Provision with SCIM
By connecting a System for Cross-domain Identity Management (SCIM) provider, you can provision access to the Cloudflare dashboard on a per-user basis, through your identity provider (IdP).
Currently, we only support SCIM connections for Enterprise customers using Okta or Microsoft Entra. If you are an Enterprise customer using Okta or Microsoft Entra, and you are interested in setting up SCIM support, follow the steps below.
The following limitations apply:
- If a user is the only Super Administrator on an Enterprise account, they will not be deprovisioned.
- Cloudflare currently only supports Account-scoped Roles and does not support provisioning Domain-scoped Roles via SCIM. We are working on this limitation.
- Cloudflare does not currently allow custom group names, in order to leave space for future development.
- Cloudflare provisioning with SCIM is only available to Enterprise customers using Okta or Microsoft Entra.
Before you begin, you need:
- In Cloudflare, Super Administrator access on the account.
- In your identity provider, the ability to create applications and groups.
To create the API token:
- Create an API token with the following permissions:

  | Type | Item | Permission |
  | --- | --- | --- |
  | Account | SCIM Provisioning | Edit |

- Under Account Resources, select the specific account to include or exclude from the dropdown menu, if applicable.
- Select Continue to summary.
- Validate the permissions and select Create Token.
- Copy the token value.
To set up the SCIM application in Okta:
- In the Okta dashboard, go to Applications > Applications.
- Select Browse App Catalog.
- Locate and select SCIM 2.0 Test App (OAuth Bearer Token).
- Select Add Integration and name your integration.
- Enable the following options:
  - Do not display application icon to users
  - Do not display application icon in the Okta Mobile App
- Disable Automatically log in when user lands on login page.
- Select Next, then select Done.
- In your integration page, go to Provisioning > Configure API Integration.
- Enable Enable API Integration.
- In SCIM 2.0 Base URL, enter `https://api.cloudflare.com/client/v4/accounts/<your_account_ID>/scim/v2`.
- In OAuth Bearer Token, enter your API token value.
- Disable Import Groups.
- Select Save.
- In Provisioning to App, select Edit.
- Enable Create Users and Deactivate Users. Select Save.
- In the integration page, go to Assignments > Assign > Assign to Groups.
- Assign users to your Cloudflare SCIM group.
- Select Done.
This will provision all of the users affected to your Cloudflare account with "minimal account access."
To provision roles through Okta groups:
- Go to Directory > Groups > Add group and add groups with the following names: `CF-<your_account_ID> - <Role_Name>`
- Go to your SCIM application in the App Integration Catalog, then select Provisioning.
- Select Edit.
- Enable Create Users and Deactivate Users. Select Save.
- Go to Push Groups and make sure the appropriate group matches the existing group of the same name on Cloudflare.
- Disable Rename groups. Select Save.
- Within the Push Groups tab, select Push Groups.
- Add the groups you created.
- Select Save.
Adding any users to these groups will grant them the role. Removing the users from the identity provider will remove them from the associated role.
- Go to your Microsoft Entra ID instance and select Enterprise Applications.
- Select Create your own application and name your application.
- Select Integrate any other application you don’t find in the gallery (Non-gallery).
- Select Create.
- Under Manage on the sidebar menu, select Provisioning.
- Select Automatic on the dropdown menu for the Provisioning Mode.
- Enter your API token value and the tenant URL `https://api.cloudflare.com/client/v4/accounts/<your_account_ID>/scim/v2`.
- Select Test Connection, then select Save.
Currently, groups need to match a specific format to provision specific Cloudflare account-level roles. Cloudflare is in the process of adding Cloudflare Groups, which will accept freeform group names in the future.
These permissions work on an exact string match with the form `CF-<your_account_ID> - <Role_Name>`.
Refer to the list of Roles for more details.
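As an added example (not Cloudflare's or this page's own code), the following Python checks a list of IdP group names against the exact-match naming convention that both the Okta push groups and the Entra group mappings rely on, so an administrator can see which groups will map to a role and which will be ignored before starting provisioning. The account ID, role list and group names are constructed placeholders, and the 32-character hex account ID format is an assumption.

```python
import re
from typing import Dict, List, Tuple

# Group naming convention from this page: "CF-<your_account_ID> - <Role_Name>".
# The account ID is assumed to be a 32-character lowercase hex string; the
# separator is exactly " - " (space, hyphen, space). fullmatch() enforces an
# exact match, so stray whitespace or a different separator does not match.
GROUP_RE = re.compile(r"CF-(?P<account>[0-9a-f]{32}) - (?P<role>.+)")

# Constructed placeholders for the example; substitute your own account ID and
# the exact role names from the Cloudflare Roles list.
ACCOUNT_ID = "0123456789abcdef0123456789abcdef"
KNOWN_ROLES = ["Administrator", "Super Administrator"]
SAMPLE_GROUPS = [
    f"CF-{ACCOUNT_ID} - Administrator",       # exact match: maps to a role
    f"CF-{ACCOUNT_ID} - administrator",       # wrong case: no match
    f"CF-{ACCOUNT_ID}-Administrator",         # missing spaces around "-"
    "CF-" + "f" * 32 + " - Administrator",    # another account's ID
    "Cloudflare Admins",                      # freeform name: not supported yet
]


def classify_groups(account_id: str, known_roles: List[str],
                    group_names: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Return which group names map to a role on `account_id` ("mapped",
    paired with the role) and which are ignored ("ignored", with the reason)."""
    result: Dict[str, List[Tuple[str, str]]] = {"mapped": [], "ignored": []}
    for name in group_names:
        m = GROUP_RE.fullmatch(name)
        if m is None:
            result["ignored"].append((name, "does not match CF-<account_ID> - <Role_Name>"))
        elif m.group("account") != account_id:
            result["ignored"].append((name, "account ID belongs to a different account"))
        elif m.group("role") not in known_roles:
            result["ignored"].append((name, "role name is not an exact match"))
        else:
            result["mapped"].append((name, m.group("role")))
    return result


if __name__ == "__main__":
    report = classify_groups(ACCOUNT_ID, KNOWN_ROLES, SAMPLE_GROUPS)
    for name, role in report["mapped"]:
        print(f"OK      {name!r} -> {role}")
    for name, why in report["ignored"]:
        print(f"IGNORED {name!r}: {why}")
```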
- To ensure that only required groups are provisioned, go to your Microsoft Entra ID instance.
- Under Manage on the sidebar menu, select Provisioning.
- Select Provision Entra Groups in Mappings.
- Select All records under Source Object Scope.
- Select Add scoping filter and create the appropriate filtering criteria to capture only the necessary groups.
- Save the Attribute Mapping by selecting OK and return to the Enterprise Application Provisioning overview page.
- Select Start provisioning to view the new users and groups populated on the Cloudflare dashboard.