Add an Access identity provider
Adds a new identity provider to Access.
Security
API Token
The preferred authorization scheme for interacting with the Cloudflare API. Create a token.
Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYYAPI Email + API Key
The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.
X-Auth-Email: user@example.comThe previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.
X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194Accepted Permissions (at least one required)
Access: Organizations, Identity Providers, and Groups WritePath ParametersExpand Collapse
Body ParametersJSONExpand Collapse
AzureAD { config, name, type, 2 more }
config: { claims, client_id, client_secret, 5 more } The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
Should Cloudflare try to load authentication contexts from your account
prompt: optional "login" or "select_account" or "none"Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single-sign on. prompt=none is the opposite. It ensures that the user isn’t presented with any interactive prompt. If the request can’t be completed silently by using single-sign on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on providing account selection experience listing all the accounts either in session or any remembered account or an option to choose to use a different account altogether.
Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single-sign on. prompt=none is the opposite. It ensures that the user isn’t presented with any interactive prompt. If the request can’t be completed silently by using single-sign on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on providing account selection experience listing all the accounts either in session or any remembered account or an option to choose to use a different account altogether.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more } The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
identity_update_behavior: optional "automatic" or "reauth" or "no_action"Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
AccessCentrify { config, name, type, 2 more }
config: { centrify_account, centrify_app_id, claims, 3 more } The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more } The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
identity_update_behavior: optional "automatic" or "reauth" or "no_action"Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
AccessFacebook { config, name, type, 2 more }
The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more } The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
identity_update_behavior: optional "automatic" or "reauth" or "no_action"Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
AccessGitHub { config, name, type, 2 more }
The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more } The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
identity_update_behavior: optional "automatic" or "reauth" or "no_action"Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
AccessGoogle { config, name, type, 2 more }
config: { claims, client_id, client_secret, email_claim_name } The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more } The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
identity_update_behavior: optional "automatic" or "reauth" or "no_action"Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
AccessGoogleApps { config, name, type, 2 more }
config: { apps_domain, claims, client_id, 2 more } The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more } The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
identity_update_behavior: optional "automatic" or "reauth" or "no_action"Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
AccessLinkedin { config, name, type, 2 more }
The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more } The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
identity_update_behavior: optional "automatic" or "reauth" or "no_action"Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
AccessOIDC { config, name, type, 2 more }
config: { auth_url, certs_url, claims, 6 more } The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more } The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
identity_update_behavior: optional "automatic" or "reauth" or "no_action"Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
AccessOkta { config, name, type, 2 more }
config: { authorization_server_id, claims, client_id, 3 more } The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more } The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
identity_update_behavior: optional "automatic" or "reauth" or "no_action"Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
AccessOnelogin { config, name, type, 2 more }
config: { claims, client_id, client_secret, 2 more } The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more } The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
identity_update_behavior: optional "automatic" or "reauth" or "no_action"Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
AccessPingone { config, name, type, 2 more }
config: { claims, client_id, client_secret, 2 more } The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more } The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
identity_update_behavior: optional "automatic" or "reauth" or "no_action"Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
AccessSAML { config, name, type, 2 more }
config: { attributes, email_attribute_name, header_attributes, 4 more } The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules.
header_attributes: optional array of { attribute_name, header_name } Add a list of attribute names that will be returned in the response header from the Access callback.
Add a list of attribute names that will be returned in the response header from the Access callback.
X509 certificate to verify the signature in the SAML authentication response
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more } The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
identity_update_behavior: optional "automatic" or "reauth" or "no_action"Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
AccessYandex { config, name, type, 2 more }
The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more } The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
identity_update_behavior: optional "automatic" or "reauth" or "no_action"Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
AccessOnetimepin { config, name, type, 2 more }
config: { redirect_url } The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more } The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
identity_update_behavior: optional "automatic" or "reauth" or "no_action"Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
ReturnsExpand Collapse
AzureAD { config, name, type, 2 more }
config: { claims, client_id, client_secret, 5 more } The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
Should Cloudflare try to load authentication contexts from your account
prompt: optional "login" or "select_account" or "none"Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single-sign on. prompt=none is the opposite. It ensures that the user isn’t presented with any interactive prompt. If the request can’t be completed silently by using single-sign on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on providing account selection experience listing all the accounts either in session or any remembered account or an option to choose to use a different account altogether.
Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single-sign on. prompt=none is the opposite. It ensures that the user isn’t presented with any interactive prompt. If the request can’t be completed silently by using single-sign on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on providing account selection experience listing all the accounts either in session or any remembered account or an option to choose to use a different account altogether.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more } The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
identity_update_behavior: optional "automatic" or "reauth" or "no_action"Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
AccessCentrify { config, name, type, 2 more }
config: { centrify_account, centrify_app_id, claims, 3 more } The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more } The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
identity_update_behavior: optional "automatic" or "reauth" or "no_action"Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
AccessFacebook { config, name, type, 2 more }
The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more } The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
identity_update_behavior: optional "automatic" or "reauth" or "no_action"Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
AccessGitHub { config, name, type, 2 more }
The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more } The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
identity_update_behavior: optional "automatic" or "reauth" or "no_action"Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
AccessGoogle { config, name, type, 2 more }
config: { claims, client_id, client_secret, email_claim_name } The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more } The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
identity_update_behavior: optional "automatic" or "reauth" or "no_action"Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
AccessGoogleApps { config, name, type, 2 more }
config: { apps_domain, claims, client_id, 2 more } The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more } The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
identity_update_behavior: optional "automatic" or "reauth" or "no_action"Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
AccessLinkedin { config, name, type, 2 more }
The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more } The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
identity_update_behavior: optional "automatic" or "reauth" or "no_action"Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
AccessOIDC { config, name, type, 2 more }
config: { auth_url, certs_url, claims, 6 more } The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more } The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
identity_update_behavior: optional "automatic" or "reauth" or "no_action"Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
AccessOkta { config, name, type, 2 more }
config: { authorization_server_id, claims, client_id, 3 more } The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more } The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
identity_update_behavior: optional "automatic" or "reauth" or "no_action"Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
AccessOnelogin { config, name, type, 2 more }
config: { claims, client_id, client_secret, 2 more } The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more } The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
identity_update_behavior: optional "automatic" or "reauth" or "no_action"Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
AccessPingone { config, name, type, 2 more }
config: { claims, client_id, client_secret, 2 more } The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more } The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
identity_update_behavior: optional "automatic" or "reauth" or "no_action"Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
AccessSAML { config, name, type, 2 more }
config: { attributes, email_attribute_name, header_attributes, 4 more } The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules.
header_attributes: optional array of { attribute_name, header_name } Add a list of attribute names that will be returned in the response header from the Access callback.
Add a list of attribute names that will be returned in the response header from the Access callback.
X509 certificate to verify the signature in the SAML authentication response
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more } The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
identity_update_behavior: optional "automatic" or "reauth" or "no_action"Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
AccessYandex { config, name, type, 2 more }
The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more } The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
identity_update_behavior: optional "automatic" or "reauth" or "no_action"Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
AccessOnetimepin { config, name, type, 2 more }
config: { redirect_url } The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more } The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
identity_update_behavior: optional "automatic" or "reauth" or "no_action"Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
Add an Access identity provider
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/identity_providers \
-H 'Content-Type: application/json' \
-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
-d '{
"config": {},
"name": "Widget Corps IDP",
"type": "onetimepin"
}'{
"errors": [
{
"code": 1000,
"message": "message",
"documentation_url": "documentation_url",
"source": {
"pointer": "pointer"
}
}
],
"messages": [
{
"code": 1000,
"message": "message",
"documentation_url": "documentation_url",
"source": {
"pointer": "pointer"
}
}
],
"success": true,
"result": {
"config": {
"claims": [
"email_verified",
"preferred_username",
"custom_claim_name"
],
"client_id": "<your client id>",
"client_secret": "<your client secret>",
"conditional_access_enabled": true,
"directory_id": "<your azure directory uuid>",
"email_claim_name": "custom_claim_name",
"prompt": "login",
"support_groups": true
},
"name": "Widget Corps IDP",
"type": "onetimepin",
"id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
"scim_config": {
"enabled": true,
"identity_update_behavior": "automatic",
"scim_base_url": "scim_base_url",
"seat_deprovision": true,
"secret": "secret",
"user_deprovision": true
}
}
}Returns Examples
{
"errors": [
{
"code": 1000,
"message": "message",
"documentation_url": "documentation_url",
"source": {
"pointer": "pointer"
}
}
],
"messages": [
{
"code": 1000,
"message": "message",
"documentation_url": "documentation_url",
"source": {
"pointer": "pointer"
}
}
],
"success": true,
"result": {
"config": {
"claims": [
"email_verified",
"preferred_username",
"custom_claim_name"
],
"client_id": "<your client id>",
"client_secret": "<your client secret>",
"conditional_access_enabled": true,
"directory_id": "<your azure directory uuid>",
"email_claim_name": "custom_claim_name",
"prompt": "login",
"support_groups": true
},
"name": "Widget Corps IDP",
"type": "onetimepin",
"id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
"scim_config": {
"enabled": true,
"identity_update_behavior": "automatic",
"scim_base_url": "scim_base_url",
"seat_deprovision": true,
"secret": "secret",
"user_deprovision": true
}
}
}