diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/centrify-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/centrify-saml.mdx
index 1250f499a95a00..745b96a7fc2b18 100644
--- a/src/content/docs/cloudflare-one/identity/idp-integration/centrify-saml.mdx
+++ b/src/content/docs/cloudflare-one/identity/idp-integration/centrify-saml.mdx
@@ -3,11 +3,11 @@ pcx_content_type: how-to
title: Centrify (SAML)
---
-Centrify secures access to infrastructure, DevOps, cloud, and other modern enterprise so you can prevent the #1 cause of breaches – privileged access abuse.
+Centrify secures access to infrastructure, DevOps, cloud, and other modern enterprise so you can prevent the number one cause of breaches: privileged access abuse.
-## Set up Centrify (SAML)
+## Set up Centrify as a SAML provider
-To set up SAML with Centrify as your identity provider:
+## 1. Create an application in Centrify
1. Log in to your **Centrify** admin portal and select **Apps**.
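Review bot: the new `## 1. Create an application in Centrify` heading is at the same level as its parent `## Set up Centrify as a SAML provider`, while the second step in this file is added as `### 2. Add Centrify to Zero Trust`. Make step 1 an h3 (`### 1. Create an application in Centrify`) so both numbered steps nest under the set-up heading, as they do in centrify.mdx.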
@@ -59,15 +59,21 @@ To set up SAML with Centrify as your identity provider:
20. Select the **Manual Configuration** option.
-21. In Zero Trust, go to **Settings** > **Authentication**.
+### 2. Add Centrify to Zero Trust
-22. Under **Login methods**, select **Add new**.
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Authentication**.
-23. Select SAML.
+2. Under **Login methods**, select **Add new**.
-24. Copy and paste the corresponding information from Centrify into the fields.
+3. Select **SAML**.
-25. Select **Save**.
+4. Copy and paste the corresponding information from Centrify into the fields.
+
+5. (Optional) To enable SCIM, refer to [Synchronize users and groups](/cloudflare-one/identity/idp-integration/generic-saml/#synchronize-users-and-groups).
+
+6. (Optional) Under **Optional configurations**, configure [additional SAML options](/cloudflare-one/identity/idp-integration/generic-saml/#optional-configurations).
+
+7. Select **Save**.
To test that your connection is working, go to **Authentication** > **Login methods** and select **Test** next to the login method you want to test.
diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/centrify.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/centrify.mdx
index dcd6b705decc82..d8562d376cc31b 100644
--- a/src/content/docs/cloudflare-one/identity/idp-integration/centrify.mdx
+++ b/src/content/docs/cloudflare-one/identity/idp-integration/centrify.mdx
@@ -7,6 +7,8 @@ Centrify secures access to infrastructure, DevOps, cloud, and other modern enter
## Set up Centrify as an OIDC provider
+### 1. Create an application in Centrify
+
1. Log in to the Centrify administrator panel.
2. Select **Apps**.
@@ -54,19 +56,23 @@ Centrify secures access to infrastructure, DevOps, cloud, and other modern enter
16. Select the roles to grant access to your application.
-17. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication**.
+### 2. Add Centrify to Zero Trust
+
+1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication**.
+
+2. Under **Login methods**, select **Add new**.
-18. Under **Login methods**, select **Add new**.
+3. Paste in the **Client ID**, **Client Secret**, **Centrify account URL** and **Application ID**.
-19. Paste in the **Client ID**, **Client Secret**, **Centrify account URL** and **Application ID**.
+4. (Optional) To enable SCIM, refer to [Synchronize users and groups](/cloudflare-one/identity/idp-integration/generic-oidc/#synchronize-users-and-groups).
-20. (Optional) Under **Optional configurations**, enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that you wish to add to your users' identity. This information will be available in the [user identity endpoint](/cloudflare-one/identity/authorization-cookie/application-token/#user-identity).
+5. (Optional) Under **Optional configurations**, enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that you wish to add to your users' identity. This information will be available in the [user identity endpoint](/cloudflare-one/identity/authorization-cookie/application-token/#user-identity).
-21. Select **Save**.
+6. Select **Save**.
To test that your connection is working, go to **Authentication** > **Login methods** and select **Test** next to the login method you want to test.
-## **Example API Config**
+## Example API Config
```json
{
diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx
index 8761edba2dbb70..5ca91654cee397 100644
--- a/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx
+++ b/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx
@@ -120,7 +120,7 @@ The Microsoft Entra ID integration allows you to synchronize IdP groups and auto
### 2. Configure SCIM in Entra ID
@@ -159,6 +159,8 @@ SCIM requires a separate enterprise application from the one created during [ini
To check which users and groups were synchronized, select **View provisioning logs**.
+
+
### Provisioning attributes
Provisioning attributes define the user properties that Entra ID will synchronize with Cloudflare Access. To modify your provisioning attributes, go to the **Provisioning** page in Entra ID and select **Edit attribute mappings**.
diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/generic-oidc.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/generic-oidc.mdx
index 59d255676a9a3d..a29eef8191df11 100644
--- a/src/content/docs/cloudflare-one/identity/idp-integration/generic-oidc.mdx
+++ b/src/content/docs/cloudflare-one/identity/idp-integration/generic-oidc.mdx
@@ -5,6 +5,8 @@ sidebar:
order: 1
---
+import { Render } from "~/components";
+
Cloudflare Access has a generic OpenID Connect (OIDC) connector to help you integrate IdPs not already set in Access.
## Set up a generic OIDC
@@ -39,12 +41,41 @@ Cloudflare Access has a generic OpenID Connect (OIDC) connector to help you inte
8. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/) if the protocol is supported by your IdP. PKCE will be performed on all login attempts.
-9. (Optional) Under **Optional configurations**, enter [custom OIDC claims](#oidc-claims) that you wish to add to users' identity. This information will be available in the [user identity endpoint](/cloudflare-one/identity/authorization-cookie/application-token/#user-identity).
+9. (Optional) To enable SCIM, refer to [Synchronize users and groups](#synchronize-users-and-groups).
+
+10. (Optional) Under **Optional configurations**, enter [custom OIDC claims](#oidc-claims) that you wish to add to users' identity. This information will be available in the [user identity endpoint](/cloudflare-one/identity/authorization-cookie/application-token/#user-identity).
-10. Select **Save**.
+11. Select **Save**.
To test that your connection is working, go to **Authentication** > **Login methods** and select **Test** next to the login method you want to test. On success, a confirmation screen displays.
+## Synchronize users and groups
+
+The generic OIDC integration allows you to synchronize user groups and automatically deprovision users using [SCIM](/cloudflare-one/identity/users/scim/).
+
+### Prerequisites
+
+Your identity provider must support SCIM version 2.0.
+
+### 1. Enable SCIM in Zero Trust
+
+
+
+### 2. Configure SCIM in the IdP
+
+Setup instructions vary depending on the identity provider. In your identity provider, you will either need to edit the [original SSO application](/cloudflare-one/identity/idp-integration/generic-oidc/#set-up-a-generic-oidc) or create a new SCIM application. Refer to your identity provider's documentation for more details. For example instructions, refer to our [Okta](/cloudflare-one/identity/idp-integration/okta/#synchronize-users-and-groups) or [Jumpcloud](/cloudflare-one/identity/idp-integration/jumpcloud-saml/#synchronize-users-and-groups) guides.
+
+:::note
+If your IdP requires creating a new SCIM application, ensure that the groups in the SCIM application match the groups in the [original SSO application](/cloudflare-one/identity/idp-integration/generic-oidc/#set-up-a-generic-oidc). Because SCIM group membership updates will overwrite any groups in a user's identity, assigning the same groups to each app ensures consistent policy evaluation.
+:::
+
+### 3. Verify SCIM provisioning
+
+
+
## Optional configurations
### OIDC claims
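Review bot: the link text in "### 2. Configure SCIM in the IdP" spells the vendor "Jumpcloud", while the same sentence in generic-saml.mdx and the rest of this change use "JumpCloud". Also, the paragraph and the note both link to this page's own section with the full path `/cloudflare-one/identity/idp-integration/generic-oidc/#set-up-a-generic-oidc`, whereas step 9 uses a relative anchor (`#synchronize-users-and-groups`); pick one style for same-page links.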
diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx
index 9df8e7db1a6f65..fe1131322deb90 100644
--- a/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx
+++ b/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx
@@ -5,6 +5,8 @@ sidebar:
order: 2
---
+import { Render } from "~/components";
+
Cloudflare Zero Trust integrates with any identity provider that supports SAML 2.0. If your identity provider is not listed in the integration list of login methods in Zero Trust, it can be configured using SAML 2.0 (or OpenID if OIDC based). Generic SAML can also be used if you would like to pass additional SAML headers or claims for an IdP in the integration list.
## Prerequisites
@@ -45,13 +47,41 @@ To download the SAML metadata file, copy-paste the metadata endpoint into a web
2. Select **Add new** and select **SAML**.
3. Choose a descriptive name for your identity provider.
4. Enter the **Single Sign on URL**, **IdP Entity ID or Issuer URL**, and **Signing certificate** obtained from your identity provider.
-5. (Optional) Enter [optional configurations](#optional-configurations).
-6. Select **Save**.
+5. (Optional) To enable SCIM, refer to [Synchronize users and groups](#synchronize-users-and-groups).
+6. (Optional) Under **Optional configurations**, configure [additional SAML options](#optional-configurations).
+7. Select **Save**.
## 3. Test the connection
You can now [test the IdP integration](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust). A success response should return the configured SAML attributes.
+## Synchronize users and groups
+
+The generic SAML integration allows you to synchronize user groups and automatically deprovision users using [SCIM](/cloudflare-one/identity/users/scim/).
+
+### Prerequisites
+
+Your identity provider must support SCIM version 2.0.
+
+### 1. Enable SCIM in Zero Trust
+
+
+
+### 2. Configure SCIM in the IdP
+
+Setup instructions vary depending on the identity provider. In your identity provider, you will either need to edit the [original SSO application](#1-create-an-application-in-your-identity-provider) or create a new SCIM application. Refer to your identity provider's documentation for more details. For example instructions, refer to our [Okta](/cloudflare-one/identity/idp-integration/okta/#synchronize-users-and-groups) or [JumpCloud](/cloudflare-one/identity/idp-integration/jumpcloud-saml/#synchronize-users-and-groups) guides.
+
+:::note
+If your IdP requires creating a new SCIM application, ensure that the groups in the SCIM application match the groups in the [original SSO application](/cloudflare-one/identity/idp-integration/generic-saml/#1-create-an-application-in-your-identity-provider). Because SCIM group membership updates will overwrite any groups in a user's identity, assigning the same groups to each app ensures consistent policy evaluation.
+:::
+
+### 3. Verify SCIM provisioning
+
+
+
## Optional configurations
SAML integrations allow you to pass additional headers or claims to applications.
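Review bot: the added `### Prerequisites` under "Synchronize users and groups" duplicates the page's existing `## Prerequisites` heading, so the two sections compete for the same heading slug and a link to `#prerequisites` becomes ambiguous. Consider renaming it (for example "SCIM prerequisites") or folding the one-line requirement into the section intro. The note also links to the original SSO application with a full path while the paragraph above it uses the relative `#1-create-an-application-in-your-identity-provider`; use the same form in both.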
diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/gsuite.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/gsuite.mdx
index ddfcb56bb22f87..f265a3bfd456ff 100644
--- a/src/content/docs/cloudflare-one/identity/idp-integration/gsuite.mdx
+++ b/src/content/docs/cloudflare-one/identity/idp-integration/gsuite.mdx
@@ -16,6 +16,8 @@ You do not need to be a Google Cloud Platform user to integrate Google Workspace
## Set up Google Workspace as an identity provider
+### 1. Configure Google Workspace
+
1. Log in to the Google Cloud Platform [console](https://console.cloud.google.com/). This is separate from your Google Workspace console.
2. A Google Cloud project is required to enable Google Workspace APIs. If you do not already have a Google Cloud project, go to **IAM & Admin** > **Create Project**. Name the project and select **Create**.
@@ -66,21 +68,21 @@ You do not need to be a Google Cloud Platform user to integrate Google Workspace
15. Enable the **Trust internal, domain-owned apps** option. This setting is disabled by default and must be enabled for Cloudflare Access to work correctly.
-16. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Authentication**.
+### 2. Add Google Workspace to Zero Trust
-17. Under **Login methods**, select **Add new** and choose **Google Workspace**.
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Authentication**.
-18. Input the Client ID and Client Secret fields generated previously. Additionally, input the domain of your Google Workspace account.
+2. Under **Login methods**, select **Add new** and choose **Google Workspace**.
-19. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/). PKCE will be performed on all login attempts.
+3. Input the Client ID and Client Secret fields generated previously. Additionally, input the domain of your Google Workspace account.
-20. (Optional) Under **Optional configurations**, enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that you wish to add to your Access [application token](/cloudflare-one/identity/authorization-cookie/application-token/).
+4. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/). PKCE will be performed on all login attempts.
-21. Select **Save**. To complete setup, you must visit the generated link. If you are not the Google Workspace administrator, share the link with the administrator.
+5. (Optional) Under **Optional configurations**, enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that you wish to add to your Access [application token](/cloudflare-one/identity/authorization-cookie/application-token/).
-22. The generated link will prompt you to log in to your Google admin account and to authorize Cloudflare Access to view group information. After allowing permissions, you will see a success page from Cloudflare Access.
+6. Select **Save**. To complete setup, you must visit the generated link. If you are not the Google Workspace administrator, share the link with the administrator.
-## Test your connection
+7. The generated link will prompt you to log in to your Google admin account and to authorize Cloudflare Access to view group information. After allowing permissions, you will see a success page from Cloudflare Access.
To test that your connection is working, go to **Authentication** > **Login methods** and select **Test** next to Google Workspace. Your user identity and group membership should return.
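Review bot: removing `## Test your connection` leaves the closing "To test that your connection is working" paragraph as trailing text under `### 2. Add Google Workspace to Zero Trust`, and drops the `#test-your-connection` anchor. Please check for inbound links to that anchor before merging, or keep a test heading (for example `### 3. Test the connection`) so the page structure matches generic-saml.mdx.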
diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/jumpcloud-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/jumpcloud-saml.mdx
index c37921fa18d7d1..1f466d0d0ded8c 100644
--- a/src/content/docs/cloudflare-one/identity/idp-integration/jumpcloud-saml.mdx
+++ b/src/content/docs/cloudflare-one/identity/idp-integration/jumpcloud-saml.mdx
@@ -3,10 +3,16 @@ pcx_content_type: how-to
title: JumpCloud (SAML)
---
+import { Render } from "~/components";
+
[JumpCloud](https://jumpcloud.com/#platform) provides SSO identity management. Cloudflare Access integrates with JumpCloud as a SAML identity provider.
+The following steps are specific to setting up JumpCloud with Cloudflare Access. For more information on configuring JumpCloud SSO application, refer to the [JumpCloud documentation](https://jumpcloud.com/support/integrate-with-cloudflare).
+
## Set up Jumpcloud as a SAML provider
+### 1. Create an SSO application in JumpCloud
+
1. In the [JumpCloud Admin Portal](https://console.jumpcloud.com/#/home), go to **SSO Applications**.
2. Select **Add New Application**.
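Review bot: the added intro sentence reads "For more information on configuring JumpCloud SSO application", which is missing an article; suggest "configuring a JumpCloud SSO application". The unchanged heading just below still says "Set up Jumpcloud as a SAML provider", and since this change touches the surrounding lines and links to that heading later, it is a good moment to correct the capitalisation to "JumpCloud".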
@@ -34,24 +40,71 @@ title: JumpCloud (SAML)
```txt
https://.cloudflareaccess.com/cdn-cgi/access/callback
```
- 3. Scroll up to **JumpCloud Metadata** and select **Export Metadata**. Save this XML file for use in a later step.
+ 3. (Optional) Configure SAML attributes that you want to send to Cloudflare Access.
+
+ 4. Scroll up to **JumpCloud Metadata** and select **Export Metadata**. Save this XML file for use in a [later step](#2-add-jumpcloud-to-zero-trust).
9. In the **User Groups** tab, [assign user groups](https://jumpcloud.com/support/get-started-applications-saml-sso#managing-employee-access-to-applications) to this application.
10. Select **Save**.
-11. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Authentication**.
+### 2. Add JumpCloud to Zero Trust
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Authentication**.
+
+2. Under **Login methods**, select **Add new**.
+
+3. Select **SAML**.
-12. Under **Login methods**, select **Add new**.
+4. Upload your JumpCloud XML metadata file.
-13. Select **SAML**.
+5. (Optional) To enable SCIM, refer to [Synchronize users and groups](#synchronize-users-and-groups).
-14. Upload your JumpCloud XML metadata file.
+6. (Optional) Under **Optional configurations**, configure [additional SAML options](#optional-configurations).
-15. Select **Save**.
+7. Select **Save**.
You can now [test your connection](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust) and create [Access policies](/cloudflare-one/policies/access/) based on the configured login method and SAML attributes.
+## Synchronize users and groups
+
+The JumpCloud integration allows you to synchronize user groups and automatically deprovision users using [SCIM](/cloudflare-one/identity/users/scim/).
+
+### 1. Enable SCIM in Zero Trust
+
+
+
+### 2. Configure SCIM in JumpCloud
+
+1. In the [JumpCloud Admin Portal](https://console.jumpcloud.com/#/home), go to **SSO Applications**.
+2. Select the Cloudflare application that was created when you [Set up JumpCloud as a SAML provider](/cloudflare-one/identity/idp-integration/jumpcloud-saml/#set-up-jumpcloud-as-a-saml-provider).
+3. Select the **Identity Management** tab.
+4. Make sure that **Enable management of User Groups and Group Membership in this application** is turned on.
+5. Select **Configure**.
+6. In the **Base URL** field, enter the **SCIM Endpoint** obtained from Zero Trust.
+7. In the **Token Key** field, enter the **SCIM Secret** obtained from Zero Trust.
+8. Select **Activate**. You will receive a confirmation that the Identity Management integration has been successfully verified.
+9. Select **Save**.
+
+
+
+### Provisioning attributes
+
+Provisioning attributes define the user and group properties that JumpCloud will synchronize with Cloudflare Access. By default, JumpCloud will send the following attributes during a SCIM update event:
+
+| JumpCloud user attribute| Cloudflare Access attribute |
+| ------------------ | ----------------------- |
+| `email` | `email` |
+| `firstname` | `givenName` |
+| `lastname` | `surname` |
+
+| JumpCloud group attribute | Cloudflare Access attribute |
+| ------------------ | ----------------------- |
+| `name` | `groups` |
+
## Example API configuration
```json
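Review bot: step 6 of "Add JumpCloud to Zero Trust" links to `#optional-configurations` on this page, but none of the headings this hunk shows for jumpcloud-saml.mdx (Synchronize users and groups, Provisioning attributes, Example API configuration) would produce that anchor. The other SAML pages in this change point to `/cloudflare-one/identity/idp-integration/generic-saml/#optional-configurations`; use that target here unless the heading exists outside the hunk. Separately, the two attribute tables have separator rows that do not match their header widths and a missing space in `| JumpCloud user attribute|`; harmless to render, but worth tidying.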
diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx
index 7a51e43b968af1..9441835d121499 100644
--- a/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx
+++ b/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx
@@ -92,7 +92,7 @@ The Okta integration allows you to synchronize IdP groups and automatically depr
### 2. Configure SCIM in Okta
@@ -139,7 +139,9 @@ The Okta integration allows you to synchronize IdP groups and automatically depr
15. In the **Push Groups** tab, add the Okta groups you want to synchronize with Cloudflare Access. These groups will display in the Access policy builder.
-Provisioning will begin immediately. To verify the integration, select **View Logs** in the Okta SCIM application.
+To verify the integration, select **View Logs** in the Okta SCIM application.
+
+
## Example API Configuration
diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/onelogin-oidc.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/onelogin-oidc.mdx
index aea84e3a662ce1..004b625eb48deb 100644
--- a/src/content/docs/cloudflare-one/identity/idp-integration/onelogin-oidc.mdx
+++ b/src/content/docs/cloudflare-one/identity/idp-integration/onelogin-oidc.mdx
@@ -7,6 +7,8 @@ OneLogin provides SSO identity management. Cloudflare Access supports OneLogin a
## Set up OneLogin as an OIDC provider
+### 1. Create an application in OneLogin
+
1. Log in to your OneLogin admin portal.
2. Go to **Applications** > **Applications** and select **Add App**.
@@ -31,22 +33,26 @@ OneLogin provides SSO identity management. Cloudflare Access supports OneLogin a
9. Copy the **Client ID** and **Client Secret**.
-10. In [Zero Trust](https://one.dash.cloudflare.com),, go to **Settings** > **Authentication**.
+### 2. Add OneLogin to Zero Trust
+
+1. In [Zero Trust](https://one.dash.cloudflare.com),, go to **Settings** > **Authentication**.
-11. Under **Login methods**, select **Add new**.
+2. Under **Login methods**, select **Add new**.
-12. Select **OneLogin**.
+3. Select **OneLogin**.
-13. Fill in the following information:
+4. Fill in the following information:
- **Name**: Name your identity provider.
- **App ID**: Enter your OneLogin client ID.
- **Client secret**: Enter your OneLogin client secret.
- **OneLogin account URL**: Enter your OneLogin domain, for example `https://.onelogin.com`.
-14. (Optional) Under **Optional configurations**, enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that you wish to add to your Access [application token](/cloudflare-one/identity/authorization-cookie/application-token/).
+5. (Optional) To enable SCIM, refer to [Synchronize users and groups](/cloudflare-one/identity/idp-integration/generic-oidc/#synchronize-users-and-groups).
+
+6. (Optional) Under **Optional configurations**, enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that you wish to add to your Access [application token](/cloudflare-one/identity/authorization-cookie/application-token/).
-15. Select **Save**.
+7. Select **Save**.
To test that your connection is working, go to **Authentication** > **Login methods** and select **Test** next to OneLogin.
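Review bot: the renumbered step 1 carries over the stray double comma from the old step 10: `In [Zero Trust](https://one.dash.cloudflare.com),, go to`. Since the line is being rewritten anyway, drop the extra comma, and consider adding the trailing slash to the URL so it matches the other pages in this change.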
diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/onelogin-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/onelogin-saml.mdx
index f49e025cdc3ab2..0fb8da65b69dd2 100644
--- a/src/content/docs/cloudflare-one/identity/idp-integration/onelogin-saml.mdx
+++ b/src/content/docs/cloudflare-one/identity/idp-integration/onelogin-saml.mdx
@@ -5,9 +5,9 @@ title: OneLogin (SAML)
OneLogin provides SSO identity management. Cloudflare Access supports OneLogin as an SAML identity provider.
-## Set up OneLogin (SAML)
+## Set up OneLogin as a SAML provider
-To set up OneLogin (SAML) as your identity provider:
+## 1. Create an application in OneLogin
1. Log in to your OneLogin admin portal.
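Review bot: `## 1. Create an application in OneLogin` replaces an introductory sentence with an h2, which makes it a sibling of `## Set up OneLogin as a SAML provider` rather than a child. The matching second step later in this file is `### 2. Add OneLogin to Zero Trust`, so this one should be `###` as well.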
@@ -47,17 +47,21 @@ To set up OneLogin (SAML) as your identity provider:

-15. In Zero Trust, go to **Settings** > **Authentication**.
+### 2. Add OneLogin to Zero Trust
-16. Under **Login methods**, select **Add new**.
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Authentication**.
-17. Select SAML.
+2. Under **Login methods**, select **Add new**.
-18. Input the details from your OneLogin account in the fields. We suggest that you name the attributes the same in both OneLogin and Cloudflare.
+3. Select **SAML**.
- If other headers and SAML attribute names were added to OneLogin, be sure to add them to Cloudflare under **SAML attributes** and **SAML header attributes** in the **Optional configurations** menu.
+4. Input the details from your OneLogin account in the fields.
-19. Select **Save**.
+5. (Optional) To enable SCIM, refer to [Synchronize users and groups](/cloudflare-one/identity/idp-integration/generic-saml/#synchronize-users-and-groups).
+
+6. (Optional) Under **Optional configurations**, configure [additional SAML options](/cloudflare-one/identity/idp-integration/generic-saml/#optional-configurations). If you added other SAML headers and attribute names to OneLogin, be sure to add them to Cloudflare.
+
+7. Select **Save**.
To test that your connection is working, go to **Authentication** > **Login methods** and select **Test** next to the login method you want to test.
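Review bot: the rewrite of step 4 drops the sentence "We suggest that you name the attributes the same in both OneLogin and Cloudflare." and nothing in the new steps 4 to 6 replaces it. If that recommendation still holds, keep it in step 6 next to the reminder about adding extra SAML headers and attribute names, since a mismatch between the two sides is the kind of error that only shows up later in policy evaluation.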
diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/pingone-oidc.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/pingone-oidc.mdx
index e05afcf45079d4..e3b4aa41d204fb 100644
--- a/src/content/docs/cloudflare-one/identity/idp-integration/pingone-oidc.mdx
+++ b/src/content/docs/cloudflare-one/identity/idp-integration/pingone-oidc.mdx
@@ -7,6 +7,8 @@ The PingOne cloud platform from PingIdentity provides SSO identity management. C
## Set up PingOne as an OIDC provider
+### 1. Create an application in PingOne
+
1. In your PingIdentity environment, go to **Connections** > **Applications**.
2. Select **Add Application**.
3. Enter an **Application Name**.
@@ -24,13 +26,17 @@ The PingOne cloud platform from PingIdentity provides SSO identity management. C
You can find your team name in Zero Trust under **Settings** > **Custom Pages**.
10. Select **Save**.
-11. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Authentication**.
-12. Under **Login methods**, select **Add new**.
-13. Select **PingOne**.
-14. Input the **Client ID**, **Client Secret**, and **Environment ID** generated previously.
-15. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/). PKCE will be performed on all login attempts.
-16. (Optional) Under **Optional configurations**, enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that you wish to add to your users' identity. This information will be available in the [user identity endpoint](/cloudflare-one/identity/authorization-cookie/application-token/#user-identity).
-17. Select **Save**.
+
+### 2. Add PingOne to Zero Trust
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Authentication**.
+2. Under **Login methods**, select **Add new**.
+3. Select **PingOne**.
+4. Input the **Client ID**, **Client Secret**, and **Environment ID** generated previously.
+5. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/). PKCE will be performed on all login attempts.
+6. (Optional) To enable SCIM, refer to [Synchronize users and groups](/cloudflare-one/identity/idp-integration/generic-oidc/#synchronize-users-and-groups).
+7. (Optional) Under **Optional configurations**, enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that you wish to add to your users' identity. This information will be available in the [user identity endpoint](/cloudflare-one/identity/authorization-cookie/application-token/#user-identity).
+8. Select **Save**.
You can now [test your connection](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust) and create [Access policies](/cloudflare-one/policies/access/) based on the configured login method.
diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/pingone-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/pingone-saml.mdx
index bbd495bb02bb0c..323e4640d30af1 100644
--- a/src/content/docs/cloudflare-one/identity/idp-integration/pingone-saml.mdx
+++ b/src/content/docs/cloudflare-one/identity/idp-integration/pingone-saml.mdx
@@ -9,6 +9,8 @@ The PingOne cloud platform from PingIdentity provides SSO identity management. C
## Set up PingOne as a SAML provider
+## 1. Create an application in PingOne
+
1. In your PingIdentity environment, go to **Connections** > **Applications**.
2. Select **Add Application**.
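Review bot: the added `## 1. Create an application in PingOne` sits at h2 directly under `## Set up PingOne as a SAML provider`, but the second step in this file is `### 2. Add PingOne to Zero Trust`, and pingone-oidc.mdx uses `###` for both. Change this heading to h3 for a consistent outline and sidebar.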
@@ -47,16 +49,20 @@ The PingOne cloud platform from PingIdentity provides SSO identity management. C
9. Set the application to **Active**.
-10. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Authentication**.
+### 2. Add PingOne to Zero Trust
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Authentication**.
+
+2. Under **Login methods**, select **Add new**.
-11. Under **Login methods**, select **Add new**.
+3. Select **SAML**.
-12. Select **SAML**.
+4. Upload your PingOne XML metadata file.
-13. Upload your PingOne XML metadata file from Step 7.
+5. (Optional) To enable SCIM, refer to [Synchronize users and groups](/cloudflare-one/identity/idp-integration/generic-saml/#synchronize-users-and-groups).
-14. Enable [**Sign SAML authentication request**](/cloudflare-one/identity/idp-integration/generic-saml/#sign-saml-authentication-request).
+6. (Optional) Under **Optional configurations**, configure [additional SAML options](/cloudflare-one/identity/idp-integration/generic-saml/#optional-configurations).
-15. Select **Save**.
+7. Select **Save**.
You can now [test your connection](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust) and create [Access policies](/cloudflare-one/policies/access/) based on the configured login method and SAML attributes.
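Review bot: the old step 14, Enable **Sign SAML authentication request**, is deleted rather than renumbered, and the new step 6 only refers generically to optional SAML options. If PingOne is set up to expect signed authentication requests, an admin following the new steps will leave signing off; either keep it as its own step or name it explicitly in step 6, and say in the PR description if the removal is intentional. Step 4 also loses the "from Step 7" pointer to where the metadata file was obtained; a link back to section 1 would preserve it.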
diff --git a/src/content/docs/cloudflare-one/identity/users/scim.mdx b/src/content/docs/cloudflare-one/identity/users/scim.mdx
index e12b1d20d6f261..81b3898dbd6187 100644
--- a/src/content/docs/cloudflare-one/identity/users/scim.mdx
+++ b/src/content/docs/cloudflare-one/identity/users/scim.mdx
@@ -12,14 +12,14 @@ System for Cross-domain Identity Management (SCIM) is an open standard protocol
## Supported identity providers
-Cloudflare Access currently supports SCIM provisioning using the following identity providers:
-
-
+Cloudflare Access supports SCIM provisioning for all SAML and OIDC identity providers that use SCIM version 2.0.
## Sync users and groups in Zero Trust policies
Cloudflare Access can automatically deprovision users from Zero Trust after they are deactivated in the identity provider and display synchronized group names in the Access and Gateway policy builders. Cloudflare does not provision new users in Zero Trust when they are added to the identity provider -- users must first register a device with the WARP client or authenticate to an Access application.
+To set up SCIM for Zero Trust, refer to our [SSO integration](/cloudflare-one/identity/idp-integration/) guides.
+
## SCIM for Cloudflare dashboard SSO
To provision access to your Cloudflare account, you will need to set up a distinct [dashboard SSO SCIM integration](/fundamentals/setup/account/account-security/scim-setup/) in your IdP. You can assign users and groups to this new SCIM application to define who can access the Cloudflare dashboard.
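Review bot: the new sentence says SCIM provisioning is supported "for all SAML and OIDC identity providers that use SCIM version 2.0", but the gsuite.mdx hunk in this same change renumbers the Google Workspace steps without adding the "(Optional) To enable SCIM" step that the Centrify, OneLogin, PingOne and JumpCloud pages receive. Either add the step there or qualify this sentence so readers know which integrations are excluded. The added pointer to the SSO integration guides is useful; consider also naming the generic SAML and OIDC pages, since that is where the shared instructions now live.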
diff --git a/src/content/docs/cloudflare-one/policies/gateway/identity-selectors.mdx b/src/content/docs/cloudflare-one/policies/gateway/identity-selectors.mdx
index 9e501287b988eb..22057af7c6c3e6 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/identity-selectors.mdx
+++ b/src/content/docs/cloudflare-one/policies/gateway/identity-selectors.mdx
@@ -24,11 +24,7 @@ To view the identity that Gateway will use when evaluating policies, check the [
### Automatic SCIM IdP updates
-Gateway will automatically detect changes in user name, title, and group membership for IdPs configured with System for Cross-domain Identity Management (SCIM) provisioning. IdPs that support SCIM include:
-
-
-
-For more information, refer to [SCIM provisioning](/cloudflare-one/identity/users/scim/).
+Gateway will automatically detect changes in user name, title, and group membership for IdPs configured with System for Cross-domain Identity Management (SCIM) provisioning. For more information, refer to [SCIM provisioning](/cloudflare-one/identity/users/scim/).
### Extended email addresses
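Review bot: With the IdP list removed, the merged sentence under `### Automatic SCIM IdP updates` no longer says which IdPs qualify, so the SCIM version 2.0 requirement introduced in scim.mdx is only reachable by following the link. Consider stating the scope inline (SAML or OIDC IdPs that use SCIM version 2.0) so both pages describe the same set and a policy author knows whether Gateway will pick up title and group changes for their IdP.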
diff --git a/src/content/partials/cloudflare-one/access/enable-scim-on-dashboard.mdx b/src/content/partials/cloudflare-one/access/enable-scim-on-dashboard.mdx
index 771146cf4a69f4..b245df00bafb85 100644
--- a/src/content/partials/cloudflare-one/access/enable-scim-on-dashboard.mdx
+++ b/src/content/partials/cloudflare-one/access/enable-scim-on-dashboard.mdx
@@ -1,24 +1,26 @@
---
-inputParameters: param1
-
+params:
+ - idp
+ - and
+ - supportgroups
---
import { Markdown } from "~/components"
1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication**.
-2. Locate the IdP you want to synchronize and select **Edit**.
+2. Find the {props.idp} integration and select **Edit**.
-3. Select {props.one}.
+3. Turn on **Enable SCIM**{props.and}**{props.supportgroups}**.
-4. (Optional) Enable the following settings:
+4. (Optional) Turn on the following settings:
-* **Enable user deprovisioning**: [Revoke a user's active session](/cloudflare-one/identity/users/session-management/#per-user) when they are removed from the SCIM application in the IdP. This will invalidate all active Access sessions and prompt for reauthentication for any Gateway WARP session policies.
-* **Remove user seat on deprovision**: [Remove a user's seat](/cloudflare-one/identity/users/seat-management/) from your Zero Trust account when they are removed from the SCIM application in the IdP.
-* **Enable group membership change reauthentication**: [Revoke a user's active session](/cloudflare-one/identity/users/session-management/#per-user) when their group membership changes in the IdP. This will invalidate all active Access sessions and prompt for reauthentication for any Gateway WARP session policies. Access will read the user's updated group membership when they reauthenticate.
+* **Enable user deprovisioning**: [Revoke a user's active session](/cloudflare-one/identity/users/session-management/#per-user) when they are removed from the SCIM application in {props.idp}. This will invalidate all active Access sessions and prompt for reauthentication for any Gateway WARP session policies.
+* **Remove user seat on deprovision**: [Remove a user's seat](/cloudflare-one/identity/users/seat-management/) from your Zero Trust account when they are removed from the SCIM application in {props.idp}.
+* **Enable group membership change reauthentication**: [Revoke a user's active session](/cloudflare-one/identity/users/session-management/#per-user) when their group membership changes in {props.idp}. This will invalidate all active Access sessions and prompt for reauthentication for any Gateway WARP session policies. Access will read the user's updated group membership when they reauthenticate.
5. Select **Save**.
-6. Copy the **SCIM Endpoint** and **SCIM Secret**. You will need to enter these values into the IdP.
+6. Copy the **SCIM Endpoint** and **SCIM Secret**. You will need to enter these values into {props.idp}.
The SCIM secret never expires, but you can manually regenerate the secret at any time.
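Review bot: Step 3, `Turn on **Enable SCIM**{props.and}**{props.supportgroups}**`, renders an empty bold pair (`****`) and no separator whenever a caller passes only `idp`, and the front matter lists `and` and `supportgroups` without indicating whether they are optional. Suggest keeping the conjunction inside the partial and rendering the second toggle conditionally from a single optional prop, or documenting that all three params are required. Separately, since step 6 is being touched: the following line says the SCIM secret never expires and can be regenerated, but not whether regenerating invalidates the previous value. That is worth stating here, because the IdP holds a copy of a long-lived credential and an admin rotating it needs to know when the old one stops working.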
diff --git a/src/content/partials/cloudflare-one/access/scim-supported-idps.mdx b/src/content/partials/cloudflare-one/access/scim-supported-idps.mdx
deleted file mode 100644
index b01254af5649c3..00000000000000
--- a/src/content/partials/cloudflare-one/access/scim-supported-idps.mdx
+++ /dev/null
@@ -1,6 +0,0 @@
----
-{}
----
-
-- [Microsoft Entra ID](/cloudflare-one/identity/idp-integration/entra-id/) (formerly known as Azure AD)
-- [Okta](/cloudflare-one/identity/idp-integration/okta/)
diff --git a/src/content/partials/cloudflare-one/access/verify-scim-provisioning.mdx b/src/content/partials/cloudflare-one/access/verify-scim-provisioning.mdx
new file mode 100644
index 00000000000000..7eea399f61b64d
--- /dev/null
+++ b/src/content/partials/cloudflare-one/access/verify-scim-provisioning.mdx
@@ -0,0 +1,9 @@
+---
+{}
+---
+
+To check if a user's identity was updated in Zero Trust, view their [User Registry identity](/cloudflare-one/insights/logs/users/).
+
+:::note
+New users must first register the WARP client or authenticate to an Access application before SCIM provisioning can begin.
+:::
\ No newline at end of file
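Review bot: The note's wording, "before SCIM provisioning can begin", reads as if Cloudflare provisions the user once they register, whereas scim.mdx in this same change says Cloudflare does not provision new users and that they "must first register a device with the WARP client or authenticate to an Access application". Suggest aligning the phrasing, for example "before their identity can be synchronized through SCIM", and using "register a device with the WARP client" in both places. The file also ends without a trailing newline; add one.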