From 849f086ce48f4ee12b29d61e95045239aba1d73d Mon Sep 17 00:00:00 2001 From: Justin Hutchings Date: Mon, 16 Dec 2024 14:34:23 -0800 Subject: [PATCH 1/4] Update SCIM docs for Okta --- .../account/account-security/scim-setup.mdx | 57 ++++++++++++------- 1 file changed, 35 insertions(+), 22 deletions(-) diff --git a/src/content/docs/fundamentals/setup/account/account-security/scim-setup.mdx b/src/content/docs/fundamentals/setup/account/account-security/scim-setup.mdx index 8818d52c3e4282f..2fcb84cf5bf1816 100644 --- a/src/content/docs/fundamentals/setup/account/account-security/scim-setup.mdx +++ b/src/content/docs/fundamentals/setup/account/account-security/scim-setup.mdx 
@@ -5,21 +5,24 @@ updated: 2024-12-04 --- -By connecting a System for Cross-domain Identity Management (SCIM) provider, you can provision access to the Cloudflare dashboard on a per-user basis, through your identity provider (IdP). +Cloudflare supports bulk provisioning of users into the Cloudflare dashboard by using the System for Cross-domain Identity Management (SCIM) protocol. This allows you to connect your external identity provider (IdP) to Cloudflare and quickly onboard and manage users and their permissions. Cloudflare supports SCIM onboarding with Okta and Microsoft Entra. -Currently, we only support SCIM connections for Enterprise customers using Okta or Microsoft Entra. If you are an Enterprise customer using Okta or Microsoft Entra, and you are interested in setting up SCIM support, follow the steps below. +:::note + +Cloudflare Zero Trust also supports SCIM for onboarding users to Cloudflare Access. [Learn more](/cloudflare-one/identity/users/scim/) +::: ## Limitations - If a user is the only Super Administrator on an Enterprise account, they will not be deprovisioned. -- Cloudflare currently only supports [Account-scoped Roles](/fundamentals/setup/manage-members/roles/#account-scoped-roles) and does not support Domain-scoped Roles provisioning via SCIM. We are working on this limitation. -- Cloudflare does not currently allow custom group names to leave space for future development. +- Cloudflare currently only supports [Account-scoped Roles](/fundamentals/setup/manage-members/roles/#account-scoped-roles) and does not support Domain-scoped Roles provisioning via SCIM. +- Cloudflare does not allow custom user groups. ## Prerequisites - Cloudflare provisioning with SCIM is only available to Enterprise customers using Okta or Microsoft Entra. -- In Cloudflare, [Super Administrator](/fundamentals/setup/manage-members/roles/) access on the account. -- In your identity provider, the ability to create applications and groups. 
+- You must be a [Super Administrator](/fundamentals/setup/manage-members/roles/) on the account. +- In your identity provider, you must have the ability to create applications and groups. :::note @@ -27,8 +30,17 @@ Accounts provisioned with SCIM need to verify their email addresses. ::: --- +## Gather required data + +To start, you will need to collect a couple of pieces of data from Cloudflare and set these aside for later use. + +### Get your Account ID -## Create an API token +1. Navigate to the Account you want to configure for SCIM + +2. In your browser's navigation bar, copy the Account ID from the URL. The URL should be in the format `https://dash.cloudflare.com/` + +### Create an API token 1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions: 
@@ -71,33 +83,34 @@ Accounts provisioned with SCIM need to verify their email addresses. 1. In your integration page, go to **Provisioning** > **Configure API Integration**. 2. Enable **Enable API Integration**. -3. In SCIM 2.0 Base URL, enter: `https://api.cloudflare.com/client/v4/accounts//scim/v2`. +3. In SCIM 2.0 Base URL, enter: `https://api.cloudflare.com/client/v4/accounts//scim/v2`. 4. In OAuth Bearer Token, enter your API token value. -5. Disable **Import Groups**. -6. Select **Save**. +5. Select **Save**. ### Set up your SCIM users. 1. In **Provisioning to App**, select **Edit**. 2. Enable **Create Users** and **Deactivate Users**. Select **Save**. 3. In the integration page, go to **Assignments** > **Assign** > **Assign to Groups**. -4. Assign users to your Cloudflare SCIM group. +4. Choose group(s) that you want to provision to Cloudflare. 5. Select **Done**. -This will provision all of the users affected to your Cloudflare account with "minimal account access." +This will provision all of the users in the group(s) affected to your Cloudflare account with "minimal account access." -### Configure user permissions on Okta +### Configure user permissions -1. Go to **Directory** > **Groups** > **Add group** and add groups with the following names: - `CF- - ` - :::note +There are two options for managing user permissions +* Manage your user permissions on a per-user basis in the Dashboard, API, or using Terraform. +* Map your IdP groups to a Cloudflare built-in [Role](/fundamentals/setup/manage-members/roles/). Groups may only be linked to one role. - Refer to the list of available [Roles](/fundamentals/setup/manage-members/roles/) for more details. - ::: -2. Go to your SCIM application in the App Integration Catalog, then select **Provisioning**. -3. Select **Edit**. -4. Enable **Create Users** and **Deactivate Users**. Select **Save**. -5. Go to **Push Groups** and make sure the appropriate group matches the existing group of the same name on Cloudflare. 
+1. Go to your SCIM application in the App Integration Catalog, then select **Provisioning**. +2. Under **To App*, select **Edit**. +3. Enable **Create Users** and **Deactivate Users**. Select **Save**. +4. Go to **Push Groups** +5. Click **+ Push Groups**, then **Find groups by name** +6. Type in the name of the group(s) you want to sync to Cloudflare. +7. Choose Link Group +8. Cloudflare provisioned user groups named in the pattern `CF- - `. Choose the appropriate group that maps to your target role. 6. Disable **Rename groups**. Select **Save**. 7. Within the **Push Groups** tab, select **Push Groups**. 8. Add the groups you created. From 15e1b43f0df294fba56163bb5c3bca463025cdc5 Mon Sep 17 00:00:00 2001 From: Patricia Santa Ana <103445940+patriciasantaana@users.noreply.github.com> Date: Mon, 16 Dec 2024 15:52:50 -0800 Subject: [PATCH 2/4] Apply suggestions from code review --- .../account/account-security/scim-setup.mdx | 29 ++++++++++--------- 1 file changed, 15 insertions(+), 14 deletions(-) diff --git a/src/content/docs/fundamentals/setup/account/account-security/scim-setup.mdx b/src/content/docs/fundamentals/setup/account/account-security/scim-setup.mdx index 2fcb84cf5bf1816..f5d5b7df88b681f 100644 --- a/src/content/docs/fundamentals/setup/account/account-security/scim-setup.mdx +++ b/src/content/docs/fundamentals/setup/account/account-security/scim-setup.mdx 
@@ -30,15 +30,15 @@ Accounts provisioned with SCIM need to verify their email addresses. ::: --- -## Gather required data +## Gather the required data To start, you will need to collect a couple of pieces of data from Cloudflare and set these aside for later use. ### Get your Account ID -1. Navigate to the Account you want to configure for SCIM -2. In your browser's navigation bar, copy the Account ID from the URL. The URL should be in the format `https://dash.cloudflare.com/` +1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to the Cloudflare account that you want to configure for SCIM provisioning. +2. Copy your account ID from the account home page. ### Create an API token 
@@ -92,28 +92,29 @@ To start, you will need to collect a couple of pieces of data from Cloudflare an 1. In **Provisioning to App**, select **Edit**. 2. Enable **Create Users** and **Deactivate Users**. Select **Save**. 3. In the integration page, go to **Assignments** > **Assign** > **Assign to Groups**. -4. Choose group(s) that you want to provision to Cloudflare. +4. Choose the group(s) that you want to provision to Cloudflare. 5. Select **Done**. This will provision all of the users in the group(s) affected to your Cloudflare account with "minimal account access." ### Configure user permissions -There are two options for managing user permissions -* Manage your user permissions on a per-user basis in the Dashboard, API, or using Terraform. +There are two options for managing user permissions: + +* Manage your user permissions on a per-user basis in the Cloudflare dashboard, API, or using Terraform. * Map your IdP groups to a Cloudflare built-in [Role](/fundamentals/setup/manage-members/roles/). Groups may only be linked to one role. 1. Go to your SCIM application in the App Integration Catalog, then select **Provisioning**. 2. Under **To App*, select **Edit**. 3. Enable **Create Users** and **Deactivate Users**. Select **Save**. -4. Go to **Push Groups** -5. Click **+ Push Groups**, then **Find groups by name** -6. Type in the name of the group(s) you want to sync to Cloudflare. -7. Choose Link Group -8. Cloudflare provisioned user groups named in the pattern `CF- - `. Choose the appropriate group that maps to your target role. -6. Disable **Rename groups**. Select **Save**. -7. Within the **Push Groups** tab, select **Push Groups**. -8. Add the groups you created. +4. Go to **Push Groups**. +5. Select **+ Push Groups**, then **Find groups by name**. +6. Enter the name of the group(s) that you want to sync to Cloudflare. +7. Choose **Link Group**. +8. Cloudflare provisioned user groups are named in the pattern `CF- - `. 
Choose the appropriate group that maps to your target role. +9. Disable **Rename groups**. Select **Save**. +10. Within the **Push Groups** tab, select **Push Groups**. +11. Add the groups you created. 9. Select **Save**. Adding any users to these groups will grant them the role. Removing the users from the identity provider will remove them from the associated role. From b6fbba1e440bc6ef7f998a28b8120fc930cd74b4 Mon Sep 17 00:00:00 2001 From: Patricia Santa Ana <103445940+patriciasantaana@users.noreply.github.com> Date: Mon, 16 Dec 2024 15:53:24 -0800 Subject: [PATCH 3/4] Update src/content/docs/fundamentals/setup/account/account-security/scim-setup.mdx --- .../fundamentals/setup/account/account-security/scim-setup.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/fundamentals/setup/account/account-security/scim-setup.mdx b/src/content/docs/fundamentals/setup/account/account-security/scim-setup.mdx index f5d5b7df88b681f..7fcc50db644b0c1 100644 --- a/src/content/docs/fundamentals/setup/account/account-security/scim-setup.mdx +++ b/src/content/docs/fundamentals/setup/account/account-security/scim-setup.mdx @@ -115,7 +115,7 @@ There are two options for managing user permissions: 9. Disable **Rename groups**. Select **Save**. 10. Within the **Push Groups** tab, select **Push Groups**. 11. Add the groups you created. -9. Select **Save**. +12. Select **Save**. Adding any users to these groups will grant them the role. Removing the users from the identity provider will remove them from the associated role. From 6613c57274d441eda924f09d40dae882606500b3 Mon Sep 17 00:00:00 2001 From: Patricia Santa Ana <103445940+patriciasantaana@users.noreply.github.com> Date: Tue, 17 Dec 2024 11:41:25 -0800 Subject: [PATCH 4/4] Apply suggestions from code review --- .../fundamentals/setup/account/account-security/scim-setup.mdx | 1 - 1 file changed, 1 deletion(-) 
diff --git a/src/content/docs/fundamentals/setup/account/account-security/scim-setup.mdx b/src/content/docs/fundamentals/setup/account/account-security/scim-setup.mdx index 7fcc50db644b0c1..28220942f7d7235 100644 --- a/src/content/docs/fundamentals/setup/account/account-security/scim-setup.mdx +++ b/src/content/docs/fundamentals/setup/account/account-security/scim-setup.mdx @@ -8,7 +8,6 @@ updated: 2024-12-04 Cloudflare supports bulk provisioning of users into the Cloudflare dashboard by using the System for Cross-domain Identity Management (SCIM) protocol. This allows you to connect your external identity provider (IdP) to Cloudflare and quickly onboard and manage users and their permissions. Cloudflare supports SCIM onboarding with Okta and Microsoft Entra. :::note - Cloudflare Zero Trust also supports SCIM for onboarding users to Cloudflare Access. [Learn more](/cloudflare-one/identity/users/scim/) :::
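Review bot: The rewritten intro in patch 1/4, hunk @@ -5,21 +5,24 @@, drops the "Enterprise customers" qualifier that the removed paragraph carried; it now survives only in the Prerequisites bullet, so a reader who stops at the intro could assume SCIM provisioning is available on any plan. Suggest ending the intro with "Cloudflare supports SCIM onboarding with Okta and Microsoft Entra for Enterprise customers." The added note block also ends "[Learn more](/cloudflare-one/identity/users/scim/)" without a terminal period.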
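Review bot: In "Get your Account ID" (patch 1/4, hunk @@ -27,8 +30,17 @@), step 2 tells the reader to copy the Account ID from the URL, but the format shown, `https://dash.cloudflare.com/`, has no path segment after the host, so it does not show where the ID sits; either show the path with a clearly marked placeholder or point to the account home page instead. If a placeholder such as `<ACCOUNT_ID>` was written there and was lost, note that MDX parses angle-bracket text as JSX, so it needs escaping or a different form. Step 1 also lacks a terminal period and capitalises "Account" where the rest of the page uses "account".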
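Review bot: In the "Configure user permissions" list of patch 1/4, hunk @@ -71,33 +83,34 @@, the numbering breaks after the new step 8: the retained context lines "6. Disable **Rename groups**. Select **Save**.", "7. Within the **Push Groups** tab, select **Push Groups**." and "8. Add the groups you created." now follow step 8, so the list runs 1-8, 6-9. Renumber the retained steps, or fold them into the new ones, since steps 4-7 already open **Push Groups** and link the groups, which makes "Within the **Push Groups** tab, select **Push Groups**" and "Add the groups you created" read as repeats. Three smaller points in the same hunk: the new step 2 "Under **To App*, select **Edit**." closes its bold with a single asterisk and will render literally; step 8 "Cloudflare provisioned user groups named in the pattern" is missing "are"; and the removed step "5. Disable **Import Groups**." has no replacement, so state whether that setting may now stay enabled. In the API-integration list, the removed and added lines for step 3 read identically here (`accounts//scim/v2`); if the only change is the placeholder token, check that it renders in MDX for the same angle-bracket reason.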
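Review bot: In patch 2/4, hunk @@ -92,28 +92,29 @@, the retained line "9. Select **Save**." is left after the renumbered steps 9-11, so the list still ends 9, 10, 11, 9; it should be 12 (patch 3/4 makes exactly that change, so squashing the two would be cleaner). Beyond numbering, steps 10-11 ("Within the **Push Groups** tab, select **Push Groups**.", "Add the groups you created.") repeat what steps 4-8 already do, and "the groups you created" refers to groups the reader no longer creates, since the instruction to create `CF-...` groups in Okta was removed in patch 1/4; consider deleting steps 10-11 or rewording them around the linked groups. The context line "2. Under **To App*, select **Edit**." still carries the unbalanced asterisk and could be fixed in this pass.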