Skip to content

Provision with SCIM

Last reviewed: 21 days ago

Cloudflare supports bulk provisioning of users into the Cloudflare dashboard by using the System for Cross-domain Identity Management (SCIM) protocol. This allows you to connect your external identity provider (IdP) to Cloudflare and quickly onboard and manage users and their permissions. Cloudflare supports SCIM onboarding with Okta and Microsoft Entra.

Limitations

  • If a user is the only Super Administrator on an Enterprise account, they will not be deprovisioned.
  • Cloudflare currently only supports Account-scoped Roles and does not support Domain-scoped Roles provisioning via SCIM.
  • Cloudflare does not allow custom user groups.

Prerequisites

  • Cloudflare provisioning with SCIM is only available to Enterprise customers using Okta or Microsoft Entra.
  • You must be a Super Administrator on the account.
  • In your identity provider, you must have the ability to create applications and groups.

Gather the required data

To start, you will need to collect a couple of pieces of data from Cloudflare and set these aside for later use.

Get your Account ID

  1. In the Cloudflare dashboard, go to the Cloudflare account that you want to configure for SCIM provisioning.
  2. Copy your account ID from the account home page.

Create an API token

  1. Create an API token with the following permissions:

    TypeItemPermission
    AccountSCIM ProvisioningEdit
  2. Under Account Resources, select the specific account to include or exclude from the dropdown menu, if applicable.

  3. Select Continue to summary.

  4. Validate the permissions and select Create Token.

  5. Copy the token value.


Provision with Okta

Set up your Okta SCIM application.

  1. In the Okta dashboard, go to Applications > Applications.

  2. Select Browse App Catalog.

  3. Locate and select SCIM 2.0 Test App (OAuth Bearer Token).

  4. Select Add Integration and name your integration.

  5. Enable the following options:

    • Do not display application icon to users
    • Do not display application icon in the Okta Mobile App
  6. Disable Automatically log in when user lands on login page.

  7. Select Next, then select Done.

Integrate the Cloudflare API.

  1. In your integration page, go to Provisioning > Configure API Integration.
  2. Enable Enable API Integration.
  3. In SCIM 2.0 Base URL, enter: https://api.cloudflare.com/client/v4/accounts/<accountID>/scim/v2.
  4. In OAuth Bearer Token, enter your API token value.
  5. Select Save.

Set up your SCIM users.

  1. In Provisioning to App, select Edit.
  2. Enable Create Users and Deactivate Users. Select Save.
  3. In the integration page, go to Assignments > Assign > Assign to Groups.
  4. Choose the group(s) that you want to provision to Cloudflare.
  5. Select Done.

This will provision all of the users in the group(s) affected to your Cloudflare account with "minimal account access."

Configure user permissions

There are two options for managing user permissions:

  • Manage your user permissions on a per-user basis in the Cloudflare dashboard, API, or using Terraform.
  • Map your IdP groups to a Cloudflare built-in Role. Groups may only be linked to one role.
  1. Go to your SCIM application in the App Integration Catalog, then select Provisioning.
  2. Under *To App, select Edit.
  3. Enable Create Users and Deactivate Users. Select Save.
  4. Go to Push Groups.
  5. Select + Push Groups, then Find groups by name.
  6. Enter the name of the group(s) that you want to sync to Cloudflare.
  7. Choose Link Group.
  8. Cloudflare provisioned user groups are named in the pattern CF-<accountID> - <Role Name>. Choose the appropriate group that maps to your target role.
  9. Disable Rename groups. Select Save.
  10. Within the Push Groups tab, select Push Groups.
  11. Add the groups you created.
  12. Select Save.

Adding any users to these groups will grant them the role. Removing the users from the identity provider will remove them from the associated role.


Provision with Microsoft Entra ID

Set up the Microsoft Entra ID Enterprise application.

  1. Go to your Microsoft Entra ID instance and select Enterprise Applications.
  2. Select Create your own application and name your application.
  3. Select Integrate any other application you don’t find in the gallery (Non-gallery).
  4. Select Create.

Provision the Microsoft Entra ID Enterprise application.

  1. Under Manage on the sidebar menu, select Provisioning.
  2. Select Automatic on the dropdown menu for the Provisioning Mode.
  3. Enter your API token value and the tenant URL: https://api.cloudflare.com/client/v4/accounts/<your_account_ID>/scim/v2.
  4. Select Test Connection, then select Save.

Configure user permissions in Microsoft Entra ID

Currently, groups need to match a specific format to provision specific Cloudflare account-level roles. Cloudflare is in the process of adding Cloudflare Groups, which can take in freeform group names in the future.

These permissions work on an exact string match with the form CF-<your_account_ID> - <Role_Name>

Refer to the list of Roles for more details.

  1. To ensure that only required groups are provisioned, go to your Microsoft Entra ID instance.
  2. Under Manage on the sidebar menu, select Provisioning.
  3. Select Provision Entra Groups in Mappings.
  4. Select All records under Source Object Scope.
  5. Select Add scoping filter and create the appropriate filtering criteria to capture only the necessary groups.
  6. Save the Attribute Mapping by selecting OK and return to the Enterprise Application Provisioning overview page.
  7. Select Start provisioning to view the new users and groups populated on the Cloudflare dashboard.