Cloudflare v6.1.2, Apr 28 25

Cloudflare v6.1.2 published on Monday, Apr 28, 2025 by Pulumi

cloudflare.ZeroTrustAccessIdentityProvider

Explore with Pulumi AI

Cloudflare v6.1.2 published on Monday, Apr 28, 2025 by Pulumi

Example Usage

Coming soon!

Coming soon!

Coming soon!

Coming soon!

Coming soon!

resources:
  exampleZeroTrustAccessIdentityProvider:
    type: cloudflare:ZeroTrustAccessIdentityProvider
    name: example_zero_trust_access_identity_provider
    properties:
      config:
        claims:
          - email_verified
          - preferred_username
          - custom_claim_name
        client_id: <your client id>
        client_secret: <your client secret>
        conditional_access_enabled: true
        directory_id: <your azure directory uuid>
        email_claim_name: custom_claim_name
        prompt: login
        support_groups: true
      name: Widget Corps IDP
      type: onetimepin
      zoneId: zone_id
      scimConfig:
        enabled: true
        identity_update_behavior: automatic
        seat_deprovision: true
        user_deprovision: true

Create ZeroTrustAccessIdentityProvider Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new ZeroTrustAccessIdentityProvider(name: string, args: ZeroTrustAccessIdentityProviderArgs, opts?: CustomResourceOptions);

@overload
def ZeroTrustAccessIdentityProvider(resource_name: str,
                                    args: ZeroTrustAccessIdentityProviderArgs,
                                    opts: Optional[ResourceOptions] = None)

@overload
def ZeroTrustAccessIdentityProvider(resource_name: str,
                                    opts: Optional[ResourceOptions] = None,
                                    config: Optional[ZeroTrustAccessIdentityProviderConfigArgs] = None,
                                    name: Optional[str] = None,
                                    type: Optional[str] = None,
                                    account_id: Optional[str] = None,
                                    scim_config: Optional[ZeroTrustAccessIdentityProviderScimConfigArgs] = None,
                                    zone_id: Optional[str] = None)

func NewZeroTrustAccessIdentityProvider(ctx *Context, name string, args ZeroTrustAccessIdentityProviderArgs, opts ...ResourceOption) (*ZeroTrustAccessIdentityProvider, error)

public ZeroTrustAccessIdentityProvider(string name, ZeroTrustAccessIdentityProviderArgs args, CustomResourceOptions? opts = null)

public ZeroTrustAccessIdentityProvider(String name, ZeroTrustAccessIdentityProviderArgs args)
public ZeroTrustAccessIdentityProvider(String name, ZeroTrustAccessIdentityProviderArgs args, CustomResourceOptions options)

type: cloudflare:ZeroTrustAccessIdentityProvider
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args ZeroTrustAccessIdentityProviderArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args ZeroTrustAccessIdentityProviderArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args ZeroTrustAccessIdentityProviderArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args ZeroTrustAccessIdentityProviderArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args ZeroTrustAccessIdentityProviderArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var zeroTrustAccessIdentityProviderResource = new Cloudflare.ZeroTrustAccessIdentityProvider("zeroTrustAccessIdentityProviderResource", new()
{
    Config = new Cloudflare.Inputs.ZeroTrustAccessIdentityProviderConfigArgs
    {
        AppsDomain = "string",
        Attributes = new[]
        {
            "string",
        },
        AuthUrl = "string",
        AuthorizationServerId = "string",
        CentrifyAccount = "string",
        CentrifyAppId = "string",
        CertsUrl = "string",
        Claims = new[]
        {
            "string",
        },
        ClientId = "string",
        ClientSecret = "string",
        ConditionalAccessEnabled = false,
        DirectoryId = "string",
        EmailAttributeName = "string",
        EmailClaimName = "string",
        HeaderAttributes = new[]
        {
            new Cloudflare.Inputs.ZeroTrustAccessIdentityProviderConfigHeaderAttributeArgs
            {
                AttributeName = "string",
                HeaderName = "string",
            },
        },
        IdpPublicCerts = new[]
        {
            "string",
        },
        IssuerUrl = "string",
        OktaAccount = "string",
        OneloginAccount = "string",
        PingEnvId = "string",
        PkceEnabled = false,
        Prompt = "string",
        RedirectUrl = "string",
        Scopes = new[]
        {
            "string",
        },
        SignRequest = false,
        SsoTargetUrl = "string",
        SupportGroups = false,
        TokenUrl = "string",
    },
    Name = "string",
    Type = "string",
    AccountId = "string",
    ScimConfig = new Cloudflare.Inputs.ZeroTrustAccessIdentityProviderScimConfigArgs
    {
        Enabled = false,
        IdentityUpdateBehavior = "string",
        ScimBaseUrl = "string",
        SeatDeprovision = false,
        Secret = "string",
        UserDeprovision = false,
    },
    ZoneId = "string",
});

example, err := cloudflare.NewZeroTrustAccessIdentityProvider(ctx, "zeroTrustAccessIdentityProviderResource", &cloudflare.ZeroTrustAccessIdentityProviderArgs{
	Config: &cloudflare.ZeroTrustAccessIdentityProviderConfigArgs{
		AppsDomain: pulumi.String("string"),
		Attributes: pulumi.StringArray{
			pulumi.String("string"),
		},
		AuthUrl:               pulumi.String("string"),
		AuthorizationServerId: pulumi.String("string"),
		CentrifyAccount:       pulumi.String("string"),
		CentrifyAppId:         pulumi.String("string"),
		CertsUrl:              pulumi.String("string"),
		Claims: pulumi.StringArray{
			pulumi.String("string"),
		},
		ClientId:                 pulumi.String("string"),
		ClientSecret:             pulumi.String("string"),
		ConditionalAccessEnabled: pulumi.Bool(false),
		DirectoryId:              pulumi.String("string"),
		EmailAttributeName:       pulumi.String("string"),
		EmailClaimName:           pulumi.String("string"),
		HeaderAttributes: cloudflare.ZeroTrustAccessIdentityProviderConfigHeaderAttributeArray{
			&cloudflare.ZeroTrustAccessIdentityProviderConfigHeaderAttributeArgs{
				AttributeName: pulumi.String("string"),
				HeaderName:    pulumi.String("string"),
			},
		},
		IdpPublicCerts: pulumi.StringArray{
			pulumi.String("string"),
		},
		IssuerUrl:       pulumi.String("string"),
		OktaAccount:     pulumi.String("string"),
		OneloginAccount: pulumi.String("string"),
		PingEnvId:       pulumi.String("string"),
		PkceEnabled:     pulumi.Bool(false),
		Prompt:          pulumi.String("string"),
		RedirectUrl:     pulumi.String("string"),
		Scopes: pulumi.StringArray{
			pulumi.String("string"),
		},
		SignRequest:   pulumi.Bool(false),
		SsoTargetUrl:  pulumi.String("string"),
		SupportGroups: pulumi.Bool(false),
		TokenUrl:      pulumi.String("string"),
	},
	Name:      pulumi.String("string"),
	Type:      pulumi.String("string"),
	AccountId: pulumi.String("string"),
	ScimConfig: &cloudflare.ZeroTrustAccessIdentityProviderScimConfigArgs{
		Enabled:                pulumi.Bool(false),
		IdentityUpdateBehavior: pulumi.String("string"),
		ScimBaseUrl:            pulumi.String("string"),
		SeatDeprovision:        pulumi.Bool(false),
		Secret:                 pulumi.String("string"),
		UserDeprovision:        pulumi.Bool(false),
	},
	ZoneId: pulumi.String("string"),
})

var zeroTrustAccessIdentityProviderResource = new ZeroTrustAccessIdentityProvider("zeroTrustAccessIdentityProviderResource", ZeroTrustAccessIdentityProviderArgs.builder()
    .config(ZeroTrustAccessIdentityProviderConfigArgs.builder()
        .appsDomain("string")
        .attributes("string")
        .authUrl("string")
        .authorizationServerId("string")
        .centrifyAccount("string")
        .centrifyAppId("string")
        .certsUrl("string")
        .claims("string")
        .clientId("string")
        .clientSecret("string")
        .conditionalAccessEnabled(false)
        .directoryId("string")
        .emailAttributeName("string")
        .emailClaimName("string")
        .headerAttributes(ZeroTrustAccessIdentityProviderConfigHeaderAttributeArgs.builder()
            .attributeName("string")
            .headerName("string")
            .build())
        .idpPublicCerts("string")
        .issuerUrl("string")
        .oktaAccount("string")
        .oneloginAccount("string")
        .pingEnvId("string")
        .pkceEnabled(false)
        .prompt("string")
        .redirectUrl("string")
        .scopes("string")
        .signRequest(false)
        .ssoTargetUrl("string")
        .supportGroups(false)
        .tokenUrl("string")
        .build())
    .name("string")
    .type("string")
    .accountId("string")
    .scimConfig(ZeroTrustAccessIdentityProviderScimConfigArgs.builder()
        .enabled(false)
        .identityUpdateBehavior("string")
        .scimBaseUrl("string")
        .seatDeprovision(false)
        .secret("string")
        .userDeprovision(false)
        .build())
    .zoneId("string")
    .build());

zero_trust_access_identity_provider_resource = cloudflare.ZeroTrustAccessIdentityProvider("zeroTrustAccessIdentityProviderResource",
    config={
        "apps_domain": "string",
        "attributes": ["string"],
        "auth_url": "string",
        "authorization_server_id": "string",
        "centrify_account": "string",
        "centrify_app_id": "string",
        "certs_url": "string",
        "claims": ["string"],
        "client_id": "string",
        "client_secret": "string",
        "conditional_access_enabled": False,
        "directory_id": "string",
        "email_attribute_name": "string",
        "email_claim_name": "string",
        "header_attributes": [{
            "attribute_name": "string",
            "header_name": "string",
        }],
        "idp_public_certs": ["string"],
        "issuer_url": "string",
        "okta_account": "string",
        "onelogin_account": "string",
        "ping_env_id": "string",
        "pkce_enabled": False,
        "prompt": "string",
        "redirect_url": "string",
        "scopes": ["string"],
        "sign_request": False,
        "sso_target_url": "string",
        "support_groups": False,
        "token_url": "string",
    },
    name="string",
    type="string",
    account_id="string",
    scim_config={
        "enabled": False,
        "identity_update_behavior": "string",
        "scim_base_url": "string",
        "seat_deprovision": False,
        "secret": "string",
        "user_deprovision": False,
    },
    zone_id="string")

const zeroTrustAccessIdentityProviderResource = new cloudflare.ZeroTrustAccessIdentityProvider("zeroTrustAccessIdentityProviderResource", {
    config: {
        appsDomain: "string",
        attributes: ["string"],
        authUrl: "string",
        authorizationServerId: "string",
        centrifyAccount: "string",
        centrifyAppId: "string",
        certsUrl: "string",
        claims: ["string"],
        clientId: "string",
        clientSecret: "string",
        conditionalAccessEnabled: false,
        directoryId: "string",
        emailAttributeName: "string",
        emailClaimName: "string",
        headerAttributes: [{
            attributeName: "string",
            headerName: "string",
        }],
        idpPublicCerts: ["string"],
        issuerUrl: "string",
        oktaAccount: "string",
        oneloginAccount: "string",
        pingEnvId: "string",
        pkceEnabled: false,
        prompt: "string",
        redirectUrl: "string",
        scopes: ["string"],
        signRequest: false,
        ssoTargetUrl: "string",
        supportGroups: false,
        tokenUrl: "string",
    },
    name: "string",
    type: "string",
    accountId: "string",
    scimConfig: {
        enabled: false,
        identityUpdateBehavior: "string",
        scimBaseUrl: "string",
        seatDeprovision: false,
        secret: "string",
        userDeprovision: false,
    },
    zoneId: "string",
});

type: cloudflare:ZeroTrustAccessIdentityProvider
properties:
    accountId: string
    config:
        appsDomain: string
        attributes:
            - string
        authUrl: string
        authorizationServerId: string
        centrifyAccount: string
        centrifyAppId: string
        certsUrl: string
        claims:
            - string
        clientId: string
        clientSecret: string
        conditionalAccessEnabled: false
        directoryId: string
        emailAttributeName: string
        emailClaimName: string
        headerAttributes:
            - attributeName: string
              headerName: string
        idpPublicCerts:
            - string
        issuerUrl: string
        oktaAccount: string
        oneloginAccount: string
        pingEnvId: string
        pkceEnabled: false
        prompt: string
        redirectUrl: string
        scopes:
            - string
        signRequest: false
        ssoTargetUrl: string
        supportGroups: false
        tokenUrl: string
    name: string
    scimConfig:
        enabled: false
        identityUpdateBehavior: string
        scimBaseUrl: string
        seatDeprovision: false
        secret: string
        userDeprovision: false
    type: string
    zoneId: string

ZeroTrustAccessIdentityProvider Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The ZeroTrustAccessIdentityProvider resource accepts the following input properties:

Config ZeroTrustAccessIdentityProviderConfig: The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
Name string: The name of the identity provider, shown to users on the login page.
Type string: The type of identity provider. To determine the value for a specific provider, refer to our developer documentation. Available values: "onetimepin", "azureAD", "saml", "centrify", "facebook", "github", "google-apps", "google", "linkedin", "oidc", "okta", "onelogin", "pingone", "yandex".
AccountId string: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
ScimConfig ZeroTrustAccessIdentityProviderScimConfig: The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
ZoneId string: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

Config ZeroTrustAccessIdentityProviderConfigArgs: The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
Name string: The name of the identity provider, shown to users on the login page.
Type string: The type of identity provider. To determine the value for a specific provider, refer to our developer documentation. Available values: "onetimepin", "azureAD", "saml", "centrify", "facebook", "github", "google-apps", "google", "linkedin", "oidc", "okta", "onelogin", "pingone", "yandex".
AccountId string: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
ScimConfig ZeroTrustAccessIdentityProviderScimConfigArgs: The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
ZoneId string: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

config ZeroTrustAccessIdentityProviderConfig: The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
name String: The name of the identity provider, shown to users on the login page.
type String: The type of identity provider. To determine the value for a specific provider, refer to our developer documentation. Available values: "onetimepin", "azureAD", "saml", "centrify", "facebook", "github", "google-apps", "google", "linkedin", "oidc", "okta", "onelogin", "pingone", "yandex".
accountId String: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
scimConfig ZeroTrustAccessIdentityProviderScimConfig: The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
zoneId String: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

config ZeroTrustAccessIdentityProviderConfig: The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
name string: The name of the identity provider, shown to users on the login page.
type string: The type of identity provider. To determine the value for a specific provider, refer to our developer documentation. Available values: "onetimepin", "azureAD", "saml", "centrify", "facebook", "github", "google-apps", "google", "linkedin", "oidc", "okta", "onelogin", "pingone", "yandex".
accountId string: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
scimConfig ZeroTrustAccessIdentityProviderScimConfig: The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
zoneId string: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

config ZeroTrustAccessIdentityProviderConfigArgs: The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
name str: The name of the identity provider, shown to users on the login page.
type str: The type of identity provider. To determine the value for a specific provider, refer to our developer documentation. Available values: "onetimepin", "azureAD", "saml", "centrify", "facebook", "github", "google-apps", "google", "linkedin", "oidc", "okta", "onelogin", "pingone", "yandex".
account_id str: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
scim_config ZeroTrustAccessIdentityProviderScimConfigArgs: The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
zone_id str: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

config Property Map: The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
name String: The name of the identity provider, shown to users on the login page.
type String: The type of identity provider. To determine the value for a specific provider, refer to our developer documentation. Available values: "onetimepin", "azureAD", "saml", "centrify", "facebook", "github", "google-apps", "google", "linkedin", "oidc", "okta", "onelogin", "pingone", "yandex".
accountId String: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
scimConfig Property Map: The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
zoneId String: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

Outputs

All input properties are implicitly available as output properties. Additionally, the ZeroTrustAccessIdentityProvider resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.

Id string: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id str: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

Look up Existing ZeroTrustAccessIdentityProvider Resource

Get an existing ZeroTrustAccessIdentityProvider resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: ZeroTrustAccessIdentityProviderState, opts?: CustomResourceOptions): ZeroTrustAccessIdentityProvider

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        account_id: Optional[str] = None,
        config: Optional[ZeroTrustAccessIdentityProviderConfigArgs] = None,
        name: Optional[str] = None,
        scim_config: Optional[ZeroTrustAccessIdentityProviderScimConfigArgs] = None,
        type: Optional[str] = None,
        zone_id: Optional[str] = None) -> ZeroTrustAccessIdentityProvider

func GetZeroTrustAccessIdentityProvider(ctx *Context, name string, id IDInput, state *ZeroTrustAccessIdentityProviderState, opts ...ResourceOption) (*ZeroTrustAccessIdentityProvider, error)

public static ZeroTrustAccessIdentityProvider Get(string name, Input<string> id, ZeroTrustAccessIdentityProviderState? state, CustomResourceOptions? opts = null)

public static ZeroTrustAccessIdentityProvider get(String name, Output<String> id, ZeroTrustAccessIdentityProviderState state, CustomResourceOptions options)

resources:  _:    type: cloudflare:ZeroTrustAccessIdentityProvider    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AccountId string: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
Config ZeroTrustAccessIdentityProviderConfig: The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
Name string: The name of the identity provider, shown to users on the login page.
ScimConfig ZeroTrustAccessIdentityProviderScimConfig: The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
Type string: The type of identity provider. To determine the value for a specific provider, refer to our developer documentation. Available values: "onetimepin", "azureAD", "saml", "centrify", "facebook", "github", "google-apps", "google", "linkedin", "oidc", "okta", "onelogin", "pingone", "yandex".
ZoneId string: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

AccountId string: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
Config ZeroTrustAccessIdentityProviderConfigArgs: The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
Name string: The name of the identity provider, shown to users on the login page.
ScimConfig ZeroTrustAccessIdentityProviderScimConfigArgs: The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
Type string: The type of identity provider. To determine the value for a specific provider, refer to our developer documentation. Available values: "onetimepin", "azureAD", "saml", "centrify", "facebook", "github", "google-apps", "google", "linkedin", "oidc", "okta", "onelogin", "pingone", "yandex".
ZoneId string: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

accountId String: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
config ZeroTrustAccessIdentityProviderConfig: The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
name String: The name of the identity provider, shown to users on the login page.
scimConfig ZeroTrustAccessIdentityProviderScimConfig: The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
type String: The type of identity provider. To determine the value for a specific provider, refer to our developer documentation. Available values: "onetimepin", "azureAD", "saml", "centrify", "facebook", "github", "google-apps", "google", "linkedin", "oidc", "okta", "onelogin", "pingone", "yandex".
zoneId String: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

accountId string: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
config ZeroTrustAccessIdentityProviderConfig: The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
name string: The name of the identity provider, shown to users on the login page.
scimConfig ZeroTrustAccessIdentityProviderScimConfig: The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
type string: The type of identity provider. To determine the value for a specific provider, refer to our developer documentation. Available values: "onetimepin", "azureAD", "saml", "centrify", "facebook", "github", "google-apps", "google", "linkedin", "oidc", "okta", "onelogin", "pingone", "yandex".
zoneId string: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

account_id str: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
config ZeroTrustAccessIdentityProviderConfigArgs: The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
name str: The name of the identity provider, shown to users on the login page.
scim_config ZeroTrustAccessIdentityProviderScimConfigArgs: The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
type str: The type of identity provider. To determine the value for a specific provider, refer to our developer documentation. Available values: "onetimepin", "azureAD", "saml", "centrify", "facebook", "github", "google-apps", "google", "linkedin", "oidc", "okta", "onelogin", "pingone", "yandex".
zone_id str: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

accountId String: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
config Property Map: The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.
name String: The name of the identity provider, shown to users on the login page.
scimConfig Property Map: The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
type String: The type of identity provider. To determine the value for a specific provider, refer to our developer documentation. Available values: "onetimepin", "azureAD", "saml", "centrify", "facebook", "github", "google-apps", "google", "linkedin", "oidc", "okta", "onelogin", "pingone", "yandex".
zoneId String: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

Supporting Types

ZeroTrustAccessIdentityProviderConfig, ZeroTrustAccessIdentityProviderConfigArgs

AppsDomain string: Your companies TLD
Attributes List<string>: A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules.
AuthUrl string: The authorization_endpoint URL of your IdP
AuthorizationServerId string: Your okta authorization server id
CentrifyAccount string: Your centrify account url
CentrifyAppId string: Your centrify app id
CertsUrl string: The jwks_uri endpoint of your IdP to allow the IdP keys to sign the tokens
Claims List<string>: Custom claims
ClientId string: Your OAuth Client ID
ClientSecret string: Your OAuth Client Secret
ConditionalAccessEnabled bool: Should Cloudflare try to load authentication contexts from your account
DirectoryId string: Your Azure directory uuid
EmailAttributeName string: The attribute name for email in the SAML response.
EmailClaimName string: The claim name for email in the id_token response.
HeaderAttributes List<ZeroTrustAccessIdentityProviderConfigHeaderAttribute>: Add a list of attribute names that will be returned in the response header from the Access callback.
IdpPublicCerts List<string>: X509 certificate to verify the signature in the SAML authentication response
IssuerUrl string: IdP Entity ID or Issuer URL
OktaAccount string: Your okta account url
OneloginAccount string: Your OneLogin account url
PingEnvId string: Your PingOne environment identifier
PkceEnabled bool: Enable Proof Key for Code Exchange (PKCE)
Prompt string: Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single-sign on. prompt=none is the opposite. It ensures that the user isn't presented with any interactive prompt. If the request can't be completed silently by using single-sign on, the Microsoft identity platform returns an interactionrequired error. prompt=selectaccount interrupts single sign-on providing account selection experience listing all the accounts either in session or any remembered account or an option to choose to use a different account altogether. Available values: "login", "select_account", "none".
RedirectUrl string
Scopes List<string>: OAuth scopes
SignRequest bool: Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints.
SsoTargetUrl string: URL to send the SAML authentication requests to
SupportGroups bool: Should Cloudflare try to load groups from your account
TokenUrl string: The token_endpoint URL of your IdP

AppsDomain string: Your companies TLD
Attributes []string: A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules.
AuthUrl string: The authorization_endpoint URL of your IdP
AuthorizationServerId string: Your okta authorization server id
CentrifyAccount string: Your centrify account url
CentrifyAppId string: Your centrify app id
CertsUrl string: The jwks_uri endpoint of your IdP to allow the IdP keys to sign the tokens
Claims []string: Custom claims
ClientId string: Your OAuth Client ID
ClientSecret string: Your OAuth Client Secret
ConditionalAccessEnabled bool: Should Cloudflare try to load authentication contexts from your account
DirectoryId string: Your Azure directory uuid
EmailAttributeName string: The attribute name for email in the SAML response.
EmailClaimName string: The claim name for email in the id_token response.
HeaderAttributes []ZeroTrustAccessIdentityProviderConfigHeaderAttribute: Add a list of attribute names that will be returned in the response header from the Access callback.
IdpPublicCerts []string: X509 certificate to verify the signature in the SAML authentication response
IssuerUrl string: IdP Entity ID or Issuer URL
OktaAccount string: Your okta account url
OneloginAccount string: Your OneLogin account url
PingEnvId string: Your PingOne environment identifier
PkceEnabled bool: Enable Proof Key for Code Exchange (PKCE)
Prompt string: Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single-sign on. prompt=none is the opposite. It ensures that the user isn't presented with any interactive prompt. If the request can't be completed silently by using single-sign on, the Microsoft identity platform returns an interactionrequired error. prompt=selectaccount interrupts single sign-on providing account selection experience listing all the accounts either in session or any remembered account or an option to choose to use a different account altogether. Available values: "login", "select_account", "none".
RedirectUrl string
Scopes []string: OAuth scopes
SignRequest bool: Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints.
SsoTargetUrl string: URL to send the SAML authentication requests to
SupportGroups bool: Should Cloudflare try to load groups from your account
TokenUrl string: The token_endpoint URL of your IdP

appsDomain String: Your companies TLD
attributes List<String>: A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules.
authUrl String: The authorization_endpoint URL of your IdP
authorizationServerId String: Your okta authorization server id
centrifyAccount String: Your centrify account url
centrifyAppId String: Your centrify app id
certsUrl String: The jwks_uri endpoint of your IdP to allow the IdP keys to sign the tokens
claims List<String>: Custom claims
clientId String: Your OAuth Client ID
clientSecret String: Your OAuth Client Secret
conditionalAccessEnabled Boolean: Should Cloudflare try to load authentication contexts from your account
directoryId String: Your Azure directory uuid
emailAttributeName String: The attribute name for email in the SAML response.
emailClaimName String: The claim name for email in the id_token response.
headerAttributes List<ZeroTrustAccessIdentityProviderConfigHeaderAttribute>: Add a list of attribute names that will be returned in the response header from the Access callback.
idpPublicCerts List<String>: X509 certificate to verify the signature in the SAML authentication response
issuerUrl String: IdP Entity ID or Issuer URL
oktaAccount String: Your okta account url
oneloginAccount String: Your OneLogin account url
pingEnvId String: Your PingOne environment identifier
pkceEnabled Boolean: Enable Proof Key for Code Exchange (PKCE)
prompt String: Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single-sign on. prompt=none is the opposite. It ensures that the user isn't presented with any interactive prompt. If the request can't be completed silently by using single-sign on, the Microsoft identity platform returns an interactionrequired error. prompt=selectaccount interrupts single sign-on providing account selection experience listing all the accounts either in session or any remembered account or an option to choose to use a different account altogether. Available values: "login", "select_account", "none".
redirectUrl String
scopes List<String>: OAuth scopes
signRequest Boolean: Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints.
ssoTargetUrl String: URL to send the SAML authentication requests to
supportGroups Boolean: Should Cloudflare try to load groups from your account
tokenUrl String: The token_endpoint URL of your IdP

appsDomain string: Your companies TLD
attributes string[]: A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules.
authUrl string: The authorization_endpoint URL of your IdP
authorizationServerId string: Your okta authorization server id
centrifyAccount string: Your centrify account url
centrifyAppId string: Your centrify app id
certsUrl string: The jwks_uri endpoint of your IdP to allow the IdP keys to sign the tokens
claims string[]: Custom claims
clientId string: Your OAuth Client ID
clientSecret string: Your OAuth Client Secret
conditionalAccessEnabled boolean: Should Cloudflare try to load authentication contexts from your account
directoryId string: Your Azure directory uuid
emailAttributeName string: The attribute name for email in the SAML response.
emailClaimName string: The claim name for email in the id_token response.
headerAttributes ZeroTrustAccessIdentityProviderConfigHeaderAttribute[]: Add a list of attribute names that will be returned in the response header from the Access callback.
idpPublicCerts string[]: X509 certificate to verify the signature in the SAML authentication response
issuerUrl string: IdP Entity ID or Issuer URL
oktaAccount string: Your okta account url
oneloginAccount string: Your OneLogin account url
pingEnvId string: Your PingOne environment identifier
pkceEnabled boolean: Enable Proof Key for Code Exchange (PKCE)
prompt string: Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single-sign on. prompt=none is the opposite. It ensures that the user isn't presented with any interactive prompt. If the request can't be completed silently by using single-sign on, the Microsoft identity platform returns an interactionrequired error. prompt=selectaccount interrupts single sign-on providing account selection experience listing all the accounts either in session or any remembered account or an option to choose to use a different account altogether. Available values: "login", "select_account", "none".
redirectUrl string
scopes string[]: OAuth scopes
signRequest boolean: Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints.
ssoTargetUrl string: URL to send the SAML authentication requests to
supportGroups boolean: Should Cloudflare try to load groups from your account
tokenUrl string: The token_endpoint URL of your IdP

apps_domain str: Your companies TLD
attributes Sequence[str]: A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules.
auth_url str: The authorization_endpoint URL of your IdP
authorization_server_id str: Your okta authorization server id
centrify_account str: Your centrify account url
centrify_app_id str: Your centrify app id
certs_url str: The jwks_uri endpoint of your IdP to allow the IdP keys to sign the tokens
claims Sequence[str]: Custom claims
client_id str: Your OAuth Client ID
client_secret str: Your OAuth Client Secret
conditional_access_enabled bool: Should Cloudflare try to load authentication contexts from your account
directory_id str: Your Azure directory uuid
email_attribute_name str: The attribute name for email in the SAML response.
email_claim_name str: The claim name for email in the id_token response.
header_attributes Sequence[ZeroTrustAccessIdentityProviderConfigHeaderAttribute]: Add a list of attribute names that will be returned in the response header from the Access callback.
idp_public_certs Sequence[str]: X509 certificate to verify the signature in the SAML authentication response
issuer_url str: IdP Entity ID or Issuer URL
okta_account str: Your okta account url
onelogin_account str: Your OneLogin account url
ping_env_id str: Your PingOne environment identifier
pkce_enabled bool: Enable Proof Key for Code Exchange (PKCE)
prompt str: Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single-sign on. prompt=none is the opposite. It ensures that the user isn't presented with any interactive prompt. If the request can't be completed silently by using single-sign on, the Microsoft identity platform returns an interactionrequired error. prompt=selectaccount interrupts single sign-on providing account selection experience listing all the accounts either in session or any remembered account or an option to choose to use a different account altogether. Available values: "login", "select_account", "none".
redirect_url str
scopes Sequence[str]: OAuth scopes
sign_request bool: Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints.
sso_target_url str: URL to send the SAML authentication requests to
support_groups bool: Should Cloudflare try to load groups from your account
token_url str: The token_endpoint URL of your IdP

appsDomain String: Your companies TLD
attributes List<String>: A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules.
authUrl String: The authorization_endpoint URL of your IdP
authorizationServerId String: Your okta authorization server id
centrifyAccount String: Your centrify account url
centrifyAppId String: Your centrify app id
certsUrl String: The jwks_uri endpoint of your IdP to allow the IdP keys to sign the tokens
claims List<String>: Custom claims
clientId String: Your OAuth Client ID
clientSecret String: Your OAuth Client Secret
conditionalAccessEnabled Boolean: Should Cloudflare try to load authentication contexts from your account
directoryId String: Your Azure directory uuid
emailAttributeName String: The attribute name for email in the SAML response.
emailClaimName String: The claim name for email in the id_token response.
headerAttributes List<Property Map>: Add a list of attribute names that will be returned in the response header from the Access callback.
idpPublicCerts List<String>: X509 certificate to verify the signature in the SAML authentication response
issuerUrl String: IdP Entity ID or Issuer URL
oktaAccount String: Your okta account url
oneloginAccount String: Your OneLogin account url
pingEnvId String: Your PingOne environment identifier
pkceEnabled Boolean: Enable Proof Key for Code Exchange (PKCE)
prompt String: Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single-sign on. prompt=none is the opposite. It ensures that the user isn't presented with any interactive prompt. If the request can't be completed silently by using single-sign on, the Microsoft identity platform returns an interactionrequired error. prompt=selectaccount interrupts single sign-on providing account selection experience listing all the accounts either in session or any remembered account or an option to choose to use a different account altogether. Available values: "login", "select_account", "none".
redirectUrl String
scopes List<String>: OAuth scopes
signRequest Boolean: Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints.
ssoTargetUrl String: URL to send the SAML authentication requests to
supportGroups Boolean: Should Cloudflare try to load groups from your account
tokenUrl String: The token_endpoint URL of your IdP

ZeroTrustAccessIdentityProviderConfigHeaderAttribute, ZeroTrustAccessIdentityProviderConfigHeaderAttributeArgs

AttributeName string: attribute name from the IDP
HeaderName string: header that will be added on the request to the origin

AttributeName string: attribute name from the IDP
HeaderName string: header that will be added on the request to the origin

attributeName String: attribute name from the IDP
headerName String: header that will be added on the request to the origin

attributeName string: attribute name from the IDP
headerName string: header that will be added on the request to the origin

attribute_name str: attribute name from the IDP
header_name str: header that will be added on the request to the origin

attributeName String: attribute name from the IDP
headerName String: header that will be added on the request to the origin

ZeroTrustAccessIdentityProviderScimConfig, ZeroTrustAccessIdentityProviderScimConfigArgs

Enabled bool: A flag to enable or disable SCIM for the identity provider.
IdentityUpdateBehavior string: Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With "reauth" identities will not contain fields from the SCIM user resource. With "noaction" identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate. Available values: "automatic", "reauth", "noaction".
ScimBaseUrl string: The base URL of Cloudflare's SCIM V2.0 API endpoint.
SeatDeprovision bool: A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
Secret string: A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identityproviders/:idpID/refreshscim_secret.
UserDeprovision bool: A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

Enabled bool: A flag to enable or disable SCIM for the identity provider.
IdentityUpdateBehavior string: Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With "reauth" identities will not contain fields from the SCIM user resource. With "noaction" identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate. Available values: "automatic", "reauth", "noaction".
ScimBaseUrl string: The base URL of Cloudflare's SCIM V2.0 API endpoint.
SeatDeprovision bool: A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
Secret string: A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identityproviders/:idpID/refreshscim_secret.
UserDeprovision bool: A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

enabled Boolean: A flag to enable or disable SCIM for the identity provider.
identityUpdateBehavior String: Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With "reauth" identities will not contain fields from the SCIM user resource. With "noaction" identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate. Available values: "automatic", "reauth", "noaction".
scimBaseUrl String: The base URL of Cloudflare's SCIM V2.0 API endpoint.
seatDeprovision Boolean: A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
secret String: A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identityproviders/:idpID/refreshscim_secret.
userDeprovision Boolean: A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

enabled boolean: A flag to enable or disable SCIM for the identity provider.
identityUpdateBehavior string: Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With "reauth" identities will not contain fields from the SCIM user resource. With "noaction" identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate. Available values: "automatic", "reauth", "noaction".
scimBaseUrl string: The base URL of Cloudflare's SCIM V2.0 API endpoint.
seatDeprovision boolean: A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
secret string: A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identityproviders/:idpID/refreshscim_secret.
userDeprovision boolean: A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

enabled bool: A flag to enable or disable SCIM for the identity provider.
identity_update_behavior str: Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With "reauth" identities will not contain fields from the SCIM user resource. With "noaction" identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate. Available values: "automatic", "reauth", "noaction".
scim_base_url str: The base URL of Cloudflare's SCIM V2.0 API endpoint.
seat_deprovision bool: A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
secret str: A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identityproviders/:idpID/refreshscim_secret.
user_deprovision bool: A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

enabled Boolean: A flag to enable or disable SCIM for the identity provider.
identityUpdateBehavior String: Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With "reauth" identities will not contain fields from the SCIM user resource. With "noaction" identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate. Available values: "automatic", "reauth", "noaction".
scimBaseUrl String: The base URL of Cloudflare's SCIM V2.0 API endpoint.
seatDeprovision Boolean: A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
secret String: A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identityproviders/:idpID/refreshscim_secret.
userDeprovision Boolean: A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

Import

$ pulumi import cloudflare:index/zeroTrustAccessIdentityProvider:ZeroTrustAccessIdentityProvider example '<{accounts|zones}/{account_id|zone_id}>/<identity_provider_id>'

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Cloudflare pulumi/pulumi-cloudflare
License: Apache-2.0
Notes: This Pulumi package is based on the cloudflare Terraform Provider.

Cloudflare v6.1.2 published on Monday, Apr 28, 2025 by Pulumi

pulumi/pulumi-cloudflare

cloudflare.ZeroTrustAccessIdentityProvider

On this page

On this page

Example Usage

Create ZeroTrustAccessIdentityProvider Resource

Constructor syntax

Parameters

Constructor example

ZeroTrustAccessIdentityProvider Resource Properties

Inputs

Outputs

Look up Existing ZeroTrustAccessIdentityProvider Resource

Supporting Types

ZeroTrustAccessIdentityProviderConfig, ZeroTrustAccessIdentityProviderConfigArgs

ZeroTrustAccessIdentityProviderConfigHeaderAttribute, ZeroTrustAccessIdentityProviderConfigHeaderAttributeArgs

ZeroTrustAccessIdentityProviderScimConfig, ZeroTrustAccessIdentityProviderScimConfigArgs

Import

Package Details

On this page

On this page