Barbican Identity Demo
SCIM

Group A — Restricted

Access gated by Entra group membership, synchronised to Cloudflare via SCIM provisioning.


Your Identity

CF Access — /cdn-cgi/access/get-identity (the page fetches the current Access identity from this endpoint)

How This Works

SCIM (System for Cross-domain Identity Management) is a protocol that allows Entra ID to push user and group data to Cloudflare in real time. This means group membership changes in Entra are reflected in Cloudflare Access policies without any manual synchronisation.

The authentication itself still uses an IdP (OIDC or SAML from Entra). SCIM adds the group dimension: Cloudflare knows which Entra groups exist and who belongs to them. The Access policy for this page uses group membership as its condition — only users in the CF-Demo-Group-A Entra group are permitted.

Key distinction: OIDC/SAML handle authentication (who are you?). SCIM handles provisioning (which groups do you belong to?) and keeps that answer up to date. They work together — OIDC/SAML for the login flow, SCIM for the group data the policy evaluates.
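To make the two roles concrete, here is an added example written for this page (not Cloudflare's or Entra's code): a toy SCIM 2.0 group store that applies the PatchOp messages a provisioning IdP sends for a group, and an Access-style check that consults the current membership at login time. The group name matches the demo; the user ids and patch messages are constructed.

```python
# Added example (not Cloudflare's or Entra's code): a toy SCIM 2.0 group
# store plus the group-gated access check this demo page describes.
import re
from dataclasses import dataclass, field

PATCHOP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
MEMBER_FILTER = re.compile(r'^members\[value eq "([^"]+)"\]$')

@dataclass
class Group:
    display_name: str
    members: set = field(default_factory=set)  # SCIM user ids

def apply_patch(group: Group, patch: dict) -> Group:
    """Apply a SCIM PatchOp to a group's members (RFC 7644 section 3.5.2).
    Accepts 'path: members' with a value list and the filtered form
    'members[value eq "<id>"]'; op names are compared case-insensitively
    because some IdPs send 'Add' / 'Remove'."""
    if PATCHOP not in patch.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    for oper in patch["Operations"]:
        op, path = oper["op"].lower(), oper.get("path", "")
        m = MEMBER_FILTER.match(path)
        if m:
            ids = {m.group(1)}
        elif path == "members":
            ids = {v["value"] for v in oper.get("value", [])}
        else:
            raise ValueError(f"unsupported path: {path!r}")
        if op == "add":
            group.members |= ids
        elif op == "remove":
            group.members -= ids
        elif op == "replace" and path == "members":
            group.members = ids
        else:
            raise ValueError(f"unsupported op {op!r} on {path!r}")
    return group

def access_allowed(user_id: str, group: Group, required: str) -> bool:
    """Access-style policy: allow only current members of the required group."""
    return group.display_name == required and user_id in group.members

# Constructed sample: the IdP adds alice to the group, later removes her.
SAMPLE_GROUP = Group("CF-Demo-Group-A")
ADD_ALICE = {"schemas": [PATCHOP], "Operations": [
    {"op": "Add", "path": "members", "value": [{"value": "alice-id"}]}]}
REMOVE_ALICE = {"schemas": [PATCHOP], "Operations": [
    {"op": "Remove", "path": 'members[value eq "alice-id"]'}]}
```

Note that the access decision is only as fresh as the last applied patch, which is why a stalled provisioning cycle leaves removed users with access until the next sync.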

Entra Configuration

1. Create the Group

  1. Entra ID → Groups → New group
  2. Name: CF-Demo-Group-A, assign members who should have restricted access

2. Enterprise Application — SCIM Provisioning

  1. Entra ID → Enterprise Applications → find the application used for Cloudflare Access (OIDC or SAML app)
  2. Provisioning → Get started → Automatic
  3. Tenant URL: https://<your-team>.cloudflareaccess.com/cdn-cgi/access/scim/v2/
  4. Secret Token: generate a SCIM API token in Cloudflare (see below) and paste it here
  5. Test connection → Save
  6. Under Mappings, ensure Groups are enabled
  7. Add the CF-Demo-Group-A group to the application's scope under Users and groups
  8. Start provisioning — Entra will push the group to Cloudflare

Cloudflare Configuration

1. Generate SCIM Token

  1. Zero Trust → Settings → Authentication → Identity provider (your Entra OIDC/SAML) → Edit
  2. Enable SCIM Provisioning → Generate token
  3. Copy the token — paste into Entra's Secret Token field above

2. Add Access Application

  1. Zero Trust → Access → Applications → Add an Application → Self-hosted
  2. Domain: barbicancloud.co.uk/scim-a/* (path) or scim-a.barbicancloud.co.uk (subdomain)
  3. Add a policy: Action = Allow, Selector = Azure Groups → select CF-Demo-Group-A

Once SCIM has synced, the group will appear in the selector. Membership changes in Entra propagate to Cloudflare automatically on the provisioning cycle.


Routing

  Path-based: barbicancloud.co.uk/scim-a/
  Subdomain:  scim-a.barbicancloud.co.uk