From 98ba7c7ddbb0e6a7ac1c72c99996df6fbd757aff Mon Sep 17 00:00:00 2001 From: Kate Tungusova Date: Thu, 17 Apr 2025 17:00:05 +0100 Subject: [PATCH 1/3] [CF1] microsoft entra ID IdP guide revision --- .../identity/idp-integration/entra-id.mdx | 77 ++++++++++--------- .../access/enable-scim-on-dashboard.mdx | 4 +- 2 files changed, 43 insertions(+), 38 deletions(-) diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx index 9900db58b6d041..2c5bb64f02d112 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx 
@@ -19,33 +19,31 @@ The following Entra ID values are required to set up the integration: To retrieve those values: -1. Log in to the [Azure dashboard](https://portal.azure.com/). +1. Log in to the [Microsoft Entra admin center](https://entra.microsoft.com/). -2. Go to **All services** > **Microsoft Entra ID**. +2. Go to **Applications** > **Enterprise applications**. -3. In the sidebar, go to **Manage** > **Enterprise applications**. +3. Select **New application**, then select **Create your own application**. -4. Select **New application**, then select **Create your own application**. +4. Name your application. -5. Name your application. +5. Select **Register an application to integrate with Microsoft Entra ID (App you're developing)**. If offered, do not select any of the gallery applications. Select **Create**. -6. Select **Register an application to integrate with Microsoft Entra ID (App you're developing)** and then select **Create**. - -7. Under **Redirect URI**, select the _Web_ platform and enter the following URL: +7. Under **Redirect URI**, select the _Web_ platform and enter the following URL. ```txt https://.cloudflareaccess.com/cdn-cgi/access/callback ``` - You can find your team name in Zero Trust under **Settings** > **Custom Pages**. + In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Custom Pages** to find your team name. ![Registering an application in Azure](~/assets/images/cloudflare-one/identity/azure/name-app.png) 8. Select **Register**. -9. Next, return to Microsoft Entra ID and go to go to **Manage** > **App registrations**. +9. Next, return to Microsoft Entra ID and go to **Applications** > **App registrations**. -10. Select the app you just created. Copy the **Application (client) ID** and **Directory (tenant) ID**. +10. Select **All applications** and select the app you just created. Copy the **Application (client) ID** and **Directory (tenant) ID**. 
You will need these values when [adding Entra ID as an identity provider in step 3](/cloudflare-one/identity/idp-integration/entra-id/#3-add-entra-id-as-an-identity-provider). ![Viewing the Application ID and Directory ID in Azure](~/assets/images/cloudflare-one/identity/azure/azure-values.png) @@ -57,7 +55,7 @@ To retrieve those values: When the client secret expires, users will be unable to log in through Access. Take note of your expiry date to prevent login errors and renew your client secret when necessary. ::: -13. After the client secret is created, copy its **Value** field. Store the client secret in a safe place, as it can only be viewed immediately after creation. +13. After the client secret is created, copy its **Value** field. Store the client secret in a safe place, as it can only be viewed immediately after creation. You will need this client secret value when [adding Entra ID as an identity provider in step 3](/cloudflare-one/identity/idp-integration/entra-id/#3-add-entra-id-as-an-identity-provider). ![Location of client secret in Azure](~/assets/images/cloudflare-one/identity/azure/client-cert-value.png) @@ -97,11 +95,15 @@ More narrow permissions may be used, however this is the set of permissions that 2. Under **Login methods**, select **Add new**. -3. Select **Azure AD**. +3. Select **Entra ID**. 4. Enter the **Application (client) ID**, **Client secret**, and **Directory (tenant) ID** obtained from Microsoft Entra ID. -5. (Optional) Configure the following settings: +5. Select **Save**. + +6. To [test](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust) that your connection is working, select **Test**. + +7. (Optional) Configure the following settings: - **Proof Key for Code Exchange**: Perform [PKCE](https://www.oauth.com/oauth2-servers/pkce/) on all login attempts. - **Support Groups**: Allow Cloudflare to read a user's Entra ID group membership. 
@@ -110,10 +112,6 @@ More narrow permissions may be used, however this is the set of permissions that - **Email claim**: Enter the Entra ID claim that you wish to use for user identification (for example, `preferred_username`). - **OIDC Claims**: Enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that you wish to add to your users' identity. This information will be available in the [user identity endpoint](/cloudflare-one/identity/authorization-cookie/application-token/#user-identity). -6. Select **Save**. - -To [test](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust) that your connection is working, select **Test**. - 1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions: @@ -139,8 +137,11 @@ To [test](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust) tha }' ``` - + +:::note[Provider versions] +The following example requires Cloudflare provider version `>=4.40.0`. +::: 1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token): @@ -148,7 +149,7 @@ To [test](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust) tha 2. Configure the [`cloudflare_zero_trust_access_identity_provider`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_identity_provider) resource: - + 
@@ -197,37 +198,41 @@ SCIM requires a separate enterprise application from the one created during [ini 3. Name your application (for example, `Cloudflare Access SCIM`). -4. Select **Integrate any other application you don't find in the gallery (Non-gallery)**. +4. Select **Integrate any other application you don't find in the gallery (Non-gallery)**. If offered, do not select any of the gallery applications. Select **Create**. -5. Once the SCIM application is created, [assign users and groups to the application](https://learn.microsoft.com/entra/identity/enterprise-apps/assign-user-or-group-access-portal). +5. After you have created the application, go to **Provisioning** > select **New Configuration**. - :::note - Groups in this SCIM application should match the groups in your other [Cloudflare Access enterprise application](/cloudflare-one/identity/idp-integration/entra-id/#set-up-entra-id-as-an-identity-provider). Because SCIM group membership updates will overwrite any groups in a user's identity, assigning the same groups to each app ensures consistent policy evaluation. - ::: +6. In the **Tenant URL** field, enter the **SCIM Endpoint** obtained from your Entra ID integration in Zero Trust [in the previous step](/cloudflare-one/identity/idp-integration/entra-id/#1-enable-scim-in-zero-trust). -6. Go to **Provisioning** and select **Get started**. +7. In the **Secret token** field, enter the **SCIM Secret** obtained from your Entra ID integration in Zero Trust [in the previous step](/cloudflare-one/identity/idp-integration/entra-id/#1-enable-scim-in-zero-trust). -7. For **Provisioning Mode**, choose _Automatic_. +8. Select **Test Connection** to ensure that the credentials were entered correctly. If the test fails, go to your Entra ID integration in Zero Trust, select **Regenerate Secret**, select **Save**, and enter your new **SCIM Secret** in the **Secret token** field. -8. In the **Tenant URL** field, enter the **SCIM Endpoint** obtained from Zero Trust. +9. 
Select **Create**. -9. In the **Secret Token** field, enter the **SCIM Secret** obtained from Zero Trust. +10. Once the SCIM application is created, [assign users and groups to the application](https://learn.microsoft.com/entra/identity/enterprise-apps/assign-user-or-group-access-portal). -10. Select **Test Connection** to ensure that the credentials were entered correctly. + :::note + Groups in this SCIM application should match the groups in your other [Cloudflare Access enterprise application](/cloudflare-one/identity/idp-integration/entra-id/#set-up-entra-id-as-an-identity-provider). Because SCIM group membership updates will overwrite any groups in a user's identity, assigning the same groups to each app ensures consistent policy evaluation. + ::: + +11. Go to **Provisioning** and select **Start provisioning**. -11. Select **Save**. +12. For **Provisioning Mode**, the default mode should be set by Microsoft to _Automatic_. -12. On the **Provisioning** page, select **Start provisioning**. You will see the synchronization status in Entra ID. +13. On the **Overview** page in Entra ID, you will see the synchronization status. -To check which users and groups were synchronized, select **View provisioning logs** in Entra ID. +To check which users and groups were synchronized, select **Provisioning logs**. +To monitor the exchange of identity details between Cloudflare Access and Microsoft Entra ID, go [Zero Trust](https://one.dash.cloudflare.com) > **Logs** > **SCIM provisioning** and view the [SCIM activity logs](/cloudflare-one/insights/logs/scim-logs/). + ### Provisioning attributes -Provisioning attributes define the user properties that Entra ID will synchronize with Cloudflare Access. To modify your provisioning attributes, go to the **Provisioning** page in Entra ID and select **Edit attribute mappings**. +Provisioning attributes define the user properties that Entra ID will synchronize with Cloudflare Access. 
To modify your provisioning attributes, go to the **Attribute mapping** and select **Provision Microsoft Entra ID Users**. -We recommend enabling the following user attribute mappings: +If not already configured, Cloudflare recommends enabling the following user attribute mappings: | customappsso Attribute | Entra ID Attribute | Recommendation | | ------------------------------ | ------------------ | -------------- | @@ -252,7 +257,7 @@ You can create Access and Gateway policies for groups that are not synchronized 1. Make sure you enable **Support groups** as you set up Microsoft Entra ID in Zero Trust. -2. On your Azure dashboard, note the `Object Id` for the Entra group. In the example below, the group named Admins has an ID of `61503835-b6fe-4630-af88-de551dd59a2`. +2. In your Microsoft Entra dashboard, note the `Object Id` for the Entra group. In the example below, the group named Admins has an ID of `61503835-b6fe-4630-af88-de551dd59a2`. ![Viewing the Azure group ID on the Azure dashboard](~/assets/images/cloudflare-one/identity/azure/object-id.png) diff --git a/src/content/partials/cloudflare-one/access/enable-scim-on-dashboard.mdx b/src/content/partials/cloudflare-one/access/enable-scim-on-dashboard.mdx index 7f3b39f7617294..593e43291dab89 100644 --- a/src/content/partials/cloudflare-one/access/enable-scim-on-dashboard.mdx +++ b/src/content/partials/cloudflare-one/access/enable-scim-on-dashboard.mdx 
@@ -21,8 +21,8 @@ import { Markdown } from "~/components" - _Group membership change reauthentication_: [Revoke a user's active session](/cloudflare-one/identity/users/session-management/#per-user) when their group membership changes in {props.idp}. This will invalidate all active Access sessions and prompt for reauthentication for any [WARP session policies](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-sessions/). Access will read the user's updated group membership when they reauthenticate. - _No action_: Update the user's identity the next time they reauthenticate to Access or WARP. -5. Select **Save**. +5. Select **Regenerate Secret**. Copy the **SCIM Endpoint** and **SCIM Secret**. You will need to enter these values into {props.idp}. -6. Copy the **SCIM Endpoint** and **SCIM Secret**. You will need to enter these values into {props.idp}. +6. Select **Save**. The SCIM secret never expires, but you can manually regenerate the secret at any time. From 7d034a4f524844c40eeca2ec657c05ccc0d90612 Mon Sep 17 00:00:00 2001 From: Kate Tungusova Date: Thu, 17 Apr 2025 17:29:10 +0100 Subject: [PATCH 2/3] final edits --- .../identity/idp-integration/entra-id.mdx | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx index 2c5bb64f02d112..7115e00abd8065 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx 
@@ -29,7 +29,7 @@ To retrieve those values: 5. Select **Register an application to integrate with Microsoft Entra ID (App you're developing)**. If offered, do not select any of the gallery applications. Select **Create**. -7. Under **Redirect URI**, select the _Web_ platform and enter the following URL. +6. Under **Redirect URI**, select the _Web_ platform and enter the following URL. ```txt https://.cloudflareaccess.com/cdn-cgi/access/callback 
@@ -39,23 +39,23 @@ To retrieve those values: ![Registering an application in Azure](~/assets/images/cloudflare-one/identity/azure/name-app.png) -8. Select **Register**. +7. Select **Register**. -9. Next, return to Microsoft Entra ID and go to **Applications** > **App registrations**. +8. Next, return to Microsoft Entra ID and go to **Applications** > **App registrations**. -10. Select **All applications** and select the app you just created. Copy the **Application (client) ID** and **Directory (tenant) ID**. You will need these values when [adding Entra ID as an identity provider in step 3](/cloudflare-one/identity/idp-integration/entra-id/#3-add-entra-id-as-an-identity-provider). +9. Select **All applications** and select the app you just created. Copy the **Application (client) ID** and **Directory (tenant) ID**. You will need these values when [adding Entra ID as an identity provider in step 3](/cloudflare-one/identity/idp-integration/entra-id/#3-add-entra-id-as-an-identity-provider). ![Viewing the Application ID and Directory ID in Azure](~/assets/images/cloudflare-one/identity/azure/azure-values.png) -11. Under **Client credentials**, go to **Add a certificate or secret**. Select **New client secret**. +10. Under **Client credentials**, go to **Add a certificate or secret**. Select **New client secret**. -12. Name the client secret and choose an expiration period. +11. Name the client secret and choose an expiration period. :::note When the client secret expires, users will be unable to log in through Access. Take note of your expiry date to prevent login errors and renew your client secret when necessary. ::: -13. After the client secret is created, copy its **Value** field. Store the client secret in a safe place, as it can only be viewed immediately after creation. You will need this client secret value when [adding Entra ID as an identity provider in step 3](/cloudflare-one/identity/idp-integration/entra-id/#3-add-entra-id-as-an-identity-provider). +12. 
After the client secret is created, copy its **Value** field. Store the client secret in a safe place, as it can only be viewed immediately after creation. You will need this client secret value when [adding Entra ID as an identity provider in step 3](/cloudflare-one/identity/idp-integration/entra-id/#3-add-entra-id-as-an-identity-provider). ![Location of client secret in Azure](~/assets/images/cloudflare-one/identity/azure/client-cert-value.png) @@ -140,7 +140,7 @@ More narrow permissions may be used, however this is the set of permissions that :::note[Provider versions] -The following example requires Cloudflare provider version `>=4.40.0`. +The following example requires Cloudflare provider version `4.40.0` or greater. ::: 1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token): @@ -226,7 +226,7 @@ To check which users and groups were synchronized, select **Provisioning logs**. -To monitor the exchange of identity details between Cloudflare Access and Microsoft Entra ID, go [Zero Trust](https://one.dash.cloudflare.com) > **Logs** > **SCIM provisioning** and view the [SCIM activity logs](/cloudflare-one/insights/logs/scim-logs/). +To monitor the exchange of identity details between Cloudflare Access and Microsoft Entra ID, go to [Zero Trust](https://one.dash.cloudflare.com) > **Logs** > **SCIM provisioning** and view the [SCIM activity logs](/cloudflare-one/insights/logs/scim-logs/). ### Provisioning attributes From 24bcc9e20a84e293e4d06c0e483dbfbed1f69499 Mon Sep 17 00:00:00 2001 From: Kate Tungusova Date: Thu, 17 Apr 2025 17:30:56 +0100 Subject: [PATCH 3/3] final --- .../docs/cloudflare-one/identity/idp-integration/entra-id.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx index 7115e00abd8065..8521c9ef5b8679 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx @@ -95,7 +95,7 @@ More narrow permissions may be used, however this is the set of permissions that 2. Under **Login methods**, select **Add new**. -3. Select **Entra ID**. +3. Select **Azure AD**. 4. Enter the **Application (client) ID**, **Client secret**, and **Directory (tenant) ID** obtained from Microsoft Entra ID.
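Review bot: The step list in `entra-id.mdx` @@ -19,33 (patch 1) skips a number after step 5, so the Redirect URI step is `7.` with no `6.`; patch 2 renumbers it, so squash that fix into this commit rather than leaving a broken list in the history. In the same hunk the Redirect URI code block reads `https://.cloudflareaccess.com/cdn-cgi/access/callback` with nothing between `https://` and `.cloudflareaccess.com`; confirm that the team-name placeholder is actually present in the source, because the sentence that follows it (`go to **Settings** > **Custom Pages** to find your team name`) only helps if readers can see where the team name goes.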
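Review bot: Moving **Save** and **Test** ahead of the optional settings in `entra-id.mdx` @@ -97,11 (patch 1), while @@ -110,10 deletes the trailing `6. Select **Save**.`, leaves step 7 with no save action: a reader who enables PKCE, **Support Groups**, or a custom **Email claim** after step 6 is never told to save, and the **Test** in step 6 ran before those settings existed, so a passing test says nothing about the group or email claims. Either keep the original order (configure the optional settings, then Save, then Test) or end step 7 with `Select **Save**, then select **Test** again.` This matters for **Support Groups** in particular, since the later section (`Make sure you enable **Support groups** as you set up Microsoft Entra ID`) depends on that setting being saved.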
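Review bot: In `entra-id.mdx` @@ -197,37 (patch 1) the Provisioning Mode check (step 12, `the default mode should be set by Microsoft to _Automatic_`) comes after **Start provisioning** (step 11); the check belongs before provisioning starts, and the hedged wording should state the fact, for example `Confirm that **Provisioning Mode** is set to _Automatic_ (the default), then select **Start provisioning**.` Two smaller points in the same hunk: step 8 tells readers whose **Test Connection** fails to regenerate the SCIM secret straight away, but the failure can just as well be a wrong **Tenant URL** from step 6, and regenerating discards a secret that may have been correct, so suggest checking the Tenant URL before regenerating; and step 5's `go to **Provisioning** > select **New Configuration**` mixes the `>` path notation with a verb (write `go to **Provisioning** and select **New Configuration**`), while under "Provisioning attributes" the phrase `go to the **Attribute mapping** and select` is missing its noun (page or section).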
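Review bot: `In your Microsoft Entra dashboard` in `entra-id.mdx` @@ -252,7 (patch 1) is inconsistent with the first hunk of the same patch, which renames the entry point to the **Microsoft Entra admin center**; use the same name here. While this line is being rewritten, the example Object Id `61503835-b6fe-4630-af88-de551dd59a2` has 11 hex characters in its last group where a GUID has 12, so it is not a syntactically valid example; check it against the screenshot it accompanies (this predates the patch, but the line is already being touched).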
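Review bot: The reordering in `enable-scim-on-dashboard.mdx` @@ -21,8 (patch 1) makes **Regenerate Secret** a required step in a partial that is rendered for every IdP through `{props.idp}`, so every page that includes it must actually expose a **Regenerate Secret** control and want the regenerate, copy, then save order; verify that before merging, since this PR only reviews the Entra ID page. Also, `The SCIM secret never expires, but you can manually regenerate the secret at any time` should say whether regenerating invalidates the previous secret immediately, because the Entra troubleshooting step added in this same PR tells readers to regenerate on a failed connection test and they need to know that the value already entered in Entra then stops working; for a bearer secret that never expires, a sentence recommending periodic rotation would also fit here.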
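Review bot: Patch 2 ("final edits") only renumbers steps 7 to 13 down to 6 to 12 in `entra-id.mdx` @@ -29,7 and @@ -39,23, fixing the gap patch 1 introduced; squash it into patch 1 so the series never contains a commit with a broken step list. Its other two hunks (`4.40.0 or greater` in place of `>=4.40.0`, and `go to [Zero Trust]` adding the missing "to") are fine as cosmetic fixes.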
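Review bot: Patch 3 reverts the `Select **Entra ID**` change from patch 1 back to `Select **Azure AD**` in `entra-id.mdx` @@ -95,7, so the series adds and then removes the same line; squash it away. If the dashboard option is still labeled **Azure AD** the revert is the correct text, but the step sits among instructions that say Microsoft Entra ID everywhere else (step 4 in the same hunk reads `obtained from Microsoft Entra ID`), so consider `Select **Azure AD** (Microsoft Entra ID).` so readers looking for an Entra ID entry recognize it.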