From 2c8269d98e05afb30e5c28d035d46360f0096956 Mon Sep 17 00:00:00 2001 From: kennyj42 <73258453+kennyj42@users.noreply.github.com> Date: Fri, 13 Dec 2024 14:32:19 -0600 Subject: [PATCH 1/5] Update generic-saml.mdx add call out for Groups match --- .../cloudflare-one/identity/idp-integration/generic-saml.mdx | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx index fe1131322deb90..abcfdb0efed5ed 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx @@ -74,6 +74,8 @@ Your identity provider must support SCIM version 2.0. Setup instructions vary depending on the identity provider. In your identity provider, you will either need to edit the [original SSO application](#1-create-an-application-in-your-identity-provider) or create a new SCIM application. Refer to your identity provider's documentation for more details. For example instructions, refer to our [Okta](/cloudflare-one/identity/idp-integration/okta/#synchronize-users-and-groups) or [JumpCloud](/cloudflare-one/identity/idp-integration/jumpcloud-saml/#synchronize-users-and-groups) guides. +If you would like to use groups based policies, ensure that your identity provider sends a "groups" field. The naming must match exactly (case insensitive). All other values will be sent as a SAML attribute. + :::note If your IdP requires creating a new SCIM application, ensure that the groups in the SCIM application match the groups in the [original SSO application](/cloudflare-one/identity/idp-integration/generic-saml/#1-create-an-application-in-your-identity-provider). Because SCIM group membership updates will overwrite any groups in a user's identity, assigning the same groups to each app ensures consistent policy evaluation. ::: 
From f0f135d4b5a230114cfb095a67bde5ede2d70b25 Mon Sep 17 00:00:00 2001 From: kennyj42 <73258453+kennyj42@users.noreply.github.com> Date: Fri, 13 Dec 2024 14:38:31 -0600 Subject: [PATCH 2/5] Update generic-oidc.mdx --- .../cloudflare-one/identity/idp-integration/generic-oidc.mdx | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/generic-oidc.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/generic-oidc.mdx index a29eef8191df11..94e82ad9e98a45 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/generic-oidc.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/generic-oidc.mdx @@ -68,6 +68,8 @@ Your identity provider must support SCIM version 2.0. Setup instructions vary depending on the identity provider. In your identity provider, you will either need to edit the [original SSO application](/cloudflare-one/identity/idp-integration/generic-oidc/#set-up-a-generic-oidc) or create a new SCIM application. Refer to your identity provider's documentation for more details. For example instructions, refer to our [Okta](/cloudflare-one/identity/idp-integration/okta/#synchronize-users-and-groups) or [Jumpcloud](/cloudflare-one/identity/idp-integration/jumpcloud-saml/#synchronize-users-and-groups) guides. +If you would like to use groups based policies, ensure that your identity provider sends a "groups" field. The naming must match exactly (case insensitive). All other values will be sent as a OIDC claim. + :::note If your IdP requires creating a new SCIM application, ensure that the groups in the SCIM application match the groups in the [original SSO application](/cloudflare-one/identity/idp-integration/generic-oidc/#set-up-a-generic-oidc). Because SCIM group membership updates will overwrite any groups in a user's identity, assigning the same groups to each app ensures consistent policy evaluation. ::: From 0c93e7adf52355708bb6b847bd0be046c8d8de4a Mon Sep 17 00:00:00 2001 
From: kennyj42 <73258453+kennyj42@users.noreply.github.com> Date: Fri, 13 Dec 2024 14:39:26 -0600 Subject: [PATCH 3/5] Update jumpcloud-saml.mdx --- .../cloudflare-one/identity/idp-integration/jumpcloud-saml.mdx | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/jumpcloud-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/jumpcloud-saml.mdx index 1f466d0d0ded8c..8a5bf9f8ea1771 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/jumpcloud-saml.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/jumpcloud-saml.mdx @@ -105,6 +105,8 @@ Provisioning attributes define the user and group properties that JumpCloud will | ------------------ | ----------------------- | | `name` | `groups` | +The group attribute has to exactly match "groups" or else it will be sent as a SAML attribute. + ## Example API configuration ```json From 2e300575e581e9dc0f1ae1a9e9e2a589b75a897a Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Mon, 16 Dec 2024 17:33:37 -0500 Subject: [PATCH 4/5] groups SCIM attribute --- .../identity/idp-integration/generic-oidc.mdx | 9 +++++---- .../identity/idp-integration/generic-saml.mdx | 9 +++++---- .../idp-integration/jumpcloud-saml.mdx | 20 +++++++++---------- 3 files changed, 20 insertions(+), 18 deletions(-) diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/generic-oidc.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/generic-oidc.mdx index 94e82ad9e98a45..dcbf698b94e632 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/generic-oidc.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/generic-oidc.mdx 
@@ -68,11 +68,12 @@ Your identity provider must support SCIM version 2.0. Setup instructions vary depending on the identity provider. In your identity provider, you will either need to edit the [original SSO application](/cloudflare-one/identity/idp-integration/generic-oidc/#set-up-a-generic-oidc) or create a new SCIM application. Refer to your identity provider's documentation for more details. For example instructions, refer to our [Okta](/cloudflare-one/identity/idp-integration/okta/#synchronize-users-and-groups) or [Jumpcloud](/cloudflare-one/identity/idp-integration/jumpcloud-saml/#synchronize-users-and-groups) guides. -If you would like to use groups based policies, ensure that your identity provider sends a "groups" field. The naming must match exactly (case insensitive). All other values will be sent as a OIDC claim. +#### IdP groups -:::note -If your IdP requires creating a new SCIM application, ensure that the groups in the SCIM application match the groups in the [original SSO application](/cloudflare-one/identity/idp-integration/generic-oidc/#set-up-a-generic-oidc). Because SCIM group membership updates will overwrite any groups in a user's identity, assigning the same groups to each app ensures consistent policy evaluation. -::: +If you would like to build policies based on IdP groups: + +- Ensure that your IdP sends a `groups` field. The naming must match exactly (case insensitive). All other values will be sent as a OIDC claim. +- If your IdP requires creating a new SCIM application, ensure that the groups in the SCIM application match the groups in the [original SSO application](/cloudflare-one/identity/idp-integration/generic-oidc/#set-up-a-generic-oidc). Because SCIM group membership updates will overwrite any groups in a user's identity, assigning the same groups to each app ensures consistent policy evaluation. ### 3. Verify SCIM provisioning 
diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx index abcfdb0efed5ed..02e6d05eb8d0ba 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx 
@@ -74,11 +74,12 @@ Your identity provider must support SCIM version 2.0. Setup instructions vary depending on the identity provider. In your identity provider, you will either need to edit the [original SSO application](#1-create-an-application-in-your-identity-provider) or create a new SCIM application. Refer to your identity provider's documentation for more details. For example instructions, refer to our [Okta](/cloudflare-one/identity/idp-integration/okta/#synchronize-users-and-groups) or [JumpCloud](/cloudflare-one/identity/idp-integration/jumpcloud-saml/#synchronize-users-and-groups) guides. -If you would like to use groups based policies, ensure that your identity provider sends a "groups" field. The naming must match exactly (case insensitive). All other values will be sent as a SAML attribute. +#### IdP groups -:::note -If your IdP requires creating a new SCIM application, ensure that the groups in the SCIM application match the groups in the [original SSO application](/cloudflare-one/identity/idp-integration/generic-saml/#1-create-an-application-in-your-identity-provider). Because SCIM group membership updates will overwrite any groups in a user's identity, assigning the same groups to each app ensures consistent policy evaluation. -::: +If you would like to build policies based on IdP groups: + +- Ensure that your IdP sends a `groups` field. The naming must match exactly (case insensitive). All other values will be sent as a SAML attribute. +- If your IdP requires creating a new SCIM application, ensure that the groups in the SCIM application match the groups in the [original SSO application](/cloudflare-one/identity/idp-integration/generic-saml/#1-create-an-application-in-your-identity-provider). Because SCIM group membership updates will overwrite any groups in a user's identity, assigning the same groups to each app ensures consistent policy evaluation. ### 3. Verify SCIM provisioning 
diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/jumpcloud-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/jumpcloud-saml.mdx index 8a5bf9f8ea1771..6d1ba8013420eb 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/jumpcloud-saml.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/jumpcloud-saml.mdx 
@@ -81,19 +81,21 @@ The JumpCloud integration allows you to synchronize user groups and automaticall 1. In the [JumpCloud Admin Portal](https://console.jumpcloud.com/#/home), go to **SSO Applications**. 2. Select the Cloudflare application that was created when you [Set up JumpCloud as a SAML provider](/cloudflare-one/identity/idp-integration/jumpcloud-saml/#set-up-jumpcloud-as-a-saml-provider). -3. Select the **Identity Management** tab. -4. Make sure that **Enable management of User Groups and Group Membership in this application** is turned on. -5. Select **Configure**. -6. In the **Base URL** field, enter the **SCIM Endpoint** obtained from Zero Trust. -7. In the **Token Key** field, enter the **SCIM Secret** obtained from Zero Trust. -8. Select **Activate**. You will receive a confirmation that the Identity Management integration has been successfully verified. -9. Select **Save**. +3. Select the **SSO** tab. +3. To provision user groups, select **Include group attribute** and enter `groups`. The group attribute name has to exactly match `groups` or else it will be sent as a SAML attribute. +5. Select the **Identity Management** tab. +6. Make sure that **Enable management of User Groups and Group Membership in this application** is turned on. +7. Select **Configure**. +8. In the **Base URL** field, enter the **SCIM Endpoint** obtained from Zero Trust. +9. In the **Token Key** field, enter the **SCIM Secret** obtained from Zero Trust. +10. Select **Activate**. You will receive a confirmation that the Identity Management integration has been successfully verified. +11. Select **Save**. ### Provisioning attributes -Provisioning attributes define the user and group properties that JumpCloud will synchronize with Cloudflare Access. By default, JumpCloud will send the following attributes during a SCIM update event: +Provisioning attributes define the user properties that JumpCloud will synchronize with Cloudflare Access. 
By default, JumpCloud will send the following attributes during a SCIM update event: | JumpCloud user attribute| Cloudflare Access attribute | | ------------------ | ----------------------- | @@ -105,8 +107,6 @@ Provisioning attributes define the user and group properties that JumpCloud will | ------------------ | ----------------------- | | `name` | `groups` | -The group attribute has to exactly match "groups" or else it will be sent as a SAML attribute. - ## Example API configuration ```json From 0f789da8d455634f6b7831c9adca27accd8eaa7e Mon Sep 17 00:00:00 2001 From: ranbel <101146722+ranbel@users.noreply.github.com> Date: Mon, 16 Dec 2024 17:34:42 -0500 Subject: [PATCH 5/5] Update src/content/docs/cloudflare-one/identity/idp-integration/jumpcloud-saml.mdx --- .../cloudflare-one/identity/idp-integration/jumpcloud-saml.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/jumpcloud-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/jumpcloud-saml.mdx index 6d1ba8013420eb..9cd5c7c126e6d9 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/jumpcloud-saml.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/jumpcloud-saml.mdx @@ -95,7 +95,7 @@ The JumpCloud integration allows you to synchronize user groups and automaticall ### Provisioning attributes -Provisioning attributes define the user properties that JumpCloud will synchronize with Cloudflare Access. By default, JumpCloud will send the following attributes during a SCIM update event: +Provisioning attributes define the user and group properties that JumpCloud will synchronize with Cloudflare Access. By default, JumpCloud will send the following attributes during a SCIM update event: | JumpCloud user attribute| Cloudflare Access attribute | | ------------------ | ----------------------- |
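Review bot: In patch 1/5 (generic-saml.mdx, hunk @@ -74,6), the added line "The naming must match exactly (case insensitive)" reads as self-contradictory; state what is meant, for example "The attribute must be named `groups` (the match is case-insensitive)". "groups based policies" should be "group-based policies", and "All other values will be sent as a SAML attribute" should spell out the consequence the reader needs: an attribute with any other name is only surfaced as a generic SAML attribute and is not used for group-based policies. Use backticks for `groups` rather than quotes, as the later hunks in this series do.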
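Review bot: In patch 2/5 (generic-oidc.mdx, hunk @@ -68,6), "a OIDC claim" should be "an OIDC claim", and the same "match exactly (case insensitive)" wording as in the SAML page needs the same clarification (the attribute name must be `groups`; the comparison is case-insensitive). The unchanged context line spells the vendor "Jumpcloud" while the SAML page uses "JumpCloud"; worth aligning while touching this paragraph.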
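Review bot: In patch 3/5 (jumpcloud-saml.mdx, hunk @@ -105,6), the added sentence sits under the SCIM provisioning table (`name` → `groups`) but talks about the value being "sent as a SAML attribute", so it is unclear whether it refers to the SCIM group mapping or to the group attribute configured in the SSO (SAML) application. Put the sentence next to the setting it describes and name that setting, e.g. "In the **SSO** tab, the group attribute name must be `groups`; any other name is only exposed as a generic SAML attribute", and use backticks instead of quotes for consistency with the table.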
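Review bot: In patch 4/5, hunk @@ -68,11 of generic-oidc.mdx, the new bullet still carries "a OIDC claim" (should be "an OIDC claim") and the ambiguous "match exactly (case insensitive)"; since the paragraph is being rewritten here, fix both. Folding the former `:::note` into a plain bullet also drops the emphasis on the overwrite behaviour ("SCIM group membership updates will overwrite any groups in a user's identity"); because group membership is what the policies evaluate, keep that point as a note or open the bullet with it, e.g. "SCIM group updates overwrite a user's existing groups, so if your IdP needs a separate SCIM application, assign it the same groups as the SSO application."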
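Review bot: In patch 4/5, hunk @@ -74,11 of generic-saml.mdx, the same "match exactly (case insensitive)" wording and the same loss of emphasis on the SCIM overwrite behaviour apply as in the OIDC hunk. One more inconsistency in this hunk: the unchanged context line links the original SSO application with an in-page fragment (`#1-create-an-application-in-your-identity-provider`) while the new bullet uses the absolute path `/cloudflare-one/identity/idp-integration/generic-saml/#1-create-an-application-in-your-identity-provider`; pick one form for both.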
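Review bot: In patch 4/5, hunk @@ -81,19 of jumpcloud-saml.mdx, the renumbered steps run 1, 2, 3, 3, 5, ...: the line "3. To provision user groups, select **Include group attribute** and enter `groups`." should be step 4. In the same hunk the intro is changed to "define the user properties" although the group attribute table (`name` → `groups`) is left in place further down, so the intro no longer describes the section; patch 5/5 reverts that wording, so squash the two rather than land a change and its reversal. The phrase "or else it will be sent as a SAML attribute" also needs the same precision as elsewhere: with any other name the value is exposed only as a generic SAML attribute and is not used for group-based policies.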
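Review bot: In patch 4/5, hunk @@ -105,8 of jumpcloud-saml.mdx, removing the explanatory sentence leaves the `name` → `groups` row in the second table without any context for why the attribute must carry that name. A one-line pointer back to the SSO-tab step where **Include group attribute** is set to `groups` would keep the two places in sync.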
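Review bot: Squash patch 5/5 (jumpcloud-saml.mdx, hunk @@ -95,7) into patch 4/5: it restores the "user and group properties" wording that the previous patch changed in the same file, so as a series it carries a change followed by its own reversal. The restored wording is the right one, since the section still documents both the user attribute table and the group attribute table.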