From 1d5a53b7298a6096525e5c4453522acd8ccc8ddb Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Fri, 28 Mar 2025 14:38:14 -0400 Subject: [PATCH 1/3] SCIM logs --- .../identity/idp-integration/entra-id.mdx | 2 +- .../insights/logs/scim-logs.mdx | 33 +++++++++++++++++++ .../access/scim-requires-login.mdx | 7 ++++ .../access/verify-scim-provisioning.mdx | 8 ++--- 4 files changed, 45 insertions(+), 5 deletions(-) create mode 100644 src/content/docs/cloudflare-one/insights/logs/scim-logs.mdx create mode 100644 src/content/partials/cloudflare-one/access/scim-requires-login.mdx diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx index 0468ee5f1511fa4..d76103e1cd7297e 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx @@ -222,7 +222,7 @@ SCIM requires a separate enterprise application from the one created during [ini 12. On the **Provisioning** page, select **Start provisioning**. You will see the synchronization status in Entra ID. -To check which users and groups were synchronized, select **View provisioning logs**. +To check which users and groups were synchronized, select **View provisioning logs** in Entra ID. diff --git a/src/content/docs/cloudflare-one/insights/logs/scim-logs.mdx b/src/content/docs/cloudflare-one/insights/logs/scim-logs.mdx new file mode 100644 index 000000000000000..6e089e9b0e6e113 --- /dev/null +++ b/src/content/docs/cloudflare-one/insights/logs/scim-logs.mdx @@ -0,0 +1,33 @@ +--- +pcx_content_type: reference +title: SCIM activity logs +sidebar: + order: 3 + label: SCIM logs +--- + +import { Render } from "~/components"; + +SCIM activity logs allow administrators to audit how [SCIM provisioning](/cloudflare-one/identity/users/scim/) events in an identity provider (such as create, update, and delete) affect a user's identity and group membership in Zero Trust. You can compare your Zero Trust SCIM logs with your identity provider's SCIM logs to track how identity data is shared between the two services and pinpoint the source of any provisioning errors. + +## View SCIM logs + +For an overview of SCIM events across all users, log in to [Zero Trust](https://one.dash.cloudflare.com/) and go to **Logs** > **SCIM provisioning**. This page lists the inbound SCIM requests from all identity providers configured with SCIM. You can select an individual request to view more details about the SCIM operation. + +To investigate how SCIM events impacted a specific user, go to their [User Registry identity](/cloudflare-one/insights/logs/users/). + + + +## Log fields + +SCIM provisioning logs show the following information for each inbound SCIM request: + +- **IdP name**: UUID of the identity provider +- **Timestamp**: Date and time of the request +- **Action**: HTTP request method (`POST`, `PATCH`, `DELETE`) +- **User email**: User who received the SCIM identity update +- **Resource type**: Identity attribute that was modified (`GROUP` or ?) +- **CF resource ID**: +- **Outcome**: HTTP request response (`SUCCESS` or `ERROR`) +- **Request body**: HTTP request body containing the data that was added, modified, or removed +- **JSON log**: SCIM request log in JSON format diff --git a/src/content/partials/cloudflare-one/access/scim-requires-login.mdx b/src/content/partials/cloudflare-one/access/scim-requires-login.mdx new file mode 100644 index 000000000000000..a8ae848c3b6ea81 --- /dev/null +++ b/src/content/partials/cloudflare-one/access/scim-requires-login.mdx @@ -0,0 +1,7 @@ +--- +{} +--- + +:::note +New users must first [register the WARP client](/cloudflare-one/connections/connect-devices/warp/deployment/manual-deployment/) or authenticate to an Access application before SCIM provisioning can begin. +::: \ No newline at end of file diff --git a/src/content/partials/cloudflare-one/access/verify-scim-provisioning.mdx b/src/content/partials/cloudflare-one/access/verify-scim-provisioning.mdx index 7eea399f61b64d2..d4346aac2128f64 100644 --- a/src/content/partials/cloudflare-one/access/verify-scim-provisioning.mdx +++ b/src/content/partials/cloudflare-one/access/verify-scim-provisioning.mdx @@ -2,8 +2,8 @@ {} --- -To check if a user's identity was updated in Zero Trust, view their [User Registry identity](/cloudflare-one/insights/logs/users/). +import { Render } from "~/components"; -:::note -New users must first register the WARP client or authenticate to an Access application before SCIM provisioning can begin. -::: \ No newline at end of file +To check if user identities were updated in Zero Trust, view your [SCIM provisioning logs](/cloudflare-one/insights/logs/scim-logs/). + + \ No newline at end of file From ad50e02b9567991ab9ddb34f1b9e6aaa273813cd Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Mon, 31 Mar 2025 13:02:41 -0400 Subject: [PATCH 2/3] update log fields --- .../docs/cloudflare-one/insights/logs/scim-logs.mdx | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/src/content/docs/cloudflare-one/insights/logs/scim-logs.mdx b/src/content/docs/cloudflare-one/insights/logs/scim-logs.mdx index 6e089e9b0e6e113..7ec077b68580b4a 100644 --- a/src/content/docs/cloudflare-one/insights/logs/scim-logs.mdx +++ b/src/content/docs/cloudflare-one/insights/logs/scim-logs.mdx @@ -22,12 +22,14 @@ To investigate how SCIM events impacted a specific user, go to their [User Regis SCIM provisioning logs show the following information for each inbound SCIM request: -- **IdP name**: UUID of the identity provider +- **IdP name**: Name of the identity provider - **Timestamp**: Date and time of the request -- **Action**: HTTP request method (`POST`, `PATCH`, `DELETE`) +- **Action**: HTTP request method (`POST`, `PUT`, `PATCH`, `DELETE`) - **User email**: User who received the SCIM identity update -- **Resource type**: Identity attribute that was modified (`GROUP` or ?) -- **CF resource ID**: -- **Outcome**: HTTP request response (`SUCCESS` or `ERROR`) +- **Group name**: Group that received the SCIM identity update +- **Resource type**: SCIM resource that was modified (`GROUP` or `USER`) +- **CF resource ID**: Consistent identifier for the user or group created by Cloudflare SCIM +- **IDP resource ID**: Identifier for the user or group provided by the identity provider +- **Outcome**: Whether the SCIM request was applied successfully (`SUCCESS` or `ERROR`) - **Request body**: HTTP request body containing the data that was added, modified, or removed - **JSON log**: SCIM request log in JSON format From 5fed4fa29ec7f8a9dec39a80ef1c7cd9beec8c54 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Mon, 31 Mar 2025 14:15:12 -0400 Subject: [PATCH 3/3] update ID description --- src/content/docs/cloudflare-one/insights/logs/scim-logs.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/insights/logs/scim-logs.mdx b/src/content/docs/cloudflare-one/insights/logs/scim-logs.mdx index 7ec077b68580b4a..865043605d0cd69 100644 --- a/src/content/docs/cloudflare-one/insights/logs/scim-logs.mdx +++ b/src/content/docs/cloudflare-one/insights/logs/scim-logs.mdx @@ -28,7 +28,7 @@ SCIM provisioning logs show the following information for each inbound SCIM requ - **User email**: User who received the SCIM identity update - **Group name**: Group that received the SCIM identity update - **Resource type**: SCIM resource that was modified (`GROUP` or `USER`) -- **CF resource ID**: Consistent identifier for the user or group created by Cloudflare SCIM +- **CF resource ID**: Persistent identifier for the user or group created by Cloudflare SCIM - **IDP resource ID**: Identifier for the user or group provided by the identity provider - **Outcome**: Whether the SCIM request was applied successfully (`SUCCESS` or `ERROR`) - **Request body**: HTTP request body containing the data that was added, modified, or removed