
Update an Access identity provider

zero_trust.identity_providers.update(identity_provider_id: str, **kwargs: IdentityProviderUpdateParams) -> IdentityProvider
PUT /{accounts_or_zones}/{account_or_zone_id}/access/identity_providers/{identity_provider_id}

Updates a configured identity provider.

Security
API Token

The preferred authorization scheme for interacting with the Cloudflare API. Create a token.

Example: Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY
API Email + API Key

The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.

Example: X-Auth-Email: user@example.com

The previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.

Example: X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194
Accepted Permissions (at least one required)
Access: Organizations, Identity Providers, and Groups Write
Parameters
identity_provider_id: str

UUID.

maxLength: 36

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

claims: Optional[Sequence[str]]

Custom claims

client_id: Optional[str]

Your OAuth Client ID

client_secret: Optional[str]

Your OAuth Client Secret

conditional_access_enabled: Optional[bool]

Should Cloudflare try to load authentication contexts from your account

directory_id: Optional[str]

Your Azure directory UUID

email_claim_name: Optional[str]

The claim name for email in the id_token response.

prompt: Optional[Literal["login", "select_account", "none"]]

Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single sign-on. prompt=none is the opposite: it ensures that the user isn’t presented with any interactive prompt, and if the request can’t be completed silently by using single sign-on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on and provides an account selection experience that lists all the accounts in session, any remembered accounts, and an option to use a different account altogether.

One of the following:
"login"
"select_account"
"none"
support_groups: Optional[bool]

Should Cloudflare try to load groups from your account

name: str

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:
"onetimepin"
"azureAD"
"saml"
"centrify"
"facebook"
"github"
"google-apps"
"google"
"linkedin"
"oidc"
"okta"
"onelogin"
"pingone"
"yandex"
"cloudflare"
account_id: Optional[str]

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id: Optional[str]

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

saml_certificate_set_id: Optional[str]

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

format: uuid
scim_config: Optional[IdentityProviderSCIMConfigParam]

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled: Optional[bool]

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior: Optional[Literal["automatic", "reauth", "no_action"]]

Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates; the user identity update will only occur after successful re-authentication. With “reauth”, identities will not contain fields from the SCIM user resource. With “no_action”, identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:
"automatic"
"reauth"
"no_action"
scim_base_url: Optional[str]

The base URL of Cloudflare’s SCIM V2.0 API endpoint.

seat_deprovision: Optional[bool]

A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret: Optional[str]

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision: Optional[bool]

A flag to enable revoking a user’s session in Access and Gateway when they have been deprovisioned in the Identity Provider.
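
A pre-flight check for this PUT, as an added example (not part of the Cloudflare SDK or of the original page): it enforces the constraints stated in the parameter reference above, redacts secrets before logging, and builds the request without sending it. The function names, the sample body and its placeholder values are constructed for illustration, and treating type as mandatory on every update is an assumption.

```python
import json
import urllib.request
from typing import Any, Dict, List, Optional

API_BASE = "https://api.cloudflare.com/client/v4"  # Cloudflare API v4 base URL

# Enumerations copied from the parameter reference above.
IDP_TYPES = {"onetimepin", "azureAD", "saml", "centrify", "facebook", "github",
             "google-apps", "google", "linkedin", "oidc", "okta", "onelogin",
             "pingone", "yandex", "cloudflare"}
PROMPTS = {"login", "select_account", "none"}
UPDATE_BEHAVIORS = {"automatic", "reauth", "no_action"}
SECRET_FIELDS = {"client_secret", "secret"}  # values that must never reach logs


def validate_update(idp_id: str, body: Dict[str, Any],
                    account_id: Optional[str] = None,
                    zone_id: Optional[str] = None) -> List[str]:
    """Return a list of problems; an empty list means the update may be sent."""
    problems: List[str] = []
    if (account_id is None) == (zone_id is None):
        problems.append("set exactly one of account_id or zone_id")
    if not idp_id or len(idp_id) > 36:
        problems.append("identity_provider_id must be a UUID (maxLength 36)")
    if not isinstance(body.get("name"), str) or not body.get("name"):
        problems.append("name is required")
    # Assumption: type is sent with every update and must be a documented value.
    if body.get("type") not in IDP_TYPES:
        problems.append("type is not one of the documented provider types")
    prompt = (body.get("config") or {}).get("prompt")
    if prompt is not None and prompt not in PROMPTS:
        problems.append("config.prompt must be login, select_account or none")
    scim = body.get("scim_config") or {}
    behavior = scim.get("identity_update_behavior")
    if behavior is not None and behavior not in UPDATE_BEHAVIORS:
        problems.append("scim_config.identity_update_behavior is not a documented value")
    # Documented rule: seat_deprovision cannot be enabled without user_deprovision.
    if scim.get("seat_deprovision") and not scim.get("user_deprovision"):
        problems.append("scim_config.seat_deprovision requires user_deprovision")
    # The SCIM secret is generated by Cloudflare and documented as read-only.
    if "secret" in scim:
        problems.append("scim_config.secret is read-only and must not be sent")
    return problems


def redact(value: Any) -> Any:
    """Copy a request or response body with secret values masked for logging."""
    if isinstance(value, dict):
        return {k: "***" if k in SECRET_FIELDS and v is not None else redact(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def build_request(idp_id: str, body: Dict[str, Any], token: str,
                  account_id: Optional[str] = None,
                  zone_id: Optional[str] = None) -> urllib.request.Request:
    """Build (but do not send) the PUT request, refusing invalid input."""
    problems = validate_update(idp_id, body, account_id, zone_id)
    if problems:
        raise ValueError("; ".join(problems))
    scope = f"accounts/{account_id}" if account_id is not None else f"zones/{zone_id}"
    url = f"{API_BASE}/{scope}/access/identity_providers/{idp_id}"
    return urllib.request.Request(
        url, data=json.dumps(body).encode("utf-8"), method="PUT",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})


# Constructed sample input; every identifier below is a placeholder.
SAMPLE_IDP_ID = "00000000-0000-4000-8000-000000000000"
SAMPLE_BODY = {
    "name": "Example Entra ID",
    "type": "azureAD",
    "config": {"client_id": "<client-id>", "client_secret": "<client-secret>",
               "directory_id": "<directory-uuid>", "prompt": "login",
               "support_groups": True},
    "scim_config": {"enabled": True, "identity_update_behavior": "reauth",
                    "user_deprovision": True, "seat_deprovision": True},
}

if __name__ == "__main__":
    print(validate_update(SAMPLE_IDP_ID, SAMPLE_BODY, account_id="<account-id>"))
    print(json.dumps(redact(SAMPLE_BODY), indent=2))
```
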

Returns
One of the following:
class AzureAD:
config: Config

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

claims: Optional[List[str]]

Custom claims

client_id: Optional[str]

Your OAuth Client ID

client_secret: Optional[str]

Your OAuth Client Secret

conditional_access_enabled: Optional[bool]

Should Cloudflare try to load authentication contexts from your account

directory_id: Optional[str]

Your Azure directory UUID

email_claim_name: Optional[str]

The claim name for email in the id_token response.

prompt: Optional[Literal["login", "select_account", "none"]]

Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single sign-on. prompt=none is the opposite: it ensures that the user isn’t presented with any interactive prompt, and if the request can’t be completed silently by using single sign-on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on and provides an account selection experience that lists all the accounts in session, any remembered accounts, and an option to use a different account altogether.

One of the following:
"login"
"select_account"
"none"
support_groups: Optional[bool]

Should Cloudflare try to load groups from your account

name: str

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:
"onetimepin"
"azureAD"
"saml"
"centrify"
"facebook"
"github"
"google-apps"
"google"
"linkedin"
"oidc"
"okta"
"onelogin"
"pingone"
"yandex"
"cloudflare"
id: Optional[str]

UUID.

maxLength: 36
saml_certificate_set: Optional[SAMLCertificateSet]

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

created_at: datetime

Timestamp when the certificate set was created

format: date-time
uid: str

Unique identifier for the certificate set

format: uuid
updated_at: datetime

Timestamp when the certificate set was last updated (e.g., during rotation)

format: date-time
current_certificate: Optional[SAMLCertificateSetCurrentCertificate]

The currently active certificate used for encrypting SAML assertions

is_current: bool

Indicates whether this is the currently active certificate

not_after: datetime

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

format: date-time
public_certificate: str

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

uid: str

Unique identifier for the certificate

format: uuid
previous_certificate: Optional[object]

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

saml_certificate_set_id: Optional[str]

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

format: uuid
scim_config: Optional[IdentityProviderSCIMConfig]

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled: Optional[bool]

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior: Optional[Literal["automatic", "reauth", "no_action"]]

Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates; the user identity update will only occur after successful re-authentication. With “reauth”, identities will not contain fields from the SCIM user resource. With “no_action”, identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:
"automatic"
"reauth"
"no_action"
scim_base_url: Optional[str]

The base URL of Cloudflare’s SCIM V2.0 API endpoint.

seat_deprovision: Optional[bool]

A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret: Optional[str]

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision: Optional[bool]

A flag to enable revoking a user’s session in Access and Gateway when they have been deprovisioned in the Identity Provider.
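
A rotation check over the returned saml_certificate_set, as an added example (not part of the Cloudflare SDK or of the original page): it compares the certificate configured in the external SAML identity provider against current_certificate and previous_certificate by SHA-256 fingerprint, and reports whether the 30-day rotation window has been reached. The function names and sample data are constructed; the PEM bodies are placeholder bytes rather than real X.509 certificates, and the example assumes previous_certificate carries a public_certificate field like current_certificate does.

```python
import base64
import hashlib
from datetime import datetime, timezone
from typing import Any, Dict, Union

ROTATION_LEAD_DAYS = 30  # "automatically rotated 30 days before expiration"


def pem_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes inside a PEM block, as lowercase hex."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    b64 = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    return hashlib.sha256(base64.b64decode(b64)).hexdigest()


def parse_ts(value: Union[str, datetime]) -> datetime:
    """Accept a datetime (SDK model) or an ISO 8601 string (raw JSON)."""
    if isinstance(value, datetime):
        dt = value
    else:
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def check_certificate_set(cert_set: Dict[str, Any], configured_pem: str,
                          now: datetime) -> Dict[str, Any]:
    """Classify the certificate the external IdP encrypts with.

    state is "current", "previous" (the IdP has not picked up the rotated
    certificate yet) or "unknown" (matches neither certificate in the set).
    """
    current = cert_set.get("current_certificate")
    if not current:
        return {"state": "no_current_certificate"}
    previous = cert_set.get("previous_certificate")  # None if never rotated
    configured = pem_fingerprint(configured_pem)
    if configured == pem_fingerprint(current["public_certificate"]):
        state = "current"
    elif previous and configured == pem_fingerprint(previous["public_certificate"]):
        state = "previous"
    else:
        state = "unknown"
    days_left = (parse_ts(current["not_after"]) - now).days
    return {
        "state": state,
        "days_until_expiry": days_left,
        "rotation_due": days_left <= ROTATION_LEAD_DAYS,
        "current_fingerprint": pem_fingerprint(current["public_certificate"]),
    }


def fake_pem(seed: bytes) -> str:
    """Constructed placeholder: arbitrary bytes in PEM armor, not a real cert."""
    body = base64.b64encode(seed * 8).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


# Constructed sample shaped like the saml_certificate_set fields above.
OLD_PEM = fake_pem(b"old-cert")
NEW_PEM = fake_pem(b"new-cert")
SAMPLE_SET = {
    "uid": "<certificate-set-uid>",
    "current_certificate": {"is_current": True,
                            "not_after": "2026-03-01T00:00:00Z",
                            "public_certificate": NEW_PEM,
                            "uid": "<current-certificate-uid>"},
    "previous_certificate": {"is_current": False,
                             "not_after": "2025-03-31T00:00:00Z",
                             "public_certificate": OLD_PEM,
                             "uid": "<previous-certificate-uid>"},
}

if __name__ == "__main__":
    now = datetime(2025, 3, 10, tzinfo=timezone.utc)
    print(check_certificate_set(SAMPLE_SET, OLD_PEM, now))
```
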

class AccessCentrify:
config: AccessCentrifyConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

centrify_account: Optional[str]

Your Centrify account URL

centrify_app_id: Optional[str]

Your Centrify app ID

claims: Optional[List[str]]

Custom claims

client_id: Optional[str]

Your OAuth Client ID

client_secret: Optional[str]

Your OAuth Client Secret

email_claim_name: Optional[str]

The claim name for email in the id_token response.

name: str

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:
"onetimepin"
"azureAD"
"saml"
"centrify"
"facebook"
"github"
"google-apps"
"google"
"linkedin"
"oidc"
"okta"
"onelogin"
"pingone"
"yandex"
"cloudflare"
id: Optional[str]

UUID.

maxLength: 36
saml_certificate_set: Optional[AccessCentrifySAMLCertificateSet]

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

created_at: datetime

Timestamp when the certificate set was created

format: date-time
uid: str

Unique identifier for the certificate set

format: uuid
updated_at: datetime

Timestamp when the certificate set was last updated (e.g., during rotation)

format: date-time
current_certificate: Optional[AccessCentrifySAMLCertificateSetCurrentCertificate]

The currently active certificate used for encrypting SAML assertions

is_current: bool

Indicates whether this is the currently active certificate

not_after: datetime

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

format: date-time
public_certificate: str

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

uid: str

Unique identifier for the certificate

format: uuid
previous_certificate: Optional[object]

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

saml_certificate_set_id: Optional[str]

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

format: uuid
scim_config: Optional[IdentityProviderSCIMConfig]

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled: Optional[bool]

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior: Optional[Literal["automatic", "reauth", "no_action"]]

Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates; the user identity update will only occur after successful re-authentication. With “reauth”, identities will not contain fields from the SCIM user resource. With “no_action”, identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:
"automatic"
"reauth"
"no_action"
scim_base_url: Optional[str]

The base URL of Cloudflare’s SCIM V2.0 API endpoint.

seat_deprovision: Optional[bool]

A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret: Optional[str]

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision: Optional[bool]

A flag to enable revoking a user’s session in Access and Gateway when they have been deprovisioned in the Identity Provider.

class AccessFacebook:

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

client_id: Optional[str]

Your OAuth Client ID

client_secret: Optional[str]

Your OAuth Client Secret

name: str

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:
"onetimepin"
"azureAD"
"saml"
"centrify"
"facebook"
"github"
"google-apps"
"google"
"linkedin"
"oidc"
"okta"
"onelogin"
"pingone"
"yandex"
"cloudflare"
id: Optional[str]

UUID.

maxLength: 36
saml_certificate_set: Optional[AccessFacebookSAMLCertificateSet]

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

created_at: datetime

Timestamp when the certificate set was created

format: date-time
uid: str

Unique identifier for the certificate set

format: uuid
updated_at: datetime

Timestamp when the certificate set was last updated (e.g., during rotation)

format: date-time
current_certificate: Optional[AccessFacebookSAMLCertificateSetCurrentCertificate]

The currently active certificate used for encrypting SAML assertions

is_current: bool

Indicates whether this is the currently active certificate

not_after: datetime

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

format: date-time
public_certificate: str

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

uid: str

Unique identifier for the certificate

format: uuid
previous_certificate: Optional[object]

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

saml_certificate_set_id: Optional[str]

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

format: uuid
scim_config: Optional[IdentityProviderSCIMConfig]

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled: Optional[bool]

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior: Optional[Literal["automatic", "reauth", "no_action"]]

Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates; the user identity update will only occur after successful re-authentication. With “reauth”, identities will not contain fields from the SCIM user resource. With “no_action”, identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:
"automatic"
"reauth"
"no_action"
scim_base_url: Optional[str]

The base URL of Cloudflare’s SCIM V2.0 API endpoint.

seat_deprovision: Optional[bool]

A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret: Optional[str]

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision: Optional[bool]

A flag to enable revoking a user’s session in Access and Gateway when they have been deprovisioned in the Identity Provider.

class AccessGitHub:

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

client_id: Optional[str]

Your OAuth Client ID

client_secret: Optional[str]

Your OAuth Client Secret

name: str

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:
"onetimepin"
"azureAD"
"saml"
"centrify"
"facebook"
"github"
"google-apps"
"google"
"linkedin"
"oidc"
"okta"
"onelogin"
"pingone"
"yandex"
"cloudflare"
id: Optional[str]

UUID.

maxLength: 36
saml_certificate_set: Optional[AccessGitHubSAMLCertificateSet]

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

created_at: datetime

Timestamp when the certificate set was created

format: date-time
uid: str

Unique identifier for the certificate set

format: uuid
updated_at: datetime

Timestamp when the certificate set was last updated (e.g., during rotation)

format: date-time
current_certificate: Optional[AccessGitHubSAMLCertificateSetCurrentCertificate]

The currently active certificate used for encrypting SAML assertions

is_current: bool

Indicates whether this is the currently active certificate

not_after: datetime

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

format: date-time
public_certificate: str

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

uid: str

Unique identifier for the certificate

format: uuid
previous_certificate: Optional[object]

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

saml_certificate_set_id: Optional[str]

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

format: uuid
scim_config: Optional[IdentityProviderSCIMConfig]

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled: Optional[bool]

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior: Optional[Literal["automatic", "reauth", "no_action"]]

Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates; the user identity update will only occur after successful re-authentication. With “reauth”, identities will not contain fields from the SCIM user resource. With “no_action”, identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:
"automatic"
"reauth"
"no_action"
scim_base_url: Optional[str]

The base URL of Cloudflare’s SCIM V2.0 API endpoint.

seat_deprovision: Optional[bool]

A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret: Optional[str]

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision: Optional[bool]

A flag to enable revoking a user’s session in Access and Gateway when they have been deprovisioned in the Identity Provider.

class AccessGoogle:
config: AccessGoogleConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

claims: Optional[List[str]]

Custom claims

client_id: Optional[str]

Your OAuth Client ID

client_secret: Optional[str]

Your OAuth Client Secret

email_claim_name: Optional[str]

The claim name for email in the id_token response.

name: str

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:
"onetimepin"
"azureAD"
"saml"
"centrify"
"facebook"
"github"
"google-apps"
"google"
"linkedin"
"oidc"
"okta"
"onelogin"
"pingone"
"yandex"
"cloudflare"
id: Optional[str]

UUID.

maxLength: 36
saml_certificate_set: Optional[AccessGoogleSAMLCertificateSet]

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

created_at: datetime

Timestamp when the certificate set was created

format: date-time
uid: str

Unique identifier for the certificate set

format: uuid
updated_at: datetime

Timestamp when the certificate set was last updated (e.g., during rotation)

format: date-time
current_certificate: Optional[AccessGoogleSAMLCertificateSetCurrentCertificate]

The currently active certificate used for encrypting SAML assertions

is_current: bool

Indicates whether this is the currently active certificate

not_after: datetime

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

format: date-time
public_certificate: str

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

uid: str

Unique identifier for the certificate

format: uuid
previous_certificate: Optional[object]

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

saml_certificate_set_id: Optional[str]

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

format: uuid
scim_config: Optional[IdentityProviderSCIMConfig]

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled: Optional[bool]

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior: Optional[Literal["automatic", "reauth", "no_action"]]

Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates; the user identity update will only occur after successful re-authentication. With “reauth”, identities will not contain fields from the SCIM user resource. With “no_action”, identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:
"automatic"
"reauth"
"no_action"
scim_base_url: Optional[str]

The base URL of Cloudflare’s SCIM V2.0 API endpoint.

seat_deprovision: Optional[bool]

A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret: Optional[str]

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision: Optional[bool]

A flag to enable revoking a user’s session in Access and Gateway when they have been deprovisioned in the Identity Provider.

class AccessGoogleApps:
config: AccessGoogleAppsConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

apps_domain: Optional[str]

Your company’s TLD

claims: Optional[List[str]]

Custom claims

client_id: Optional[str]

Your OAuth Client ID

client_secret: Optional[str]

Your OAuth Client Secret

email_claim_name: Optional[str]

The claim name for email in the id_token response.

name: str

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:
"onetimepin"
"azureAD"
"saml"
"centrify"
"facebook"
"github"
"google-apps"
"google"
"linkedin"
"oidc"
"okta"
"onelogin"
"pingone"
"yandex"
"cloudflare"
id: Optional[str]

UUID.

maxLength: 36
saml_certificate_set: Optional[AccessGoogleAppsSAMLCertificateSet]

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

created_at: datetime

Timestamp when the certificate set was created

format: date-time
uid: str

Unique identifier for the certificate set

format: uuid
updated_at: datetime

Timestamp when the certificate set was last updated (e.g., during rotation)

format: date-time
current_certificate: Optional[AccessGoogleAppsSAMLCertificateSetCurrentCertificate]

The currently active certificate used for encrypting SAML assertions

is_current: bool

Indicates whether this is the currently active certificate

not_after: datetime

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

format: date-time
public_certificate: str

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

uid: str

Unique identifier for the certificate

format: uuid
previous_certificate: Optional[object]

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

saml_certificate_set_id: Optional[str]

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

format: uuid
scim_config: Optional[IdentityProviderSCIMConfig]

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled: Optional[bool]

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior: Optional[Literal["automatic", "reauth", "no_action"]]

Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates; the user identity update will only occur after successful re-authentication. With “reauth”, identities will not contain fields from the SCIM user resource. With “no_action”, identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:
"automatic"
"reauth"
"no_action"
scim_base_url: Optional[str]

The base URL of Cloudflare’s SCIM V2.0 API endpoint.

seat_deprovision: Optional[bool]

A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret: Optional[str]

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision: Optional[bool]

A flag to enable revoking a user’s session in Access and Gateway when they have been deprovisioned in the Identity Provider.

class AccessLinkedin:

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

client_id: Optional[str]

Your OAuth Client ID

client_secret: Optional[str]

Your OAuth Client Secret

name: str

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:
"onetimepin"
"azureAD"
"saml"
"centrify"
"facebook"
"github"
"google-apps"
"google"
"linkedin"
"oidc"
"okta"
"onelogin"
"pingone"
"yandex"
"cloudflare"
id: Optional[str]

UUID.

maxLength: 36
saml_certificate_set: Optional[AccessLinkedinSAMLCertificateSet]

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

created_at: datetime

Timestamp when the certificate set was created

format: date-time
uid: str

Unique identifier for the certificate set

format: uuid
updated_at: datetime

Timestamp when the certificate set was last updated (e.g., during rotation)

format: date-time
current_certificate: Optional[AccessLinkedinSAMLCertificateSetCurrentCertificate]

The currently active certificate used for encrypting SAML assertions

is_current: bool

Indicates whether this is the currently active certificate

not_after: datetime

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

format: date-time
public_certificate: str

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

uid: str

Unique identifier for the certificate

format: uuid
previous_certificate: Optional[object]

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

saml_certificate_set_id: Optional[str]

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

format: uuid
scim_config: Optional[IdentityProviderSCIMConfig]

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled: Optional[bool]

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior: Optional[Literal["automatic", "reauth", "no_action"]]

Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates; the user identity update will only occur after successful re-authentication. With “reauth”, identities will not contain fields from the SCIM user resource. With “no_action”, identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:
"automatic"
"reauth"
"no_action"
scim_base_url: Optional[str]

The base URL of Cloudflare’s SCIM V2.0 API endpoint.

seat_deprovision: Optional[bool]

A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret: Optional[str]

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision: Optional[bool]

A flag to enable revoking a user’s session in Access and Gateway when they have been deprovisioned in the Identity Provider.
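The scim_config flags described above interact, so a review of them is worth automating. The following is an added example (not Cloudflare's code) that audits those fields across identity provider objects and masks client_secret and the SCIM secret before anything is logged. The provider dictionaries are constructed sample data shaped like the model on this page, and the severity labels and helper names are this example's own.

```python
SCIM_BEHAVIORS = {"automatic", "reauth", "no_action"}  # values listed on this page
SECRET_KEYS = {"client_secret", "secret"}              # fields the page describes as secrets
SEVERITY_ORDER = {"error": 0, "warn": 1, "info": 2}    # this example's own labels


def audit_scim(provider):
    """Return (severity, message) findings for one identity provider dict."""
    findings = []
    scim = provider.get("scim_config") or {}
    if not scim.get("enabled"):
        return findings  # SCIM is not in use, so the flags below have no effect
    user_dep = scim.get("user_deprovision") is True
    seat_dep = scim.get("seat_deprovision") is True
    if seat_dep and not user_dep:
        findings.append(("error", "seat_deprovision cannot be enabled unless "
                                  "user_deprovision is also enabled"))
    if not user_dep:
        findings.append(("warn", "user_deprovision is off: sessions are not revoked "
                                 "when the IdP deprovisions a user"))
    behavior = scim.get("identity_update_behavior")
    if behavior is not None and behavior not in SCIM_BEHAVIORS:
        findings.append(("error", f"identity_update_behavior {behavior!r} "
                                  "is not a listed value"))
    elif behavior == "no_action":
        findings.append(("warn", "no_action: SCIM updates never change the identity "
                                 "used for policy evaluation"))
    elif behavior == "reauth":
        findings.append(("info", "reauth: identity changes only after "
                                 "re-authentication and carries no SCIM user fields"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


def audit_all(providers):
    """Map provider name -> findings, listing only providers with findings."""
    report = {}
    for provider in providers:
        findings = audit_scim(provider)
        if findings:
            report[provider.get("name", "<unnamed>")] = findings
    return report


def redact(obj):
    """Return a copy with client_secret / secret values masked, safe to log."""
    if isinstance(obj, dict):
        return {k: ("<redacted>" if k in SECRET_KEYS and v else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


# Constructed sample data: names, ids and secrets are placeholders.
PROVIDERS = [
    {   # weak: invalid flag combination and identities never updated by SCIM
        "name": "okta-prod", "type": "okta",
        "config": {"client_id": "constructed-client-id",
                   "client_secret": "constructed-client-secret"},
        "scim_config": {"enabled": True, "seat_deprovision": True,
                        "user_deprovision": False,
                        "identity_update_behavior": "no_action",
                        "secret": "constructed-scim-token"},
    },
    {   # corrected: sessions revoked and seats released on deprovisioning
        "name": "entra-prod", "type": "azureAD",
        "scim_config": {"enabled": True, "seat_deprovision": True,
                        "user_deprovision": True,
                        "identity_update_behavior": "automatic"},
    },
    {"name": "otp", "type": "onetimepin"},  # no scim_config at all
]

if __name__ == "__main__":
    for name, findings in audit_all(PROVIDERS).items():
        for severity, message in findings:
            print(f"{name}: [{severity}] {message}")
    print(redact(PROVIDERS[0]))
```
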

class AccessOIDC:
config: AccessOIDCConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

auth_url: Optional[str]

The authorization_endpoint URL of your IdP

certs_url: Optional[str]

The jwks_uri endpoint of your IdP, which publishes the keys the IdP uses to sign the tokens

claims: Optional[List[str]]

Custom claims

client_id: Optional[str]

Your OAuth Client ID

client_secret: Optional[str]

Your OAuth Client Secret

email_claim_name: Optional[str]

The claim name for email in the id_token response.

pkce_enabled: Optional[bool]

Enable Proof Key for Code Exchange (PKCE)

scopes: Optional[List[str]]

OAuth scopes

token_url: Optional[str]

The token_endpoint URL of your IdP

name: str

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:
"onetimepin"
"azureAD"
"saml"
"centrify"
"facebook"
"github"
"google-apps"
"google"
"linkedin"
"oidc"
"okta"
"onelogin"
"pingone"
"yandex"
"cloudflare"
id: Optional[str]

UUID.

maxLength: 36
saml_certificate_set: Optional[AccessOIDCSAMLCertificateSet]

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

created_at: datetime

Timestamp when the certificate set was created

format: date-time
uid: str

Unique identifier for the certificate set

format: uuid
updated_at: datetime

Timestamp when the certificate set was last updated (e.g., during rotation)

format: date-time
current_certificate: Optional[AccessOIDCSAMLCertificateSetCurrentCertificate]

The currently active certificate used for encrypting SAML assertions

is_current: bool

Indicates whether this is the currently active certificate

not_after: datetime

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

format: date-time
public_certificate: str

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

uid: str

Unique identifier for the certificate

format: uuid
previous_certificate: Optional[object]

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

saml_certificate_set_id: Optional[str]

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

format: uuid
scim_config: Optional[IdentityProviderSCIMConfig]

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled: Optional[bool]

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior: Optional[Literal["automatic", "reauth", "no_action"]]

Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates; the user identity update will only occur after successful re-authentication. With “reauth”, identities will not contain fields from the SCIM user resource. With “no_action”, identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:
"automatic"
"reauth"
"no_action"
scim_base_url: Optional[str]

The base URL of Cloudflare’s SCIM V2.0 API endpoint.

seat_deprovision: Optional[bool]

A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret: Optional[str]

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision: Optional[bool]

A flag to enable revoking a user’s session in Access and Gateway when they have been deprovisioned in the Identity Provider.

class AccessOkta:
config: AccessOktaConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

authorization_server_id: Optional[str]

Your Okta authorization server ID

claims: Optional[List[str]]

Custom claims

client_id: Optional[str]

Your OAuth Client ID

client_secret: Optional[str]

Your OAuth Client Secret

email_claim_name: Optional[str]

The claim name for email in the id_token response.

okta_account: Optional[str]

Your Okta account URL

name: str

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:
"onetimepin"
"azureAD"
"saml"
"centrify"
"facebook"
"github"
"google-apps"
"google"
"linkedin"
"oidc"
"okta"
"onelogin"
"pingone"
"yandex"
"cloudflare"
id: Optional[str]

UUID.

maxLength: 36
saml_certificate_set: Optional[AccessOktaSAMLCertificateSet]

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

created_at: datetime

Timestamp when the certificate set was created

format: date-time
uid: str

Unique identifier for the certificate set

format: uuid
updated_at: datetime

Timestamp when the certificate set was last updated (e.g., during rotation)

format: date-time
current_certificate: Optional[AccessOktaSAMLCertificateSetCurrentCertificate]

The currently active certificate used for encrypting SAML assertions

is_current: bool

Indicates whether this is the currently active certificate

not_after: datetime

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

format: date-time
public_certificate: str

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

uid: str

Unique identifier for the certificate

format: uuid
previous_certificate: Optional[object]

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

saml_certificate_set_id: Optional[str]

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

format: uuid
scim_config: Optional[IdentityProviderSCIMConfig]

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled: Optional[bool]

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior: Optional[Literal["automatic", "reauth", "no_action"]]

Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates; the user identity update will only occur after successful re-authentication. With “reauth”, identities will not contain fields from the SCIM user resource. With “no_action”, identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:
"automatic"
"reauth"
"no_action"
scim_base_url: Optional[str]

The base URL of Cloudflare’s SCIM V2.0 API endpoint.

seat_deprovision: Optional[bool]

A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret: Optional[str]

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision: Optional[bool]

A flag to enable revoking a user’s session in Access and Gateway when they have been deprovisioned in the Identity Provider.

class AccessOnelogin:
config: AccessOneloginConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

claims: Optional[List[str]]

Custom claims

client_id: Optional[str]

Your OAuth Client ID

client_secret: Optional[str]

Your OAuth Client Secret

email_claim_name: Optional[str]

The claim name for email in the id_token response.

onelogin_account: Optional[str]

Your OneLogin account URL

name: str

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:
"onetimepin"
"azureAD"
"saml"
"centrify"
"facebook"
"github"
"google-apps"
"google"
"linkedin"
"oidc"
"okta"
"onelogin"
"pingone"
"yandex"
"cloudflare"
id: Optional[str]

UUID.

maxLength: 36
saml_certificate_set: Optional[AccessOneloginSAMLCertificateSet]

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

created_at: datetime

Timestamp when the certificate set was created

format: date-time
uid: str

Unique identifier for the certificate set

format: uuid
updated_at: datetime

Timestamp when the certificate set was last updated (e.g., during rotation)

format: date-time
current_certificate: Optional[AccessOneloginSAMLCertificateSetCurrentCertificate]

The currently active certificate used for encrypting SAML assertions

is_current: bool

Indicates whether this is the currently active certificate

not_after: datetime

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

format: date-time
public_certificate: str

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

uid: str

Unique identifier for the certificate

format: uuid
previous_certificate: Optional[object]

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

saml_certificate_set_id: Optional[str]

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

format: uuid
scim_config: Optional[IdentityProviderSCIMConfig]

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled: Optional[bool]

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior: Optional[Literal["automatic", "reauth", "no_action"]]

Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates; the user identity update will only occur after successful re-authentication. With “reauth”, identities will not contain fields from the SCIM user resource. With “no_action”, identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:
"automatic"
"reauth"
"no_action"
scim_base_url: Optional[str]

The base URL of Cloudflare’s SCIM V2.0 API endpoint.

seat_deprovision: Optional[bool]

A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret: Optional[str]

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision: Optional[bool]

A flag to enable revoking a user’s session in Access and Gateway when they have been deprovisioned in the Identity Provider.

class AccessPingone:
config: AccessPingoneConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

claims: Optional[List[str]]

Custom claims

client_id: Optional[str]

Your OAuth Client ID

client_secret: Optional[str]

Your OAuth Client Secret

email_claim_name: Optional[str]

The claim name for email in the id_token response.

ping_env_id: Optional[str]

Your PingOne environment identifier

name: str

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:
"onetimepin"
"azureAD"
"saml"
"centrify"
"facebook"
"github"
"google-apps"
"google"
"linkedin"
"oidc"
"okta"
"onelogin"
"pingone"
"yandex"
"cloudflare"
id: Optional[str]

UUID.

maxLength: 36
saml_certificate_set: Optional[AccessPingoneSAMLCertificateSet]

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

created_at: datetime

Timestamp when the certificate set was created

format: date-time
uid: str

Unique identifier for the certificate set

format: uuid
updated_at: datetime

Timestamp when the certificate set was last updated (e.g., during rotation)

format: date-time
current_certificate: Optional[AccessPingoneSAMLCertificateSetCurrentCertificate]

The currently active certificate used for encrypting SAML assertions

is_current: bool

Indicates whether this is the currently active certificate

not_after: datetime

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

format: date-time
public_certificate: str

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

uid: str

Unique identifier for the certificate

format: uuid
previous_certificate: Optional[object]

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

saml_certificate_set_id: Optional[str]

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

format: uuid
scim_config: Optional[IdentityProviderSCIMConfig]

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled: Optional[bool]

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior: Optional[Literal["automatic", "reauth", "no_action"]]

Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates; the user identity update will only occur after successful re-authentication. With “reauth”, identities will not contain fields from the SCIM user resource. With “no_action”, identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:
"automatic"
"reauth"
"no_action"
scim_base_url: Optional[str]

The base URL of Cloudflare’s SCIM V2.0 API endpoint.

seat_deprovision: Optional[bool]

A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret: Optional[str]

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision: Optional[bool]

A flag to enable revoking a user’s session in Access and Gateway when they have been deprovisioned in the Identity Provider.

class AccessSAML:
config: AccessSAMLConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

attributes: Optional[List[str]]

A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules.

email_attribute_name: Optional[str]

The attribute name for email in the SAML response.

enable_encryption: Optional[bool]

Enable SAML assertion encryption. When enabled, the Identity Provider will encrypt SAML assertions using the certificate from the assigned certificate set.

To enable encryption:

  1. Create a certificate set via POST to /identity_providers/{id}/saml_certificate
  2. Set this field to true and include saml_certificate_set_id in the PUT request
  3. Configure the public certificate in your external Identity Provider

Note: Requires saml_certificate_set_id to be set when true.
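The procedure above can be checked before and after the PUT. The following is an added example (not Cloudflare's code) that validates the step 2 body offline and, for step 3, picks the certificate to load into the external IdP from a saml_certificate_set object and computes when automatic rotation is expected. It assumes saml_certificate_set_id sits at the top level of the body and that timestamps arrive as ISO 8601 strings; all sample values are constructed, and `now` must be timezone-aware.

```python
from datetime import datetime, timedelta, timezone
from uuid import UUID

# "type" values listed on this page.
IDP_TYPES = {
    "onetimepin", "azureAD", "saml", "centrify", "facebook", "github",
    "google-apps", "google", "linkedin", "oidc", "okta", "onelogin",
    "pingone", "yandex", "cloudflare",
}
ROTATION_LEAD = timedelta(days=30)  # "automatically rotated 30 days before expiration"


def is_uuid(value):
    """True for a canonical 36-character UUID string."""
    if not isinstance(value, str) or len(value) != 36:
        return False
    try:
        return str(UUID(value)) == value.lower()
    except ValueError:
        return False


def parse_ts(value):
    """Parse a date-time value; accept a trailing 'Z' and default to UTC."""
    if not isinstance(value, datetime):
        value = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return value if value.tzinfo else value.replace(tzinfo=timezone.utc)


def check_saml_encryption_update(body):
    """Step 2: list the problems in a PUT body before it is sent.

    Assumption: saml_certificate_set_id sits at the top level of the body,
    beside name/type/config, as it does in the model on this page.
    """
    problems = []
    name = body.get("name")
    if not isinstance(name, str) or not name.strip():
        problems.append("name: required")
    idp_type = body.get("type")
    if idp_type not in IDP_TYPES:
        problems.append("type: not a listed provider type")
    config = body.get("config") or {}
    if config.get("enable_encryption") is True:
        if idp_type != "saml":
            problems.append("type: enable_encryption is a saml config field")
        set_id = body.get("saml_certificate_set_id")
        if set_id is None:
            problems.append("saml_certificate_set_id: required when "
                            "enable_encryption is true")
        elif not is_uuid(set_id):
            problems.append("saml_certificate_set_id: not a UUID")
    return problems


def certificate_to_configure(cert_set, now):
    """Step 3: return (pem, expected_rotation_time, status) for a certificate set.

    status is "rotated" when previous_certificate is present (the external IdP
    may still hold the old certificate), "rotation_window" inside the last
    30 days before not_after, otherwise "ok".
    """
    current = cert_set.get("current_certificate")
    if not current or not current.get("is_current"):
        raise ValueError("no active current_certificate in the certificate set")
    not_after = parse_ts(current["not_after"])
    if not_after <= now:
        raise ValueError("current_certificate is past not_after")
    rotate_at = not_after - ROTATION_LEAD
    if cert_set.get("previous_certificate") is not None:
        status = "rotated"
    elif now >= rotate_at:
        status = "rotation_window"
    else:
        status = "ok"
    return current["public_certificate"], rotate_at, status


# Constructed sample data: every value below is a placeholder.
SAMPLE_BODY = {
    "name": "Corporate SAML",
    "type": "saml",
    "config": {
        "issuer_url": "https://idp.example.com/metadata",
        "sso_target_url": "https://idp.example.com/sso",
        "email_attribute_name": "email",
        "enable_encryption": True,
    },
    "saml_certificate_set_id": "11111111-2222-4333-8444-555555555555",
}
SAMPLE_CERT_SET = {
    "uid": "11111111-2222-4333-8444-555555555555",
    "current_certificate": {
        "uid": "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee",
        "is_current": True,
        "not_after": "2025-06-30T00:00:00Z",
        "public_certificate": "-----BEGIN CERTIFICATE-----\n(placeholder)\n"
                              "-----END CERTIFICATE-----",
    },
    "previous_certificate": None,
}

if __name__ == "__main__":
    print(check_saml_encryption_update(SAMPLE_BODY))
    when = datetime(2025, 1, 1, tzinfo=timezone.utc)
    print(certificate_to_configure(SAMPLE_CERT_SET, when)[1:])
```
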

header_attributes: Optional[List[AccessSAMLConfigHeaderAttribute]]

Add a list of attribute names that will be returned in the response header from the Access callback.

attribute_name: Optional[str]

Attribute name from the IdP

header_name: Optional[str]

Header that will be added to the request to the origin

idp_public_certs: Optional[List[str]]

X.509 certificate used to verify the signature in the SAML authentication response

issuer_url: Optional[str]

IdP Entity ID or Issuer URL

sign_request: Optional[bool]

Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints.

sso_target_url: Optional[str]

URL to send the SAML authentication requests to

name: str

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:
"onetimepin"
"azureAD"
"saml"
"centrify"
"facebook"
"github"
"google-apps"
"google"
"linkedin"
"oidc"
"okta"
"onelogin"
"pingone"
"yandex"
"cloudflare"
id: Optional[str]

UUID.

maxLength: 36
saml_certificate_set: Optional[AccessSAMLSAMLCertificateSet]

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

created_at: datetime

Timestamp when the certificate set was created

format: date-time
uid: str

Unique identifier for the certificate set

format: uuid
updated_at: datetime

Timestamp when the certificate set was last updated (e.g., during rotation)

format: date-time
current_certificate: Optional[AccessSAMLSAMLCertificateSetCurrentCertificate]

The currently active certificate used for encrypting SAML assertions

is_current: bool

Indicates whether this is the currently active certificate

not_after: datetime

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

format: date-time
public_certificate: str

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

uid: str

Unique identifier for the certificate

format: uuid
previous_certificate: Optional[object]

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

saml_certificate_set_id: Optional[str]

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

format: uuid
scim_config: Optional[IdentityProviderSCIMConfig]

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled: Optional[bool]

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior: Optional[Literal["automatic", "reauth", "no_action"]]

Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates; the user identity update will only occur after successful re-authentication. With “reauth”, identities will not contain fields from the SCIM user resource. With “no_action”, identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:
"automatic"
"reauth"
"no_action"
scim_base_url: Optional[str]

The base URL of Cloudflare’s SCIM V2.0 API endpoint.

seat_deprovision: Optional[bool]

A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret: Optional[str]

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision: Optional[bool]

A flag to enable revoking a user’s session in Access and Gateway when they have been deprovisioned in the Identity Provider.

class AccessYandex:

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

client_id: Optional[str]

Your OAuth Client ID

client_secret: Optional[str]

Your OAuth Client Secret

name: str

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:
"onetimepin"
"azureAD"
"saml"
"centrify"
"facebook"
"github"
"google-apps"
"google"
"linkedin"
"oidc"
"okta"
"onelogin"
"pingone"
"yandex"
"cloudflare"
id: Optional[str]

UUID.

maxLength: 36
saml_certificate_set: Optional[AccessYandexSAMLCertificateSet]

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

created_at: datetime

Timestamp when the certificate set was created

format: date-time
uid: str

Unique identifier for the certificate set

format: uuid
updated_at: datetime

Timestamp when the certificate set was last updated (e.g., during rotation)

format: date-time
current_certificate: Optional[AccessYandexSAMLCertificateSetCurrentCertificate]

The currently active certificate used for encrypting SAML assertions

is_current: bool

Indicates whether this is the currently active certificate

not_after: datetime

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

format: date-time
public_certificate: str

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

uid: str

Unique identifier for the certificate

format: uuid
previous_certificate: Optional[object]

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

saml_certificate_set_id: Optional[str]

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

format: uuid
scim_config: Optional[IdentityProviderSCIMConfig]

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled: Optional[bool]

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior: Optional[Literal["automatic", "reauth", "no_action"]]

Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates; the user identity update will only occur after successful re-authentication. With “reauth”, identities will not contain fields from the SCIM user resource. With “no_action”, identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:
"automatic"
"reauth"
"no_action"
scim_base_url: Optional[str]

The base URL of Cloudflare’s SCIM V2.0 API endpoint.

seat_deprovision: Optional[bool]

A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret: Optional[str]

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision: Optional[bool]

A flag to enable revoking a user’s session in Access and Gateway when they have been deprovisioned in the Identity Provider.

class AccessOnetimepin:
config: AccessOnetimepinConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

redirect_url: Optional[str]
name: str

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:
"onetimepin"
"azureAD"
"saml"
"centrify"
"facebook"
"github"
"google-apps"
"google"
"linkedin"
"oidc"
"okta"
"onelogin"
"pingone"
"yandex"
"cloudflare"
id: Optional[str]

UUID.

maxLength: 36
saml_certificate_set: Optional[AccessOnetimepinSAMLCertificateSet]

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

created_at: datetime

Timestamp when the certificate set was created

format: date-time
uid: str

Unique identifier for the certificate set

format: uuid
updated_at: datetime

Timestamp when the certificate set was last updated (e.g., during rotation)

format: date-time
current_certificate: Optional[AccessOnetimepinSAMLCertificateSetCurrentCertificate]

The currently active certificate used for encrypting SAML assertions

is_current: bool

Indicates whether this is the currently active certificate

not_after: datetime

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

format: date-time
public_certificate: str

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

uid: str

Unique identifier for the certificate

format: uuid
previous_certificate: Optional[object]

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

saml_certificate_set_id: Optional[str]

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

format: uuid
scim_config: Optional[IdentityProviderSCIMConfig]

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled: Optional[bool]

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior: Optional[Literal["automatic", "reauth", "no_action"]]

Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates; the user identity update will only occur after successful re-authentication. With “reauth”, identities will not contain fields from the SCIM user resource. With “no_action”, identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:
"automatic"
"reauth"
"no_action"
scim_base_url: Optional[str]

The base URL of Cloudflare’s SCIM V2.0 API endpoint.

seat_deprovision: Optional[bool]

A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret: Optional[str]

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision: Optional[bool]

A flag to enable revoking a user’s session in Access and Gateway when they have been deprovisioned in the Identity Provider.

class AccessCloudflare:
config: AccessCloudflareConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

redirect_url: Optional[str]
restrict_to_account_members: Optional[bool]

When enabled, only users who are members of your Cloudflare account can authenticate through this identity provider. When disabled, any user with a Cloudflare account can authenticate, subject to your Access policies.

name: str

The name of the identity provider, shown to users on the login page.

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:
"onetimepin"
"azureAD"
"saml"
"centrify"
"facebook"
"github"
"google-apps"
"google"
"linkedin"
"oidc"
"okta"
"onelogin"
"pingone"
"yandex"
"cloudflare"
id: Optional[str]

UUID.

maxLength: 36
saml_certificate_set: Optional[AccessCloudflareSAMLCertificateSet]

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

created_at: datetime

Timestamp when the certificate set was created

format: date-time
uid: str

Unique identifier for the certificate set

format: uuid
updated_at: datetime

Timestamp when the certificate set was last updated (e.g., during rotation)

format: date-time
current_certificate: Optional[AccessCloudflareSAMLCertificateSetCurrentCertificate]

The currently active certificate used for encrypting SAML assertions

is_current: bool

Indicates whether this is the currently active certificate

not_after: datetime

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

format: date-time
public_certificate: str

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

uid: str

Unique identifier for the certificate

format: uuid
previous_certificate: Optional[object]

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

saml_certificate_set_id: Optional[str]

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

format: uuid
scim_config: Optional[IdentityProviderSCIMConfig]

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled: Optional[bool]

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior: Optional[Literal["automatic", "reauth", "no_action"]]

Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates; the user identity is updated only after successful re-authentication. With “reauth”, identities will not contain fields from the SCIM user resource. With “no_action”, identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:
"automatic"
"reauth"
"no_action"
scim_base_url: Optional[str]

The base URL of Cloudflare’s SCIM V2.0 API endpoint.

seat_deprovision: Optional[bool]

A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret: Optional[str]

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose it, you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision: Optional[bool]

A flag to enable revoking a user’s session in Access and Gateway when they have been deprovisioned in the Identity Provider.

Update an Access identity provider

import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
identity_provider = client.zero_trust.identity_providers.update(
    identity_provider_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    config={},
    name="Widget Corps IDP",
    type="onetimepin",
    account_id="account_id",
)
print(identity_provider)
Returns Examples
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "config": {
      "claims": [
        "email_verified",
        "preferred_username",
        "custom_claim_name"
      ],
      "client_id": "<your client id>",
      "client_secret": "<your client secret>",
      "conditional_access_enabled": true,
      "directory_id": "<your azure directory uuid>",
      "email_claim_name": "custom_claim_name",
      "prompt": "login",
      "support_groups": true
    },
    "name": "Widget Corps IDP",
    "type": "onetimepin",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "saml_certificate_set": {
      "created_at": "2026-05-07T19:16:19.821162Z",
      "uid": "c409ef44-e72c-41c8-8c0b-278c8a6f4fd8",
      "updated_at": "2026-05-07T19:16:19.821162Z",
      "current_certificate": {
        "is_current": true,
        "not_after": "2027-05-07T19:11:00Z",
        "public_certificate": "-----BEGIN CERTIFICATE-----\nMIIEpzCCA4+gAwIBAgIUTh2VSDDJ0oB/gabio6j1L9QwWoUwDQYJKoZIhvcNAQEL\n...\n-----END CERTIFICATE-----\n",
        "uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
      },
      "previous_certificate": {}
    },
    "saml_certificate_set_id": "c409ef44-e72c-41c8-8c0b-278c8a6f4fd8",
    "scim_config": {
      "enabled": true,
      "identity_update_behavior": "automatic",
      "scim_base_url": "scim_base_url",
      "seat_deprovision": true,
      "secret": "secret",
      "user_deprovision": true
    }
  }
}
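As an added example (not Cloudflare's code and not part of the SDK), the sketch below lints the keyword arguments for `identity_providers.update` against the constraints this reference states for `scim_config` and `restrict_to_account_members`, and redacts `client_secret` and the SCIM `secret` before a result is logged. The function names and sample values are assumptions constructed for illustration, and the result is treated as a plain dict shaped like the JSON response above.

```python
from __future__ import annotations
import copy

ALLOWED_BEHAVIORS = {"automatic", "reauth", "no_action"}
# (section, key) pairs in an IdentityProvider result that hold credentials.
SECRET_PATHS = (("config", "client_secret"), ("scim_config", "secret"))

def lint_idp_update(params: dict) -> list[str]:
    """Hypothetical pre-flight check for kwargs passed to identity_providers.update()."""
    findings = []
    scim = params.get("scim_config") or {}
    config = params.get("config") or {}
    behavior = scim.get("identity_update_behavior")
    if scim.get("seat_deprovision") and not scim.get("user_deprovision"):
        findings.append("error: seat_deprovision requires user_deprovision")
    if behavior is not None and behavior not in ALLOWED_BEHAVIORS:
        findings.append(f"error: unknown identity_update_behavior {behavior!r}")
    if scim.get("enabled") and not scim.get("user_deprovision"):
        findings.append("warn: sessions are not revoked when a user is deprovisioned")
    if scim.get("enabled") and behavior == "no_action":
        findings.append("warn: SCIM updates will not change identities used by policies")
    if params.get("type") == "cloudflare" and not config.get("restrict_to_account_members"):
        findings.append("warn: any user with a Cloudflare account can authenticate")
    return findings

def redact_secrets(result: dict) -> dict:
    """Return a deep copy of an IdentityProvider result that is safe to log."""
    safe = copy.deepcopy(result)
    for section, key in SECRET_PATHS:
        if isinstance(safe.get(section), dict) and safe[section].get(key):
            safe[section][key] = "<redacted>"
    return safe

# Constructed sample inputs (not real account data).
RISKY_UPDATE = {
    "name": "Widget Corps IDP", "type": "cloudflare",
    "config": {"restrict_to_account_members": False},
    "scim_config": {"enabled": True, "identity_update_behavior": "no_action",
                    "seat_deprovision": True, "user_deprovision": False},
}
SAMPLE_RESULT = {"config": {"client_id": "example-client", "client_secret": "constructed-secret"},
                 "scim_config": {"enabled": True, "secret": "constructed-scim-token"}}

if __name__ == "__main__":
    for finding in lint_idp_update(RISKY_UPDATE):
        print(finding)
    print(redact_secrets(SAMPLE_RESULT))
```

Because the SCIM `secret` is returned only when the integration is first enabled, store it in a secrets manager from the original result and pass only the redacted copy to logging.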