
Identity Providers

resource cloudflare_zero_trust_access_identity_provider

required
name: String

The name of the identity provider, shown to users on the login page.

type: String

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

config: Attributes

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

claims?: List[String]

Custom claims

client_id?: String

Your OAuth Client ID

client_secret?: String

Your OAuth Client Secret

conditional_access_enabled?: Bool

Should Cloudflare try to load authentication contexts from your account

directory_id?: String

Your Azure directory UUID

email_claim_name?: String

The claim name for email in the id_token response.

prompt?: String

Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single sign-on. prompt=none is the opposite: it ensures that the user isn't presented with any interactive prompt. If the request can't be completed silently using single sign-on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on and presents an account-selection experience listing all accounts in session or remembered, plus an option to use a different account altogether.

support_groups?: Bool

Should Cloudflare try to load groups from your account

centrify_account?: String

Your Centrify account URL

centrify_app_id?: String

Your Centrify app ID

apps_domain?: String

Your company's TLD

auth_url?: String

The authorization_endpoint URL of your IdP

certs_url?: String

The jwks_uri endpoint of your IdP, from which the IdP's token-signing keys are retrieved

pkce_enabled?: Bool

Enable Proof Key for Code Exchange (PKCE)

scopes?: List[String]

OAuth scopes

token_url?: String

The token_endpoint URL of your IdP

authorization_server_id?: String

Your Okta authorization server ID

okta_account?: String

Your Okta account URL

onelogin_account?: String

Your OneLogin account URL

ping_env_id?: String

Your PingOne environment identifier

attributes?: List[String]

A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules.

email_attribute_name?: String

The attribute name for email in the SAML response.

header_attributes?: List[Attributes]

Add a list of attribute names that will be returned in the response header from the Access callback.

attribute_name?: String

The attribute name from the IdP

header_name?: String

The header that will be added to the request to the origin

idp_public_certs?: List[String]

X.509 certificates used to verify the signature of the SAML authentication response

issuer_url?: String

IdP Entity ID or Issuer URL

sign_request?: Bool

Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints.

sso_target_url?: String

URL to send the SAML authentication requests to

redirect_url: String

optional
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

scim_config?: Attributes

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled?: Bool

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior?: String

Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity is then updated only after successful re-authentication, and with "reauth" identities will not contain fields from the SCIM user resource. With "no_action" identities are not changed by SCIM updates in any way and users are not prompted to reauthenticate.

scim_base_url: String

The base URL of Cloudflare's SCIM V2.0 API endpoint.

seat_deprovision?: Bool

A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret: String

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision?: Bool

A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

computed
id: String

UUID.

cloudflare_zero_trust_access_identity_provider

resource "cloudflare_zero_trust_access_identity_provider" "example_zero_trust_access_identity_provider" {
  config = {
    claims = ["email_verified", "preferred_username", "custom_claim_name"]
    client_id = "<your client id>"
    client_secret = "<your client secret>"
    conditional_access_enabled = true
    directory_id = "<your azure directory uuid>"
    email_claim_name = "custom_claim_name"
    prompt = "login"
    support_groups = true
  }
  name = "Widget Corps IDP"
  type = "onetimepin"
  zone_id = "zone_id"
  scim_config = {
    enabled = true
    identity_update_behavior = "automatic"
    seat_deprovision = true
    user_deprovision = true
  }
}
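The following is an added example, not from the Cloudflare provider documentation, showing two hardened configurations that the schema above supports: a generic OIDC provider with PKCE enabled and the client secret supplied through a sensitive variable instead of a literal in the config file, and a SAML provider that signs its authentication requests, pins the IdP signing certificate and maps an IdP attribute to a request header. The `type` values `oidc` and `saml`, the `var.oidc_client_secret` and `var.account_id` variables, the endpoint URLs and the certificate path are assumptions; confirm the `type` value for your provider against the developer documentation referenced above.

```hcl
variable "oidc_client_secret" {
  description = "OAuth client secret for the OIDC IdP (assumed variable, supplied via TF_VAR_ or a secrets backend)"
  type        = string
  sensitive   = true
}

variable "account_id" {
  type = string # assumed variable holding the Cloudflare account ID
}

locals {
  # The schema requires user_deprovision whenever seat_deprovision is set;
  # both live in locals so the precondition below can check the pair.
  scim_user_deprovision = true
  scim_seat_deprovision = true
}

# Generic OIDC provider: PKCE on, explicit scopes, no secret literal in the config.
resource "cloudflare_zero_trust_access_identity_provider" "oidc" {
  account_id = var.account_id
  name       = "Corporate OIDC"
  type       = "oidc" # assumed type value; confirm in the developer documentation

  config = {
    client_id        = "example-client-id" # constructed placeholder
    client_secret    = var.oidc_client_secret
    auth_url         = "https://idp.example.com/oauth2/authorize" # assumed endpoints
    token_url        = "https://idp.example.com/oauth2/token"
    certs_url        = "https://idp.example.com/oauth2/keys"
    pkce_enabled     = true
    scopes           = ["openid", "email", "profile"]
    claims           = ["groups"]
    email_claim_name = "email"
  }

  scim_config = {
    enabled                  = true
    identity_update_behavior = "reauth"
    user_deprovision         = local.scim_user_deprovision
    seat_deprovision         = local.scim_seat_deprovision
  }

  lifecycle {
    precondition {
      condition     = !local.scim_seat_deprovision || local.scim_user_deprovision
      error_message = "seat_deprovision requires user_deprovision to be enabled."
    }
  }
}

# SAML provider: signed AuthnRequests and a pinned IdP signing certificate.
resource "cloudflare_zero_trust_access_identity_provider" "saml" {
  account_id = var.account_id
  name       = "Corporate SAML"
  type       = "saml" # assumed type value; confirm in the developer documentation

  config = {
    issuer_url           = "https://idp.example.com/saml/metadata" # assumed
    sso_target_url       = "https://idp.example.com/saml/sso"      # assumed
    idp_public_certs     = [file("${path.module}/idp-signing-cert.pem")] # constructed path to the IdP's PEM certificate
    sign_request         = true
    email_attribute_name = "email"
    attributes           = ["groups", "department"]
    header_attributes = [
      { attribute_name = "department", header_name = "X-Access-Department" }
    ]
  }
}
```

The precondition fails `terraform plan` before the API ever sees a `seat_deprovision = true` without `user_deprovision`, which the schema says the API would reject anyway; catching it locally keeps the error next to the values that caused it. Marking the secret variable `sensitive` keeps it out of plan output and, combined with `pkce_enabled`, means the authorization code alone is not enough to obtain tokens.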

data cloudflare_zero_trust_access_identity_provider

optional
identity_provider_id?: String

UUID.

account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

filter?: Attributes

scim_enabled?: String

Indicates to Access to only retrieve identity providers that have the System for Cross-Domain Identity Management (SCIM) enabled.

computed
id: String

UUID.

name: String

The name of the identity provider, shown to users on the login page.

type: String

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

config: Attributes

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

claims: List[String]

Custom claims

client_id: String

Your OAuth Client ID

client_secret: String

Your OAuth Client Secret

conditional_access_enabled: Bool

Should Cloudflare try to load authentication contexts from your account

directory_id: String

Your Azure directory UUID

email_claim_name: String

The claim name for email in the id_token response.

prompt: String

Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single sign-on. prompt=none is the opposite: it ensures that the user isn't presented with any interactive prompt. If the request can't be completed silently using single sign-on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on and presents an account-selection experience listing all accounts in session or remembered, plus an option to use a different account altogether.

support_groups: Bool

Should Cloudflare try to load groups from your account

centrify_account: String

Your Centrify account URL

centrify_app_id: String

Your Centrify app ID

apps_domain: String

Your company's TLD

auth_url: String

The authorization_endpoint URL of your IdP

certs_url: String

The jwks_uri endpoint of your IdP, from which the IdP's token-signing keys are retrieved

pkce_enabled: Bool

Enable Proof Key for Code Exchange (PKCE)

scopes: List[String]

OAuth scopes

token_url: String

The token_endpoint URL of your IdP

authorization_server_id: String

Your Okta authorization server ID

okta_account: String

Your Okta account URL

onelogin_account: String

Your OneLogin account URL

ping_env_id: String

Your PingOne environment identifier

attributes: List[String]

A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules.

email_attribute_name: String

The attribute name for email in the SAML response.

header_attributes: List[Attributes]

Add a list of attribute names that will be returned in the response header from the Access callback.

attribute_name: String

The attribute name from the IdP

header_name: String

The header that will be added to the request to the origin

idp_public_certs: List[String]

X.509 certificates used to verify the signature of the SAML authentication response

issuer_url: String

IdP Entity ID or Issuer URL

sign_request: Bool

Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints.

sso_target_url: String

URL to send the SAML authentication requests to

redirect_url: String

scim_config: Attributes

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled: Bool

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior: String

Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity is then updated only after successful re-authentication, and with "reauth" identities will not contain fields from the SCIM user resource. With "no_action" identities are not changed by SCIM updates in any way and users are not prompted to reauthenticate.

scim_base_url: String

The base URL of Cloudflare's SCIM V2.0 API endpoint.

seat_deprovision: Bool

A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret: String

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision: Bool

A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

cloudflare_zero_trust_access_identity_provider

data "cloudflare_zero_trust_access_identity_provider" "example_zero_trust_access_identity_provider" {
  identity_provider_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  account_id = "account_id"
  # zone_id is mutually exclusive with account_id; set one or the other, not both
  # zone_id = "zone_id"
}

data cloudflare_zero_trust_access_identity_providers

optional
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

scim_enabled?: String

Indicates to Access to only retrieve identity providers that have the System for Cross-Domain Identity Management (SCIM) enabled.

max_items?: Int64

Max items to fetch, default: 1000

computed
result: List[Attributes]

The items returned by the data source

config: Attributes

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

claims: List[String]

Custom claims

client_id: String

Your OAuth Client ID

client_secret: String

Your OAuth Client Secret

conditional_access_enabled: Bool

Should Cloudflare try to load authentication contexts from your account

directory_id: String

Your Azure directory UUID

email_claim_name: String

The claim name for email in the id_token response.

prompt: String

Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single sign-on. prompt=none is the opposite: it ensures that the user isn't presented with any interactive prompt. If the request can't be completed silently using single sign-on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on and presents an account-selection experience listing all accounts in session or remembered, plus an option to use a different account altogether.

support_groups: Bool

Should Cloudflare try to load groups from your account

centrify_account: String

Your Centrify account URL

centrify_app_id: String

Your Centrify app ID

apps_domain: String

Your company's TLD

auth_url: String

The authorization_endpoint URL of your IdP

certs_url: String

The jwks_uri endpoint of your IdP, from which the IdP's token-signing keys are retrieved

pkce_enabled: Bool

Enable Proof Key for Code Exchange (PKCE)

scopes: List[String]

OAuth scopes

token_url: String

The token_endpoint URL of your IdP

authorization_server_id: String

Your Okta authorization server ID

okta_account: String

Your Okta account URL

onelogin_account: String

Your OneLogin account URL

ping_env_id: String

Your PingOne environment identifier

attributes: List[String]

A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules.

email_attribute_name: String

The attribute name for email in the SAML response.

header_attributes: List[Attributes]

Add a list of attribute names that will be returned in the response header from the Access callback.

attribute_name: String

The attribute name from the IdP

header_name: String

The header that will be added to the request to the origin

idp_public_certs: List[String]

X.509 certificates used to verify the signature of the SAML authentication response

issuer_url: String

IdP Entity ID or Issuer URL

sign_request: Bool

Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints.

sso_target_url: String

URL to send the SAML authentication requests to

name: String

The name of the identity provider, shown to users on the login page.

type: String

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id: String

UUID.

scim_config: Attributes

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled: Bool

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior: String

Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity is then updated only after successful re-authentication, and with "reauth" identities will not contain fields from the SCIM user resource. With "no_action" identities are not changed by SCIM updates in any way and users are not prompted to reauthenticate.

scim_base_url: String

The base URL of Cloudflare's SCIM V2.0 API endpoint.

seat_deprovision: Bool

A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret: String

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision: Bool

A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

cloudflare_zero_trust_access_identity_providers

data "cloudflare_zero_trust_access_identity_providers" "example_zero_trust_access_identity_providers" {
  account_id = "account_id"
  # zone_id is mutually exclusive with account_id; set one or the other, not both
  # zone_id = "zone_id"
  scim_enabled = "scim_enabled"
}
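As an added example that is not part of the provider documentation, the list data source above can drive a configuration-time audit: it reads every identity provider in an account and flags those whose SCIM settings would not revoke Access and Gateway sessions when a user is deprovisioned. The `var.account_id` variable and the resource label `all` are assumptions; the `result` fields (`name`, `type`, `scim_config.enabled`, `scim_config.user_deprovision`) and the `onetimepin` type value are taken from the schema and example on this page.

```hcl
variable "account_id" {
  type = string # assumed variable holding the Cloudflare account ID
}

# Read every identity provider in the account. Only account_id is set,
# because the schema marks account_id and zone_id as mutually exclusive.
data "cloudflare_zero_trust_access_identity_providers" "all" {
  account_id = var.account_id
  max_items  = 1000
}

locals {
  # Providers that have SCIM disabled or do not revoke sessions on deprovisioning.
  # try() guards against a null scim_config on providers that never enabled SCIM.
  # One-time PIN providers have no SCIM integration and are skipped.
  idps_without_deprovision = [
    for idp in data.cloudflare_zero_trust_access_identity_providers.all.result :
    idp.name
    if idp.type != "onetimepin" && (
      !try(idp.scim_config.enabled, false) || !try(idp.scim_config.user_deprovision, false)
    )
  ]
}

output "idps_without_session_revocation" {
  description = "Identity providers whose deprovisioning does not revoke Access/Gateway sessions"
  value       = local.idps_without_deprovision
}

# Fails terraform plan/apply with a named list when any provider is misconfigured.
check "all_idps_revoke_sessions" {
  assert {
    condition     = length(local.idps_without_deprovision) == 0
    error_message = "These IdPs do not revoke sessions on deprovisioning: ${join(", ", local.idps_without_deprovision)}"
  }
}
```

Running `terraform plan` against a real account surfaces the check result without changing anything; the `check` block (Terraform 1.5 and later) reports a warning rather than blocking, so the output is still visible when the list is non-empty.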