft Entra ID integration allows you to synchronize IdP groups and auto
 
 <Render
 	file="access/enable-scim-on-dashboard"
-	params={{ one: "Enable SCIM and Support groups" }}
+	params={{ idp: "Entra ID", and: " and ", supportgroups: "Support groups"}}
 />
 
 ### 2. Configure SCIM in Entra ID
@@ -159,6 +159,8 @@ SCIM requires a separate enterprise application from the one created during [ini
 
 To check which users and groups were synchronized, select **View provisioning logs**.
 
+<Render file="access/verify-scim-provisioning"/>
+
 ### Provisioning attributes
 
 Provisioning attributes define the user properties that Entra ID will synchronize with Cloudflare Access. To modify your provisioning attributes, go to the **Provisioning** page in Entra ID and select **Edit attribute mappings**.

src/content/docs/cloudflare-one/identity/idp-integration/generic-oidc.mdx

@@ -5,6 +5,8 @@ sidebar:
   order: 1
 ---
 
+import { Render } from "~/components";
+
 Cloudflare Access has a generic OpenID Connect (OIDC) connector to help you integrate IdPs not already set in Access.
 
 ## Set up a generic OIDC
@@ -39,12 +41,41 @@ Cloudflare Access has a generic OpenID Connect (OIDC) connector to help you inte
 
 8. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/) if the protocol is supported by your IdP. PKCE will be performed on all login attempts.
 
-9. (Optional) Under **Optional configurations**, enter [custom OIDC claims](#oidc-claims) that you wish to add to users' identity. This information will be available in the [user identity endpoint](/cloudflare-one/identity/authorization-cookie/application-token/#user-identity).
+9. (Optional) To enable SCIM, refer to [Synchronize users and groups](#synchronize-users-and-groups).
+
+10. (Optional) Under **Optional configurations**, enter [custom OIDC claims](#oidc-claims) that you wish to add to users' identity. This information will be available in the [user identity endpoint](/cloudflare-one/identity/authorization-cookie/application-token/#user-identity).
 
-10. Select **Save**.
+11. Select **Save**.
 
 To test that your connection is working, go to **Authentication** > **Login methods** and select **Test** next to the login method you want to test. On success, a confirmation screen displays.
 
+## Synchronize users and groups
+
+The generic OIDC integration allows you to synchronize user groups and automatically deprovision users using [SCIM](/cloudflare-one/identity/users/scim/).
+
+### Prerequisites
+
+Your identity provider must support SCIM version 2.0.
+
+### 1. Enable SCIM in Zero Trust
+
+<Render
+	file="access/enable-scim-on-dashboard"
+	params={{ idp: "IdP"}}
+/>
+
+### 2. Configure SCIM in the IdP
+
+Setup instructions vary depending on the identity provider. In your identity provider, you will either need to edit the [original SSO application](/cloudflare-one/identity/idp-integration/generic-oidc/#set-up-a-generic-oidc) or create a new SCIM application. Refer to your identity provider's documentation for more details. For example instructions, refer to our [Okta](/cloudflare-one/identity/idp-integration/okta/#synchronize-users-and-groups) or [Jumpcloud](/cloudflare-one/identity/idp-integration/jumpcloud-saml/#synchronize-users-and-groups) guides.
+
+:::note
+If your IdP requires creating a new SCIM application, ensure that the groups in the SCIM application match the groups in the [original SSO application](/cloudflare-one/identity/idp-integration/generic-oidc/#set-up-a-generic-oidc). Because SCIM group membership updates will overwrite any groups in a user's identity, assigning the same groups to each app ensures consistent policy evaluation.
+:::
+
+### 3. Verify SCIM provisioning
+
+<Render file="access/verify-scim-provisioning"/>
+
 ## Optional configurations
 
 ### OIDC claims

src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx

@@ -5,6 +5,8 @@ sidebar:
   order: 2
 ---
 
+import { Render } from "~/components";
+
 Cloudflare Zero Trust integrates with any identity provider that supports SAML 2.0. If your identity provider is not listed in the integration list of login methods in Zero Trust, it can be configured using SAML 2.0 (or OpenID if OIDC based). Generic SAML can also be used if you would like to pass additional SAML headers or claims for an IdP in the integration list.
 
 ## Prerequisites
@@ -45,13 +47,41 @@ To download the SAML metadata file, copy-paste the metadata endpoint into a web
 2. Select **Add new** and select **SAML**.
 3. Choose a descriptive name for your identity provider.
 4. Enter the **Single Sign on URL**, **IdP Entity ID or Issuer URL**, and **Signing certificate** obtained from your identity provider.
-5. (Optional) Enter [optional configurations](#optional-configurations).
-6. Select **Save**.
+5. (Optional) To enable SCIM, refer to [Synchronize users and groups](#synchronize-users-and-groups).
+6. (Optional) Under **Optional configurations**, configure [additional SAML options](#optional-configurations).
+7. Select **Save**.
 
 ## 3. Test the connection
 
 You can now [test the IdP integration](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust). A success response should return the configured SAML attributes.
 
+## Synchronize users and groups
+
+The generic SAML integration allows you to synchronize user groups and automatically deprovision users using [SCIM](/cloudflare-one/identity/users/scim/).
+
+### Prerequisites
+
+Your identity provider must support SCIM version 2.0.
+
+### 1. Enable SCIM in Zero Trust
+
+<Render
+	file="access/enable-scim-on-dashboard"
+	params={{ idp: "IdP"}}
+/>
+
+### 2. Configure SCIM in the IdP
+
+Setup instructions vary depending on the identity provider. In your identity provider, you will either need to edit the [original SSO application](#1-create-an-application-in-your-identity-provider) or create a new SCIM application. Refer to your identity provider's documentation for more details. For example instructions, refer to our [Okta](/cloudflare-one/identity/idp-integration/okta/#synchronize-users-and-groups) or [JumpCloud](/cloudflare-one/identity/idp-integration/jumpcloud-saml/#synchronize-users-and-groups) guides.
+
+:::note
+If your IdP requires creating a new SCIM application, ensure that the groups in the SCIM application match the groups in the [original SSO application](/cloudflare-one/identity/idp-integration/generic-saml/#1-create-an-application-in-your-identity-provider). Because SCIM group membership updates will overwrite any groups in a user's identity, assigning the same groups to each app ensures consistent policy evaluation.
+:::
+
+### 3. Verify SCIM provisioning
+
+<Render file="access/verify-scim-provisioning"/>
+
 ## Optional configurations
 
 SAML integrations allow you to pass additional headers or claims to applications.

src/content/docs/cloudflare-one/identity/idp-integration/gsuite.mdx

@@ -16,6 +16,8 @@ You do not need to be a Google Cloud Platform user to integrate Google Workspace
 
 ## Set up Google Workspace as an identity provider
 
+### 1. Configure Google Workspace
+
 1. Log in to the Google Cloud Platform [console](https://console.cloud.google.com/). This is separate from your Google Workspace console.
 
 2. A Google Cloud project is required to enable Google Workspace APIs. If you do not already have a Google Cloud project, go to **IAM & Admin** > **Create Project**. Name the project and select **Create**.
@@ -66,21 +68,21 @@ You do not need to be a Google Cloud Platform user to integrate Google Workspace
 
 15. Enable the **Trust internal, domain-owned apps** option. This setting is disabled by default and must be enabled for Cloudflare Access to work correctly.
 
-16. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Authentication**.
+### 2. Add Google Workspace to Zero Trust
 
-17. Under **Login methods**, select **Add new** and choose **Google Workspace**.
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Authentication**.
 
-18. Input the Client ID and Client Secret fields generated previously. Additionally, input the domain of your Google Workspace account.
+2. Under **Login methods**, select **Add new** and choose **Google Workspace**.
 
-19. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/). PKCE will be performed on all login attempts.
+3. Input the Client ID and Client Secret fields generated previously. Additionally, input the domain of your Google Workspace account.
 
-20. (Optional) Under **Optional configurations**, enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that you wish to add to your Access [application token](/cloudflare-one/identity/authorization-cookie/application-token/).
+4. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/). PKCE will be performed on all login attempts.
 
-21. Select **Save**. To complete setup, you must visit the generated link. If you are not the Google Workspace administrator, share the link with the administrator.
+5. (Optional) Under **Optional configurations**, enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that you wish to add to your Access [application token](/cloudflare-one/identity/authorization-cookie/application-token/).
 
-22. The generated link will prompt you to log in to your Google admin account and to authorize Cloudflare Access to view group information. After allowing permissions, you will see a success page from Cloudflare Access.
+6. Select **Save**. To complete setup, you must visit the generated link. If you are not the Google Workspace administrator, share the link with the administrator.
 
-## Test your connection
+7. The generated link will prompt you to log in to your Google admin account and to authorize Cloudflare Access to view group information. After allowing permissions, you will see a success page from Cloudflare Access.
 
 To test that your connection is working, go to **Authentication** > **Login methods** and select **Test** next to Google Workspace. Your user identity and group membership should return.
 

src/content/docs/cloudflare-one/identity/idp-integration/jumpcloud-saml.mdx

@@ -3,10 +3,16 @@ pcx_content_type: how-to
 title: JumpCloud (SAML)
 ---
 
+import { Render } from "~/components";
+
 [JumpCloud](https://jumpcloud.com/#platform) provides SSO identity management. Cloudflare Access integrates with JumpCloud as a SAML identity provider.
 
+The following steps are specific to setting up JumpCloud with Cloudflare Access. For more information on configuring JumpCloud SSO application, refer to the [JumpCloud documentation](https://jumpcloud.com/support/integrate-with-cloudflare).
+
 ## Set up Jumpcloud as a SAML provider
 
+### 1. Create an SSO application in JumpCloud
+
 1. In the [JumpCloud Admin Portal](https://console.jumpcloud.com/#/home), go to **SSO Applications**.
 
 2. Select **Add New Application**.
@@ -34,24 +40,71 @@ title: JumpCloud (SAML)
 		```txt
 		https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback
 		```
-	3. Scroll up to **JumpCloud Metadata** and select **Export Metadata**. Save this XML file for use in a later step.
+	3. (Optional) Configure SAML attributes that you want to send to Cloudflare Access.
+
+	4. Scroll up to **JumpCloud Metadata** and select **Export Metadata**. Save this XML file for use in a [later step](#2-add-jumpcloud-to-zero-trust).
 
 9. In the **User Groups** tab, [assign user groups](https://jumpcloud.com/support/get-started-applications-saml-sso#managing-employee-access-to-applications) to this application.
 
 10. Select **Save**.
 
-11. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Authentication**.
+### 2. Add JumpCloud to Zero Trust
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Authentication**.
+
+2. Under **Login methods**, select **Add new**.
+
+3. Select **SAML**.
 
-12. Under **Login methods**, select **Add new**.
+4. Upload your JumpCloud XML metadata file.
 
-13. Select **SAML**.
+5. (Optional) To enable SCIM, refer to [Synchronize users and groups](#synchronize-users-and-groups).
 
-14. Upload your JumpCloud XML metadata file.
+6. (Optional) Under **Optional configurations**, configure [additional SAML options](#optional-configurations).
 
-15. Select **Save**.
+7. Select **Save**.
 
 You can now [test your connection](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust) and create [Access policies](/cloudflare-one/policies/access/) based on the configured login method and SAML attributes.
 
+## Synchronize users and groups
+
+The JumpCloud integration allows you to synchronize user groups and automatically deprovision users using [SCIM](/cloudflare-one/identity/users/scim/).
+
+### 1. Enable SCIM in Zero Trust
+
+<Render
+	file="access/enable-scim-on-dashboard"
+	params={{ idp: "JumpCloud"}}
+/>
+
+### 2. Configure SCIM in JumpCloud
+
+1. In the [JumpCloud Admin Portal](https://console.jumpcloud.com/#/home), go to **SSO Applications**.
+2. Select the Cloudflare application that was created when you [Set up JumpCloud as a SAML provider](/cloudflare-one/identity/idp-integration/jumpcloud-saml/#set-up-jumpcloud-as-a-saml-provider).
+3. Select the **Identity Management** tab.
+4. Make sure that **Enable management of User Groups and Group Membership in this application** is turned on.
+5. Select **Configure**.
+6. In the **Base URL** field, enter the **SCIM Endpoint** obtained from Zero Trust.
+7. In the **Token Key** field, enter the **SCIM Secret** obtained from Zero Trust.
+8. Select **Activate**. You will receive a confirmation that the Identity Management integration has been successfully verified.
+9. Select **Save**.
+
+<Render file="access/verify-scim-provisioning"/>
+
+### Provisioning attributes
+
+Provisioning attributes define the user and group properties that JumpCloud will synchronize with Cloudflare Access. By default, JumpCloud will send the following attributes during a SCIM update event:
+
+| JumpCloud user attribute| Cloudflare Access attribute |
+| ------------------ | ----------------------- |
+| `email` 					 | `email`            |
+| `firstname`        | `givenName`        |
+| `lastname`         | `surname`          |
+
+| JumpCloud group attribute | Cloudflare Access attribute |
+| ------------------ | ----------------------- |
+| `name` 					   | `groups`            |
+
 ## Example API configuration
 
 ```json

src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx

@@ -92,7 +92,7 @@ The Okta integration allows you to synchronize IdP groups and automatically depr
 
 <Render
 	file="access/enable-scim-on-dashboard"
-	params={{ one: "Enable SCIM " }}
+	params={{ idp: "Okta"}}
 />
 
 ### 2. Configure SCIM in Okta
@@ -139,7 +139,9 @@ The Okta integration allows you to synchronize IdP groups and automatically depr
 
 15. In the **Push Groups** tab, add the Okta groups you want to synchronize with Cloudflare Access. These groups will display in the Access policy builder.
 
-Provisioning will begin immediately. To verify the integration, select **View Logs** in the Okta SCIM application.
+To verify the integration, select **View Logs** in the Okta SCIM application.
+
+<Render file="access/verify-scim-provisioning"/>
 
 ## Example API Configuration