diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/generic-oidc.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/generic-oidc.mdx index a29eef8191df11..dcbf698b94e632 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/generic-oidc.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/generic-oidc.mdx 
@@ -68,9 +68,12 @@ Your identity provider must support SCIM version 2.0. Setup instructions vary depending on the identity provider. In your identity provider, you will either need to edit the [original SSO application](/cloudflare-one/identity/idp-integration/generic-oidc/#set-up-a-generic-oidc) or create a new SCIM application. Refer to your identity provider's documentation for more details. For example instructions, refer to our [Okta](/cloudflare-one/identity/idp-integration/okta/#synchronize-users-and-groups) or [Jumpcloud](/cloudflare-one/identity/idp-integration/jumpcloud-saml/#synchronize-users-and-groups) guides. -:::note -If your IdP requires creating a new SCIM application, ensure that the groups in the SCIM application match the groups in the [original SSO application](/cloudflare-one/identity/idp-integration/generic-oidc/#set-up-a-generic-oidc). Because SCIM group membership updates will overwrite any groups in a user's identity, assigning the same groups to each app ensures consistent policy evaluation. -::: +#### IdP groups + +If you would like to build policies based on IdP groups: + +- Ensure that your IdP sends a `groups` field. The naming must match exactly (case insensitive). All other values will be sent as a OIDC claim. +- If your IdP requires creating a new SCIM application, ensure that the groups in the SCIM application match the groups in the [original SSO application](/cloudflare-one/identity/idp-integration/generic-oidc/#set-up-a-generic-oidc). Because SCIM group membership updates will overwrite any groups in a user's identity, assigning the same groups to each app ensures consistent policy evaluation. ### 3. Verify SCIM provisioning diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx index 9090bfa40ec184..6d24ec1a5115a8 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx 
+++ b/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx @@ -74,9 +74,12 @@ Your identity provider must support SCIM version 2.0. Setup instructions vary depending on the identity provider. In your identity provider, you will either need to edit the [original SSO application](#1-create-an-application-in-your-identity-provider) or create a new SCIM application. Refer to your identity provider's documentation for more details. For example instructions, refer to our [Okta](/cloudflare-one/identity/idp-integration/okta/#synchronize-users-and-groups) or [JumpCloud](/cloudflare-one/identity/idp-integration/jumpcloud-saml/#synchronize-users-and-groups) guides. -:::note -If your IdP requires creating a new SCIM application, ensure that the groups in the SCIM application match the groups in the [original SSO application](/cloudflare-one/identity/idp-integration/generic-saml/#1-create-an-application-in-your-identity-provider). Because SCIM group membership updates will overwrite any groups in a user's identity, assigning the same groups to each app ensures consistent policy evaluation. -::: +#### IdP groups + +If you would like to build policies based on IdP groups: + +- Ensure that your IdP sends a `groups` field. The naming must match exactly (case insensitive). All other values will be sent as a SAML attribute. +- If your IdP requires creating a new SCIM application, ensure that the groups in the SCIM application match the groups in the [original SSO application](/cloudflare-one/identity/idp-integration/generic-saml/#1-create-an-application-in-your-identity-provider). Because SCIM group membership updates will overwrite any groups in a user's identity, assigning the same groups to each app ensures consistent policy evaluation. ### 3. Verify SCIM provisioning 
diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/jumpcloud-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/jumpcloud-saml.mdx index 1f466d0d0ded8c..9cd5c7c126e6d9 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/jumpcloud-saml.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/jumpcloud-saml.mdx @@ -81,13 +81,15 @@ The JumpCloud integration allows you to synchronize user groups and automaticall 1. In the [JumpCloud Admin Portal](https://console.jumpcloud.com/#/home), go to **SSO Applications**. 2. Select the Cloudflare application that was created when you [Set up JumpCloud as a SAML provider](/cloudflare-one/identity/idp-integration/jumpcloud-saml/#set-up-jumpcloud-as-a-saml-provider). -3. Select the **Identity Management** tab. -4. Make sure that **Enable management of User Groups and Group Membership in this application** is turned on. -5. Select **Configure**. -6. In the **Base URL** field, enter the **SCIM Endpoint** obtained from Zero Trust. -7. In the **Token Key** field, enter the **SCIM Secret** obtained from Zero Trust. -8. Select **Activate**. You will receive a confirmation that the Identity Management integration has been successfully verified. -9. Select **Save**. +3. Select the **SSO** tab. +3. To provision user groups, select **Include group attribute** and enter `groups`. The group attribute name has to exactly match `groups` or else it will be sent as a SAML attribute. +5. Select the **Identity Management** tab. +6. Make sure that **Enable management of User Groups and Group Membership in this application** is turned on. +7. Select **Configure**. +8. In the **Base URL** field, enter the **SCIM Endpoint** obtained from Zero Trust. +9. In the **Token Key** field, enter the **SCIM Secret** obtained from Zero Trust. +10. Select **Activate**. You will receive a confirmation that the Identity Management integration has been successfully verified. +11. Select **Save**.
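Review bot: in the generic-oidc.mdx hunk, the first bullet under `#### IdP groups` contradicts itself: `The naming must match exactly (case insensitive).` demands an exact match and then relaxes it in the same sentence. State a single rule, e.g. `The claim must be named `groups`; the match is case-insensitive.` The same bullet has a grammar slip (`a OIDC claim` should be `an OIDC claim`), and `All other values will be sent as a OIDC claim` leaves the consequence implicit; spell out what the bullet is getting at, namely that a claim carrying group membership under any other name is passed through as an ordinary OIDC claim and cannot be used for group-based policies. Consider also keeping the overwrite warning visually distinct: moving it out of the `:::note` callout into a plain bullet makes the "SCIM group membership updates will overwrite any groups in a user's identity" caveat easier to miss, and that is the sentence that prevents silent policy mismatches.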
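Review bot: the generic-saml.mdx hunk repeats the self-contradictory wording from the OIDC page, `The naming must match exactly (case insensitive).`, in its first `#### IdP groups` bullet; rewrite it once as `The attribute must be named `groups`; the match is case-insensitive.` and use identical phrasing on both generic pages so the two stay in sync. The `#### IdP groups` heading is introduced at the same level on both pages, which is good, but this page's first paragraph links to the SSO application with a bare anchor (`#1-create-an-application-in-your-identity-provider`) while the new bullet uses the absolute path `/cloudflare-one/identity/idp-integration/generic-saml/#1-create-an-application-in-your-identity-provider`; pick one form within the section.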
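Review bot: the jumpcloud-saml.mdx hunk has broken list numbering: `3. Select the **SSO** tab.` is followed by a second `3. To provision user groups, ...` and then jumps to `5.`, so step 4 is missing; renumber the group-attribute step to `4.`. That step's wording also conflates two mechanisms: `To provision user groups` describes SCIM, but the `Include group attribute` setting on the **SSO** tab controls what JumpCloud puts in the SAML assertion, so `To send group membership in the SAML assertion` is more accurate. Finally, `The group attribute name has to exactly match `groups`` disagrees with the generic pages in this same patch, which say the match is case-insensitive; align the three pages on one statement.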