From 2275c7bc39d155a112281c2a0db96f23a2b0f98e Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Thu, 14 Nov 2024 12:58:26 -0500 Subject: [PATCH 01/12] update supported idps --- src/content/docs/cloudflare-one/identity/users/scim.mdx | 6 +++--- .../cloudflare-one/policies/gateway/identity-selectors.mdx | 6 +----- .../partials/cloudflare-one/access/scim-supported-idps.mdx | 6 ------ 3 files changed, 4 insertions(+), 14 deletions(-) delete mode 100644 src/content/partials/cloudflare-one/access/scim-supported-idps.mdx diff --git a/src/content/docs/cloudflare-one/identity/users/scim.mdx b/src/content/docs/cloudflare-one/identity/users/scim.mdx index e12b1d20d6f261..81b3898dbd6187 100644 --- a/src/content/docs/cloudflare-one/identity/users/scim.mdx +++ b/src/content/docs/cloudflare-one/identity/users/scim.mdx 
@@ -12,14 +12,14 @@ System for Cross-domain Identity Management (SCIM) is an open standard protocol ## Supported identity providers -Cloudflare Access currently supports SCIM provisioning using the following identity providers: - - +Cloudflare Access supports SCIM provisioning for all SAML and OIDC identity providers that use SCIM version 2.0. ## Sync users and groups in Zero Trust policies Cloudflare Access can automatically deprovision users from Zero Trust after they are deactivated in the identity provider and display synchronized group names in the Access and Gateway policy builders. Cloudflare does not provision new users in Zero Trust when they are added to the identity provider -- users must first register a device with the WARP client or authenticate to an Access application. +To set up SCIM for Zero Trust, refer to our [SSO integration](/cloudflare-one/identity/idp-integration/) guides. + ## SCIM for Cloudflare dashboard SSO To provision access to your Cloudflare account, you will need to set up a distinct [dashboard SSO SCIM integration](/fundamentals/setup/account/account-security/scim-setup/) in your IdP. You can assign users and groups to this new SCIM application to define who can access the Cloudflare dashboard. diff --git a/src/content/docs/cloudflare-one/policies/gateway/identity-selectors.mdx b/src/content/docs/cloudflare-one/policies/gateway/identity-selectors.mdx index 9e501287b988eb..22057af7c6c3e6 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/identity-selectors.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/identity-selectors.mdx 
@@ -24,11 +24,7 @@ To view the identity that Gateway will use when evaluating policies, check the [ ### Automatic SCIM IdP updates -Gateway will automatically detect changes in user name, title, and group membership for IdPs configured with System for Cross-domain Identity Management (SCIM) provisioning. IdPs that support SCIM include: - - - -For more information, refer to [SCIM provisioning](/cloudflare-one/identity/users/scim/). +Gateway will automatically detect changes in user name, title, and group membership for IdPs configured with System for Cross-domain Identity Management (SCIM) provisioning. For more information, refer to [SCIM provisioning](/cloudflare-one/identity/users/scim/). ### Extended email addresses diff --git a/src/content/partials/cloudflare-one/access/scim-supported-idps.mdx b/src/content/partials/cloudflare-one/access/scim-supported-idps.mdx deleted file mode 100644 index b01254af5649c3..00000000000000 --- a/src/content/partials/cloudflare-one/access/scim-supported-idps.mdx +++ /dev/null @@ -1,6 +0,0 @@ ---- -{} ---- - -- [Microsoft Entra ID](/cloudflare-one/identity/idp-integration/entra-id/) (formerly known as Azure AD) -- [Okta](/cloudflare-one/identity/idp-integration/okta/) From f2c34e37e5e6243f03b9d16d5cca479e79920692 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Thu, 14 Nov 2024 13:01:20 -0500 Subject: [PATCH 02/12] update partial params --- .../identity/idp-integration/entra-id.mdx | 2 +- .../identity/idp-integration/okta.mdx | 2 +- .../access/enable-scim-on-dashboard.mdx | 20 ++++++++++--------- 3 files changed, 13 insertions(+), 11 deletions(-) diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx index 8761edba2dbb70..e3f7f8be99892d 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx 
@@ -120,7 +120,7 @@ The Microsoft Entra ID integration allows you to synchronize IdP groups and auto ### 2. Configure SCIM in Entra ID diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx index 7a51e43b968af1..069461f7e4e25f 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx @@ -92,7 +92,7 @@ The Okta integration allows you to synchronize IdP groups and automatically depr ### 2. Configure SCIM in Okta diff --git a/src/content/partials/cloudflare-one/access/enable-scim-on-dashboard.mdx b/src/content/partials/cloudflare-one/access/enable-scim-on-dashboard.mdx index 771146cf4a69f4..b245df00bafb85 100644 --- a/src/content/partials/cloudflare-one/access/enable-scim-on-dashboard.mdx +++ b/src/content/partials/cloudflare-one/access/enable-scim-on-dashboard.mdx 
@@ -1,24 +1,26 @@ --- -inputParameters: param1 - +params: + - idp + - and + - supportgroups --- import { Markdown } from "~/components" 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication**. -2. Locate the IdP you want to synchronize and select **Edit**. +2. Find the {props.idp} integration and select **Edit**. -3. Select {props.one}. +3. Turn on **Enable SCIM**{props.and}**{props.supportgroups}**. -4. (Optional) Enable the following settings: +4. (Optional) Turn on the following settings: -* **Enable user deprovisioning**: [Revoke a user's active session](/cloudflare-one/identity/users/session-management/#per-user) when they are removed from the SCIM application in the IdP. This will invalidate all active Access sessions and prompt for reauthentication for any Gateway WARP session policies. -* **Remove user seat on deprovision**: [Remove a user's seat](/cloudflare-one/identity/users/seat-management/) from your Zero Trust account when they are removed from the SCIM application in the IdP. -* **Enable group membership change reauthentication**: [Revoke a user's active session](/cloudflare-one/identity/users/session-management/#per-user) when their group membership changes in the IdP. This will invalidate all active Access sessions and prompt for reauthentication for any Gateway WARP session policies. Access will read the user's updated group membership when they reauthenticate. +* **Enable user deprovisioning**: [Revoke a user's active session](/cloudflare-one/identity/users/session-management/#per-user) when they are removed from the SCIM application in {props.idp}. This will invalidate all active Access sessions and prompt for reauthentication for any Gateway WARP session policies. +* **Remove user seat on deprovision**: [Remove a user's seat](/cloudflare-one/identity/users/seat-management/) from your Zero Trust account when they are removed from the SCIM application in {props.idp}. 
+* **Enable group membership change reauthentication**: [Revoke a user's active session](/cloudflare-one/identity/users/session-management/#per-user) when their group membership changes in {props.idp}. This will invalidate all active Access sessions and prompt for reauthentication for any Gateway WARP session policies. Access will read the user's updated group membership when they reauthenticate. 5. Select **Save**. -6. Copy the **SCIM Endpoint** and **SCIM Secret**. You will need to enter these values into the IdP. +6. Copy the **SCIM Endpoint** and **SCIM Secret**. You will need to enter these values into {props.idp}. The SCIM secret never expires, but you can manually regenerate the secret at any time. From c99db0716a18a1477a10eb6cf0ec9fd8936243a7 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Thu, 14 Nov 2024 18:27:56 -0500 Subject: [PATCH 03/12] check user registry --- .../cloudflare-one/identity/idp-integration/entra-id.mdx | 2 ++ .../cloudflare-one/identity/idp-integration/okta.mdx | 4 +++- .../cloudflare-one/access/verify-scim-provisioning.mdx | 9 +++++++++ 3 files changed, 14 insertions(+), 1 deletion(-) create mode 100644 src/content/partials/cloudflare-one/access/verify-scim-provisioning.mdx diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx index e3f7f8be99892d..5ca91654cee397 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx 
@@ -159,6 +159,8 @@ SCIM requires a separate enterprise application from the one created during [ini To check which users and groups were synchronized, select **View provisioning logs**. + + ### Provisioning attributes Provisioning attributes define the user properties that Entra ID will synchronize with Cloudflare Access. To modify your provisioning attributes, go to the **Provisioning** page in Entra ID and select **Edit attribute mappings**. diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx index 069461f7e4e25f..9441835d121499 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx @@ -139,7 +139,9 @@ The Okta integration allows you to synchronize IdP groups and automatically depr 15. In the **Push Groups** tab, add the Okta groups you want to synchronize with Cloudflare Access. These groups will display in the Access policy builder. -Provisioning will begin immediately. To verify the integration, select **View Logs** in the Okta SCIM application. +To verify the integration, select **View Logs** in the Okta SCIM application. + + ## Example API Configuration diff --git a/src/content/partials/cloudflare-one/access/verify-scim-provisioning.mdx b/src/content/partials/cloudflare-one/access/verify-scim-provisioning.mdx new file mode 100644 index 00000000000000..7eea399f61b64d --- /dev/null +++ b/src/content/partials/cloudflare-one/access/verify-scim-provisioning.mdx @@ -0,0 +1,9 @@ +--- +{} +--- + +To check if a user's identity was updated in Zero Trust, view their [User Registry identity](/cloudflare-one/insights/logs/users/). + +:::note +New users must first register the WARP client or authenticate to an Access application before SCIM provisioning can begin. +::: \ No newline at end of file From b2540b230f65f03fa9448c8fd818a7dacae5385e Mon Sep 17 00:00:00 2001 
From: Ranbel Sun Date: Thu, 14 Nov 2024 18:28:04 -0500 Subject: [PATCH 04/12] jumpcloud scim --- .../idp-integration/jumpcloud-saml.mdx | 51 ++++++++++++++++++- 1 file changed, 49 insertions(+), 2 deletions(-) diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/jumpcloud-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/jumpcloud-saml.mdx index c37921fa18d7d1..413f734173798f 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/jumpcloud-saml.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/jumpcloud-saml.mdx @@ -3,8 +3,12 @@ pcx_content_type: how-to title: JumpCloud (SAML) --- +import { Render } from "~/components"; + [JumpCloud](https://jumpcloud.com/#platform) provides SSO identity management. Cloudflare Access integrates with JumpCloud as a SAML identity provider. +The following steps are specific to setting up JumpCloud with Cloudflare Access. For more information on configuring JumpCloud SSO application, refer to the [JumpCloud documentation](https://jumpcloud.com/support/integrate-with-cloudflare). + ## Set up Jumpcloud as a SAML provider 1. In the [JumpCloud Admin Portal](https://console.jumpcloud.com/#/home), go to **SSO Applications**. @@ -34,7 +38,9 @@ title: JumpCloud (SAML) ```txt https://.cloudflareaccess.com/cdn-cgi/access/callback ``` - 3. Scroll up to **JumpCloud Metadata** and select **Export Metadata**. Save this XML file for use in a later step. + 3. (Optional) Configure SAML attributes that you want to send to Cloudflare Access. + + 4. Scroll up to **JumpCloud Metadata** and select **Export Metadata**. Save this XML file for use in a later step. 9. In the **User Groups** tab, [assign user groups](https://jumpcloud.com/support/get-started-applications-saml-sso#managing-employee-access-to-applications) to this application. 
@@ -48,10 +54,51 @@ title: JumpCloud (SAML) 14. Upload your JumpCloud XML metadata file. -15. Select **Save**. +15. (Optional) Configure [additional SAML options](/cloudflare-one/identity/idp-integration/generic-saml/#optional-configurations). + +16. Select **Save**. You can now [test your connection](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust) and create [Access policies](/cloudflare-one/policies/access/) based on the configured login method and SAML attributes. +## Synchronize users and groups + +The JumpCloud integration allows you to synchronize user groups and automatically deprovision users using [SCIM](/cloudflare-one/identity/users/scim/). + +### 1. Enable SCIM in Zero Trust + + + +### 2. Configure SCIM in JumpCloud + +1. In the [JumpCloud Admin Portal](https://console.jumpcloud.com/#/home), go to **SSO Applications**. +2. Select the Cloudflare application that was created when you [Set up JumpCloud as a SAML provider](/cloudflare-one/identity/idp-integration/jumpcloud-saml/#set-up-jumpcloud-as-a-saml-provider). +3. Select the **Identity Management** tab. +4. Make sure that **Enable management of User Groups and Group Membership in this application** is turned on. +5. Select **Configure**. +6. In the **Base URL** field, enter the **SCIM Endpoint** obtained from Zero Trust. +7. In the **Token Key** field, enter the **SCIM Secret** obtained from Zero Trust. +8. Select **Activate**. You will receive a confirmation that the Identity Management integration has been successfully verified. +9. Select **Save**. + + + +### Provisioning attributes + +Provisioning attributes define the user and group properties that JumpCloud will synchronize with Cloudflare Access. 
By default, JumpCloud will send the following attributes during a SCIM update event: + +| JumpCloud user attribute| Cloudflare Access attribute | +| ------------------ | ----------------------- | +| `email` | `email` | +| `firstname` | `givenName` | +| `lastname` | `surname` | + +| JumpCloud group attribute | Cloudflare Access attribute | +| ------------------ | ----------------------- | +| `name` | `groups` | + ## Example API configuration ```json From 4e4d8e1565faf472d6a1ea22c8ca3eb513464be6 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Thu, 14 Nov 2024 19:07:18 -0500 Subject: [PATCH 05/12] break up jumpcloud steps --- .../idp-integration/jumpcloud-saml.mdx | 20 ++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/jumpcloud-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/jumpcloud-saml.mdx index 413f734173798f..1f466d0d0ded8c 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/jumpcloud-saml.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/jumpcloud-saml.mdx @@ -11,6 +11,8 @@ The following steps are specific to setting up JumpCloud with Cloudflare Access. ## Set up Jumpcloud as a SAML provider +### 1. Create an SSO application in JumpCloud + 1. In the [JumpCloud Admin Portal](https://console.jumpcloud.com/#/home), go to **SSO Applications**. 2. Select **Add New Application**. 
@@ -40,23 +42,27 @@ The following steps are specific to setting up JumpCloud with Cloudflare Access. ``` 3. (Optional) Configure SAML attributes that you want to send to Cloudflare Access. - 4. Scroll up to **JumpCloud Metadata** and select **Export Metadata**. Save this XML file for use in a later step. + 4. Scroll up to **JumpCloud Metadata** and select **Export Metadata**. Save this XML file for use in a [later step](#2-add-jumpcloud-to-zero-trust). 9. In the **User Groups** tab, [assign user groups](https://jumpcloud.com/support/get-started-applications-saml-sso#managing-employee-access-to-applications) to this application. 10. Select **Save**. -11. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Authentication**. +### 2. Add JumpCloud to Zero Trust + +1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Authentication**. + +2. Under **Login methods**, select **Add new**. -12. Under **Login methods**, select **Add new**. +3. Select **SAML**. -13. Select **SAML**. +4. Upload your JumpCloud XML metadata file. -14. Upload your JumpCloud XML metadata file. +5. (Optional) To enable SCIM, refer to [Synchronize users and groups](#synchronize-users-and-groups). -15. (Optional) Configure [additional SAML options](/cloudflare-one/identity/idp-integration/generic-saml/#optional-configurations). +6. (Optional) Under **Optional configurations**, configure [additional SAML options](#optional-configurations). -16. Select **Save**. +7. Select **Save**. You can now [test your connection](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust) and create [Access policies](/cloudflare-one/policies/access/) based on the configured login method and SAML attributes. From b5b5d8b621b534c2a50fbc7e613dc184a20704f7 Mon Sep 17 00:00:00 2001 
From: Ranbel Sun Date: Thu, 14 Nov 2024 19:07:26 -0500 Subject: [PATCH 06/12] add generic instructions --- .../identity/idp-integration/generic-oidc.mdx | 32 +++++++++++++++++-- .../identity/idp-integration/generic-saml.mdx | 30 +++++++++++++++-- 2 files changed, 58 insertions(+), 4 deletions(-) diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/generic-oidc.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/generic-oidc.mdx index 59d255676a9a3d..0d419b2512791b 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/generic-oidc.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/generic-oidc.mdx @@ -5,6 +5,8 @@ sidebar: order: 1 --- +import { Render } from "~/components"; + Cloudflare Access has a generic OpenID Connect (OIDC) connector to help you integrate IdPs not already set in Access. ## Set up a generic OIDC 
@@ -39,12 +41,38 @@ Cloudflare Access has a generic OpenID Connect (OIDC) connector to help you inte 8. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/) if the protocol is supported by your IdP. PKCE will be performed on all login attempts. -9. (Optional) Under **Optional configurations**, enter [custom OIDC claims](#oidc-claims) that you wish to add to users' identity. This information will be available in the [user identity endpoint](/cloudflare-one/identity/authorization-cookie/application-token/#user-identity). +9. (Optional) To enable SCIM, refer to [Synchronize users and groups](#synchronize-users-and-groups). + +10. (Optional) Under **Optional configurations**, enter [custom OIDC claims](#oidc-claims) that you wish to add to users' identity. This information will be available in the [user identity endpoint](/cloudflare-one/identity/authorization-cookie/application-token/#user-identity). -10. Select **Save**. +11. Select **Save**. To test that your connection is working, go to **Authentication** > **Login methods** and select **Test** next to the login method you want to test. On success, a confirmation screen displays. +## Synchronize users and groups + +The generic OIDC integration allows you to synchronize user groups and automatically deprovision users using [SCIM](/cloudflare-one/identity/users/scim/). + +### Prerequisites + +Your identity provider must support SCIM version 2.0. + +### 1. Enable SCIM in Zero Trust + + + +### 2. Configure SCIM in the IdP + +Setup instructions vary depending on the identity provider. In your identity provider, you will either need to edit the original [SSO application](#1-create-an-application-in-your-identity-provider) or create a new SCIM application. Refer to your identity provider's documentation for more details. 
For example instructions, refer to our [Okta](/cloudflare-one/identity/idp-integration/okta/#synchronize-users-and-groups) or [Jumpcloud](/cloudflare-one/identity/idp-integration/jumpcloud-saml/#synchronize-users-and-groups) guides. + +### 3. Verify SCIM provisioning + + + + ## Optional configurations ### OIDC claims diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx index 9df8e7db1a6f65..7f69121dde4a50 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx @@ -5,6 +5,8 @@ sidebar: order: 2 --- +import { Render } from "~/components"; + Cloudflare Zero Trust integrates with any identity provider that supports SAML 2.0. If your identity provider is not listed in the integration list of login methods in Zero Trust, it can be configured using SAML 2.0 (or OpenID if OIDC based). Generic SAML can also be used if you would like to pass additional SAML headers or claims for an IdP in the integration list. ## Prerequisites 
@@ -45,13 +47,37 @@ To download the SAML metadata file, copy-paste the metadata endpoint into a web 2. Select **Add new** and select **SAML**. 3. Choose a descriptive name for your identity provider. 4. Enter the **Single Sign on URL**, **IdP Entity ID or Issuer URL**, and **Signing certificate** obtained from your identity provider. -5. (Optional) Enter [optional configurations](#optional-configurations). -6. Select **Save**. +5. (Optional) To enable SCIM, refer to [Synchronize users and groups](#synchronize-users-and-groups). +6. (Optional) Under **Optional configurations**, configure [additional SAML options](#optional-configurations). +7. Select **Save**. ## 3. Test the connection You can now [test the IdP integration](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust). A success response should return the configured SAML attributes. +## Synchronize users and groups + +The generic SAML integration allows you to synchronize user groups and automatically deprovision users using [SCIM](/cloudflare-one/identity/users/scim/). + +### Prerequisites + +Your identity provider must support SCIM version 2.0. + +### 1. Enable SCIM in Zero Trust + + + +### 2. Configure SCIM in the IdP + +Setup instructions vary depending on the identity provider. In your identity provider, you will either need to edit the original [SSO application](#1-create-an-application-in-your-identity-provider) or create a new SCIM application. Refer to your identity provider's documentation for more details. For example instructions, refer to our [Okta](/cloudflare-one/identity/idp-integration/okta/#synchronize-users-and-groups) or [JumpCloud](/cloudflare-one/identity/idp-integration/jumpcloud-saml/#synchronize-users-and-groups) guides. + +### 3. Verify SCIM provisioning + + + ## Optional configurations SAML integrations allow you to pass additional headers or claims to applications. From 959e4fbe8fffa190ac021c526d8de9c1cd7b6dea Mon Sep 17 00:00:00 2001 
From: Ranbel Sun Date: Thu, 14 Nov 2024 19:08:15 -0500 Subject: [PATCH 07/12] remove extra line --- .../cloudflare-one/identity/idp-integration/generic-oidc.mdx | 1 - 1 file changed, 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/generic-oidc.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/generic-oidc.mdx index 0d419b2512791b..49a5f8df10480e 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/generic-oidc.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/generic-oidc.mdx @@ -72,7 +72,6 @@ Setup instructions vary depending on the identity provider. In your identity pro - ## Optional configurations ### OIDC claims From 11b8c9df813b8a055b8ac86a565b96f317a5e319 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Fri, 15 Nov 2024 15:19:08 -0500 Subject: [PATCH 08/12] add link to google workspace --- .../identity/idp-integration/gsuite.mdx | 20 +++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/gsuite.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/gsuite.mdx index ddfcb56bb22f87..77bc43cf7f9a76 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/gsuite.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/gsuite.mdx @@ -16,6 +16,8 @@ You do not need to be a Google Cloud Platform user to integrate Google Workspace ## Set up Google Workspace as an identity provider +### 1. Configure Google Workspace + 1. Log in to the Google Cloud Platform [console](https://console.cloud.google.com/). This is separate from your Google Workspace console. 2. A Google Cloud project is required to enable Google Workspace APIs. If you do not already have a Google Cloud project, go to **IAM & Admin** > **Create Project**. Name the project and select **Create**. 
@@ -66,21 +68,23 @@ You do not need to be a Google Cloud Platform user to integrate Google Workspace 15. Enable the **Trust internal, domain-owned apps** option. This setting is disabled by default and must be enabled for Cloudflare Access to work correctly. -16. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Authentication**. +### 2. Add Google Workspace to Zero Trust + +1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Authentication**. -17. Under **Login methods**, select **Add new** and choose **Google Workspace**. +2. Under **Login methods**, select **Add new** and choose **Google Workspace**. -18. Input the Client ID and Client Secret fields generated previously. Additionally, input the domain of your Google Workspace account. +3. Input the Client ID and Client Secret fields generated previously. Additionally, input the domain of your Google Workspace account. -19. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/). PKCE will be performed on all login attempts. +4. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/). PKCE will be performed on all login attempts. -20. (Optional) Under **Optional configurations**, enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that you wish to add to your Access [application token](/cloudflare-one/identity/authorization-cookie/application-token/). +5. (Optional) To enable SCIM, refer to the [OIDC connector documentation](/cloudflare-one/identity/idp-integration/generic-oidc/#synchronize-users-and-groups). -21. Select **Save**. To complete setup, you must visit the generated link. If you are not the Google Workspace administrator, share the link with the administrator. +6. 
(Optional) Under **Optional configurations**, enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that you wish to add to your Access [application token](/cloudflare-one/identity/authorization-cookie/application-token/). -22. The generated link will prompt you to log in to your Google admin account and to authorize Cloudflare Access to view group information. After allowing permissions, you will see a success page from Cloudflare Access. +7. Select **Save**. To complete setup, you must visit the generated link. If you are not the Google Workspace administrator, share the link with the administrator. -## Test your connection +8. The generated link will prompt you to log in to your Google admin account and to authorize Cloudflare Access to view group information. After allowing permissions, you will see a success page from Cloudflare Access. To test that your connection is working, go to **Authentication** > **Login methods** and select **Test** next to Google Workspace. Your user identity and group membership should return. From 780676bb70dc0279f2f3cde671add0ff35e34f3f Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Fri, 15 Nov 2024 15:32:47 -0500 Subject: [PATCH 09/12] add scim link to oidc idps --- .../identity/idp-integration/centrify.mdx | 18 +++++++++++------ .../idp-integration/onelogin-oidc.mdx | 18 +++++++++++------ .../identity/idp-integration/pingone-oidc.mdx | 20 ++++++++++++------- 3 files changed, 37 insertions(+), 19 deletions(-) diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/centrify.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/centrify.mdx index dcd6b705decc82..574c4059a2e5b6 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/centrify.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/centrify.mdx 
@@ -7,6 +7,8 @@ Centrify secures access to infrastructure, DevOps, cloud, and other modern enter ## Set up Centrify as an OIDC provider +### 1. Create an application in Centrify + 1. Log in to the Centrify administrator panel. 2. Select **Apps**. 
@@ -54,19 +56,23 @@ Centrify secures access to infrastructure, DevOps, cloud, and other modern enter 16. Select the roles to grant access to your application. -17. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication**. +### 2. Add Centrify to Zero Trust + +1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication**. + +2. Under **Login methods**, select **Add new**. -18. Under **Login methods**, select **Add new**. +3. Paste in the **Client ID**, **Client Secret**, **Centrify account URL** and **Application ID**. -19. Paste in the **Client ID**, **Client Secret**, **Centrify account URL** and **Application ID**. +4. (Optional) To enable SCIM, refer to the [OIDC connector documentation](/cloudflare-one/identity/idp-integration/generic-oidc/#synchronize-users-and-groups). -20. (Optional) Under **Optional configurations**, enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that you wish to add to your users' identity. This information will be available in the [user identity endpoint](/cloudflare-one/identity/authorization-cookie/application-token/#user-identity). +5. (Optional) Under **Optional configurations**, enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that you wish to add to your users' identity. This information will be available in the [user identity endpoint](/cloudflare-one/identity/authorization-cookie/application-token/#user-identity). -21. Select **Save**. +6. Select **Save**. To test that your connection is working, go to **Authentication** > **Login methods** and select **Test** next to the login method you want to test. -## **Example API Config** +## Example API Config ```json { diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/onelogin-oidc.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/onelogin-oidc.mdx index aea84e3a662ce1..0c6b61abb6fd28 100644 
--- a/src/content/docs/cloudflare-one/identity/idp-integration/onelogin-oidc.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/onelogin-oidc.mdx @@ -7,6 +7,8 @@ OneLogin provides SSO identity management. Cloudflare Access supports OneLogin a ## Set up OneLogin as an OIDC provider +### 1. Create an application in OneLogin + 1. Log in to your OneLogin admin portal. 2. Go to **Applications** > **Applications** and select **Add App**. 
@@ -31,22 +33,26 @@ OneLogin provides SSO identity management. Cloudflare Access supports OneLogin a 9. Copy the **Client ID** and **Client Secret**. -10. In [Zero Trust](https://one.dash.cloudflare.com),, go to **Settings** > **Authentication**. +### 2. Add OneLogin to Zero Trust + +1. In [Zero Trust](https://one.dash.cloudflare.com),, go to **Settings** > **Authentication**. -11. Under **Login methods**, select **Add new**. +2. Under **Login methods**, select **Add new**. -12. Select **OneLogin**. +3. Select **OneLogin**. -13. Fill in the following information: +4. Fill in the following information: - **Name**: Name your identity provider. - **App ID**: Enter your OneLogin client ID. - **Client secret**: Enter your OneLogin client secret. - **OneLogin account URL**: Enter your OneLogin domain, for example `https://.onelogin.com`. -14. (Optional) Under **Optional configurations**, enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that you wish to add to your Access [application token](/cloudflare-one/identity/authorization-cookie/application-token/). +5. (Optional) To enable SCIM, refer to the [OIDC connector documentation](/cloudflare-one/identity/idp-integration/generic-oidc/#synchronize-users-and-groups). + +6. (Optional) Under **Optional configurations**, enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that you wish to add to your Access [application token](/cloudflare-one/identity/authorization-cookie/application-token/). -15. Select **Save**. +7. Select **Save**. To test that your connection is working, go to **Authentication** > **Login methods** and select **Test** next to OneLogin. diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/pingone-oidc.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/pingone-oidc.mdx index e05afcf45079d4..7eea07c4cd0b09 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/pingone-oidc.mdx 
+++ b/src/content/docs/cloudflare-one/identity/idp-integration/pingone-oidc.mdx @@ -7,6 +7,8 @@ The PingOne cloud platform from PingIdentity provides SSO identity management. C ## Set up PingOne as an OIDC provider +### 1. Create an application in PingOne + 1. In your PingIdentity environment, go to **Connections** > **Applications**. 2. Select **Add Application**. 3. Enter an **Application Name**. 
@@ -24,13 +26,17 @@ The PingOne cloud platform from PingIdentity provides SSO identity management. C You can find your team name in Zero Trust under **Settings** > **Custom Pages**. 10. Select **Save**. -11. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Authentication**. -12. Under **Login methods**, select **Add new**. -13. Select **PingOne**. -14. Input the **Client ID**, **Client Secret**, and **Environment ID** generated previously. -15. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/). PKCE will be performed on all login attempts. -16. (Optional) Under **Optional configurations**, enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that you wish to add to your users' identity. This information will be available in the [user identity endpoint](/cloudflare-one/identity/authorization-cookie/application-token/#user-identity). -17. Select **Save**. + +### 2. Add PingOne to Zero Trust + +1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Authentication**. +2. Under **Login methods**, select **Add new**. +3. Select **PingOne**. +4. Input the **Client ID**, **Client Secret**, and **Environment ID** generated previously. +5. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/). PKCE will be performed on all login attempts. +6. (Optional) To enable SCIM, refer to the [OIDC connector documentation](/cloudflare-one/identity/idp-integration/generic-oidc/#synchronize-users-and-groups). +7. (Optional) Under **Optional configurations**, enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that you wish to add to your users' identity. This information will be available in the [user identity endpoint](/cloudflare-one/identity/authorization-cookie/application-token/#user-identity). +8. Select **Save**. 
You can now [test your connection](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust) and create [Access policies](/cloudflare-one/policies/access/) based on the configured login method. From 9b41ec17db12f4fd68eb25ea2dc07a5ab859ad1b Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Fri, 15 Nov 2024 15:56:10 -0500 Subject: [PATCH 10/12] add scim link to named IdPs --- .../idp-integration/centrify-saml.mdx | 22 ++++++++++++------- .../identity/idp-integration/centrify.mdx | 2 +- .../identity/idp-integration/gsuite.mdx | 2 +- .../idp-integration/onelogin-oidc.mdx | 2 +- .../idp-integration/onelogin-saml.mdx | 20 ++++++++++------- .../identity/idp-integration/pingone-oidc.mdx | 2 +- .../identity/idp-integration/pingone-saml.mdx | 18 ++++++++++----- 7 files changed, 42 insertions(+), 26 deletions(-) diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/centrify-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/centrify-saml.mdx index 1250f499a95a00..745b96a7fc2b18 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/centrify-saml.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/centrify-saml.mdx @@ -3,11 +3,11 @@ pcx_content_type: how-to title: Centrify (SAML) --- -Centrify secures access to infrastructure, DevOps, cloud, and other modern enterprise so you can prevent the #1 cause of breaches – privileged access abuse. +Centrify secures access to infrastructure, DevOps, cloud, and other modern enterprise so you can prevent the number one cause of breaches: privileged access abuse. -## Set up Centrify (SAML) +## Set up Centrify as a SAML provider -To set up SAML with Centrify as your identity provider: +## 1. Create an application in Centrify 1. Log in to your **Centrify** admin portal and select **Apps**. 
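Review bot: `## 1. Create an application in Centrify` in the Centrify (SAML) hunk is a level-2 heading, but its sibling `### 2. Add Centrify to Zero Trust` in the next hunk of the same file is level 3, so step 1 renders as a sibling of `## Set up Centrify as a SAML provider` rather than a child of it; change it to `### 1. Create an application in Centrify`, matching the OneLogin (OIDC) and PingOne (OIDC) hunks earlier in this series.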
@@ -59,15 +59,21 @@ To set up SAML with Centrify as your identity provider: 20. Select the **Manual Configuration** option. -21. In Zero Trust, go to **Settings** > **Authentication**. +### 2. Add Centrify to Zero Trust -22. Under **Login methods**, select **Add new**. +1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Authentication**. -23. Select SAML. +2. Under **Login methods**, select **Add new**. -24. Copy and paste the corresponding information from Centrify into the fields. +3. Select **SAML**. -25. Select **Save**. +4. Copy and paste the corresponding information from Centrify into the fields. + +5. (Optional) To enable SCIM, refer to [Synchronize users and groups](/cloudflare-one/identity/idp-integration/generic-saml/#synchronize-users-and-groups). + +6. (Optional) Under **Optional configurations**, configure [additional SAML options](/cloudflare-one/identity/idp-integration/generic-saml/#optional-configurations). + +7. Select **Save**. To test that your connection is working, go to **Authentication** > **Login methods** and select **Test** next to the login method you want to test. diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/centrify.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/centrify.mdx index 574c4059a2e5b6..d8562d376cc31b 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/centrify.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/centrify.mdx 
@@ -64,7 +64,7 @@ Centrify secures access to infrastructure, DevOps, cloud, and other modern enter 3. Paste in the **Client ID**, **Client Secret**, **Centrify account URL** and **Application ID**. -4. (Optional) To enable SCIM, refer to the [OIDC connector documentation](/cloudflare-one/identity/idp-integration/generic-oidc/#synchronize-users-and-groups). +4. (Optional) To enable SCIM, refer to [Synchronize users and groups](/cloudflare-one/identity/idp-integration/generic-oidc/#synchronize-users-and-groups). 5. (Optional) Under **Optional configurations**, enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that you wish to add to your users' identity. This information will be available in the [user identity endpoint](/cloudflare-one/identity/authorization-cookie/application-token/#user-identity). diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/gsuite.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/gsuite.mdx index 77bc43cf7f9a76..a686c30b97bc62 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/gsuite.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/gsuite.mdx 
@@ -78,7 +78,7 @@ You do not need to be a Google Cloud Platform user to integrate Google Workspace 4. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/). PKCE will be performed on all login attempts. -5. (Optional) To enable SCIM, refer to the [OIDC connector documentation](/cloudflare-one/identity/idp-integration/generic-oidc/#synchronize-users-and-groups). +5. (Optional) To enable SCIM, refer to [Synchronize users and groups](/cloudflare-one/identity/idp-integration/generic-oidc/#synchronize-users-and-groups). 6. (Optional) Under **Optional configurations**, enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that you wish to add to your Access [application token](/cloudflare-one/identity/authorization-cookie/application-token/). diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/onelogin-oidc.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/onelogin-oidc.mdx index 0c6b61abb6fd28..004b625eb48deb 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/onelogin-oidc.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/onelogin-oidc.mdx 
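Review bot: the unchanged step 4 in this hunk expands PKCE as `Proof of Key Exchange`, but RFC 7636 names the mechanism Proof Key for Code Exchange; the same wording appears in the PingOne (OIDC) hunks in this series, so fix the expansion in both files in one pass. The link-label change itself, `[OIDC connector documentation]` to `[Synchronize users and groups]`, matches the other files in this commit.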
@@ -48,7 +48,7 @@ OneLogin provides SSO identity management. Cloudflare Access supports OneLogin a - **Client secret**: Enter your OneLogin client secret. - **OneLogin account URL**: Enter your OneLogin domain, for example `https://.onelogin.com`. -5. (Optional) To enable SCIM, refer to the [OIDC connector documentation](/cloudflare-one/identity/idp-integration/generic-oidc/#synchronize-users-and-groups). +5. (Optional) To enable SCIM, refer to [Synchronize users and groups](/cloudflare-one/identity/idp-integration/generic-oidc/#synchronize-users-and-groups). 6. (Optional) Under **Optional configurations**, enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that you wish to add to your Access [application token](/cloudflare-one/identity/authorization-cookie/application-token/). diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/onelogin-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/onelogin-saml.mdx index f49e025cdc3ab2..0fb8da65b69dd2 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/onelogin-saml.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/onelogin-saml.mdx @@ -5,9 +5,9 @@ title: OneLogin (SAML) OneLogin provides SSO identity management. Cloudflare Access supports OneLogin as an SAML identity provider. -## Set up OneLogin (SAML) +## Set up OneLogin as a SAML provider -To set up OneLogin (SAML) as your identity provider: +## 1. Create an application in OneLogin 1. Log in to your OneLogin admin portal. 
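Review bot: in the OneLogin (SAML) hunk, `## 1. Create an application in OneLogin` is added at level 2 while the matching `### 2. Add OneLogin to Zero Trust` in the next hunk is level 3; use `###` so both steps nest under `## Set up OneLogin as a SAML provider`. The unchanged context line above the heading reads `supports OneLogin as an SAML identity provider` while the new heading says `as a SAML provider`; the article should be `a` in both places, and it is worth fixing while the section is being edited.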
@@ -47,17 +47,21 @@ To set up OneLogin (SAML) as your identity provider: ![OneLogin SAML Application SSO interface with SAML2.0 sign on method, Issuer URL, and X.509 Certificate](~/assets/images/cloudflare-one/identity/onelogin/onelogin-saml-7.png) -15. In Zero Trust, go to **Settings** > **Authentication**. +### 2. Add OneLogin to Zero Trust -16. Under **Login methods**, select **Add new**. +1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Authentication**. -17. Select SAML. +2. Under **Login methods**, select **Add new**. -18. Input the details from your OneLogin account in the fields. We suggest that you name the attributes the same in both OneLogin and Cloudflare. +3. Select **SAML**. - If other headers and SAML attribute names were added to OneLogin, be sure to add them to Cloudflare under **SAML attributes** and **SAML header attributes** in the **Optional configurations** menu. +4. Input the details from your OneLogin account in the fields. -19. Select **Save**. +5. (Optional) To enable SCIM, refer to [Synchronize users and groups](/cloudflare-one/identity/idp-integration/generic-saml/#synchronize-users-and-groups). + +6. (Optional) Under **Optional configurations**, configure [additional SAML options](/cloudflare-one/identity/idp-integration/generic-saml/#optional-configurations). If you added other SAML headers and attribute names to OneLogin, be sure to add them to Cloudflare. + +7. Select **Save**. To test that your connection is working, go to **Authentication** > **Login methods** and select **Test** next to the login method you want to test. diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/pingone-oidc.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/pingone-oidc.mdx index 7eea07c4cd0b09..e3b4aa41d204fb 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/pingone-oidc.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/pingone-oidc.mdx 
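Review bot: step 4 drops the sentence `We suggest that you name the attributes the same in both OneLogin and Cloudflare.` and the indented paragraph that told readers where the extra attributes go (`**SAML attributes** and **SAML header attributes** in the **Optional configurations** menu); the replacement in step 6, `If you added other SAML headers and attribute names to OneLogin, be sure to add them to Cloudflare.`, no longer says that the names must match on both sides or which fields to fill in, which is exactly the mistake the dropped sentence was guarding against. Keep the naming guidance in step 6, or confirm that the linked `#optional-configurations` section states it.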
@@ -34,7 +34,7 @@ The PingOne cloud platform from PingIdentity provides SSO identity management. C 3. Select **PingOne**. 4. Input the **Client ID**, **Client Secret**, and **Environment ID** generated previously. 5. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/). PKCE will be performed on all login attempts. -6. (Optional) To enable SCIM, refer to the [OIDC connector documentation](/cloudflare-one/identity/idp-integration/generic-oidc/#synchronize-users-and-groups). +6. (Optional) To enable SCIM, refer to [Synchronize users and groups](/cloudflare-one/identity/idp-integration/generic-oidc/#synchronize-users-and-groups). 7. (Optional) Under **Optional configurations**, enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that you wish to add to your users' identity. This information will be available in the [user identity endpoint](/cloudflare-one/identity/authorization-cookie/application-token/#user-identity). 8. Select **Save**. diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/pingone-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/pingone-saml.mdx index bbd495bb02bb0c..323e4640d30af1 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/pingone-saml.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/pingone-saml.mdx @@ -9,6 +9,8 @@ The PingOne cloud platform from PingIdentity provides SSO identity management. C ## Set up PingOne as a SAML provider +## 1. Create an application in PingOne + 1. In your PingIdentity environment, go to **Connections** > **Applications**. 2. Select **Add Application**. 
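Review bot: in the PingOne (SAML) hunk, `## 1. Create an application in PingOne` is inserted at level 2 directly under `## Set up PingOne as a SAML provider`, while the next hunk adds `### 2. Add PingOne to Zero Trust` at level 3; make step 1 `###` so the two steps are siblings under the section heading, as in the PingOne (OIDC) file in this series.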
@@ -47,16 +49,20 @@ The PingOne cloud platform from PingIdentity provides SSO identity management. C 9. Set the application to **Active**. -10. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Authentication**. +### 2. Add PingOne to Zero Trust + +1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Authentication**. + +2. Under **Login methods**, select **Add new**. -11. Under **Login methods**, select **Add new**. +3. Select **SAML**. -12. Select **SAML**. +4. Upload your PingOne XML metadata file. -13. Upload your PingOne XML metadata file from Step 7. +5. (Optional) To enable SCIM, refer to [Synchronize users and groups](/cloudflare-one/identity/idp-integration/generic-saml/#synchronize-users-and-groups). -14. Enable [**Sign SAML authentication request**](/cloudflare-one/identity/idp-integration/generic-saml/#sign-saml-authentication-request). +6. (Optional) Under **Optional configurations**, configure [additional SAML options](/cloudflare-one/identity/idp-integration/generic-saml/#optional-configurations). -15. Select **Save**. +7. Select **Save**. You can now [test your connection](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust) and create [Access policies](/cloudflare-one/policies/access/) based on the configured login method and SAML attributes. From 03c4c1b77be3b0a4f8259221e36b4148944dc8e0 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Fri, 15 Nov 2024 15:58:04 -0500 Subject: [PATCH 11/12] remove scim from google workspace --- .../cloudflare-one/identity/idp-integration/gsuite.mdx | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/gsuite.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/gsuite.mdx index a686c30b97bc62..f265a3bfd456ff 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/gsuite.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/gsuite.mdx 
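Review bot: this hunk removes the unconditional step `14. Enable [**Sign SAML authentication request**]` and folds it into the optional step 6 (`configure additional SAML options`); if PingOne still needs signed authentication requests for this integration, a reader following the new list can skip it and get a failing login with no pointer to the cause, so either keep it as an explicit step or name it in step 6. Separately, `13. Upload your PingOne XML metadata file from Step 7.` becomes `4. Upload your PingOne XML metadata file.`; since section 1 keeps its original numbering (step 9 `Set the application to **Active**` is still step 9), the cross-reference could be preserved as `from step 7 of the previous section` so readers know which file is meant.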
@@ -78,13 +78,11 @@ You do not need to be a Google Cloud Platform user to integrate Google Workspace 4. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/). PKCE will be performed on all login attempts. -5. (Optional) To enable SCIM, refer to [Synchronize users and groups](/cloudflare-one/identity/idp-integration/generic-oidc/#synchronize-users-and-groups). +5. (Optional) Under **Optional configurations**, enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that you wish to add to your Access [application token](/cloudflare-one/identity/authorization-cookie/application-token/). -6. (Optional) Under **Optional configurations**, enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that you wish to add to your Access [application token](/cloudflare-one/identity/authorization-cookie/application-token/). +6. Select **Save**. To complete setup, you must visit the generated link. If you are not the Google Workspace administrator, share the link with the administrator. -7. Select **Save**. To complete setup, you must visit the generated link. If you are not the Google Workspace administrator, share the link with the administrator. - -8. The generated link will prompt you to log in to your Google admin account and to authorize Cloudflare Access to view group information. After allowing permissions, you will see a success page from Cloudflare Access. +7. The generated link will prompt you to log in to your Google admin account and to authorize Cloudflare Access to view group information. After allowing permissions, you will see a success page from Cloudflare Access. To test that your connection is working, go to **Authentication** > **Login methods** and select **Test** next to Google Workspace. Your user identity and group membership should return. From 2b634ce66a32d10b495f8ef5b097c91546db41d5 Mon Sep 17 00:00:00 2001 
From: Ranbel Sun Date: Fri, 15 Nov 2024 17:02:12 -0500 Subject: [PATCH 12/12] group memberships must match --- .../identity/idp-integration/generic-oidc.mdx | 6 +++++- .../identity/idp-integration/generic-saml.mdx | 6 +++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/generic-oidc.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/generic-oidc.mdx index 49a5f8df10480e..a29eef8191df11 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/generic-oidc.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/generic-oidc.mdx 
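Review bot: in the Google Workspace hunk above (`[PATCH 11/12] remove scim from google workspace`), the SCIM step is deleted without any replacement text, so a reader who reaches the generic OIDC page's `### 2. Configure SCIM in the IdP` section and then returns to this guide has no indication that Google Workspace is excluded; a one-line statement that SCIM provisioning is not available for this IdP (with the reason, if there is one) would prevent that. The renumbering of the remaining steps to 5, 6 and 7 is consistent with the list.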
@@ -66,7 +66,11 @@ Your identity provider must support SCIM version 2.0. ### 2. Configure SCIM in the IdP -Setup instructions vary depending on the identity provider. In your identity provider, you will either need to edit the original [SSO application](#1-create-an-application-in-your-identity-provider) or create a new SCIM application. Refer to your identity provider's documentation for more details. For example instructions, refer to our [Okta](/cloudflare-one/identity/idp-integration/okta/#synchronize-users-and-groups) or [Jumpcloud](/cloudflare-one/identity/idp-integration/jumpcloud-saml/#synchronize-users-and-groups) guides. +Setup instructions vary depending on the identity provider. In your identity provider, you will either need to edit the [original SSO application](/cloudflare-one/identity/idp-integration/generic-oidc/#set-up-a-generic-oidc) or create a new SCIM application. Refer to your identity provider's documentation for more details. For example instructions, refer to our [Okta](/cloudflare-one/identity/idp-integration/okta/#synchronize-users-and-groups) or [Jumpcloud](/cloudflare-one/identity/idp-integration/jumpcloud-saml/#synchronize-users-and-groups) guides. + +:::note +If your IdP requires creating a new SCIM application, ensure that the groups in the SCIM application match the groups in the [original SSO application](/cloudflare-one/identity/idp-integration/generic-oidc/#set-up-a-generic-oidc). Because SCIM group membership updates will overwrite any groups in a user's identity, assigning the same groups to each app ensures consistent policy evaluation. +::: ### 3. Verify SCIM provisioning diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx index 7f69121dde4a50..fe1131322deb90 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx 
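Review bot: the first paragraph changes the in-page link `[SSO application](#1-create-an-application-in-your-identity-provider)` to the absolute `[original SSO application](/cloudflare-one/identity/idp-integration/generic-oidc/#set-up-a-generic-oidc)`, which points at a different anchor on the same page; the `#set-up-a-generic-oidc` heading is not visible in this diff, so confirm it exists (the SAML file in the next hunk keeps `#1-create-an-application-in-your-identity-provider`), and prefer a relative anchor for a same-page link. `[Jumpcloud]` here versus `[JumpCloud]` in the SAML file should also be unified. The new note's key claim, that SCIM group updates overwrite the groups in a user's identity, is the important security point; it would help to say what a mismatch does in practice, namely that Access policies keyed on group names then evaluate against the SCIM app's groups rather than the SSO app's.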
+++ b/src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx @@ -72,7 +72,11 @@ Your identity provider must support SCIM version 2.0. ### 2. Configure SCIM in the IdP -Setup instructions vary depending on the identity provider. In your identity provider, you will either need to edit the original [SSO application](#1-create-an-application-in-your-identity-provider) or create a new SCIM application. Refer to your identity provider's documentation for more details. For example instructions, refer to our [Okta](/cloudflare-one/identity/idp-integration/okta/#synchronize-users-and-groups) or [JumpCloud](/cloudflare-one/identity/idp-integration/jumpcloud-saml/#synchronize-users-and-groups) guides. +Setup instructions vary depending on the identity provider. In your identity provider, you will either need to edit the [original SSO application](#1-create-an-application-in-your-identity-provider) or create a new SCIM application. Refer to your identity provider's documentation for more details. For example instructions, refer to our [Okta](/cloudflare-one/identity/idp-integration/okta/#synchronize-users-and-groups) or [JumpCloud](/cloudflare-one/identity/idp-integration/jumpcloud-saml/#synchronize-users-and-groups) guides. + +:::note +If your IdP requires creating a new SCIM application, ensure that the groups in the SCIM application match the groups in the [original SSO application](/cloudflare-one/identity/idp-integration/generic-saml/#1-create-an-application-in-your-identity-provider). Because SCIM group membership updates will overwrite any groups in a user's identity, assigning the same groups to each app ensures consistent policy evaluation. +::: ### 3. Verify SCIM provisioning
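Review bot: the note's link `[original SSO application](/cloudflare-one/identity/idp-integration/generic-saml/#1-create-an-application-in-your-identity-provider)` is an absolute URL to the same page, while the paragraph just above links the same heading relatively as `(#1-create-an-application-in-your-identity-provider)`; use one form, and the relative one survives a path rename. Consider also stating the consequence of a group mismatch next to `SCIM group membership updates will overwrite any groups in a user's identity`: a group present in the SSO app but absent from the SCIM app disappears from the identity, and with it any Access policy match that depended on it.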