[CF1] upn edit #19814
Merged
@@ -108,6 +108,24 @@ More narrow permissions may be used, however this is the set of permissions that | |
|
|
||
| To [test](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust) that your connection is working, select **Test**. | ||
|
|
||
| #### UPN and email | ||
|
|
||
| If your organization's UPNs do not match users' email addresses, you must add a custom claim for email. For example, if your organization's email format is `[email protected]` but the UPN is `[email protected]`, you must create an email claim if you are configuring email-based policies. | ||
|
|
||
| By default, Cloudflare will look for an `email` claim in the JSON response. If an `email` claim does not exist, it will look for the unique claim name you created to represent email (for example, `email_identifier`). Last, if neither option exists, Cloudflare will then look for the UPN claim sent in the JSON response. | ||
|
|
||
| To receive an email claim in a JSON response from Microsoft Entra, you must: | ||
|
||
|
|
||
| 1. In the [Microsoft Entra admin center](https://entra.microsoft.com/), go to **Application** > **App registration** > select the relevant application > **Manage** > **Token configuration**. | ||
| 2. Add a claim for email. | ||
|
|
||
|  | ||
|
|
||
| The example above includes both a UPN claim and an email claim. Because an email claim was created in the Microsoft Entra configuration, Cloudflare will look for the `email` key-value pair in the JSON response. | ||
|
|
||
| 3. If you gave your email claim another name than `email`, in [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication** > **Azure AD** > **Edit**. | ||
|
||
| 4. Under **Optional configurations** > **Email claim**, enter the name of the claim representing your organization's email addresses. | ||
|
|
||
| ## Synchronize users and groups | ||
|
|
||
| The Microsoft Entra ID integration allows you to synchronize IdP groups and automatically deprovision users using [SCIM](/cloudflare-one/identity/users/scim/). | ||
|
|
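Review bot: the two example addresses in the new "UPN and email" paragraph render identically (`[email protected]` and `[email protected]`), so the sentence contrasting the organization's email format with its UPN no longer shows any difference; use two visibly different addresses, one in the email format and one in the UPN format, or the example says nothing. The lookup order in the next paragraph (`email` claim, then the custom claim name, then the UPN) also needs a one-line warning: if the name entered under **Email claim** in step 4 does not match the claim Entra actually sends, email-based policies silently fall through to the UPN, which is exactly the mismatch this section exists to avoid, so tell the reader to confirm with **Test** that the returned identity carries the expected email. Minor: step 3 should read "a name other than `email`", and the dashboard path says **Azure AD** while the rest of the page says Entra ID; check which label the dashboard currently shows.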
@@ -120,7 +138,7 @@ The Microsoft Entra ID integration allows you to synchronize IdP groups and auto | |
|
|
||
| <Render | ||
| file="access/enable-scim-on-dashboard" | ||
| params={{ idp: "Entra ID", and: " and ", supportgroups: "Support groups"}} | ||
| params={{ idp: "Entra ID", and: " and ", supportgroups: "Support groups" }} | ||
| /> | ||
|
|
||
| ### 2. Configure SCIM in Entra ID | ||
|
|
@@ -139,9 +157,9 @@ SCIM requires a separate enterprise application from the one created during [ini | |
|
|
||
| 5. Once the SCIM application is created, [assign users and groups to the application](https://learn.microsoft.com/entra/identity/enterprise-apps/assign-user-or-group-access-portal). | ||
|
|
||
| :::note | ||
| Groups in this SCIM application should match the groups in your other [Cloudflare Access enterprise application](/cloudflare-one/identity/idp-integration/entra-id/#set-up-entra-id-as-an-identity-provider). Because SCIM group membership updates will overwrite any groups in a user's identity, assigning the same groups to each app ensures consistent policy evaluation. | ||
| ::: | ||
| :::note | ||
| Groups in this SCIM application should match the groups in your other [Cloudflare Access enterprise application](/cloudflare-one/identity/idp-integration/entra-id/#set-up-entra-id-as-an-identity-provider). Because SCIM group membership updates will overwrite any groups in a user's identity, assigning the same groups to each app ensures consistent policy evaluation. | ||
| ::: | ||
|
|
||
| 6. Go to **Provisioning** and select **Get started**. | ||
|
|
||
|
|
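Review bot: the `:::note` block under step 5 is removed and re-added with identical text, so this hunk is presumably an indentation change to nest the callout inside the list item; confirm the nested callout renders, because a callout that falls out of the list restarts numbering at step 6. While here, the note should spell out the failure mode instead of "consistent policy evaluation": since a SCIM push overwrites the groups in a user's identity, a group assigned only in the Access enterprise application disappears from the identity on the next sync, and any Access or Gateway policy that depends on that group stops matching for the user.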
@@ -159,7 +177,7 @@ SCIM requires a separate enterprise application from the one created during [ini | |
|
|
||
| To check which users and groups were synchronized, select **View provisioning logs**. | ||
|
|
||
| <Render file="access/verify-scim-provisioning"/> | ||
| <Render file="access/verify-scim-provisioning" /> | ||
|
|
||
| ### Provisioning attributes | ||
|
|
||
|
|
@@ -207,38 +225,39 @@ Access and Gateway policies for an Entra group will also apply to all [nested gr | |
| ## Force user interaction during WARP reauthentication | ||
|
|
||
| You can require users to re-enter their credentials into Entra ID whenever they [re-authenticate their WARP session](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-sessions/). To configure this setting: | ||
|
|
||
| 1. Make a `GET` request to the [Identity Providers endpoint](/api/resources/zero_trust/subresources/identity_providers/) and copy the response for the Entra ID identity provider. | ||
| 2. [Update the Entra ID identity provider](/api/resources/zero_trust/subresources/identity_providers/methods/update/) using a `PUT` request. In the request body, include all existing configurations and set the `prompt` parameter to either `login` or `select_account`. For example, | ||
| ```sh {17} | ||
| curl --request PUT \ | ||
| https://api.cloudflare.com/client/v4/accounts/{account_id}/access/identity_providers/{identity_provider_id} \ | ||
| --header "Authorization: Bearer <API_TOKEN>" \ | ||
| --header "Content-Type: application/json" \ | ||
| --data '{ | ||
| "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", | ||
| "type": "azureAD", | ||
| "uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", | ||
| "name": "Entra ID", | ||
| "version": "31e74e9b4f033e16b604552091a72295", | ||
| "config": { | ||
| "azure_cloud": "default", | ||
| "client_id": "<CLIENT_ID>", | ||
| "conditional_access_enabled": false, | ||
| "directory_id": "<AZURE_DIRECTORY_ID>", | ||
| "redirect_url": "https://<TEAM_NAME>.cloudflareaccess.com/cdn-cgi/access/callback", | ||
| "prompt": "login", | ||
| "support_groups": true | ||
| }, | ||
| "scim_config": { | ||
| "enabled": true, | ||
| "user_deprovision": true, | ||
| "seat_deprovision": false, | ||
| "group_member_deprovision": false, | ||
| "identity_update_behavior": "automatic" | ||
| }, | ||
| "scim_base_url": "https://<TEAM_NAME>.cloudflareaccess.com/populations/f174e90a-fafe-4643-bbbc-4a0ed4fc8415/scim/v2" | ||
| }' | ||
| ``` | ||
| ```sh {17} | ||
| curl --request PUT \ | ||
| https://api.cloudflare.com/client/v4/accounts/{account_id}/access/identity_providers/{identity_provider_id} \ | ||
| --header "Authorization: Bearer <API_TOKEN>" \ | ||
| --header "Content-Type: application/json" \ | ||
| --data '{ | ||
| "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", | ||
| "type": "azureAD", | ||
| "uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", | ||
| "name": "Entra ID", | ||
| "version": "31e74e9b4f033e16b604552091a72295", | ||
| "config": { | ||
| "azure_cloud": "default", | ||
| "client_id": "<CLIENT_ID>", | ||
| "conditional_access_enabled": false, | ||
| "directory_id": "<AZURE_DIRECTORY_ID>", | ||
| "redirect_url": "https://<TEAM_NAME>.cloudflareaccess.com/cdn-cgi/access/callback", | ||
| "prompt": "login", | ||
| "support_groups": true | ||
| }, | ||
| "scim_config": { | ||
| "enabled": true, | ||
| "user_deprovision": true, | ||
| "seat_deprovision": false, | ||
| "group_member_deprovision": false, | ||
| "identity_update_behavior": "automatic" | ||
| }, | ||
| "scim_base_url": "https://<TEAM_NAME>.cloudflareaccess.com/populations/f174e90a-fafe-4643-bbbc-4a0ed4fc8415/scim/v2" | ||
| }' | ||
| ``` | ||
|
|
||
| ## Example API Configuration | ||
|
|
||
|
|
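Review bot: the curl block is removed and re-added unchanged, so this is indentation only, and the `{17}` highlight still lands on `"prompt": "login",` after the move. The text above it, however, says users must "re-enter their credentials" and then offers `select_account` as an alternative to `login`; in OpenID Connect `prompt=select_account` only forces an account picker and does not require fresh credential entry, so either state that only `login` forces reauthentication or soften the heading. Also worth a sentence beside step 2: the body includes the full `scim_config` block, so any value there that differs from the current `GET` response changes SCIM deprovisioning behaviour as a side effect of setting `prompt`; say explicitly that everything other than `prompt` must be copied verbatim from step 1.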
@@ -253,4 +272,4 @@ You can require users to re-enter their credentials into Entra ID whenever they | |
| "type": "azureAD", | ||
| "name": "my example idp" | ||
| } | ||
| ``` | ||
| ``` | ||