
Add an Access identity provider

client.zeroTrust.identityProviders.create(params: IdentityProviderCreateParams, options?: RequestOptions): IdentityProvider
POST /{accounts_or_zones}/{account_or_zone_id}/access/identity_providers

Adds a new identity provider to Access.

Security
API Token

The preferred authorization scheme for interacting with the Cloudflare API. Create a token.

Example: Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY
API Email + API Key

The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.

Example: X-Auth-Email: user@example.com

The previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.

Example: X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194
Accepted Permissions (at least one required)
Access: Organizations, Identity Providers, and Groups Write
Parameters
IdentityProviderCreateParams = AzureAD | AccessCentrify | AccessFacebook | 11 more
IdentityProviderCreateParamsBase
AzureAD extends IdentityProviderCreateParamsBase
AccessCentrify extends IdentityProviderCreateParamsBase
AccessFacebook extends IdentityProviderCreateParamsBase
AccessGitHub extends IdentityProviderCreateParamsBase
AccessGoogle extends IdentityProviderCreateParamsBase
AccessGoogleApps extends IdentityProviderCreateParamsBase
AccessLinkedin extends IdentityProviderCreateParamsBase
AccessOIDC extends IdentityProviderCreateParamsBase
AccessOkta extends IdentityProviderCreateParamsBase
AccessOnelogin extends IdentityProviderCreateParamsBase
AccessPingone extends IdentityProviderCreateParamsBase
AccessSAML extends IdentityProviderCreateParamsBase
AccessYandex extends IdentityProviderCreateParamsBase
AccessOnetimepin extends IdentityProviderCreateParamsBase
Returns
IdentityProvider = AzureAD { config, name, type, 2 more } | AccessCentrify { config, name, type, 2 more } | AccessFacebook { config, name, type, 2 more } | 11 more
One of the following:
AzureAD { config, name, type, 2 more }
config: Config { claims, client_id, client_secret, 5 more }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

claims?: Array<string>

Custom claims

client_id?: string

Your OAuth Client ID

client_secret?: string

Your OAuth Client Secret

conditional_access_enabled?: boolean

Whether Cloudflare should try to load authentication contexts from your account.

directory_id?: string

Your Azure directory UUID.

email_claim_name?: string

The claim name for email in the id_token response.

prompt?: "login" | "select_account" | "none"

Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single sign-on. prompt=none is the opposite: it ensures that the user is not presented with any interactive prompt, and if the request cannot be completed silently via single sign-on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on and presents an account-selection experience that lists all accounts in session or remembered, plus an option to use a different account altogether.

One of the following:
"login"
"select_account"
"none"
support_groups?: boolean

Whether Cloudflare should try to load groups from your account.

name: string

The name of the identity provider, shown to users on the login page.

type: "onetimepin" | "azureAD" | "saml" | "centrify" | "facebook" | "github" | "google-apps" | "google" | "linkedin" | "oidc" | "okta" | "onelogin" | "pingone" | "yandex"

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:
"onetimepin"
"azureAD"
"saml"
"centrify"
"facebook"
"github"
"google-apps"
"google"
"linkedin"
"oidc"
"okta"
"onelogin"
"pingone"
"yandex"
id?: string

UUID.

maxLength: 36
scim_config?: IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled?: boolean

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior?: "automatic" | "reauth" | "no_action"

Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity is only updated after successful re-authentication. With "reauth", identities will not contain fields from the SCIM user resource. With "no_action", identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:
"automatic"
"reauth"
"no_action"
scim_base_url?: string

The base URL of Cloudflare's SCIM V2.0 API endpoint.

seat_deprovision?: boolean

A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret?: string

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision?: boolean

A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

AccessCentrify { config, name, type, 2 more }
config: Config { centrify_account, centrify_app_id, claims, 3 more }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

centrify_account?: string

Your Centrify account URL.

centrify_app_id?: string

Your Centrify app ID.

claims?: Array<string>

Custom claims

client_id?: string

Your OAuth Client ID

client_secret?: string

Your OAuth Client Secret

email_claim_name?: string

The claim name for email in the id_token response.

name: string

The name of the identity provider, shown to users on the login page.

type: "onetimepin" | "azureAD" | "saml" | "centrify" | "facebook" | "github" | "google-apps" | "google" | "linkedin" | "oidc" | "okta" | "onelogin" | "pingone" | "yandex"

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:
"onetimepin"
"azureAD"
"saml"
"centrify"
"facebook"
"github"
"google-apps"
"google"
"linkedin"
"oidc"
"okta"
"onelogin"
"pingone"
"yandex"
id?: string

UUID.

maxLength: 36
scim_config?: IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled?: boolean

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior?: "automatic" | "reauth" | "no_action"

Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity is only updated after successful re-authentication. With "reauth", identities will not contain fields from the SCIM user resource. With "no_action", identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:
"automatic"
"reauth"
"no_action"
scim_base_url?: string

The base URL of Cloudflare's SCIM V2.0 API endpoint.

seat_deprovision?: boolean

A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret?: string

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision?: boolean

A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

AccessFacebook { config, name, type, 2 more }
config: GenericOAuthConfig { client_id, client_secret }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

client_id?: string

Your OAuth Client ID

client_secret?: string

Your OAuth Client Secret

name: string

The name of the identity provider, shown to users on the login page.

type: "onetimepin" | "azureAD" | "saml" | "centrify" | "facebook" | "github" | "google-apps" | "google" | "linkedin" | "oidc" | "okta" | "onelogin" | "pingone" | "yandex"

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:
"onetimepin"
"azureAD"
"saml"
"centrify"
"facebook"
"github"
"google-apps"
"google"
"linkedin"
"oidc"
"okta"
"onelogin"
"pingone"
"yandex"
id?: string

UUID.

maxLength: 36
scim_config?: IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled?: boolean

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior?: "automatic" | "reauth" | "no_action"

Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity is only updated after successful re-authentication. With "reauth", identities will not contain fields from the SCIM user resource. With "no_action", identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:
"automatic"
"reauth"
"no_action"
scim_base_url?: string

The base URL of Cloudflare's SCIM V2.0 API endpoint.

seat_deprovision?: boolean

A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret?: string

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision?: boolean

A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

AccessGitHub { config, name, type, 2 more }
config: GenericOAuthConfig { client_id, client_secret }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

client_id?: string

Your OAuth Client ID

client_secret?: string

Your OAuth Client Secret

name: string

The name of the identity provider, shown to users on the login page.

type: "onetimepin" | "azureAD" | "saml" | "centrify" | "facebook" | "github" | "google-apps" | "google" | "linkedin" | "oidc" | "okta" | "onelogin" | "pingone" | "yandex"

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:
"onetimepin"
"azureAD"
"saml"
"centrify"
"facebook"
"github"
"google-apps"
"google"
"linkedin"
"oidc"
"okta"
"onelogin"
"pingone"
"yandex"
id?: string

UUID.

maxLength: 36
scim_config?: IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled?: boolean

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior?: "automatic" | "reauth" | "no_action"

Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity is only updated after successful re-authentication. With "reauth", identities will not contain fields from the SCIM user resource. With "no_action", identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:
"automatic"
"reauth"
"no_action"
scim_base_url?: string

The base URL of Cloudflare's SCIM V2.0 API endpoint.

seat_deprovision?: boolean

A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret?: string

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision?: boolean

A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

AccessGoogle { config, name, type, 2 more }
config: Config { claims, client_id, client_secret, email_claim_name }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

claims?: Array<string>

Custom claims

client_id?: string

Your OAuth Client ID

client_secret?: string

Your OAuth Client Secret

email_claim_name?: string

The claim name for email in the id_token response.

name: string

The name of the identity provider, shown to users on the login page.

type: "onetimepin" | "azureAD" | "saml" | "centrify" | "facebook" | "github" | "google-apps" | "google" | "linkedin" | "oidc" | "okta" | "onelogin" | "pingone" | "yandex"

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:
"onetimepin"
"azureAD"
"saml"
"centrify"
"facebook"
"github"
"google-apps"
"google"
"linkedin"
"oidc"
"okta"
"onelogin"
"pingone"
"yandex"
id?: string

UUID.

maxLength: 36
scim_config?: IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled?: boolean

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior?: "automatic" | "reauth" | "no_action"

Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity is only updated after successful re-authentication. With "reauth", identities will not contain fields from the SCIM user resource. With "no_action", identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:
"automatic"
"reauth"
"no_action"
scim_base_url?: string

The base URL of Cloudflare's SCIM V2.0 API endpoint.

seat_deprovision?: boolean

A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret?: string

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision?: boolean

A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

AccessGoogleApps { config, name, type, 2 more }
config: Config { apps_domain, claims, client_id, 2 more }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

apps_domain?: string

Your company's TLD.

claims?: Array<string>

Custom claims

client_id?: string

Your OAuth Client ID

client_secret?: string

Your OAuth Client Secret

email_claim_name?: string

The claim name for email in the id_token response.

name: string

The name of the identity provider, shown to users on the login page.

type: "onetimepin" | "azureAD" | "saml" | "centrify" | "facebook" | "github" | "google-apps" | "google" | "linkedin" | "oidc" | "okta" | "onelogin" | "pingone" | "yandex"

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:
"onetimepin"
"azureAD"
"saml"
"centrify"
"facebook"
"github"
"google-apps"
"google"
"linkedin"
"oidc"
"okta"
"onelogin"
"pingone"
"yandex"
id?: string

UUID.

maxLength: 36
scim_config?: IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled?: boolean

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior?: "automatic" | "reauth" | "no_action"

Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity is only updated after successful re-authentication. With "reauth", identities will not contain fields from the SCIM user resource. With "no_action", identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:
"automatic"
"reauth"
"no_action"
scim_base_url?: string

The base URL of Cloudflare's SCIM V2.0 API endpoint.

seat_deprovision?: boolean

A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret?: string

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision?: boolean

A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

AccessLinkedin { config, name, type, 2 more }
config: GenericOAuthConfig { client_id, client_secret }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

client_id?: string

Your OAuth Client ID

client_secret?: string

Your OAuth Client Secret

name: string

The name of the identity provider, shown to users on the login page.

type: "onetimepin" | "azureAD" | "saml" | "centrify" | "facebook" | "github" | "google-apps" | "google" | "linkedin" | "oidc" | "okta" | "onelogin" | "pingone" | "yandex"

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:
"onetimepin"
"azureAD"
"saml"
"centrify"
"facebook"
"github"
"google-apps"
"google"
"linkedin"
"oidc"
"okta"
"onelogin"
"pingone"
"yandex"
id?: string

UUID.

maxLength: 36
scim_config?: IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled?: boolean

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior?: "automatic" | "reauth" | "no_action"

Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity is only updated after successful re-authentication. With "reauth", identities will not contain fields from the SCIM user resource. With "no_action", identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:
"automatic"
"reauth"
"no_action"
scim_base_url?: string

The base URL of Cloudflare's SCIM V2.0 API endpoint.

seat_deprovision?: boolean

A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret?: string

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision?: boolean

A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

AccessOIDC { config, name, type, 2 more }
config: Config { auth_url, certs_url, claims, 6 more }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

auth_url?: string

The authorization_endpoint URL of your IdP

certs_url?: string

The jwks_uri endpoint of your IdP, which publishes the public keys used to verify the signatures on its tokens.

claims?: Array<string>

Custom claims

client_id?: string

Your OAuth Client ID

client_secret?: string

Your OAuth Client Secret

email_claim_name?: string

The claim name for email in the id_token response.

pkce_enabled?: boolean

Enable Proof Key for Code Exchange (PKCE)

scopes?: Array<string>

OAuth scopes

token_url?: string

The token_endpoint URL of your IdP

name: string

The name of the identity provider, shown to users on the login page.

type: "onetimepin" | "azureAD" | "saml" | "centrify" | "facebook" | "github" | "google-apps" | "google" | "linkedin" | "oidc" | "okta" | "onelogin" | "pingone" | "yandex"

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:
"onetimepin"
"azureAD"
"saml"
"centrify"
"facebook"
"github"
"google-apps"
"google"
"linkedin"
"oidc"
"okta"
"onelogin"
"pingone"
"yandex"
id?: string

UUID.

maxLength: 36
scim_config?: IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled?: boolean

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior?: "automatic" | "reauth" | "no_action"

Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity is only updated after successful re-authentication. With "reauth", identities will not contain fields from the SCIM user resource. With "no_action", identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:
"automatic"
"reauth"
"no_action"
scim_base_url?: string

The base URL of Cloudflare's SCIM V2.0 API endpoint.

seat_deprovision?: boolean

A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret?: string

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision?: boolean

A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

AccessOkta { config, name, type, 2 more }
config: Config { authorization_server_id, claims, client_id, 3 more }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

authorization_server_id?: string

Your Okta authorization server ID.

claims?: Array<string>

Custom claims

client_id?: string

Your OAuth Client ID

client_secret?: string

Your OAuth Client Secret

email_claim_name?: string

The claim name for email in the id_token response.

okta_account?: string

Your Okta account URL.

name: string

The name of the identity provider, shown to users on the login page.

type: "onetimepin" | "azureAD" | "saml" | "centrify" | "facebook" | "github" | "google-apps" | "google" | "linkedin" | "oidc" | "okta" | "onelogin" | "pingone" | "yandex"

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:
"onetimepin"
"azureAD"
"saml"
"centrify"
"facebook"
"github"
"google-apps"
"google"
"linkedin"
"oidc"
"okta"
"onelogin"
"pingone"
"yandex"
id?: string

UUID.

maxLength: 36
scim_config?: IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled?: boolean

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior?: "automatic" | "reauth" | "no_action"

Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity is only updated after successful re-authentication. With "reauth", identities will not contain fields from the SCIM user resource. With "no_action", identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:
"automatic"
"reauth"
"no_action"
scim_base_url?: string

The base URL of Cloudflare's SCIM V2.0 API endpoint.

seat_deprovision?: boolean

A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret?: string

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision?: boolean

A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

AccessOnelogin { config, name, type, 2 more }
config: Config { claims, client_id, client_secret, 2 more }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

claims?: Array<string>

Custom claims

client_id?: string

Your OAuth Client ID

client_secret?: string

Your OAuth Client Secret

email_claim_name?: string

The claim name for email in the id_token response.

onelogin_account?: string

Your OneLogin account URL.

name: string

The name of the identity provider, shown to users on the login page.

type: "onetimepin" | "azureAD" | "saml" | "centrify" | "facebook" | "github" | "google-apps" | "google" | "linkedin" | "oidc" | "okta" | "onelogin" | "pingone" | "yandex"

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:
"onetimepin"
"azureAD"
"saml"
"centrify"
"facebook"
"github"
"google-apps"
"google"
"linkedin"
"oidc"
"okta"
"onelogin"
"pingone"
"yandex"
id?: string

UUID.

maxLength: 36
scim_config?: IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled?: boolean

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior?: "automatic" | "reauth" | "no_action"

Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity is only updated after successful re-authentication. With "reauth", identities will not contain fields from the SCIM user resource. With "no_action", identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:
"automatic"
"reauth"
"no_action"
scim_base_url?: string

The base URL of Cloudflare's SCIM V2.0 API endpoint.

seat_deprovision?: boolean

A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret?: string

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision?: boolean

A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

AccessPingone { config, name, type, 2 more }
config: Config { claims, client_id, client_secret, 2 more }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

claims?: Array<string>

Custom claims

client_id?: string

Your OAuth Client ID

client_secret?: string

Your OAuth Client Secret

email_claim_name?: string

The claim name for email in the id_token response.

ping_env_id?: string

Your PingOne environment identifier

name: string

The name of the identity provider, shown to users on the login page.

type: "onetimepin" | "azureAD" | "saml" | "centrify" | "facebook" | "github" | "google-apps" | "google" | "linkedin" | "oidc" | "okta" | "onelogin" | "pingone" | "yandex"

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:
"onetimepin"
"azureAD"
"saml"
"centrify"
"facebook"
"github"
"google-apps"
"google"
"linkedin"
"oidc"
"okta"
"onelogin"
"pingone"
"yandex"
id?: string

UUID.

maxLength: 36
scim_config?: IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled?: boolean

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior?: "automatic" | "reauth" | "no_action"

Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity is only updated after successful re-authentication. With "reauth", identities will not contain fields from the SCIM user resource. With "no_action", identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:
"automatic"
"reauth"
"no_action"
scim_base_url?: string

The base URL of Cloudflare's SCIM V2.0 API endpoint.

seat_deprovision?: boolean

A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret?: string

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision?: boolean

A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

AccessSAML { config, name, type, 2 more }
config: Config { attributes, email_attribute_name, header_attributes, 4 more }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

attributes?: Array<string>

A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules.

email_attribute_name?: string

The attribute name for email in the SAML response.

header_attributes?: Array<HeaderAttribute>

Add a list of attribute names that will be returned in the response header from the Access callback.

attribute_name?: string

The attribute name from the IdP.

header_name?: string

The header that will be added to the request sent to the origin.

idp_public_certs?: Array<string>

X.509 certificate(s) used to verify the signature in the SAML authentication response.

issuer_url?: string

IdP Entity ID or Issuer URL

sign_request?: boolean

Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints.

sso_target_url?: string

URL to which the SAML authentication requests are sent.

name: string

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:
"onetimepin"
"azureAD"
"saml"
"centrify"
"facebook"
"github"
"google-apps"
"google"
"linkedin"
"oidc"
"okta"
"onelogin"
"pingone"
"yandex"
id?: string

UUID.

maxLength: 36
scim_config?: IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled?: boolean

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior?: "automatic" | "reauth" | "no_action"

Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity is then updated only after a successful re-authentication. With "reauth", identities will not contain fields from the SCIM user resource. With "no_action", identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:
"automatic"
"reauth"
"no_action"
scim_base_url?: string

The base URL of Cloudflare's SCIM V2.0 API endpoint.

seat_deprovision?: boolean

A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret?: string

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision?: boolean

A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

AccessYandex { config, name, type, 2 more }
config: GenericOAuthConfig { client_id, client_secret }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

client_id?: string

Your OAuth Client ID

client_secret?: string

Your OAuth Client Secret

name: string

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:
"onetimepin"
"azureAD"
"saml"
"centrify"
"facebook"
"github"
"google-apps"
"google"
"linkedin"
"oidc"
"okta"
"onelogin"
"pingone"
"yandex"
id?: string

UUID.

maxLength: 36
scim_config?: IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled?: boolean

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior?: "automatic" | "reauth" | "no_action"

Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity is then updated only after a successful re-authentication. With "reauth", identities will not contain fields from the SCIM user resource. With "no_action", identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:
"automatic"
"reauth"
"no_action"
scim_base_url?: string

The base URL of Cloudflare's SCIM V2.0 API endpoint.

seat_deprovision?: boolean

A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret?: string

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision?: boolean

A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

AccessOnetimepin { config, name, type, 2 more }
config: Config { redirect_url }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

redirect_url?: string
name: string

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:
"onetimepin"
"azureAD"
"saml"
"centrify"
"facebook"
"github"
"google-apps"
"google"
"linkedin"
"oidc"
"okta"
"onelogin"
"pingone"
"yandex"
id?: string

UUID.

maxLength: 36
scim_config?: IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled?: boolean

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior?: "automatic" | "reauth" | "no_action"

Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity is then updated only after a successful re-authentication. With "reauth", identities will not contain fields from the SCIM user resource. With "no_action", identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:
"automatic"
"reauth"
"no_action"
scim_base_url?: string

The base URL of Cloudflare's SCIM V2.0 API endpoint.

seat_deprovision?: boolean

A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret?: string

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision?: boolean

A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

Add an Access identity provider

import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const identityProvider = await client.zeroTrust.identityProviders.create({
  config: {},
  name: 'Widget Corps IDP',
  type: 'onetimepin',
  account_id: 'account_id',
});

console.log(identityProvider);
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "config": {
      "claims": [
        "email_verified",
        "preferred_username",
        "custom_claim_name"
      ],
      "client_id": "<your client id>",
      "client_secret": "<your client secret>",
      "conditional_access_enabled": true,
      "directory_id": "<your azure directory uuid>",
      "email_claim_name": "custom_claim_name",
      "prompt": "login",
      "support_groups": true
    },
    "name": "Widget Corps IDP",
    "type": "onetimepin",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "scim_config": {
      "enabled": true,
      "identity_update_behavior": "automatic",
      "scim_base_url": "scim_base_url",
      "seat_deprovision": true,
      "secret": "secret",
      "user_deprovision": true
    }
  }
}