Provision Cloudflare with SCIM

By connecting a System for Cross-domain Identity Management (SCIM) provider, you can provision access to the Cloudflare dashboard on a per-user basis.

Currently, we only provide SCIM support for Azure Active Directory and Okta in Self-Hosted Access applications.

For more information about SCIM support, refer to the Announcing SCIM support for Cloudflare Access & Gateway blog post.

This guide will use Okta as the SCIM provider.

Limitations

You cannot automatically deprovision users under domains that do not have the SSO connector.
You cannot update user attributes from the SCIM provider.
If a user is the only Super Administrator on an Enterprise account, they will not be deprovisioned.
Currently, we do not support Okta Integration Network (OIN) integration. This integration is in review.

Before you begin

In Cloudflare, Super Administrator access on the account that maintains your SSO.
In Okta, access to the Create groups and Manage applications permissions.

Create an API token

Create an API token with the following permissions:
Type Item Permission
Account Account Settings Read
Account Account Settings Edit
User Memberships Read
User Memberships Edit
Add the following under Account Resources:
Action Account
Include <account name>
Copy the token value.

Type	Item	Permission
Account	Account Settings	Read
Account	Account Settings	Edit
User	Memberships	Read
User	Memberships	Edit

Action	Account
Include	<account name>

Assign Cloudflare users to an Okta group

In the Okta dashboard, go to Directory > Groups.
Select Add a group and enter a name. Select Save.
Select the group you created.
Select Assign people and add your users.
Select Done.

Set up the Okta application

Create your Okta SCIM application.
1. In the Okta dashboard, go to Applications > Applications.
2. Select Browse App Catalog.
3. Locate and select SCIM 2.0 Test App (OAuth Bearer Token).
4. Select Add Integration and name your integration.
5. Enable the following options:
  - Do not display application icon to users
  - Do not display application icon in the Okta Mobile App
6. Disable Automatically log in when user lands on login page.
7. Select Next, then select Done.
Integrate the Cloudflare API.
1. In your integration page, go to Provisioning > Configure API Integration.
2. Enable Enable API Integration.
3. In SCIM 2.0 Base Url, enter https://api.cloudflare.com/client/v4/accounts/<your_account_ID>/scim/v2.
4. In OAuth Bearer Token, enter your API token value.
5. Disable Import Groups.
6. Select Save.
Set up your SCIM users.
1. In Provisioning to App, select Edit.
2. Enable Create Users and Deactivate Users. Select Save.
3. In the integration page, go to Assignments > Assign > Assign to Groups.
4. Assign users to your Cloudflare group.
5. Select Done.

Configure user permissions

In the tab bar, go to Provisioning. Select Edit.
Enable Create Users and Deactivate Users. Select Save.
Select Add group and add groups with the following names:
- Administrator Read Only
- Administrator
- Billing
- Super Administrator - All Privileges
Go to Push Groups and select the gear icon.
Disable Rename groups. Select Save.
Within the Push Groups tab, select Push Groups.
Add the groups you created.
Select Save.

Adding any users to these groups will grant them the role. Removing the users from the identity provider will remove them from the associated role.

Provision Cloudflare with SCIM

​​ Limitations

​​ Before you begin

​​ Create an API token

​​ Assign Cloudflare users to an Okta group

​​ Set up the Okta application

​​ Configure user permissions