From c439f4b4b355cfcba96d3c6461f2e1ecf9e18ab6 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Mon, 24 Feb 2025 17:55:49 -0500 Subject: [PATCH 1/7] update OTP --- .../cloudflare-one/identity/one-time-pin.mdx | 34 ++++++++++++------- 1 file changed, 22 insertions(+), 12 deletions(-) diff --git a/src/content/docs/cloudflare-one/identity/one-time-pin.mdx b/src/content/docs/cloudflare-one/identity/one-time-pin.mdx index 1a8308a1336673f..79684e82588baaa 100644 --- a/src/content/docs/cloudflare-one/identity/one-time-pin.mdx +++ b/src/content/docs/cloudflare-one/identity/one-time-pin.mdx 
@@ -21,16 +21,35 @@ For example, if your team uses Okta but you are collaborating with someone outsi 2. Under **Login methods**, select **Add new**. 3. Select **One-time PIN**. - + + +1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions: + | Type | Item | Permission | + | ------- | ---------------- | ---------- | + | Account | Access: Organizations, Identity Providers, and Groups | Edit | + +2. Make a `POST` request to the [Identity Providers](/api/resources/zero_trust/subresources/identity_providers/methods/create/) endpoint: + + ```sh + curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/identity_providers \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ + --data '{ + "name": "One-time PIN login", + "type": "onetimepin", + "config": {} + }' + ``` + + :::note[Provider versions] The following example requires Cloudflare provider version `>=4.40.0`. ::: -1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/api_token): +1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token): - `Access: Organizations, Identity Providers, and Groups Write` -2. Configure the [`cloudflare_zero_trust_access_identity_provider`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/zero_trust_access_identity_provider) resource: +2. Configure the [`cloudflare_zero_trust_access_identity_provider`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_identity_provider) resource: ```tf resource "cloudflare_zero_trust_access_identity_provider" "onetimepin_login" { 
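Review bot: the API tab's `curl` example posts a JSON body with `--data` but sets no `Content-Type: application/json` header, and in the Terraform tab the registry links now point at `latest` while the note directly above still says the example requires provider `>=4.40.0` and the `tf` block keeps the `config { ... }` block syntax. Suggest adding `--header "Content-Type: application/json"` to the request so the body is not sent as form-encoded, and either pinning the two registry links to the version the snippet was verified against or saying in the "Provider versions" note which major version the shown syntax applies to, so a reader who lands on a newer `latest` page does not copy a schema that no longer matches the example.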
@@ -72,12 +91,3 @@ By design, blocked users will not receive an email. The login page will always s Access only logs an authentication attempt after the user enters a code. If the user enters their email but never submits a code, the event will not appear in your [audit logs](/cloudflare-one/insights/logs/audit-logs/#authentication-audit-logs). ::: -## Example API Config - -```json -{ - "config": {}, - "type": "onetimepin", - "name": "my example idp" -} -``` From 81e8dcaee683ae1fb880f06c8a111ee9824b0fda Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Mon, 24 Feb 2025 17:56:25 -0500 Subject: [PATCH 2/7] update generic oidc --- .../identity/idp-integration/generic-oidc.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/generic-oidc.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/generic-oidc.mdx index 9f7c5cbb9d458f4..34abd6e287f9ace 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/generic-oidc.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/generic-oidc.mdx 
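Review bot: deleting the `## Example API Config` heading removes the `#example-api-config` anchor that other pages or external links may target; check for inbound links and add a redirect or keep an equivalent anchor on the new API tab. The same check applies to the `## Example API Configuration` heading removed from `entra-id.mdx` later in this series.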
@@ -80,16 +80,16 @@ Cloudflare Access has a generic OpenID Connect (OIDC) connector to help you inte }' ``` - + :::note[Provider versions] The following example requires Cloudflare provider version `>=4.40.0`. ::: -1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/api_token): +1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token): - `Access: Organizations, Identity Providers, and Groups Write` -2. Configure the [`cloudflare_zero_trust_access_identity_provider`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/zero_trust_access_identity_provider) resource: +2. Configure the [`cloudflare_zero_trust_access_identity_provider`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_identity_provider) resource: ```tf resource "cloudflare_zero_trust_access_identity_provider" "generic_oidc_example" { From 87b906a1b8f01f58a1cdaaa5f44318e445e99242 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Mon, 24 Feb 2025 17:56:32 -0500 Subject: [PATCH 3/7] update generic saml --- .../identity/idp-integration/generic-saml.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx index 5c7214cb17e3bd3..8ae65f5117478b6 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx 
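Review bot: same mismatch as in the one-time-pin hunk: the two registry links now resolve to `latest` while the unchanged "Provider versions" note still pins the example to `>=4.40.0`; pin the links or qualify the note so the linked schema and the `tf` example stay in step.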
@@ -54,16 +54,16 @@ To download the SAML metadata file, copy-paste the metadata endpoint into a web 6. (Optional) Under **Optional configurations**, configure [additional SAML options](#optional-configurations). 7. Select **Save**. - + :::note[Provider versions] The following example requires Cloudflare provider version `>=4.40.0`. ::: -1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/api_token): +1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token): - `Access: Organizations, Identity Providers, and Groups Write` -2. Configure the [`cloudflare_zero_trust_access_identity_provider`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/zero_trust_access_identity_provider) resource: +2. Configure the [`cloudflare_zero_trust_access_identity_provider`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_identity_provider) resource: ```tf resource "cloudflare_zero_trust_access_identity_provider" "generic_saml_example" { From dd24f615d9b650c1c0f83b917821bdcea5507867 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Mon, 24 Feb 2025 17:57:46 -0500 Subject: [PATCH 4/7] update entra ID --- .../identity/idp-integration/entra-id.mdx | 58 ++++++++++++++----- .../access/entra-id-terraform.mdx | 18 ++++++ 2 files changed, 60 insertions(+), 16 deletions(-) create mode 100644 src/content/partials/cloudflare-one/access/entra-id-terraform.mdx diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx index 567fa36456916f7..5631cf3814eee16 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx 
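Review bot: the `latest` links here have the same version-drift issue as the OIDC and one-time-pin hunks; since this is a three-file find-and-replace, decide once whether the docs link a pinned provider version or drop the `>=4.40.0` note, and apply it uniformly.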
@@ -3,7 +3,7 @@ pcx_content_type: how-to title: Microsoft Entra ID --- -import { Render } from "~/components"; +import { Render, Tabs, TabItem } from "~/components"; You can integrate Microsoft Entra ID (formerly Azure Active Directory) with Cloudflare Zero Trust and build policies based on user identity and group membership. Users will authenticate to Zero Trust using their Entra ID credentials. @@ -93,6 +93,8 @@ More narrow permissions may be used, however this is the set of permissions that ### 3. Add Entra ID as an identity provider + + 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication**. 2. Under **Login methods**, select **Add new**. 
@@ -114,6 +116,45 @@ More narrow permissions may be used, however this is the set of permissions that To [test](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust) that your connection is working, select **Test**. + + +1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions: + | Type | Item | Permission | + | ------- | ---------------- | ---------- | + | Account | Access: Organizations, Identity Providers, and Groups | Edit | + +2. Make a `POST` request to the [Identity Providers](/api/resources/zero_trust/subresources/identity_providers/methods/create/) endpoint: + + ```sh + curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/identity_providers \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ + --data '{ + "name": "Entra ID example", + "type": "azureAD", + "config": { + "client_id": "", + "client_secret": "", + "directory_id": "", + "support_groups": true + } + }' + ``` + + + +:::note[Provider versions] +The following example requires Cloudflare provider version `>=4.40.0`. +::: + +1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token): + - `Access: Organizations, Identity Providers, and Groups Write` + +2. Configure the [`cloudflare_zero_trust_access_identity_provider`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_identity_provider) resource: + + + + + #### UPN and email If your organization's UPNs do not match users' email addresses, you must add a custom claim for email. For example, if your organization's email format is `user@domain.com` but the UPN is `u908080@domain.com`, you must create an email claim if you are configuring email-based policies. 
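Review bot: the API tab's `curl` body places `"client_secret": ""` inline in the command line, so a reader who fills it in will leave the Entra ID client secret in shell history and in the process list, while the API token is correctly read from `$CLOUDFLARE_API_TOKEN`. Suggest reading the secret from an environment variable in the same way, or sending the body with `--data @body.json`, and adding `--header "Content-Type: application/json"` as the request currently relies on curl's default form encoding. The closing `#### UPN and email` context also shows the new Terraform tab ends without the resource block being visible in this hunk; confirm the rendered partial lands inside the tab rather than after it.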
@@ -264,18 +305,3 @@ You can require users to re-enter their credentials into Entra ID whenever they "scim_base_url": "https://.cloudflareaccess.com/populations/f174e90a-fafe-4643-bbbc-4a0ed4fc8415/scim/v2" }' ``` - -## Example API Configuration - -```json -{ - "config": { - "client_id": "", - "client_secret": "", - "directory_id": "", - "support_groups": true - }, - "type": "azureAD", - "name": "my example idp" -} -``` diff --git a/src/content/partials/cloudflare-one/access/entra-id-terraform.mdx b/src/content/partials/cloudflare-one/access/entra-id-terraform.mdx new file mode 100644 index 000000000000000..0ae925b2014fdad --- /dev/null +++ b/src/content/partials/cloudflare-one/access/entra-id-terraform.mdx @@ -0,0 +1,18 @@ +--- +{} +--- + + +```tf +resource "cloudflare_zero_trust_access_identity_provider" "microsoft_entra_id" { + account_id = var.cloudflare_account_id + name = "Entra ID example" + type = "azureAD" + config { + client_id = var.entra_id_client_id + client_secret = var.entra_id_client_secret + directory_id = var.entra_id_directory_id + support_groups = true + } +} +``` From 244e8dcffbe985e4f80c2a9b8ad41577467066a0 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Mon, 24 Feb 2025 18:02:49 -0500 Subject: [PATCH 5/7] add IdP TF tab to implementation guide --- .../access/idp-integration-note.mdx | 6 +++++ .../cloudflare-one/access/idp-integration.mdx | 24 +++++++++++++++++-- .../zero-trust/configure-idp.mdx | 4 ++-- 3 files changed, 30 insertions(+), 4 deletions(-) create mode 100644 src/content/partials/cloudflare-one/access/idp-integration-note.mdx diff --git a/src/content/partials/cloudflare-one/access/idp-integration-note.mdx b/src/content/partials/cloudflare-one/access/idp-integration-note.mdx new file mode 100644 index 000000000000000..25d2f72c98f9cb9 --- /dev/null +++ b/src/content/partials/cloudflare-one/access/idp-integration-note.mdx 
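Review bot: in the new `entra-id-terraform.mdx` partial, `client_secret = var.entra_id_client_secret` references a variable whose declaration is not shown anywhere in the patch; add a sentence (or a `variable "entra_id_client_secret" { sensitive = true }` line) telling readers to mark it `sensitive = true` so the value is redacted from `plan` and `apply` output, and note that the secret is still written in plaintext to Terraform state, so the state backend needs the same protection as the secret itself. The hard-coded `support_groups = true` also differs from the dashboard steps above, which present it as optional; say why the example enables it.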
@@ -0,0 +1,6 @@ +--- +params: + - verb +--- + +If you do not see your identity provider listed, these providers can typically still be enabled. If they support OIDC or OAuth, {props.verb} the [generic OIDC](/cloudflare-one/identity/idp-integration/generic-oidc/) option. If they support SAML, {props.verb} the [generic SAML](/cloudflare-one/identity/idp-integration/generic-saml/) option. Cloudflare supports all SAML and OIDC providers and can integrate with the majority of OAuth providers. If your provider supports both SAML and OIDC, we recommend OIDC for ease of configuration. diff --git a/src/content/partials/cloudflare-one/access/idp-integration.mdx b/src/content/partials/cloudflare-one/access/idp-integration.mdx index 83797bc7d10c9a6..8e3a0f42a90b16b 100644 --- a/src/content/partials/cloudflare-one/access/idp-integration.mdx +++ b/src/content/partials/cloudflare-one/access/idp-integration.mdx 
@@ -2,16 +2,36 @@ {} --- +import {Render, Tabs, TabItem} from "~/components" + + + 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication**. 2. In the **Login methods** card, select **Add new**. 3. Select the identity provider you want to add. - If you do not see your identity provider listed, these providers can typically still be enabled. If they support OIDC or OAuth, select the generic OIDC option. If they support SAML, select the generic SAML option. Cloudflare supports all SAML and OIDC providers and can integrate with the majority of OAuth providers. If your provider supports both SAML and OIDC, we recommend OIDC for ease of configuration. + 4. Fill in the necessary fields to set up your identity provider. - Each identity provider will have different required fields for you to fill in. Step-by-step instructions are shown in the dashboard side panel. + Each identity provider will have different required fields for you to fill in. Step-by-step instructions are shown in the dashboard side panel. Alternatively, refer to the [IdP-specific documentation](/cloudflare-one/identity/idp-integration/). 5. Once you have filled in the necessary fields, select **Save**. + + + +1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token): + - `Access: Organizations, Identity Providers, and Groups Write` + +2. Add an identity provider to Zero Trust using the [`cloudflare_zero_trust_access_identity_provider`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_identity_provider) resource. For example, to add a Microsoft Entra ID integration: + + + + + Each identity provider integration has different required attributes. You will need to obtain these attribute values from your identity provider. 
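Review bot: the Terraform tab added here omits the "Provider versions" `>=4.40.0` note that every other Terraform tab in this series carries, although it links the same `cloudflare_zero_trust_access_identity_provider` resource and renders the same Entra ID partial; add the note so learning-path readers get the same caveat. The hunk also leaves the file with `\ No newline at end of file`; add the trailing newline.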
For more information, refer to the [IdP-specific documentation](/cloudflare-one/identity/idp-integration/). + + + + \ No newline at end of file diff --git a/src/content/partials/learning-paths/zero-trust/configure-idp.mdx b/src/content/partials/learning-paths/zero-trust/configure-idp.mdx index 9aaf4630115caa3..0141d8fd0b493d8 100644 --- a/src/content/partials/learning-paths/zero-trust/configure-idp.mdx +++ b/src/content/partials/learning-paths/zero-trust/configure-idp.mdx @@ -3,7 +3,7 @@ --- -import { GlossaryTooltip, Render } from "~/components" +import { GlossaryTooltip, Render} from "~/components" An identity provider (IdP) stores and manages users' digital identities. You can integrate your existing identity provider with Cloudflare Zero Trust in order to manage user access to your private network. This requires configuration both in Cloudflare and with the identity provider itself. @@ -16,4 +16,4 @@ To add an identity provider: -Users will now be able to select this IdP when they are prompted to authenticate. To learn more about IdP configuration, refer to [SSO integration](/cloudflare-one/identity/idp-integration/). +Users will now be able to select the IdP when they are prompted to authenticate. From 9fad5aab39b3dd6f9884bfff75722aafb01b1637 Mon Sep 17 00:00:00 2001 From: ranbel <101146722+ranbel@users.noreply.github.com> Date: Mon, 24 Feb 2025 18:05:57 -0500 Subject: [PATCH 6/7] Update src/content/partials/learning-paths/zero-trust/configure-idp.mdx --- .../partials/learning-paths/zero-trust/configure-idp.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/partials/learning-paths/zero-trust/configure-idp.mdx b/src/content/partials/learning-paths/zero-trust/configure-idp.mdx index 0141d8fd0b493d8..c515da532df99c2 100644 --- a/src/content/partials/learning-paths/zero-trust/configure-idp.mdx +++ b/src/content/partials/learning-paths/zero-trust/configure-idp.mdx 
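Review bot: in `configure-idp.mdx` the import change `{ GlossaryTooltip, Render}` only drops the space before `}`, which looks accidental and a formatter will revert; leave the line as it was. The removed sentence "To learn more about IdP configuration, refer to SSO integration" was the learning path's only direct link to the IdP integration overview; the updated `idp-integration` partial links the IdP-specific docs, so either rely on that and say so in the commit message, or keep the link.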
@@ -16,4 +16,4 @@ To add an identity provider: -Users will now be able to select the IdP when they are prompted to authenticate. +Users will now be able to select this IdP when they are prompted to authenticate. From 41c222411da83fbb619811c884485f7cc3c6f815 Mon Sep 17 00:00:00 2001 From: ranbel <101146722+ranbel@users.noreply.github.com> Date: Tue, 25 Feb 2025 10:46:26 -0500 Subject: [PATCH 7/7] Update src/content/partials/cloudflare-one/access/idp-integration.mdx Co-authored-by: marciocloudflare <83226960+marciocloudflare@users.noreply.github.com> --- src/content/partials/cloudflare-one/access/idp-integration.mdx | 1 - 1 file changed, 1 deletion(-) diff --git a/src/content/partials/cloudflare-one/access/idp-integration.mdx b/src/content/partials/cloudflare-one/access/idp-integration.mdx index 8e3a0f42a90b16b..3de3f4179a24bd9 100644 --- a/src/content/partials/cloudflare-one/access/idp-integration.mdx +++ b/src/content/partials/cloudflare-one/access/idp-integration.mdx @@ -27,7 +27,6 @@ import {Render, Tabs, TabItem} from "~/components" 2. Add an identity provider to Zero Trust using the [`cloudflare_zero_trust_access_identity_provider`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_identity_provider) resource. For example, to add a Microsoft Entra ID integration: - Each identity provider integration has different required attributes. You will need to obtain these attribute values from your identity provider. For more information, refer to the [IdP-specific documentation](/cloudflare-one/identity/idp-integration/).
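Review bot: patch 6 only reverts the "this IdP" to "the IdP" wording change made in patch 5, and patch 7 removes a single blank line, so both should be squashed into patch 5 before merge; patch 7 touches `idp-integration.mdx` but still does not restore the trailing newline that patch 5 dropped.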