API Reference

Zero Trust

Copy Markdown

Open in Claude

Open in ChatGPT

Open in Cursor

---

Copy Markdown

View as Markdown

Identity Providers

List Access identity providers

client.ZeroTrust.IdentityProviders.List(ctx, params) (*V4PagePaginationArray[IdentityProviderListResponse], error)

GET/{accounts_or_zones}/{account_or_zone_id}/access/identity_providers

Get an Access identity provider

client.ZeroTrust.IdentityProviders.Get(ctx, identityProviderID, query) (*IdentityProvider, error)

GET/{accounts_or_zones}/{account_or_zone_id}/access/identity_providers/{identity_provider_id}

Add an Access identity provider

client.ZeroTrust.IdentityProviders.New(ctx, params) (*IdentityProvider, error)

POST/{accounts_or_zones}/{account_or_zone_id}/access/identity_providers

Update an Access identity provider

client.ZeroTrust.IdentityProviders.Update(ctx, identityProviderID, params) (*IdentityProvider, error)

PUT/{accounts_or_zones}/{account_or_zone_id}/access/identity_providers/{identity_provider_id}

Delete an Access identity provider

client.ZeroTrust.IdentityProviders.Delete(ctx, identityProviderID, body) (*IdentityProviderDeleteResponse, error)

DELETE/{accounts_or_zones}/{account_or_zone_id}/access/identity_providers/{identity_provider_id}

ModelsExpand Collapse

type AzureAD struct{…}

Config AzureADConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

Claims []stringoptional

Custom claims

ClientID stringoptional

Your OAuth Client ID

ClientSecret stringoptional

Your OAuth Client Secret

ConditionalAccessEnabled booloptional

Should Cloudflare try to load authentication contexts from your account

DirectoryID stringoptional

Your Azure directory uuid

EmailClaimName stringoptional

The claim name for email in the id_token response.

Prompt AzureADConfigPromptoptional

Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single-sign on. prompt=none is the opposite. It ensures that the user isn't presented with any interactive prompt. If the request can't be completed silently by using single-sign on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on providing account selection experience listing all the accounts either in session or any remembered account or an option to choose to use a different account altogether.

One of the following:

const AzureADConfigPromptLogin AzureADConfigPrompt = "login"

const AzureADConfigPromptSelectAccount AzureADConfigPrompt = "select_account"

const AzureADConfigPromptNone AzureADConfigPrompt = "none"

SupportGroups booloptional

Should Cloudflare try to load groups from your account

Name string

The name of the identity provider, shown to users on the login page.

Type IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

ID stringoptional

UUID.

maxLength36

SCIMConfig IdentityProviderSCIMConfigoptional

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

type GenericOAuthConfig struct{…}

ClientID stringoptional

Your OAuth Client ID

ClientSecret stringoptional

Your OAuth Client Secret

type IdentityProvider interface{…}

One of the following:

type AzureAD struct{…}

Config AzureADConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

Claims []stringoptional

Custom claims

ClientID stringoptional

Your OAuth Client ID

ClientSecret stringoptional

Your OAuth Client Secret

ConditionalAccessEnabled booloptional

Should Cloudflare try to load authentication contexts from your account

DirectoryID stringoptional

Your Azure directory uuid

EmailClaimName stringoptional

The claim name for email in the id_token response.

Prompt AzureADConfigPromptoptional

Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single-sign on. prompt=none is the opposite. It ensures that the user isn't presented with any interactive prompt. If the request can't be completed silently by using single-sign on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on providing account selection experience listing all the accounts either in session or any remembered account or an option to choose to use a different account altogether.

One of the following:

const AzureADConfigPromptLogin AzureADConfigPrompt = "login"

const AzureADConfigPromptSelectAccount AzureADConfigPrompt = "select_account"

const AzureADConfigPromptNone AzureADConfigPrompt = "none"

SupportGroups booloptional

Should Cloudflare try to load groups from your account

Name string

The name of the identity provider, shown to users on the login page.

Type IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

ID stringoptional

UUID.

maxLength36

SCIMConfig IdentityProviderSCIMConfigoptional

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

type IdentityProviderAccessCentrify struct{…}

Config IdentityProviderAccessCentrifyConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

CentrifyAccount stringoptional

Your centrify account url

CentrifyAppID stringoptional

Your centrify app id

Claims []stringoptional

Custom claims

ClientID stringoptional

Your OAuth Client ID

ClientSecret stringoptional

Your OAuth Client Secret

EmailClaimName stringoptional

The claim name for email in the id_token response.

Name string

The name of the identity provider, shown to users on the login page.

Type IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

ID stringoptional

UUID.

maxLength36

SCIMConfig IdentityProviderSCIMConfigoptional

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

type IdentityProviderAccessFacebook struct{…}

Config GenericOAuthConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

Name string

The name of the identity provider, shown to users on the login page.

Type IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

ID stringoptional

UUID.

maxLength36

SCIMConfig IdentityProviderSCIMConfigoptional

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

type IdentityProviderAccessGitHub struct{…}

Config GenericOAuthConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

Name string

The name of the identity provider, shown to users on the login page.

Type IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

ID stringoptional

UUID.

maxLength36

SCIMConfig IdentityProviderSCIMConfigoptional

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

type IdentityProviderAccessGoogle struct{…}

Config IdentityProviderAccessGoogleConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

Claims []stringoptional

Custom claims

ClientID stringoptional

Your OAuth Client ID

ClientSecret stringoptional

Your OAuth Client Secret

EmailClaimName stringoptional

The claim name for email in the id_token response.

Name string

The name of the identity provider, shown to users on the login page.

Type IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

ID stringoptional

UUID.

maxLength36

SCIMConfig IdentityProviderSCIMConfigoptional

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

type IdentityProviderAccessGoogleApps struct{…}

Config IdentityProviderAccessGoogleAppsConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

AppsDomain stringoptional

Your companies TLD

Claims []stringoptional

Custom claims

ClientID stringoptional

Your OAuth Client ID

ClientSecret stringoptional

Your OAuth Client Secret

EmailClaimName stringoptional

The claim name for email in the id_token response.

Name string

The name of the identity provider, shown to users on the login page.

Type IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

ID stringoptional

UUID.

maxLength36

SCIMConfig IdentityProviderSCIMConfigoptional

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

type IdentityProviderAccessLinkedin struct{…}

Config GenericOAuthConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

Name string

The name of the identity provider, shown to users on the login page.

Type IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

ID stringoptional

UUID.

maxLength36

SCIMConfig IdentityProviderSCIMConfigoptional

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

type IdentityProviderAccessOIDC struct{…}

Config IdentityProviderAccessOIDCConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

AuthURL stringoptional

The authorization_endpoint URL of your IdP

CERTsURL stringoptional

The jwks_uri endpoint of your IdP to allow the IdP keys to sign the tokens

Claims []stringoptional

Custom claims

ClientID stringoptional

Your OAuth Client ID

ClientSecret stringoptional

Your OAuth Client Secret

EmailClaimName stringoptional

The claim name for email in the id_token response.

PKCEEnabled booloptional

Enable Proof Key for Code Exchange (PKCE)

Scopes []stringoptional

OAuth scopes

TokenURL stringoptional

The token_endpoint URL of your IdP

Name string

The name of the identity provider, shown to users on the login page.

Type IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

ID stringoptional

UUID.

maxLength36

SCIMConfig IdentityProviderSCIMConfigoptional

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

type IdentityProviderAccessOkta struct{…}

Config IdentityProviderAccessOktaConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

AuthorizationServerID stringoptional

Your okta authorization server id

Claims []stringoptional

Custom claims

ClientID stringoptional

Your OAuth Client ID

ClientSecret stringoptional

Your OAuth Client Secret

EmailClaimName stringoptional

The claim name for email in the id_token response.

OktaAccount stringoptional

Your okta account url

Name string

The name of the identity provider, shown to users on the login page.

Type IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

ID stringoptional

UUID.

maxLength36

SCIMConfig IdentityProviderSCIMConfigoptional

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

type IdentityProviderAccessOnelogin struct{…}

Config IdentityProviderAccessOneloginConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

Claims []stringoptional

Custom claims

ClientID stringoptional

Your OAuth Client ID

ClientSecret stringoptional

Your OAuth Client Secret

EmailClaimName stringoptional

The claim name for email in the id_token response.

OneloginAccount stringoptional

Your OneLogin account url

Name string

The name of the identity provider, shown to users on the login page.

Type IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

ID stringoptional

UUID.

maxLength36

SCIMConfig IdentityProviderSCIMConfigoptional

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

type IdentityProviderAccessPingone struct{…}

Config IdentityProviderAccessPingoneConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

Claims []stringoptional

Custom claims

ClientID stringoptional

Your OAuth Client ID

ClientSecret stringoptional

Your OAuth Client Secret

EmailClaimName stringoptional

The claim name for email in the id_token response.

PingEnvID stringoptional

Your PingOne environment identifier

Name string

The name of the identity provider, shown to users on the login page.

Type IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

ID stringoptional

UUID.

maxLength36

SCIMConfig IdentityProviderSCIMConfigoptional

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

type IdentityProviderAccessSAML struct{…}

Config IdentityProviderAccessSAMLConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

Attributes []stringoptional

A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules.

EmailAttributeName stringoptional

The attribute name for email in the SAML response.

HeaderAttributes []IdentityProviderAccessSAMLConfigHeaderAttributeoptional

Add a list of attribute names that will be returned in the response header from the Access callback.

AttributeName stringoptional

attribute name from the IDP

HeaderName stringoptional

header that will be added on the request to the origin

IdPPublicCERTs []stringoptional

X509 certificate to verify the signature in the SAML authentication response

IssuerURL stringoptional

IdP Entity ID or Issuer URL

SignRequest booloptional

Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints.

SSOTargetURL stringoptional

URL to send the SAML authentication requests to

Name string

The name of the identity provider, shown to users on the login page.

Type IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

ID stringoptional

UUID.

maxLength36

SCIMConfig IdentityProviderSCIMConfigoptional

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

type IdentityProviderAccessYandex struct{…}

Config GenericOAuthConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

Name string

The name of the identity provider, shown to users on the login page.

Type IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

ID stringoptional

UUID.

maxLength36

SCIMConfig IdentityProviderSCIMConfigoptional

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

type IdentityProviderAccessOnetimepin struct{…}

Config IdentityProviderAccessOnetimepinConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

RedirectURL stringoptional

Name string

The name of the identity provider, shown to users on the login page.

Type IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

ID stringoptional

UUID.

maxLength36

SCIMConfig IdentityProviderSCIMConfigoptional

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

type IdentityProviderSCIMConfig struct{…}

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

Enabled booloptional

A flag to enable or disable SCIM for the identity provider.

IdentityUpdateBehavior IdentityProviderSCIMConfigIdentityUpdateBehavioroptional

Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With "reauth" identities will not contain fields from the SCIM user resource. With "no_action" identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:

const IdentityProviderSCIMConfigIdentityUpdateBehaviorAutomatic IdentityProviderSCIMConfigIdentityUpdateBehavior = "automatic"

const IdentityProviderSCIMConfigIdentityUpdateBehaviorReauth IdentityProviderSCIMConfigIdentityUpdateBehavior = "reauth"

const IdentityProviderSCIMConfigIdentityUpdateBehaviorNoAction IdentityProviderSCIMConfigIdentityUpdateBehavior = "no_action"

SCIMBaseURL stringoptional

The base URL of Cloudflare's SCIM V2.0 API endpoint.

SeatDeprovision booloptional

A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

Secret stringoptional

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

UserDeprovision booloptional

A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

type IdentityProviderType string

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:

const IdentityProviderTypeOnetimepin IdentityProviderType = "onetimepin"

const IdentityProviderTypeAzureAD IdentityProviderType = "azureAD"

const IdentityProviderTypeSAML IdentityProviderType = "saml"

const IdentityProviderTypeCentrify IdentityProviderType = "centrify"

const IdentityProviderTypeFacebook IdentityProviderType = "facebook"

const IdentityProviderTypeGitHub IdentityProviderType = "github"

const IdentityProviderTypeGoogleApps IdentityProviderType = "google-apps"

const IdentityProviderTypeGoogle IdentityProviderType = "google"

const IdentityProviderTypeLinkedin IdentityProviderType = "linkedin"

const IdentityProviderTypeOIDC IdentityProviderType = "oidc"

const IdentityProviderTypeOkta IdentityProviderType = "okta"

const IdentityProviderTypeOnelogin IdentityProviderType = "onelogin"

const IdentityProviderTypePingone IdentityProviderType = "pingone"

const IdentityProviderTypeYandex IdentityProviderType = "yandex"

Identity ProvidersSCIM

Identity ProvidersSCIMGroups

List SCIM Group resources

client.ZeroTrust.IdentityProviders.SCIM.Groups.List(ctx, identityProviderID, params) (*V4PagePaginationArray[ZeroTrustGroup], error)

GET/accounts/{account_id}/access/identity_providers/{identity_provider_id}/scim/groups

Identity ProvidersSCIMUsers

List SCIM User resources

client.ZeroTrust.IdentityProviders.SCIM.Users.List(ctx, identityProviderID, params) (*V4PagePaginationArray[AccessUser], error)

GET/accounts/{account_id}/access/identity_providers/{identity_provider_id}/scim/users