[ZT] SCIM support for all IdPs #18182

Merged
merged 12 commits into from
Nov 15, 2024
Original file line number Diff line number Diff line change
Expand Up @@ -3,11 +3,11 @@ pcx_content_type: how-to
title: Centrify (SAML)
---

Centrify secures access to infrastructure, DevOps, cloud, and other modern enterprise so you can prevent the #1 cause of breaches privileged access abuse.
Centrify secures access to infrastructure, DevOps, cloud, and other modern enterprise so you can prevent the number one cause of breaches: privileged access abuse.

## Set up Centrify (SAML)
## Set up Centrify as a SAML provider

To set up SAML with Centrify as your identity provider:
## 1. Create an application in Centrify

1. Log in to your **Centrify** admin portal and select **Apps**.
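Review bot: Heading level is inconsistent with the new subsection: `## 1. Create an application in Centrify` sits at H2, while the `### 2. Add Centrify to Zero Trust` heading added later in this file is H3, so step 2 renders as a child of step 1 instead of a sibling under `## Set up Centrify as a SAML provider`. The OIDC counterpart in this PR uses `### 1. Create an application in Centrify`; change this heading to `###` to match. Also, the intro sentence `To set up SAML with Centrify as your identity provider:` now ends in a colon that introduces a heading rather than a list; drop the colon or move the sentence below the heading.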

Expand Down Expand Up @@ -59,15 +59,21 @@ To set up SAML with Centrify as your identity provider:

20. Select the **Manual Configuration** option.

21. In Zero Trust, go to **Settings** > **Authentication**.
### 2. Add Centrify to Zero Trust

22. Under **Login methods**, select **Add new**.
1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Authentication**.

23. Select SAML.
2. Under **Login methods**, select **Add new**.

24. Copy and paste the corresponding information from Centrify into the fields.
3. Select **SAML**.

25. Select **Save**.
4. Copy and paste the corresponding information from Centrify into the fields.

5. (Optional) To enable SCIM, refer to [Synchronize users and groups](/cloudflare-one/identity/idp-integration/generic-saml/#synchronize-users-and-groups).

6. (Optional) Under **Optional configurations**, configure [additional SAML options](/cloudflare-one/identity/idp-integration/generic-saml/#optional-configurations).

7. Select **Save**.

To test that your connection is working, go to **Authentication** > **Login methods** and select **Test** next to the login method you want to test.

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,8 @@ Centrify secures access to infrastructure, DevOps, cloud, and other modern enter

## Set up Centrify as an OIDC provider

### 1. Create an application in Centrify

1. Log in to the Centrify administrator panel.

2. Select **Apps**.
Expand Down Expand Up @@ -54,19 +56,23 @@ Centrify secures access to infrastructure, DevOps, cloud, and other modern enter

16. Select the roles to grant access to your application.

17. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication**.
### 2. Add Centrify to Zero Trust

1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication**.

2. Under **Login methods**, select **Add new**.

18. Under **Login methods**, select **Add new**.
3. Paste in the **Client ID**, **Client Secret**, **Centrify account URL** and **Application ID**.

19. Paste in the **Client ID**, **Client Secret**, **Centrify account URL** and **Application ID**.
4. (Optional) To enable SCIM, refer to [Synchronize users and groups](/cloudflare-one/identity/idp-integration/generic-oidc/#synchronize-users-and-groups).

20. (Optional) Under **Optional configurations**, enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that you wish to add to your users' identity. This information will be available in the [user identity endpoint](/cloudflare-one/identity/authorization-cookie/application-token/#user-identity).
5. (Optional) Under **Optional configurations**, enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that you wish to add to your users' identity. This information will be available in the [user identity endpoint](/cloudflare-one/identity/authorization-cookie/application-token/#user-identity).

21. Select **Save**.
6. Select **Save**.

To test that your connection is working, go to **Authentication** > **Login methods** and select **Test** next to the login method you want to test.

## **Example API Config**
## Example API Config

```json
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -120,7 +120,7 @@ The Microsoft Entra ID integration allows you to synchronize IdP groups and auto

<Render
file="access/enable-scim-on-dashboard"
params={{ one: "Enable SCIM and Support groups" }}
params={{ idp: "Entra ID", and: " and ", supportgroups: "Support groups"}}
/>

### 2. Configure SCIM in Entra ID
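Review bot: The partial's parameter contract changes here from `one` to `idp`/`and`/`supportgroups`, but `access/enable-scim-on-dashboard` itself is not in this diff, and the other call sites in the PR (generic OIDC, generic SAML, JumpCloud, Okta) pass only `idp`. Confirm the partial treats `and` and `supportgroups` as optional, otherwise those pages will render an empty or broken sentence. Passing the conjunction as a string (`and: " and "`) is fragile; a boolean `supportgroups` flag that the partial expands into ` and Support groups` would keep the spacing logic in one place.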
Expand Down Expand Up @@ -159,6 +159,8 @@ SCIM requires a separate enterprise application from the one created during [ini

To check which users and groups were synchronized, select **View provisioning logs**.

<Render file="access/verify-scim-provisioning"/>

### Provisioning attributes

Provisioning attributes define the user properties that Entra ID will synchronize with Cloudflare Access. To modify your provisioning attributes, go to the **Provisioning** page in Entra ID and select **Edit attribute mappings**.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,8 @@ sidebar:
order: 1
---

import { Render } from "~/components";

Cloudflare Access has a generic OpenID Connect (OIDC) connector to help you integrate IdPs not already set in Access.

## Set up a generic OIDC
Expand Down Expand Up @@ -39,12 +41,41 @@ Cloudflare Access has a generic OpenID Connect (OIDC) connector to help you inte

8. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/) if the protocol is supported by your IdP. PKCE will be performed on all login attempts.

9. (Optional) Under **Optional configurations**, enter [custom OIDC claims](#oidc-claims) that you wish to add to users' identity. This information will be available in the [user identity endpoint](/cloudflare-one/identity/authorization-cookie/application-token/#user-identity).
9. (Optional) To enable SCIM, refer to [Synchronize users and groups](#synchronize-users-and-groups).

10. (Optional) Under **Optional configurations**, enter [custom OIDC claims](#oidc-claims) that you wish to add to users' identity. This information will be available in the [user identity endpoint](/cloudflare-one/identity/authorization-cookie/application-token/#user-identity).

10. Select **Save**.
11. Select **Save**.

To test that your connection is working, go to **Authentication** > **Login methods** and select **Test** next to the login method you want to test. On success, a confirmation screen displays.

## Synchronize users and groups

The generic OIDC integration allows you to synchronize user groups and automatically deprovision users using [SCIM](/cloudflare-one/identity/users/scim/).

### Prerequisites

Your identity provider must support SCIM version 2.0.

### 1. Enable SCIM in Zero Trust

<Render
file="access/enable-scim-on-dashboard"
params={{ idp: "IdP"}}
/>

### 2. Configure SCIM in the IdP

Setup instructions vary depending on the identity provider. In your identity provider, you will either need to edit the [original SSO application](/cloudflare-one/identity/idp-integration/generic-oidc/#set-up-a-generic-oidc) or create a new SCIM application. Refer to your identity provider's documentation for more details. For example instructions, refer to our [Okta](/cloudflare-one/identity/idp-integration/okta/#synchronize-users-and-groups) or [Jumpcloud](/cloudflare-one/identity/idp-integration/jumpcloud-saml/#synchronize-users-and-groups) guides.

:::note
If your IdP requires creating a new SCIM application, ensure that the groups in the SCIM application match the groups in the [original SSO application](/cloudflare-one/identity/idp-integration/generic-oidc/#set-up-a-generic-oidc). Because SCIM group membership updates will overwrite any groups in a user's identity, assigning the same groups to each app ensures consistent policy evaluation.
:::

### 3. Verify SCIM provisioning

<Render file="access/verify-scim-provisioning"/>

## Optional configurations

### OIDC claims
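Review bot: Product-name casing in the `[Jumpcloud](...)` link text under `### 2. Configure SCIM in the IdP` should be `JumpCloud`, matching the same sentence in the generic SAML page and the JumpCloud guide itself. The `[original SSO application]` link here is absolute (`/cloudflare-one/identity/idp-integration/generic-oidc/#set-up-a-generic-oidc`) while the SAML counterpart uses an in-page `#...` anchor; either works, but pick one form for both pages.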
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,8 @@ sidebar:
order: 2
---

import { Render } from "~/components";

Cloudflare Zero Trust integrates with any identity provider that supports SAML 2.0. If your identity provider is not listed in the integration list of login methods in Zero Trust, it can be configured using SAML 2.0 (or OpenID if OIDC based). Generic SAML can also be used if you would like to pass additional SAML headers or claims for an IdP in the integration list.

## Prerequisites
Expand Down Expand Up @@ -45,13 +47,41 @@ To download the SAML metadata file, copy-paste the metadata endpoint into a web
2. Select **Add new** and select **SAML**.
3. Choose a descriptive name for your identity provider.
4. Enter the **Single Sign on URL**, **IdP Entity ID or Issuer URL**, and **Signing certificate** obtained from your identity provider.
5. (Optional) Enter [optional configurations](#optional-configurations).
6. Select **Save**.
5. (Optional) To enable SCIM, refer to [Synchronize users and groups](#synchronize-users-and-groups).
6. (Optional) Under **Optional configurations**, configure [additional SAML options](#optional-configurations).
7. Select **Save**.

## 3. Test the connection

You can now [test the IdP integration](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust). A success response should return the configured SAML attributes.

## Synchronize users and groups

The generic SAML integration allows you to synchronize user groups and automatically deprovision users using [SCIM](/cloudflare-one/identity/users/scim/).

### Prerequisites

Your identity provider must support SCIM version 2.0.

### 1. Enable SCIM in Zero Trust

<Render
file="access/enable-scim-on-dashboard"
params={{ idp: "IdP"}}
/>

### 2. Configure SCIM in the IdP

Setup instructions vary depending on the identity provider. In your identity provider, you will either need to edit the [original SSO application](#1-create-an-application-in-your-identity-provider) or create a new SCIM application. Refer to your identity provider's documentation for more details. For example instructions, refer to our [Okta](/cloudflare-one/identity/idp-integration/okta/#synchronize-users-and-groups) or [JumpCloud](/cloudflare-one/identity/idp-integration/jumpcloud-saml/#synchronize-users-and-groups) guides.

:::note
If your IdP requires creating a new SCIM application, ensure that the groups in the SCIM application match the groups in the [original SSO application](/cloudflare-one/identity/idp-integration/generic-saml/#1-create-an-application-in-your-identity-provider). Because SCIM group membership updates will overwrite any groups in a user's identity, assigning the same groups to each app ensures consistent policy evaluation.
:::

### 3. Verify SCIM provisioning

<Render file="access/verify-scim-provisioning"/>

## Optional configurations

SAML integrations allow you to pass additional headers or claims to applications.
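Review bot: `### Prerequisites` under `## Synchronize users and groups` duplicates the existing `## Prerequisites` heading shown in context near the top of this file, so the generated anchor will become `#prerequisites-1` and the on-page navigation will list two Prerequisites entries. Rename it (for example `### SCIM prerequisites`) or fold the single sentence into the section intro: `...using SCIM. Your identity provider must support SCIM version 2.0.` The same structure is added to the generic OIDC page in this PR; keep the two in step.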
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,8 @@ You do not need to be a Google Cloud Platform user to integrate Google Workspace

## Set up Google Workspace as an identity provider

### 1. Configure Google Workspace

1. Log in to the Google Cloud Platform [console](https://console.cloud.google.com/). This is separate from your Google Workspace console.

2. A Google Cloud project is required to enable Google Workspace APIs. If you do not already have a Google Cloud project, go to **IAM & Admin** > **Create Project**. Name the project and select **Create**.
Expand Down Expand Up @@ -66,21 +68,21 @@ You do not need to be a Google Cloud Platform user to integrate Google Workspace

15. Enable the **Trust internal, domain-owned apps** option. This setting is disabled by default and must be enabled for Cloudflare Access to work correctly.

16. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Authentication**.
### 2. Add Google Workspace to Zero Trust

17. Under **Login methods**, select **Add new** and choose **Google Workspace**.
1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Authentication**.

18. Input the Client ID and Client Secret fields generated previously. Additionally, input the domain of your Google Workspace account.
2. Under **Login methods**, select **Add new** and choose **Google Workspace**.

19. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/). PKCE will be performed on all login attempts.
3. Input the Client ID and Client Secret fields generated previously. Additionally, input the domain of your Google Workspace account.

20. (Optional) Under **Optional configurations**, enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that you wish to add to your Access [application token](/cloudflare-one/identity/authorization-cookie/application-token/).
4. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/). PKCE will be performed on all login attempts.

21. Select **Save**. To complete setup, you must visit the generated link. If you are not the Google Workspace administrator, share the link with the administrator.
5. (Optional) Under **Optional configurations**, enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that you wish to add to your Access [application token](/cloudflare-one/identity/authorization-cookie/application-token/).

22. The generated link will prompt you to log in to your Google admin account and to authorize Cloudflare Access to view group information. After allowing permissions, you will see a success page from Cloudflare Access.
6. Select **Save**. To complete setup, you must visit the generated link. If you are not the Google Workspace administrator, share the link with the administrator.

## Test your connection
7. The generated link will prompt you to log in to your Google admin account and to authorize Cloudflare Access to view group information. After allowing permissions, you will see a success page from Cloudflare Access.

To test that your connection is working, go to **Authentication** > **Login methods** and select **Test** next to Google Workspace. Your user identity and group membership should return.
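Review bot: Removing the `## Test your connection` heading drops the `#test-your-connection` anchor on this page, which other docs or external links may target, and leaves the test paragraph as a trailing paragraph under `### 2. Add Google Workspace to Zero Trust`. The generic SAML page in this PR keeps a numbered `## 3. Test the connection` heading; keep a heading here too (for example `### 3. Test your connection`) or check for inbound links to the old anchor. This is also the only guide in the diff that has no SCIM step or section; if Google Workspace is intentionally excluded from the PR's scope, a one-line note to that effect would save readers looking for it.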

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -3,10 +3,16 @@ pcx_content_type: how-to
title: JumpCloud (SAML)
---

import { Render } from "~/components";

[JumpCloud](https://jumpcloud.com/#platform) provides SSO identity management. Cloudflare Access integrates with JumpCloud as a SAML identity provider.

The following steps are specific to setting up JumpCloud with Cloudflare Access. For more information on configuring JumpCloud SSO application, refer to the [JumpCloud documentation](https://jumpcloud.com/support/integrate-with-cloudflare).

## Set up Jumpcloud as a SAML provider

### 1. Create an SSO application in JumpCloud

1. In the [JumpCloud Admin Portal](https://console.jumpcloud.com/#/home), go to **SSO Applications**.

2. Select **Add New Application**.
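Review bot: `## Set up Jumpcloud as a SAML provider` misspells the product name; every other occurrence in this file and the `### 2. Add JumpCloud to Zero Trust` heading use `JumpCloud`. Change it to `## Set up JumpCloud as a SAML provider`; the slug `#set-up-jumpcloud-as-a-saml-provider` that the SCIM section links to is lowercased either way and will not change.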
Expand Down Expand Up @@ -34,24 +40,71 @@ title: JumpCloud (SAML)
```txt
https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback
```
3. Scroll up to **JumpCloud Metadata** and select **Export Metadata**. Save this XML file for use in a later step.
3. (Optional) Configure SAML attributes that you want to send to Cloudflare Access.

4. Scroll up to **JumpCloud Metadata** and select **Export Metadata**. Save this XML file for use in a [later step](#2-add-jumpcloud-to-zero-trust).

9. In the **User Groups** tab, [assign user groups](https://jumpcloud.com/support/get-started-applications-saml-sso#managing-employee-access-to-applications) to this application.

10. Select **Save**.

11. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Authentication**.
### 2. Add JumpCloud to Zero Trust

1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Authentication**.

2. Under **Login methods**, select **Add new**.

3. Select **SAML**.

12. Under **Login methods**, select **Add new**.
4. Upload your JumpCloud XML metadata file.

13. Select **SAML**.
5. (Optional) To enable SCIM, refer to [Synchronize users and groups](#synchronize-users-and-groups).

14. Upload your JumpCloud XML metadata file.
6. (Optional) Under **Optional configurations**, configure [additional SAML options](#optional-configurations).

15. Select **Save**.
7. Select **Save**.

You can now [test your connection](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust) and create [Access policies](/cloudflare-one/policies/access/) based on the configured login method and SAML attributes.

## Synchronize users and groups

The JumpCloud integration allows you to synchronize user groups and automatically deprovision users using [SCIM](/cloudflare-one/identity/users/scim/).

### 1. Enable SCIM in Zero Trust

<Render
file="access/enable-scim-on-dashboard"
params={{ idp: "JumpCloud"}}
/>

### 2. Configure SCIM in JumpCloud

1. In the [JumpCloud Admin Portal](https://console.jumpcloud.com/#/home), go to **SSO Applications**.
2. Select the Cloudflare application that was created when you [Set up JumpCloud as a SAML provider](/cloudflare-one/identity/idp-integration/jumpcloud-saml/#set-up-jumpcloud-as-a-saml-provider).
3. Select the **Identity Management** tab.
4. Make sure that **Enable management of User Groups and Group Membership in this application** is turned on.
5. Select **Configure**.
6. In the **Base URL** field, enter the **SCIM Endpoint** obtained from Zero Trust.
7. In the **Token Key** field, enter the **SCIM Secret** obtained from Zero Trust.
8. Select **Activate**. You will receive a confirmation that the Identity Management integration has been successfully verified.
9. Select **Save**.

<Render file="access/verify-scim-provisioning"/>

### Provisioning attributes

Provisioning attributes define the user and group properties that JumpCloud will synchronize with Cloudflare Access. By default, JumpCloud will send the following attributes during a SCIM update event:

| JumpCloud user attribute| Cloudflare Access attribute |
| ------------------ | ----------------------- |
| `email` | `email` |
| `firstname` | `givenName` |
| `lastname` | `surname` |

| JumpCloud group attribute | Cloudflare Access attribute |
| ------------------ | ----------------------- |
| `name` | `groups` |
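Review bot: In step 2 of `### 2. Configure SCIM in JumpCloud`, the link text `[Set up JumpCloud as a SAML provider]` is capitalized mid-sentence; use `...that was created when you [set up JumpCloud as a SAML provider](#set-up-jumpcloud-as-a-saml-provider)`, with an in-page anchor like the `[later step](#2-add-jumpcloud-to-zero-trust)` link above. The `<Render file="access/verify-scim-provisioning"/>` partial is dropped in without the `### 3. Verify SCIM provisioning` heading that the generic SAML and OIDC pages use; adding it keeps the three SCIM sections parallel and gives the step an anchor. Since step 4 has admins turn on `Enable management of User Groups and Group Membership`, it is worth repeating here the note the generic pages carry, that SCIM group pushes overwrite the groups in a user's identity, so the `name` to `groups` mapping in the table drives policy evaluation.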

## Example API configuration

```json
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -92,7 +92,7 @@ The Okta integration allows you to synchronize IdP groups and automatically depr

<Render
file="access/enable-scim-on-dashboard"
params={{ one: "Enable SCIM " }}
params={{ idp: "Okta"}}
/>

### 2. Configure SCIM in Okta
Expand Down Expand Up @@ -139,7 +139,9 @@ The Okta integration allows you to synchronize IdP groups and automatically depr

15. In the **Push Groups** tab, add the Okta groups you want to synchronize with Cloudflare Access. These groups will display in the Access policy builder.

Provisioning will begin immediately. To verify the integration, select **View Logs** in the Okta SCIM application.
To verify the integration, select **View Logs** in the Okta SCIM application.

<Render file="access/verify-scim-provisioning"/>

## Example API Configuration
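Review bot: `Provisioning will begin immediately.` is dropped from the verification sentence here; if that is because the `access/verify-scim-provisioning` partial now says so, fine, but the partial is not in this diff, so it cannot be confirmed from the PR. If the partial does not state it, keep the sentence, since it tells admins not to wait for a scheduled run before checking **View Logs**.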

Expand Down