
Create SAML encryption certificate for Identity Provider

client.zeroTrust.identityProviders.samlCertificate.create(string identityProviderId, SAMLCertificateCreateParams { account_id } params, RequestOptions options?): SAMLCertificateCreateResponse { created_at, uid, updated_at, 2 more }
POST /accounts/{account_id}/access/identity_providers/{identity_provider_id}/saml_certificate

Creates a new SAML encryption certificate set and assigns it to the specified SAML Identity Provider. This endpoint is idempotent - if the IdP already has a certificate set assigned, the existing certificate set is returned with a 200 status.

Workflow for enabling SAML encryption:

  1. Call this endpoint to create and assign a certificate set to the IdP
  2. Update the IdP configuration (PUT /identity_providers/{id}) with:
    • config.enable_encryption: true
    • saml_certificate_set_id: <uid from step 1>
  3. Configure the certificate’s public key in your external SAML Identity Provider
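
The three steps above, as an added JavaScript example that is not Cloudflare's code: it validates a certificate set returned by step 1, builds the step 2 update body, and reports when automatic rotation is expected. `planSamlEncryption`, `SAMPLE_SET` and `SAMPLE_IDP` are hypothetical names, and the example assumes the IdP's existing object has been fetched so the PUT can send it back with only the encryption settings changed.

```javascript
// Added example; planSamlEncryption, SAMPLE_SET and SAMPLE_IDP are hypothetical names.
const ROTATION_LEAD_MS = 30 * 24 * 60 * 60 * 1000; // rotated 30 days before expiration

// The sample response shows previous_certificate as {} while the field text says
// null, so a certificate object only counts as present when it carries a uid.
const hasCert = (c) => Boolean(c && typeof c === 'object' && c.uid);

// Structural check only: PEM armor, base64 body, DER starting with a SEQUENCE tag.
function pemLooksLikeX509(pem) {
  const m = /^-----BEGIN CERTIFICATE-----\s+([A-Za-z0-9+\/=\s]+?)\s*-----END CERTIFICATE-----\s*$/.exec(pem || '');
  return Boolean(m) && Buffer.from(m[1].replace(/\s+/g, ''), 'base64')[0] === 0x30;
}

function planSamlEncryption(certSet, existingIdp, now = new Date()) {
  const cur = certSet.current_certificate;
  if (!hasCert(cur) || cur.is_current !== true) throw new Error('no active certificate in set');
  if (!pemLooksLikeX509(cur.public_certificate)) throw new Error('public_certificate is not a PEM certificate');
  const notAfter = new Date(cur.not_after);
  if (Number.isNaN(notAfter.getTime()) || notAfter <= now) throw new Error('not_after is invalid or in the past');
  return {
    // Step 2: keep the IdP's existing fields and change only the encryption settings.
    idpUpdate: {
      ...existingIdp,
      config: { ...existingIdp.config, enable_encryption: true },
      saml_certificate_set_id: certSet.uid,
    },
    // Step 3: the PEM to configure in the external SAML Identity Provider.
    pemForExternalIdp: cur.public_certificate,
    rotationExpectedAt: new Date(notAfter.getTime() - ROTATION_LEAD_MS).toISOString(),
    rotationHasOccurred: hasCert(certSet.previous_certificate),
  };
}

// Constructed input: ids and dates copied from the page's sample response; the PEM
// body is only the first line shown there, enough for the structural check.
const SAMPLE_SET = {
  uid: 'c409ef44-e72c-41c8-8c0b-278c8a6f4fd8',
  current_certificate: {
    is_current: true,
    not_after: '2027-05-07T19:11:00Z',
    public_certificate: '-----BEGIN CERTIFICATE-----\nMIIEpzCCA4+gAwIBAgIUTh2VSDDJ0oB/gabio6j1L9QwWoUwDQYJKoZIhvcNAQEL\n-----END CERTIFICATE-----\n',
    uid: 'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  },
  previous_certificate: {},
};
// Constructed IdP object; its name, type and config field are assumptions.
const SAMPLE_IDP = { name: 'Example SAML IdP', type: 'saml', config: { sso_target_url: 'https://idp.example.com/sso' } };

console.log(planSamlEncryption(SAMPLE_SET, SAMPLE_IDP, new Date('2026-06-01T00:00:00Z')));
```

A PEM that still contains the `...` elision from the sample response fails the structural check, which catches a truncated copy before it reaches the external IdP.
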
Security
API Token

The preferred authorization scheme for interacting with the Cloudflare API. Create a token.

Example: Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY
API Email + API Key

The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.

Example: X-Auth-Email: user@example.com

The previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.

Example: X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194
Parameters
identityProviderId: string

UUID.

maxLength: 36
params: SAMLCertificateCreateParams { account_id }
account_id: string

Identifier.

maxLength: 32
Returns
SAMLCertificateCreateResponse { created_at, uid, updated_at, 2 more }

A SAML encryption certificate set containing current and optionally previous certificates for encryption key rotation.

created_at: string

Timestamp when the certificate set was created

format: date-time
uid: string

Unique identifier for the certificate set

format: uuid
updated_at: string

Timestamp when the certificate set was last updated (e.g., during rotation)

format: date-time
current_certificate?: CurrentCertificate { is_current, not_after, public_certificate, uid }

The currently active certificate used for encrypting SAML assertions

is_current: boolean

Indicates whether this is the currently active certificate

not_after: string

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

format: date-time
public_certificate: string

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

uid: string

Unique identifier for the certificate

format: uuid
previous_certificate?: unknown

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

Create SAML encryption certificate for Identity Provider

import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const samlCertificate = await client.zeroTrust.identityProviders.samlCertificate.create(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: '023e105f4ecef8ad9ca31a8372d0c353' },
);

console.log(samlCertificate.uid);
Returns Examples
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "created_at": "2026-05-07T19:16:19.821162Z",
    "uid": "c409ef44-e72c-41c8-8c0b-278c8a6f4fd8",
    "updated_at": "2026-05-07T19:16:19.821162Z",
    "current_certificate": {
      "is_current": true,
      "not_after": "2027-05-07T19:11:00Z",
      "public_certificate": "-----BEGIN CERTIFICATE-----\nMIIEpzCCA4+gAwIBAgIUTh2VSDDJ0oB/gabio6j1L9QwWoUwDQYJKoZIhvcNAQEL\n...\n-----END CERTIFICATE-----\n",
      "uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
    },
    "previous_certificate": {}
  }
}