From 85bd10253084f897b17fa4fa7f4b1fef7570636a Mon Sep 17 00:00:00 2001 From: Kate Tungusova Date: Wed, 26 Feb 2025 16:39:05 +0000 Subject: [PATCH 1/7] [CF1] generic saml cert expiration --- .../identity/idp-integration/generic-saml.mdx | 58 ++++++++++--------- 1 file changed, 31 insertions(+), 27 deletions(-) diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx index 8ae65f5117478b6..6afe49641667c6d 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx @@ -5,7 +5,7 @@ sidebar: order: 2 --- -import { Tabs, TabItem, Render } from '~/components'; +import { Tabs, TabItem, Render } from "~/components"; Cloudflare Zero Trust integrates with any identity provider that supports SAML 2.0. If your identity provider is not listed in the integration list of login methods in Zero Trust, it can be configured using SAML 2.0 (or OpenID if OIDC based). Generic SAML can also be used if you would like to pass additional SAML headers or claims for an IdP in the integration list. @@ -43,7 +43,6 @@ To download the SAML metadata file, copy-paste the metadata endpoint into a web ## 2. Add a SAML identity provider to Zero Trust - 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication** > **Login methods**. 
@@ -60,28 +59,36 @@ To download the SAML metadata file, copy-paste the metadata endpoint into a web The following example requires Cloudflare provider version `>=4.40.0`. ::: -1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token): - - `Access: Organizations, Identity Providers, and Groups Write` - -2. Configure the [`cloudflare_zero_trust_access_identity_provider`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_identity_provider) resource: - - ```tf - resource "cloudflare_zero_trust_access_identity_provider" "generic_saml_example" { - account_id = var.cloudflare_account_id - name = "Generic SAML example" - type = "saml" - config { - sso_target_url = "https://example.com/1234/sso/saml" - issuer_url = "https://example.com/1234" - idp_public_cert = "-----BEGIN CERTIFICATE-----\nXXXXX\n-----END CERTIFICATE-----" - sign_request = false - email_attribute_name = "email" - attributes = ["employeeID", "groups"] - } - } - ``` +1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token): + +- `Access: Organizations, Identity Providers, and Groups Write` + +2. 
Configure the [`cloudflare_zero_trust_access_identity_provider`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_identity_provider) resource: + +```tf +resource "cloudflare_zero_trust_access_identity_provider" "generic_saml_example" { + account_id = var.cloudflare_account_id + name = "Generic SAML example" + type = "saml" + config { + sso_target_url = "https://example.com/1234/sso/saml" + issuer_url = "https://example.com/1234" + idp_public_cert = "-----BEGIN CERTIFICATE-----\nXXXXX\n-----END CERTIFICATE-----" + sign_request = false + email_attribute_name = "email" + attributes = ["employeeID", "groups"] + } +} +``` + +:::caution + +Set a reminder noting when the signing certificate obtained from your generic SAML identity provider will expire. After the certificate expires, you will need to generate a new signing certificate and re-add it to your Cloudflare configuration via the Cloudflare dashboard or Terraform. + +::: + ## 3. Test the connection You can now [test the IdP integration](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust). A success response should return the configured SAML attributes. @@ -96,10 +103,7 @@ Your identity provider must support SCIM version 2.0. ### 1. Enable SCIM in Zero Trust - + ### 2. Configure SCIM in the IdP @@ -114,7 +118,7 @@ If you would like to build policies based on IdP groups: ### 3. Verify SCIM provisioning - + ## Optional configurations From 3f8eff48f327783d9f1ef2f4c27bfe590fcc9ca7 Mon Sep 17 00:00:00 2001 From: Kate Tungusova <70746074+deadlypants1973@users.noreply.github.com> Date: Mon, 3 Mar 2025 09:33:20 +0000 Subject: [PATCH 2/7] Update src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx Co-authored-by: Jun Lee --- .../cloudflare-one/identity/idp-integration/generic-saml.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx index 6afe49641667c6d..48ad210dca16be4 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx @@ -85,7 +85,7 @@ resource "cloudflare_zero_trust_access_identity_provider" "generic_saml_example" :::caution -Set a reminder noting when the signing certificate obtained from your generic SAML identity provider will expire. After the certificate expires, you will need to generate a new signing certificate and re-add it to your Cloudflare configuration via the Cloudflare dashboard or Terraform. +Set a reminder for the expiry date of the signing certificate obtained from your generic SAML identity provider. After the certificate expires, you will need to generate a new signing certificate and re-add it to your Cloudflare configuration via the Cloudflare dashboard or Terraform. ::: From 7aab75955344149da37522f54f697bbe5d716c27 Mon Sep 17 00:00:00 2001 From: Kate Tungusova Date: Mon, 3 Mar 2025 10:51:02 +0000 Subject: [PATCH 3/7] fix indent --- .../identity/idp-integration/generic-saml.mdx | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx index 48ad210dca16be4..566eb669d76fa08 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx 
@@ -61,25 +61,25 @@ The following example requires Cloudflare provider version `>=4.40.0`. 1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token): -- `Access: Organizations, Identity Providers, and Groups Write` + - `Access: Organizations, Identity Providers, and Groups Write` 2. Configure the [`cloudflare_zero_trust_access_identity_provider`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_identity_provider) resource: -```tf -resource "cloudflare_zero_trust_access_identity_provider" "generic_saml_example" { - account_id = var.cloudflare_account_id - name = "Generic SAML example" - type = "saml" - config { - sso_target_url = "https://example.com/1234/sso/saml" - issuer_url = "https://example.com/1234" - idp_public_cert = "-----BEGIN CERTIFICATE-----\nXXXXX\n-----END CERTIFICATE-----" - sign_request = false - email_attribute_name = "email" - attributes = ["employeeID", "groups"] - } -} -``` + ```tf + resource "cloudflare_zero_trust_access_identity_provider" "generic_saml_example" { + account_id = var.cloudflare_account_id + name = "Generic SAML example" + type = "saml" + config { + sso_target_url = "https://example.com/1234/sso/saml" + issuer_url = "https://example.com/1234" + idp_public_cert = "-----BEGIN CERTIFICATE-----\nXXXXX\n-----END CERTIFICATE-----" + sign_request = false + email_attribute_name = "email" + attributes = ["employeeID", "groups"] + } + } + ``` From 8306da6852594ba8ad1797cb35b828bb7d30b0d9 Mon Sep 17 00:00:00 2001 From: Kate Tungusova Date: Mon, 3 Mar 2025 11:24:51 +0000 Subject: [PATCH 4/7] editing for indentation --- .../identity/idp-integration/generic-saml.mdx | 30 +++++++++---------- 1 file changed, 15 insertions(+), 15 deletions(-) 
diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx index 566eb669d76fa08..6752652dfd7a3ff 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx @@ -65,21 +65,21 @@ The following example requires Cloudflare provider version `>=4.40.0`. 2. Configure the [`cloudflare_zero_trust_access_identity_provider`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_identity_provider) resource: - ```tf - resource "cloudflare_zero_trust_access_identity_provider" "generic_saml_example" { - account_id = var.cloudflare_account_id - name = "Generic SAML example" - type = "saml" - config { - sso_target_url = "https://example.com/1234/sso/saml" - issuer_url = "https://example.com/1234" - idp_public_cert = "-----BEGIN CERTIFICATE-----\nXXXXX\n-----END CERTIFICATE-----" - sign_request = false - email_attribute_name = "email" - attributes = ["employeeID", "groups"] - } - } - ``` + ```tf + resource "cloudflare_zero_trust_access_identity_provider" "generic_saml_example" { + account_id = var.cloudflare_account_id + name = "Generic SAML example" + type = "saml" + config { + sso_target_url = "https://example.com/1234/sso/saml" + issuer_url = "https://example.com/1234" + idp_public_cert = "-----BEGIN CERTIFICATE-----\nXXXXX\n-----END CERTIFICATE-----" + sign_request = false + email_attribute_name = "email" + attributes = ["employeeID", "groups"] + } + } + ``` From ab452f426372b4800c37000cb99eca4951eeee6c Mon Sep 17 00:00:00 2001 
From: Kate Tungusova <70746074+deadlypants1973@users.noreply.github.com> Date: Mon, 3 Mar 2025 11:29:37 +0000 Subject: [PATCH 5/7] Update src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx --- .../identity/idp-integration/generic-saml.mdx | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx index 6752652dfd7a3ff..54778e8e4be0290 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx 
@@ -61,25 +61,25 @@ The following example requires Cloudflare provider version `>=4.40.0`. 1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token): - - `Access: Organizations, Identity Providers, and Groups Write` + - `Access: Organizations, Identity Providers, and Groups Write` 2. Configure the [`cloudflare_zero_trust_access_identity_provider`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_identity_provider) resource: - ```tf - resource "cloudflare_zero_trust_access_identity_provider" "generic_saml_example" { - account_id = var.cloudflare_account_id - name = "Generic SAML example" - type = "saml" - config { - sso_target_url = "https://example.com/1234/sso/saml" - issuer_url = "https://example.com/1234" - idp_public_cert = "-----BEGIN CERTIFICATE-----\nXXXXX\n-----END CERTIFICATE-----" - sign_request = false - email_attribute_name = "email" - attributes = ["employeeID", "groups"] - } - } - ``` + ```tf + resource "cloudflare_zero_trust_access_identity_provider" "generic_saml_example" { + account_id = var.cloudflare_account_id + name = "Generic SAML example" + type = "saml" + config { + sso_target_url = "https://example.com/1234/sso/saml" + issuer_url = "https://example.com/1234" + idp_public_cert = "-----BEGIN CERTIFICATE-----\nXXXXX\n-----END CERTIFICATE-----" + sign_request = false + email_attribute_name = "email" + attributes = ["employeeID", "groups"] + } + } + ``` From e292daadf58c5cadb75567db299e1486cc7bf7ce Mon Sep 17 00:00:00 2001 From: Kate Tungusova Date: Mon, 3 Mar 2025 11:34:37 +0000 Subject: [PATCH 6/7] indentation --- .../identity/idp-integration/generic-saml.mdx | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) 
diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx index 54778e8e4be0290..6752652dfd7a3ff 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx @@ -61,25 +61,25 @@ The following example requires Cloudflare provider version `>=4.40.0`. 1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token): - - `Access: Organizations, Identity Providers, and Groups Write` + - `Access: Organizations, Identity Providers, and Groups Write` 2. Configure the [`cloudflare_zero_trust_access_identity_provider`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_identity_provider) resource: - ```tf - resource "cloudflare_zero_trust_access_identity_provider" "generic_saml_example" { - account_id = var.cloudflare_account_id - name = "Generic SAML example" - type = "saml" - config { - sso_target_url = "https://example.com/1234/sso/saml" - issuer_url = "https://example.com/1234" - idp_public_cert = "-----BEGIN CERTIFICATE-----\nXXXXX\n-----END CERTIFICATE-----" - sign_request = false - email_attribute_name = "email" - attributes = ["employeeID", "groups"] - } - } - ``` + ```tf + resource "cloudflare_zero_trust_access_identity_provider" "generic_saml_example" { + account_id = var.cloudflare_account_id + name = "Generic SAML example" + type = "saml" + config { + sso_target_url = "https://example.com/1234/sso/saml" + issuer_url = "https://example.com/1234" + idp_public_cert = "-----BEGIN CERTIFICATE-----\nXXXXX\n-----END CERTIFICATE-----" + sign_request = false + email_attribute_name = "email" + attributes = ["employeeID", "groups"] + } + } + ``` From ef6759461b0a98b5c253354bfc090da44e7ea148 Mon Sep 17 00:00:00 2001 
From: Kate Tungusova <70746074+deadlypants1973@users.noreply.github.com> Date: Mon, 3 Mar 2025 11:35:08 +0000 Subject: [PATCH 7/7] Update src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx --- .../cloudflare-one/identity/idp-integration/generic-saml.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx index 6752652dfd7a3ff..0ae1ec07b29c739 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx @@ -61,7 +61,7 @@ The following example requires Cloudflare provider version `>=4.40.0`. 1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token): - - `Access: Organizations, Identity Providers, and Groups Write` + - `Access: Organizations, Identity Providers, and Groups Write` 2. Configure the [`cloudflare_zero_trust_access_identity_provider`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_identity_provider) resource:
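Review bot: In PATCH 1/7, hunk `@@ -60,28 +59,36 @@`, the rewritten lines drop the leading spaces from the `- \`Access: ...\`` bullet and from the ```` ```tf ```` fence, so they are no longer nested under steps 1 and 2 of the ordered list; Markdown needs continuation content indented to the text column of the list marker (three spaces for `1. `), which is exactly what the follow-up commits keep trying to restore. Keep the original indentation in this hunk so the only content change is the new `:::caution` block. Since that caution tells the reader to re-add the certificate "via the Cloudflare dashboard or Terraform", also confirm it sits outside the Terraform tab (the closing tab tag is not visible here) so readers following the dashboard path see it too.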
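Review bot: The hunks `@@ -5,7 +5,7 @@`, `@@ -43,7 +43,6 @@`, `@@ -96,10 +103,7 @@` and `@@ -114,7 +118,7 @@` in PATCH 1/7 change the import quote style, remove a blank line, and replace the content under "### 1. Enable SCIM in Zero Trust" and "### 3. Verify SCIM provisioning" with lines that are not visible in this rendering; none of that is covered by the subject "[CF1] generic saml cert expiration". Please confirm the SCIM edits are intentional and move the unrelated formatting changes into a separate commit so the certificate-expiry change can be reviewed on its own.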
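Review bot: In PATCH 2/7, the reworded caution still says "After the certificate expires, you will need to generate a new signing certificate and re-add it", which reads as a reactive step; since Cloudflare can no longer validate assertions signed with an expired certificate, logins through this IdP stop working at that point. Suggest phrasing it as a pre-expiry action, for example "Before the certificate expires, generate a new signing certificate in your identity provider and update the certificate in your Cloudflare configuration via the Cloudflare dashboard or Terraform." It would also help to say where the expiry date can be read, for instance from the validity period of the certificate in the SAML metadata the page already has the reader download.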
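Review bot: PATCH 3/7 through PATCH 7/7 only shuffle the indentation of the same sixteen lines, and PATCH 6/7 (`index 54778e8e4be0290..6752652dfd7a3ff`) is the exact reverse of PATCH 5/7 (`index 6752652dfd7a3ff..54778e8e4be0290`), so those two cancel out; PATCH 7/7 then re-indents only the `- \`Access: ...\`` bullet. Squash these into one "fix indentation" commit whose final state indents both the bullet and the ```` ```tf ```` fence to the list marker's text column, and check the rendered page once rather than per commit, since the diffs as shown do not make the resulting whitespace obvious.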