Provision Cloudflare with SCIM
By connecting a System for Cross-domain Identity Management (SCIM) provider, you can provision access to the Cloudflare dashboard on a per-user basis.
Currently, we only provide SCIM support for Azure Active Directory and Okta in Self-Hosted Access applications.
This guide will use Okta as the SCIM provider.
- You cannot automatically deprovision users under domains that do not have the SSO connector.
- You cannot update from the SCIM provider.
- If a user is the only Super Administrator on an Enterprise account, they will not be deprovisioned.
- Currently, we do not support Okta Integration Network (OIN) integration. This integration is in review.
Before you begin
Create an API token
Assign Cloudflare users to an Okta group
- In the Okta dashboard, go to Directory > Groups.
- Select Add a group and enter a name. Select Save.
- Select the group you created.
- Select Assign people and add your users.
- Select Done.
Set up the Okta application
Create your Okta SCIM application.
- In the Okta dashboard, go to Applications > Applications.
- Select Browse App Catalog.
- Locate and select SCIM 2.0 Test App (OAuth Bearer Token).
- Select Add Integration and name your integration.
- Enable the following options:
  - Do not display application icon to users
  - Do not display application icon in the Okta Mobile App
- Disable Automatically log in when user lands on login page.
- Select Next, then select Done.
Integrate the Cloudflare API.
- In your integration page, go to Provisioning > Configure API Integration.
- Enable Enable API Integration.
- In SCIM 2.0 Base Url, enter
- In OAuth Bearer Token, enter your API token value.
- Disable Import Groups.
- Select Save.
Set up your SCIM users.
- In Provisioning to App, select Edit.
- Enable Create Users and Deactivate Users. Select Save.
- In the integration page, go to Assignments > Assign > Assign to Groups.
- Assign users to your Cloudflare group.
- Select Done.
Configure user permissions
- In the tab bar, go to Provisioning. Select Edit.
- Enable Create Users and Deactivate Users. Select Save.
- Select Add group and add groups with the following names:
  - Administrator Read Only
  - Super Administrator - All Privileges
- Go to Push Groups and select the gear icon.
- Disable Rename groups. Select Save.
- Within the Push Groups tab, select Push Groups.
- Add the groups you created.
Adding any users to these groups will grant them the role. Removing the users from the identity provider will remove them from the associated role.
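The following is an added example, not code from Cloudflare or Okta, that models what the configuration above produces on the wire and at the receiving end: Okta's SCIM 2.0 requests (Create Users, Deactivate Users, Push Groups) carrying the API token as a bearer token, and a toy service provider that applies the role-by-group rule stated in the last paragraph and the caveat that the only Super Administrator is never deprovisioned. The request shapes follow RFC 7643/7644; the `MockScimProvider` class, its refusal-by-`False` convention and the sample accounts are assumptions constructed for illustration, not Cloudflare's implementation.

```python
"""Added example (not Cloudflare's or Okta's code): a toy SCIM 2.0 service
provider modelling the provisioning behaviour this guide configures. Request
formats follow RFC 7643/7644; everything else is a constructed assumption."""
import uuid

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Role groups named exactly as in the guide; membership grants the role.
SUPER_ADMIN = "Super Administrator - All Privileges"
READ_ONLY = "Administrator Read Only"
ROLE_GROUPS = {SUPER_ADMIN, READ_ONLY}


def okta_headers(bearer_token: str) -> dict:
    """Headers Okta sends once 'OAuth Bearer Token' is set on the integration."""
    return {"Authorization": f"Bearer {bearer_token}",
            "Content-Type": "application/scim+json"}


def create_user_body(email: str) -> dict:
    """Body of the POST /Users that 'Create Users' triggers on assignment."""
    return {"schemas": [SCIM_USER], "userName": email, "active": True}


def deactivate_body() -> dict:
    """Body of the PATCH /Users/{id} that 'Deactivate Users' triggers."""
    return {"schemas": [SCIM_PATCH],
            "Operations": [{"op": "replace", "value": {"active": False}}]}


class MockScimProvider:
    """Stand-in for the Cloudflare side (assumed): users, pushed groups, roles."""

    def __init__(self, expected_token: str):
        self._token = expected_token
        self.users = {}    # id -> user resource
        self.groups = {}   # displayName -> set of member ids

    def _authorize(self, headers: dict) -> None:
        # Every SCIM call must carry the token from 'Create an API token'.
        if headers.get("Authorization") != f"Bearer {self._token}":
            raise PermissionError("401: bad or missing bearer token")

    def create_user(self, headers: dict, body: dict) -> str:
        self._authorize(headers)
        if SCIM_USER not in body.get("schemas", []):
            raise ValueError("400: not a SCIM User resource")
        uid = str(uuid.uuid4())
        self.users[uid] = {"id": uid, "userName": body["userName"],
                           "active": bool(body.get("active", True))}
        return uid

    def push_group(self, headers: dict, display_name: str, member_ids) -> None:
        """Push Groups: the pushed membership replaces the previous one."""
        self._authorize(headers)
        self.groups[display_name] = set(member_ids)

    def roles(self, uid: str) -> set:
        """Roles follow role-group membership, as the guide's last line states."""
        return {g for g, members in self.groups.items()
                if g in ROLE_GROUPS and uid in members}

    def patch_user(self, headers: dict, uid: str, body: dict) -> bool:
        """Apply a PatchOp; returns False when deprovisioning is refused."""
        self._authorize(headers)
        if SCIM_PATCH not in body.get("schemas", []):
            raise ValueError("400: not a PatchOp message")
        user = self.users[uid]
        for op in body["Operations"]:
            if op.get("op", "").lower() != "replace":
                continue
            if op.get("value", {}).get("active") is False:
                if self._only_super_admin(uid):
                    return False            # guide: the sole Super Admin is kept
                user["active"] = False
                for members in self.groups.values():
                    members.discard(uid)    # leaving the groups removes the roles
        return True

    def _only_super_admin(self, uid: str) -> bool:
        active_admins = {u for u in self.groups.get(SUPER_ADMIN, set())
                         if self.users[u]["active"]}
        return active_admins == {uid}


def demo() -> dict:
    """Assignment, role grant and deprovisioning on constructed sample accounts."""
    token = "constructed-example-token"          # placeholder, not a real token
    provider = MockScimProvider(token)
    hdrs = okta_headers(token)
    alice = provider.create_user(hdrs, create_user_body("alice@example.com"))
    bob = provider.create_user(hdrs, create_user_body("bob@example.com"))
    provider.push_group(hdrs, SUPER_ADMIN, [alice])
    provider.push_group(hdrs, READ_ONLY, [bob])
    bob_removed = provider.patch_user(hdrs, bob, deactivate_body())
    alice_removed = provider.patch_user(hdrs, alice, deactivate_body())
    return {"alice_roles": provider.roles(alice), "bob_roles": provider.roles(bob),
            "bob_removed": bob_removed, "alice_removed": alice_removed,
            "bob_active": provider.users[bob]["active"]}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two outcomes the guide describes: Bob, who only holds Administrator Read Only, is deactivated and loses the role when Okta sends the PatchOp, while Alice, the only Super Administrator, keeps her role because the provider refuses to deprovision her. A request without the correct bearer token is rejected before any state changes, which is why the API token from the "Create an API token" step needs to be protected like any other credential.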