
List Access identity providers

client.zeroTrust.identityProviders.list(IdentityProviderListParams { account_id, zone_id, page, 2 more } params?, RequestOptions options?): V4PagePaginationArray<IdentityProviderListResponse>
GET /{accounts_or_zones}/{account_or_zone_id}/access/identity_providers

Lists all configured identity providers.

Security
API Token

The preferred authorization scheme for interacting with the Cloudflare API. Create a token.

Example: Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY
API Email + API Key

The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.

Example: X-Auth-Email: user@example.com

The previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.

Example: X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194
Accepted Permissions (at least one required)
Access: Organizations, Identity Providers, and Groups Write
Access: Organizations, Identity Providers, and Groups Read
Parameters
params: IdentityProviderListParams { account_id, zone_id, page, 2 more }
account_id?: string

Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: string

Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

page?: number

Query param: Page number of results.

per_page?: number

Query param: Number of results per page.

scim_enabled?: string

Query param: Indicates to Access to only retrieve identity providers that have the System for Cross-Domain Identity Management (SCIM) enabled.

Returns
IdentityProviderListResponse = AzureAD { config, name, type, 2 more } | AccessCentrify { config, name, type, 2 more } | AccessFacebook { config, name, type, 2 more } | 10 more
One of the following:
AzureAD { config, name, type, 2 more }
config: Config { claims, client_id, client_secret, 5 more }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

claims?: Array<string>

Custom claims

client_id?: string

Your OAuth Client ID

client_secret?: string

Your OAuth Client Secret

conditional_access_enabled?: boolean

Should Cloudflare try to load authentication contexts from your account

directory_id?: string

Your Azure directory UUID

email_claim_name?: string

The claim name for email in the id_token response.

prompt?: "login" | "select_account" | "none"

Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single sign-on. prompt=none is the opposite. It ensures that the user isn't presented with any interactive prompt. If the request can't be completed silently by using single sign-on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on, providing an account selection experience that lists all the accounts either in session or remembered, or an option to use a different account altogether.

One of the following:
"login"
"select_account"
"none"
support_groups?: boolean

Should Cloudflare try to load groups from your account

name: string

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:
"onetimepin"
"azureAD"
"saml"
"centrify"
"facebook"
"github"
"google-apps"
"google"
"linkedin"
"oidc"
"okta"
"onelogin"
"pingone"
"yandex"
id?: string

UUID.

maxLength: 36
scim_config?: IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled?: boolean

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior?: "automatic" | "reauth" | "no_action"

Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity update will only occur after successful re-authentication. With "reauth", identities will not contain fields from the SCIM user resource. With "no_action", identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:
"automatic"
"reauth"
"no_action"
scim_base_url?: string

The base URL of Cloudflare's SCIM V2.0 API endpoint.

seat_deprovision?: boolean

A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret?: string

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision?: boolean

A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

AccessCentrify { config, name, type, 2 more }
config: Config { centrify_account, centrify_app_id, claims, 3 more }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

centrify_account?: string

Your Centrify account URL

centrify_app_id?: string

Your Centrify app ID

claims?: Array<string>

Custom claims

client_id?: string

Your OAuth Client ID

client_secret?: string

Your OAuth Client Secret

email_claim_name?: string

The claim name for email in the id_token response.

name: string

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:
"onetimepin"
"azureAD"
"saml"
"centrify"
"facebook"
"github"
"google-apps"
"google"
"linkedin"
"oidc"
"okta"
"onelogin"
"pingone"
"yandex"
id?: string

UUID.

maxLength: 36
scim_config?: IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled?: boolean

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior?: "automatic" | "reauth" | "no_action"

Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity update will only occur after successful re-authentication. With "reauth", identities will not contain fields from the SCIM user resource. With "no_action", identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:
"automatic"
"reauth"
"no_action"
scim_base_url?: string

The base URL of Cloudflare's SCIM V2.0 API endpoint.

seat_deprovision?: boolean

A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret?: string

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision?: boolean

A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

AccessFacebook { config, name, type, 2 more }
config: GenericOAuthConfig { client_id, client_secret }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

client_id?: string

Your OAuth Client ID

client_secret?: string

Your OAuth Client Secret

name: string

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:
"onetimepin"
"azureAD"
"saml"
"centrify"
"facebook"
"github"
"google-apps"
"google"
"linkedin"
"oidc"
"okta"
"onelogin"
"pingone"
"yandex"
id?: string

UUID.

maxLength: 36
scim_config?: IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled?: boolean

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior?: "automatic" | "reauth" | "no_action"

Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity update will only occur after successful re-authentication. With "reauth", identities will not contain fields from the SCIM user resource. With "no_action", identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:
"automatic"
"reauth"
"no_action"
scim_base_url?: string

The base URL of Cloudflare's SCIM V2.0 API endpoint.

seat_deprovision?: boolean

A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret?: string

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision?: boolean

A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

AccessGitHub { config, name, type, 2 more }
config: GenericOAuthConfig { client_id, client_secret }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

client_id?: string

Your OAuth Client ID

client_secret?: string

Your OAuth Client Secret

name: string

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:
"onetimepin"
"azureAD"
"saml"
"centrify"
"facebook"
"github"
"google-apps"
"google"
"linkedin"
"oidc"
"okta"
"onelogin"
"pingone"
"yandex"
id?: string

UUID.

maxLength: 36
scim_config?: IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled?: boolean

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior?: "automatic" | "reauth" | "no_action"

Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity update will only occur after successful re-authentication. With "reauth", identities will not contain fields from the SCIM user resource. With "no_action", identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:
"automatic"
"reauth"
"no_action"
scim_base_url?: string

The base URL of Cloudflare's SCIM V2.0 API endpoint.

seat_deprovision?: boolean

A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret?: string

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision?: boolean

A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

AccessGoogle { config, name, type, 2 more }
config: Config { claims, client_id, client_secret, email_claim_name }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

claims?: Array<string>

Custom claims

client_id?: string

Your OAuth Client ID

client_secret?: string

Your OAuth Client Secret

email_claim_name?: string

The claim name for email in the id_token response.

name: string

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:
"onetimepin"
"azureAD"
"saml"
"centrify"
"facebook"
"github"
"google-apps"
"google"
"linkedin"
"oidc"
"okta"
"onelogin"
"pingone"
"yandex"
id?: string

UUID.

maxLength: 36
scim_config?: IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled?: boolean

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior?: "automatic" | "reauth" | "no_action"

Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity update will only occur after successful re-authentication. With "reauth", identities will not contain fields from the SCIM user resource. With "no_action", identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:
"automatic"
"reauth"
"no_action"
scim_base_url?: string

The base URL of Cloudflare's SCIM V2.0 API endpoint.

seat_deprovision?: boolean

A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret?: string

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision?: boolean

A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

AccessGoogleApps { config, name, type, 2 more }
config: Config { apps_domain, claims, client_id, 2 more }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

apps_domain?: string

Your company's TLD

claims?: Array<string>

Custom claims

client_id?: string

Your OAuth Client ID

client_secret?: string

Your OAuth Client Secret

email_claim_name?: string

The claim name for email in the id_token response.

name: string

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:
"onetimepin"
"azureAD"
"saml"
"centrify"
"facebook"
"github"
"google-apps"
"google"
"linkedin"
"oidc"
"okta"
"onelogin"
"pingone"
"yandex"
id?: string

UUID.

maxLength: 36
scim_config?: IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled?: boolean

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior?: "automatic" | "reauth" | "no_action"

Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity update will only occur after successful re-authentication. With "reauth", identities will not contain fields from the SCIM user resource. With "no_action", identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:
"automatic"
"reauth"
"no_action"
scim_base_url?: string

The base URL of Cloudflare's SCIM V2.0 API endpoint.

seat_deprovision?: boolean

A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret?: string

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision?: boolean

A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

AccessLinkedin { config, name, type, 2 more }
config: GenericOAuthConfig { client_id, client_secret }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

client_id?: string

Your OAuth Client ID

client_secret?: string

Your OAuth Client Secret

name: string

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:
"onetimepin"
"azureAD"
"saml"
"centrify"
"facebook"
"github"
"google-apps"
"google"
"linkedin"
"oidc"
"okta"
"onelogin"
"pingone"
"yandex"
id?: string

UUID.

maxLength: 36
scim_config?: IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled?: boolean

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior?: "automatic" | "reauth" | "no_action"

Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity update will only occur after successful re-authentication. With "reauth", identities will not contain fields from the SCIM user resource. With "no_action", identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:
"automatic"
"reauth"
"no_action"
scim_base_url?: string

The base URL of Cloudflare's SCIM V2.0 API endpoint.

seat_deprovision?: boolean

A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret?: string

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision?: boolean

A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

AccessOIDC { config, name, type, 2 more }
config: Config { auth_url, certs_url, claims, 6 more }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

auth_url?: string

The authorization_endpoint URL of your IdP

certs_url?: string

The jwks_uri endpoint of your IdP to allow the IdP keys to sign the tokens

claims?: Array<string>

Custom claims

client_id?: string

Your OAuth Client ID

client_secret?: string

Your OAuth Client Secret

email_claim_name?: string

The claim name for email in the id_token response.

pkce_enabled?: boolean

Enable Proof Key for Code Exchange (PKCE)

scopes?: Array<string>

OAuth scopes

token_url?: string

The token_endpoint URL of your IdP

name: string

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:
"onetimepin"
"azureAD"
"saml"
"centrify"
"facebook"
"github"
"google-apps"
"google"
"linkedin"
"oidc"
"okta"
"onelogin"
"pingone"
"yandex"
id?: string

UUID.

maxLength: 36
scim_config?: IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled?: boolean

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior?: "automatic" | "reauth" | "no_action"

Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity update will only occur after successful re-authentication. With "reauth", identities will not contain fields from the SCIM user resource. With "no_action", identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:
"automatic"
"reauth"
"no_action"
scim_base_url?: string

The base URL of Cloudflare's SCIM V2.0 API endpoint.

seat_deprovision?: boolean

A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret?: string

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision?: boolean

A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

AccessOkta { config, name, type, 2 more }
config: Config { authorization_server_id, claims, client_id, 3 more }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

authorization_server_id?: string

Your Okta authorization server ID

claims?: Array<string>

Custom claims

client_id?: string

Your OAuth Client ID

client_secret?: string

Your OAuth Client Secret

email_claim_name?: string

The claim name for email in the id_token response.

okta_account?: string

Your Okta account URL

name: string

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:
"onetimepin"
"azureAD"
"saml"
"centrify"
"facebook"
"github"
"google-apps"
"google"
"linkedin"
"oidc"
"okta"
"onelogin"
"pingone"
"yandex"
id?: string

UUID.

maxLength: 36
scim_config?: IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled?: boolean

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior?: "automatic" | "reauth" | "no_action"

Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity update will only occur after successful re-authentication. With "reauth", identities will not contain fields from the SCIM user resource. With "no_action", identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:
"automatic"
"reauth"
"no_action"
scim_base_url?: string

The base URL of Cloudflare's SCIM V2.0 API endpoint.

seat_deprovision?: boolean

A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret?: string

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision?: boolean

A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

AccessOnelogin { config, name, type, 2 more }
config: Config { claims, client_id, client_secret, 2 more }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

claims?: Array<string>

Custom claims

client_id?: string

Your OAuth Client ID

client_secret?: string

Your OAuth Client Secret

email_claim_name?: string

The claim name for email in the id_token response.

onelogin_account?: string

Your OneLogin account URL

name: string

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:
"onetimepin"
"azureAD"
"saml"
"centrify"
"facebook"
"github"
"google-apps"
"google"
"linkedin"
"oidc"
"okta"
"onelogin"
"pingone"
"yandex"
id?: string

UUID.

maxLength: 36
scim_config?: IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled?: boolean

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior?: "automatic" | "reauth" | "no_action"

Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity update will only occur after successful re-authentication. With "reauth", identities will not contain fields from the SCIM user resource. With "no_action", identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:
"automatic"
"reauth"
"no_action"
scim_base_url?: string

The base URL of Cloudflare's SCIM V2.0 API endpoint.

seat_deprovision?: boolean

A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret?: string

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision?: boolean

A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

AccessPingone { config, name, type, 2 more }
config: Config { claims, client_id, client_secret, 2 more }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

claims?: Array<string>

Custom claims

client_id?: string

Your OAuth Client ID

client_secret?: string

Your OAuth Client Secret

email_claim_name?: string

The claim name for email in the id_token response.

ping_env_id?: string

Your PingOne environment identifier

name: string

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:
"onetimepin"
"azureAD"
"saml"
"centrify"
"facebook"
"github"
"google-apps"
"google"
"linkedin"
"oidc"
"okta"
"onelogin"
"pingone"
"yandex"
id?: string

UUID.

maxLength: 36
scim_config?: IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled?: boolean

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior?: "automatic" | "reauth" | "no_action"

Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity update will only occur after successful re-authentication. With "reauth", identities will not contain fields from the SCIM user resource. With "no_action", identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:
"automatic"
"reauth"
"no_action"
scim_base_url?: string

The base URL of Cloudflare's SCIM V2.0 API endpoint.

seat_deprovision?: boolean

A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret?: string

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision?: boolean

A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

AccessSAML { config, name, type, 2 more }
config: Config { attributes, email_attribute_name, header_attributes, 4 more }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

attributes?: Array<string>

A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules.

email_attribute_name?: string

The attribute name for email in the SAML response.

header_attributes?: Array<HeaderAttribute>

Add a list of attribute names that will be returned in the response header from the Access callback.

attribute_name?: string

Attribute name from the IdP

header_name?: string

Header that will be added on the request to the origin

idp_public_certs?: Array<string>

X509 certificate to verify the signature in the SAML authentication response

issuer_url?: string

IdP Entity ID or Issuer URL

sign_request?: boolean

Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints.

sso_target_url?: string

URL to send the SAML authentication requests to

name: string

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:
"onetimepin"
"azureAD"
"saml"
"centrify"
"facebook"
"github"
"google-apps"
"google"
"linkedin"
"oidc"
"okta"
"onelogin"
"pingone"
"yandex"
id?: string

UUID.

maxLength: 36
scim_config?: IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled?: boolean

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior?: "automatic" | "reauth" | "no_action"

Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity update will only occur after successful re-authentication. With "reauth", identities will not contain fields from the SCIM user resource. With "no_action", identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:
"automatic"
"reauth"
"no_action"
scim_base_url?: string

The base URL of Cloudflare's SCIM V2.0 API endpoint.

seat_deprovision?: boolean

A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret?: string

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision?: boolean

A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

AccessYandex { config, name, type, 2 more }
config: GenericOAuthConfig { client_id, client_secret }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

client_id?: string

Your OAuth Client ID

client_secret?: string

Your OAuth Client Secret

name: string

The name of the identity provider, shown to users on the login page.

type: IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:
"onetimepin"
"azureAD"
"saml"
"centrify"
"facebook"
"github"
"google-apps"
"google"
"linkedin"
"oidc"
"okta"
"onelogin"
"pingone"
"yandex"
id?: string

UUID.

maxLength: 36
scim_config?: IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled?: boolean

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior?: "automatic" | "reauth" | "no_action"

Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity update will only occur after successful re-authentication. With "reauth", identities will not contain fields from the SCIM user resource. With "no_action", identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:
"automatic"
"reauth"
"no_action"
scim_base_url?: string

The base URL of Cloudflare's SCIM V2.0 API endpoint.

seat_deprovision?: boolean

A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret?: string

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision?: boolean

A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

List Access identity providers

import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const identityProviderListResponse of client.zeroTrust.identityProviders.list({
  account_id: 'account_id',
})) {
  console.log(identityProviderListResponse);
}
Returns Examples
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "config": {
        "claims": [
          "email_verified",
          "preferred_username",
          "custom_claim_name"
        ],
        "client_id": "<your client id>",
        "client_secret": "<your client secret>",
        "conditional_access_enabled": true,
        "directory_id": "<your azure directory uuid>",
        "email_claim_name": "custom_claim_name",
        "prompt": "login",
        "support_groups": true
      },
      "name": "Widget Corps IDP",
      "type": "onetimepin",
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "scim_config": {
        "enabled": true,
        "identity_update_behavior": "automatic",
        "scim_base_url": "scim_base_url",
        "seat_deprovision": true,
        "secret": "secret",
        "user_deprovision": true
      }
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
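The following is an added example, not part of Cloudflare's documentation or SDK: it checks provider objects shaped like this endpoint's result entries against the constraints stated in the field descriptions (seat_deprovision requiring user_deprovision, idp_public_certs for SAML signature verification) and masks client_secret and the SCIM secret before logging. The function names, the finding texts, the choice of what counts as a finding, and the sample providers are assumptions of this example.

```javascript
// Added example (hypothetical helper names); operates on objects shaped like
// the `result` entries of the list response. No network access is needed.
const SECRET_KEYS = new Set(['client_secret', 'secret']);

// Return a deep copy with secret-bearing string fields masked, safe to log.
function redactSecrets(value) {
  if (Array.isArray(value)) return value.map(redactSecrets);
  if (value === null || typeof value !== 'object') return value;
  return Object.fromEntries(
    Object.entries(value).map(([k, v]) =>
      SECRET_KEYS.has(k) && typeof v === 'string' ? [k, '[redacted]'] : [k, redactSecrets(v)],
    ),
  );
}

// Check one identity provider against the documented field semantics.
function auditIdentityProvider(idp) {
  const findings = [];
  const scim = idp.scim_config ?? {};
  if (scim.enabled) {
    if (!scim.user_deprovision)
      findings.push('scim: user_deprovision is off; sessions are not revoked on deprovisioning');
    if (scim.seat_deprovision && !scim.user_deprovision)
      findings.push('scim: seat_deprovision requires user_deprovision');
    if (scim.identity_update_behavior === 'no_action')
      findings.push('scim: identity_update_behavior is no_action; SCIM updates never change identities');
  }
  if (idp.type === 'saml') {
    const cfg = idp.config ?? {};
    if (!(cfg.idp_public_certs ?? []).length)
      findings.push('saml: no idp_public_certs to verify the response signature');
    if (!cfg.sign_request)
      findings.push('saml: sign_request is off; authentication requests are unsigned');
  }
  return findings;
}

// Constructed sample input (not real data), using the field names documented above.
const sampleProviders = [
  { name: 'Constructed SAML IdP', type: 'saml',
    config: { issuer_url: 'https://idp.example.com', idp_public_certs: [], sign_request: false },
    scim_config: { enabled: true, identity_update_behavior: 'no_action',
      seat_deprovision: true, user_deprovision: false, secret: 'constructed-scim-secret' } },
  { name: 'Constructed OAuth IdP', type: 'yandex',
    config: { client_id: 'constructed-id', client_secret: 'constructed-secret' } },
];

for (const idp of sampleProviders) {
  console.log(JSON.stringify(redactSecrets(idp)), auditIdentityProvider(idp));
}
```

To use it with the SDK call shown above, pass each item yielded by the `for await` loop to `auditIdentityProvider` and log `redactSecrets(item)` instead of the raw object.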