Skip to content
Cloudflare API
Start here
API Reference
Zero Trust

Identity Providers

List Access identity providers
client.ZeroTrust.IdentityProviders.List(ctx, params) (*V4PagePaginationArray[IdentityProviderListResponse], error)
GET/{accounts_or_zones}/{account_or_zone_id}/access/identity_providers
Get an Access identity provider
client.ZeroTrust.IdentityProviders.Get(ctx, identityProviderID, query) (*IdentityProvider, error)
GET/{accounts_or_zones}/{account_or_zone_id}/access/identity_providers/{identity_provider_id}
Add an Access identity provider
client.ZeroTrust.IdentityProviders.New(ctx, params) (*IdentityProvider, error)
POST/{accounts_or_zones}/{account_or_zone_id}/access/identity_providers
Update an Access identity provider
client.ZeroTrust.IdentityProviders.Update(ctx, identityProviderID, params) (*IdentityProvider, error)
PUT/{accounts_or_zones}/{account_or_zone_id}/access/identity_providers/{identity_provider_id}
Delete an Access identity provider
client.ZeroTrust.IdentityProviders.Delete(ctx, identityProviderID, body) (*IdentityProviderDeleteResponse, error)
DELETE/{accounts_or_zones}/{account_or_zone_id}/access/identity_providers/{identity_provider_id}
ModelsExpand Collapse
type AzureAD struct{…}
Config AzureADConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

Claims []stringOptional

Custom claims

ClientID stringOptional

Your OAuth Client ID

ClientSecret stringOptional

Your OAuth Client Secret

ConditionalAccessEnabled boolOptional

Should Cloudflare try to load authentication contexts from your account

DirectoryID stringOptional

Your Azure directory uuid

EmailClaimName stringOptional

The claim name for email in the id_token response.

Prompt AzureADConfigPromptOptional

Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single-sign on. prompt=none is the opposite. It ensures that the user isn’t presented with any interactive prompt. If the request can’t be completed silently by using single-sign on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on providing account selection experience listing all the accounts either in session or any remembered account or an option to choose to use a different account altogether.

One of the following:
const AzureADConfigPromptLogin AzureADConfigPrompt = "login"
const AzureADConfigPromptSelectAccount AzureADConfigPrompt = "select_account"
const AzureADConfigPromptNone AzureADConfigPrompt = "none"
SupportGroups boolOptional

Should Cloudflare try to load groups from your account

Name string

The name of the identity provider, shown to users on the login page.

Type IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

ID stringOptional

UUID.

maxLength36
SAMLCertificateSet AzureADSAMLCertificateSetOptional

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

CreatedAt Time

Timestamp when the certificate set was created

formatdate-time
UID string

Unique identifier for the certificate set

formatuuid
UpdatedAt Time

Timestamp when the certificate set was last updated (e.g., during rotation)

formatdate-time
CurrentCertificate AzureADSAMLCertificateSetCurrentCertificateOptional

The currently active certificate used for encrypting SAML assertions

IsCurrent bool

Indicates whether this is the currently active certificate

NotAfter Time

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

formatdate-time
PublicCertificate string

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

UID string

Unique identifier for the certificate

formatuuid
PreviousCertificate unknownOptional

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

SAMLCertificateSetID stringOptional

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

formatuuid
SCIMConfig IdentityProviderSCIMConfigOptional

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

type GenericOAuthConfig struct{…}
ClientID stringOptional

Your OAuth Client ID

ClientSecret stringOptional

Your OAuth Client Secret

type IdentityProvider interface{…}
One of the following:
type AzureAD struct{…}
Config AzureADConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

Claims []stringOptional

Custom claims

ClientID stringOptional

Your OAuth Client ID

ClientSecret stringOptional

Your OAuth Client Secret

ConditionalAccessEnabled boolOptional

Should Cloudflare try to load authentication contexts from your account

DirectoryID stringOptional

Your Azure directory uuid

EmailClaimName stringOptional

The claim name for email in the id_token response.

Prompt AzureADConfigPromptOptional

Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single-sign on. prompt=none is the opposite. It ensures that the user isn’t presented with any interactive prompt. If the request can’t be completed silently by using single-sign on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on providing account selection experience listing all the accounts either in session or any remembered account or an option to choose to use a different account altogether.

One of the following:
const AzureADConfigPromptLogin AzureADConfigPrompt = "login"
const AzureADConfigPromptSelectAccount AzureADConfigPrompt = "select_account"
const AzureADConfigPromptNone AzureADConfigPrompt = "none"
SupportGroups boolOptional

Should Cloudflare try to load groups from your account

Name string

The name of the identity provider, shown to users on the login page.

Type IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

ID stringOptional

UUID.

maxLength36
SAMLCertificateSet AzureADSAMLCertificateSetOptional

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

CreatedAt Time

Timestamp when the certificate set was created

formatdate-time
UID string

Unique identifier for the certificate set

formatuuid
UpdatedAt Time

Timestamp when the certificate set was last updated (e.g., during rotation)

formatdate-time
CurrentCertificate AzureADSAMLCertificateSetCurrentCertificateOptional

The currently active certificate used for encrypting SAML assertions

IsCurrent bool

Indicates whether this is the currently active certificate

NotAfter Time

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

formatdate-time
PublicCertificate string

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

UID string

Unique identifier for the certificate

formatuuid
PreviousCertificate unknownOptional

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

SAMLCertificateSetID stringOptional

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

formatuuid
SCIMConfig IdentityProviderSCIMConfigOptional

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

type IdentityProviderAccessCentrify struct{…}
Config IdentityProviderAccessCentrifyConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

CentrifyAccount stringOptional

Your centrify account url

CentrifyAppID stringOptional

Your centrify app id

Claims []stringOptional

Custom claims

ClientID stringOptional

Your OAuth Client ID

ClientSecret stringOptional

Your OAuth Client Secret

EmailClaimName stringOptional

The claim name for email in the id_token response.

Name string

The name of the identity provider, shown to users on the login page.

Type IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

ID stringOptional

UUID.

maxLength36
SAMLCertificateSet IdentityProviderAccessCentrifySAMLCertificateSetOptional

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

CreatedAt Time

Timestamp when the certificate set was created

formatdate-time
UID string

Unique identifier for the certificate set

formatuuid
UpdatedAt Time

Timestamp when the certificate set was last updated (e.g., during rotation)

formatdate-time
CurrentCertificate IdentityProviderAccessCentrifySAMLCertificateSetCurrentCertificateOptional

The currently active certificate used for encrypting SAML assertions

IsCurrent bool

Indicates whether this is the currently active certificate

NotAfter Time

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

formatdate-time
PublicCertificate string

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

UID string

Unique identifier for the certificate

formatuuid
PreviousCertificate unknownOptional

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

SAMLCertificateSetID stringOptional

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

formatuuid
SCIMConfig IdentityProviderSCIMConfigOptional

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

type IdentityProviderAccessFacebook struct{…}
Config GenericOAuthConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

Name string

The name of the identity provider, shown to users on the login page.

Type IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

ID stringOptional

UUID.

maxLength36
SAMLCertificateSet IdentityProviderAccessFacebookSAMLCertificateSetOptional

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

CreatedAt Time

Timestamp when the certificate set was created

formatdate-time
UID string

Unique identifier for the certificate set

formatuuid
UpdatedAt Time

Timestamp when the certificate set was last updated (e.g., during rotation)

formatdate-time
CurrentCertificate IdentityProviderAccessFacebookSAMLCertificateSetCurrentCertificateOptional

The currently active certificate used for encrypting SAML assertions

IsCurrent bool

Indicates whether this is the currently active certificate

NotAfter Time

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

formatdate-time
PublicCertificate string

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

UID string

Unique identifier for the certificate

formatuuid
PreviousCertificate unknownOptional

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

SAMLCertificateSetID stringOptional

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

formatuuid
SCIMConfig IdentityProviderSCIMConfigOptional

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

type IdentityProviderAccessGitHub struct{…}
Config GenericOAuthConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

Name string

The name of the identity provider, shown to users on the login page.

Type IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

ID stringOptional

UUID.

maxLength36
SAMLCertificateSet IdentityProviderAccessGitHubSAMLCertificateSetOptional

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

CreatedAt Time

Timestamp when the certificate set was created

formatdate-time
UID string

Unique identifier for the certificate set

formatuuid
UpdatedAt Time

Timestamp when the certificate set was last updated (e.g., during rotation)

formatdate-time
CurrentCertificate IdentityProviderAccessGitHubSAMLCertificateSetCurrentCertificateOptional

The currently active certificate used for encrypting SAML assertions

IsCurrent bool

Indicates whether this is the currently active certificate

NotAfter Time

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

formatdate-time
PublicCertificate string

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

UID string

Unique identifier for the certificate

formatuuid
PreviousCertificate unknownOptional

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

SAMLCertificateSetID stringOptional

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

formatuuid
SCIMConfig IdentityProviderSCIMConfigOptional

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

type IdentityProviderAccessGoogle struct{…}
Config IdentityProviderAccessGoogleConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

Claims []stringOptional

Custom claims

ClientID stringOptional

Your OAuth Client ID

ClientSecret stringOptional

Your OAuth Client Secret

EmailClaimName stringOptional

The claim name for email in the id_token response.

Name string

The name of the identity provider, shown to users on the login page.

Type IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

ID stringOptional

UUID.

maxLength36
SAMLCertificateSet IdentityProviderAccessGoogleSAMLCertificateSetOptional

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

CreatedAt Time

Timestamp when the certificate set was created

formatdate-time
UID string

Unique identifier for the certificate set

formatuuid
UpdatedAt Time

Timestamp when the certificate set was last updated (e.g., during rotation)

formatdate-time
CurrentCertificate IdentityProviderAccessGoogleSAMLCertificateSetCurrentCertificateOptional

The currently active certificate used for encrypting SAML assertions

IsCurrent bool

Indicates whether this is the currently active certificate

NotAfter Time

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

formatdate-time
PublicCertificate string

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

UID string

Unique identifier for the certificate

formatuuid
PreviousCertificate unknownOptional

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

SAMLCertificateSetID stringOptional

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

formatuuid
SCIMConfig IdentityProviderSCIMConfigOptional

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

type IdentityProviderAccessGoogleApps struct{…}
Config IdentityProviderAccessGoogleAppsConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

AppsDomain stringOptional

Your companies TLD

Claims []stringOptional

Custom claims

ClientID stringOptional

Your OAuth Client ID

ClientSecret stringOptional

Your OAuth Client Secret

EmailClaimName stringOptional

The claim name for email in the id_token response.

Name string

The name of the identity provider, shown to users on the login page.

Type IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

ID stringOptional

UUID.

maxLength36
SAMLCertificateSet IdentityProviderAccessGoogleAppsSAMLCertificateSetOptional

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

CreatedAt Time

Timestamp when the certificate set was created

formatdate-time
UID string

Unique identifier for the certificate set

formatuuid
UpdatedAt Time

Timestamp when the certificate set was last updated (e.g., during rotation)

formatdate-time
CurrentCertificate IdentityProviderAccessGoogleAppsSAMLCertificateSetCurrentCertificateOptional

The currently active certificate used for encrypting SAML assertions

IsCurrent bool

Indicates whether this is the currently active certificate

NotAfter Time

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

formatdate-time
PublicCertificate string

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

UID string

Unique identifier for the certificate

formatuuid
PreviousCertificate unknownOptional

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

SAMLCertificateSetID stringOptional

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

formatuuid
SCIMConfig IdentityProviderSCIMConfigOptional

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

type IdentityProviderAccessLinkedin struct{…}
Config GenericOAuthConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

Name string

The name of the identity provider, shown to users on the login page.

Type IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

ID stringOptional

UUID.

maxLength36
SAMLCertificateSet IdentityProviderAccessLinkedinSAMLCertificateSetOptional

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

CreatedAt Time

Timestamp when the certificate set was created

formatdate-time
UID string

Unique identifier for the certificate set

formatuuid
UpdatedAt Time

Timestamp when the certificate set was last updated (e.g., during rotation)

formatdate-time
CurrentCertificate IdentityProviderAccessLinkedinSAMLCertificateSetCurrentCertificateOptional

The currently active certificate used for encrypting SAML assertions

IsCurrent bool

Indicates whether this is the currently active certificate

NotAfter Time

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

formatdate-time
PublicCertificate string

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

UID string

Unique identifier for the certificate

formatuuid
PreviousCertificate unknownOptional

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

SAMLCertificateSetID stringOptional

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

formatuuid
SCIMConfig IdentityProviderSCIMConfigOptional

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

type IdentityProviderAccessOIDC struct{…}
Config IdentityProviderAccessOIDCConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

AuthURL stringOptional

The authorization_endpoint URL of your IdP

CERTsURL stringOptional

The jwks_uri endpoint of your IdP to allow the IdP keys to sign the tokens

Claims []stringOptional

Custom claims

ClientID stringOptional

Your OAuth Client ID

ClientSecret stringOptional

Your OAuth Client Secret

EmailClaimName stringOptional

The claim name for email in the id_token response.

PKCEEnabled boolOptional

Enable Proof Key for Code Exchange (PKCE)

Scopes []stringOptional

OAuth scopes

TokenURL stringOptional

The token_endpoint URL of your IdP

Name string

The name of the identity provider, shown to users on the login page.

Type IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

ID stringOptional

UUID.

maxLength36
SAMLCertificateSet IdentityProviderAccessOIDCSAMLCertificateSetOptional

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

CreatedAt Time

Timestamp when the certificate set was created

formatdate-time
UID string

Unique identifier for the certificate set

formatuuid
UpdatedAt Time

Timestamp when the certificate set was last updated (e.g., during rotation)

formatdate-time
CurrentCertificate IdentityProviderAccessOIDCSAMLCertificateSetCurrentCertificateOptional

The currently active certificate used for encrypting SAML assertions

IsCurrent bool

Indicates whether this is the currently active certificate

NotAfter Time

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

formatdate-time
PublicCertificate string

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

UID string

Unique identifier for the certificate

formatuuid
PreviousCertificate unknownOptional

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

SAMLCertificateSetID stringOptional

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

formatuuid
SCIMConfig IdentityProviderSCIMConfigOptional

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

type IdentityProviderAccessOkta struct{…}
Config IdentityProviderAccessOktaConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

AuthorizationServerID stringOptional

Your okta authorization server id

Claims []stringOptional

Custom claims

ClientID stringOptional

Your OAuth Client ID

ClientSecret stringOptional

Your OAuth Client Secret

EmailClaimName stringOptional

The claim name for email in the id_token response.

OktaAccount stringOptional

Your okta account url

Name string

The name of the identity provider, shown to users on the login page.

Type IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

ID stringOptional

UUID.

maxLength36
SAMLCertificateSet IdentityProviderAccessOktaSAMLCertificateSetOptional

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

CreatedAt Time

Timestamp when the certificate set was created

formatdate-time
UID string

Unique identifier for the certificate set

formatuuid
UpdatedAt Time

Timestamp when the certificate set was last updated (e.g., during rotation)

formatdate-time
CurrentCertificate IdentityProviderAccessOktaSAMLCertificateSetCurrentCertificateOptional

The currently active certificate used for encrypting SAML assertions

IsCurrent bool

Indicates whether this is the currently active certificate

NotAfter Time

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

formatdate-time
PublicCertificate string

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

UID string

Unique identifier for the certificate

formatuuid
PreviousCertificate unknownOptional

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

SAMLCertificateSetID stringOptional

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

formatuuid
SCIMConfig IdentityProviderSCIMConfigOptional

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

type IdentityProviderAccessOnelogin struct{…}
Config IdentityProviderAccessOneloginConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

Claims []stringOptional

Custom claims

ClientID stringOptional

Your OAuth Client ID

ClientSecret stringOptional

Your OAuth Client Secret

EmailClaimName stringOptional

The claim name for email in the id_token response.

OneloginAccount stringOptional

Your OneLogin account url

Name string

The name of the identity provider, shown to users on the login page.

Type IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

ID stringOptional

UUID.

maxLength36
SAMLCertificateSet IdentityProviderAccessOneloginSAMLCertificateSetOptional

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

CreatedAt Time

Timestamp when the certificate set was created

formatdate-time
UID string

Unique identifier for the certificate set

formatuuid
UpdatedAt Time

Timestamp when the certificate set was last updated (e.g., during rotation)

formatdate-time
CurrentCertificate IdentityProviderAccessOneloginSAMLCertificateSetCurrentCertificateOptional

The currently active certificate used for encrypting SAML assertions

IsCurrent bool

Indicates whether this is the currently active certificate

NotAfter Time

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

formatdate-time
PublicCertificate string

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

UID string

Unique identifier for the certificate

formatuuid
PreviousCertificate unknownOptional

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

SAMLCertificateSetID stringOptional

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

formatuuid
SCIMConfig IdentityProviderSCIMConfigOptional

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

type IdentityProviderAccessPingone struct{…}
Config IdentityProviderAccessPingoneConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

Claims []stringOptional

Custom claims

ClientID stringOptional

Your OAuth Client ID

ClientSecret stringOptional

Your OAuth Client Secret

EmailClaimName stringOptional

The claim name for email in the id_token response.

PingEnvID stringOptional

Your PingOne environment identifier

Name string

The name of the identity provider, shown to users on the login page.

Type IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

ID stringOptional

UUID.

maxLength36
SAMLCertificateSet IdentityProviderAccessPingoneSAMLCertificateSetOptional

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

CreatedAt Time

Timestamp when the certificate set was created

formatdate-time
UID string

Unique identifier for the certificate set

formatuuid
UpdatedAt Time

Timestamp when the certificate set was last updated (e.g., during rotation)

formatdate-time
CurrentCertificate IdentityProviderAccessPingoneSAMLCertificateSetCurrentCertificateOptional

The currently active certificate used for encrypting SAML assertions

IsCurrent bool

Indicates whether this is the currently active certificate

NotAfter Time

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

formatdate-time
PublicCertificate string

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

UID string

Unique identifier for the certificate

formatuuid
PreviousCertificate unknownOptional

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

SAMLCertificateSetID stringOptional

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

formatuuid
SCIMConfig IdentityProviderSCIMConfigOptional

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

type IdentityProviderAccessSAML struct{…}
Config IdentityProviderAccessSAMLConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

Attributes []stringOptional

A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules.

EmailAttributeName stringOptional

The attribute name for email in the SAML response.

EnableEncryption boolOptional

Enable SAML assertion encryption. When enabled, the Identity Provider will encrypt SAML assertions using the certificate from the assigned certificate set.

To enable encryption:

  1. Create a certificate set via POST to /identity_providers/{id}/saml_certificate
  2. Set this field to true and include saml_certificate_set_id in the PUT request
  3. Configure the public certificate in your external Identity Provider

Note: Requires saml_certificate_set_id to be set when true.

HeaderAttributes []IdentityProviderAccessSAMLConfigHeaderAttributeOptional

Add a list of attribute names that will be returned in the response header from the Access callback.

AttributeName stringOptional

attribute name from the IDP

HeaderName stringOptional

header that will be added on the request to the origin

IdPPublicCERTs []stringOptional

X509 certificate to verify the signature in the SAML authentication response

IssuerURL stringOptional

IdP Entity ID or Issuer URL

SignRequest boolOptional

Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints.

SSOTargetURL stringOptional

URL to send the SAML authentication requests to

Name string

The name of the identity provider, shown to users on the login page.

Type IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

ID stringOptional

UUID.

maxLength36
SAMLCertificateSet IdentityProviderAccessSAMLSAMLCertificateSetOptional

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

CreatedAt Time

Timestamp when the certificate set was created

formatdate-time
UID string

Unique identifier for the certificate set

formatuuid
UpdatedAt Time

Timestamp when the certificate set was last updated (e.g., during rotation)

formatdate-time
CurrentCertificate IdentityProviderAccessSAMLSAMLCertificateSetCurrentCertificateOptional

The currently active certificate used for encrypting SAML assertions

IsCurrent bool

Indicates whether this is the currently active certificate

NotAfter Time

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

formatdate-time
PublicCertificate string

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

UID string

Unique identifier for the certificate

formatuuid
PreviousCertificate unknownOptional

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

SAMLCertificateSetID stringOptional

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

formatuuid
SCIMConfig IdentityProviderSCIMConfigOptional

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

type IdentityProviderAccessYandex struct{…}
Config GenericOAuthConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

Name string

The name of the identity provider, shown to users on the login page.

Type IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

ID stringOptional

UUID.

maxLength36
SAMLCertificateSet IdentityProviderAccessYandexSAMLCertificateSetOptional

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

CreatedAt Time

Timestamp when the certificate set was created

formatdate-time
UID string

Unique identifier for the certificate set

formatuuid
UpdatedAt Time

Timestamp when the certificate set was last updated (e.g., during rotation)

formatdate-time
CurrentCertificate IdentityProviderAccessYandexSAMLCertificateSetCurrentCertificateOptional

The currently active certificate used for encrypting SAML assertions

IsCurrent bool

Indicates whether this is the currently active certificate

NotAfter Time

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

formatdate-time
PublicCertificate string

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

UID string

Unique identifier for the certificate

formatuuid
PreviousCertificate unknownOptional

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

SAMLCertificateSetID stringOptional

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

formatuuid
SCIMConfig IdentityProviderSCIMConfigOptional

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

type IdentityProviderAccessOnetimepin struct{…}
Config IdentityProviderAccessOnetimepinConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

RedirectURL stringOptional
Name string

The name of the identity provider, shown to users on the login page.

Type IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

ID stringOptional

UUID.

maxLength36
SAMLCertificateSet IdentityProviderAccessOnetimepinSAMLCertificateSetOptional

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

CreatedAt Time

Timestamp when the certificate set was created

formatdate-time
UID string

Unique identifier for the certificate set

formatuuid
UpdatedAt Time

Timestamp when the certificate set was last updated (e.g., during rotation)

formatdate-time
CurrentCertificate IdentityProviderAccessOnetimepinSAMLCertificateSetCurrentCertificateOptional

The currently active certificate used for encrypting SAML assertions

IsCurrent bool

Indicates whether this is the currently active certificate

NotAfter Time

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

formatdate-time
PublicCertificate string

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

UID string

Unique identifier for the certificate

formatuuid
PreviousCertificate unknownOptional

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

SAMLCertificateSetID stringOptional

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

formatuuid
SCIMConfig IdentityProviderSCIMConfigOptional

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

type IdentityProviderAccessCloudflare struct{…}
Config IdentityProviderAccessCloudflareConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

RedirectURL stringOptional
RestrictToAccountMembers boolOptional

When enabled, only users who are members of your Cloudflare account can authenticate through this identity provider. When disabled, any user with a Cloudflare account can authenticate, subject to your Access policies.

Name string

The name of the identity provider, shown to users on the login page.

Type IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

ID stringOptional

UUID.

maxLength36
SAMLCertificateSet IdentityProviderAccessCloudflareSAMLCertificateSetOptional

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

CreatedAt Time

Timestamp when the certificate set was created

formatdate-time
UID string

Unique identifier for the certificate set

formatuuid
UpdatedAt Time

Timestamp when the certificate set was last updated (e.g., during rotation)

formatdate-time
CurrentCertificate IdentityProviderAccessCloudflareSAMLCertificateSetCurrentCertificateOptional

The currently active certificate used for encrypting SAML assertions

IsCurrent bool

Indicates whether this is the currently active certificate

NotAfter Time

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

formatdate-time
PublicCertificate string

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

UID string

Unique identifier for the certificate

formatuuid
PreviousCertificate unknownOptional

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

SAMLCertificateSetID stringOptional

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

formatuuid
SCIMConfig IdentityProviderSCIMConfigOptional

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

type IdentityProviderSCIMConfig struct{…}

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

Enabled boolOptional

A flag to enable or disable SCIM for the identity provider.

IdentityUpdateBehavior IdentityProviderSCIMConfigIdentityUpdateBehaviorOptional

Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:
const IdentityProviderSCIMConfigIdentityUpdateBehaviorAutomatic IdentityProviderSCIMConfigIdentityUpdateBehavior = "automatic"
const IdentityProviderSCIMConfigIdentityUpdateBehaviorReauth IdentityProviderSCIMConfigIdentityUpdateBehavior = "reauth"
const IdentityProviderSCIMConfigIdentityUpdateBehaviorNoAction IdentityProviderSCIMConfigIdentityUpdateBehavior = "no_action"
SCIMBaseURL stringOptional

The base URL of Cloudflare’s SCIM V2.0 API endpoint.

SeatDeprovision boolOptional

A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

Secret stringOptional

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

UserDeprovision boolOptional

A flag to enable revoking a user’s session in Access and Gateway when they have been deprovisioned in the Identity Provider.

type IdentityProviderType string

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:
const IdentityProviderTypeOnetimepin IdentityProviderType = "onetimepin"
const IdentityProviderTypeAzureAD IdentityProviderType = "azureAD"
const IdentityProviderTypeSAML IdentityProviderType = "saml"
const IdentityProviderTypeCentrify IdentityProviderType = "centrify"
const IdentityProviderTypeFacebook IdentityProviderType = "facebook"
const IdentityProviderTypeGitHub IdentityProviderType = "github"
const IdentityProviderTypeGoogleApps IdentityProviderType = "google-apps"
const IdentityProviderTypeGoogle IdentityProviderType = "google"
const IdentityProviderTypeLinkedin IdentityProviderType = "linkedin"
const IdentityProviderTypeOIDC IdentityProviderType = "oidc"
const IdentityProviderTypeOkta IdentityProviderType = "okta"
const IdentityProviderTypeOnelogin IdentityProviderType = "onelogin"
const IdentityProviderTypePingone IdentityProviderType = "pingone"
const IdentityProviderTypeYandex IdentityProviderType = "yandex"
const IdentityProviderTypeCloudflare IdentityProviderType = "cloudflare"

Identity ProvidersSCIM

Identity ProvidersSCIMGroups

List SCIM Group resources
client.ZeroTrust.IdentityProviders.SCIM.Groups.List(ctx, identityProviderID, params) (*V4PagePaginationArray[ZeroTrustGroup], error)
GET/accounts/{account_id}/access/identity_providers/{identity_provider_id}/scim/groups

Identity ProvidersSCIMUsers

List SCIM User resources
client.ZeroTrust.IdentityProviders.SCIM.Users.List(ctx, identityProviderID, params) (*V4PagePaginationArray[AccessUser], error)
GET/accounts/{account_id}/access/identity_providers/{identity_provider_id}/scim/users

Identity ProvidersSAML Certificate

Create SAML encryption certificate for Identity Provider
client.ZeroTrust.IdentityProviders.SAMLCertificate.New(ctx, identityProviderID, body) (*IdentityProviderSAMLCertificateNewResponse, error)
POST/accounts/{account_id}/access/identity_providers/{identity_provider_id}/saml_certificate