Update reference to include migration guide for scim virtual groups #25437
+50
−0
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| --- | ||
| pcx_content_type: navigation | ||
| title: Migration guides | ||
| sidebar: | ||
| order: 1 | ||
| group: | ||
| hideIndex: true | ||
| --- | ||
|
|
||
| import { DirectoryListing } from "~/components"; | ||
|
|
||
| <DirectoryListing /> |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,38 @@ | ||||||
| --- | ||||||
| pcx_content_type: reference | ||||||
| title: SCIM v1 to v2 Migration | ||||||
| sidebar: | ||||||
| order: 1 | ||||||
| label: SCIM migration | ||||||
| head: [] | ||||||
| description: Migrate from SCIM v1 Virtual Groups to Cloudflare’s GA SCIM User Groups | ||||||
| --- | ||||||
|
|
||||||
| Cloudflare's first iteration of [SCIM integration](/scim/) introduced a concept called *Virtual Groups*, typically identified by the pattern `CF-<accountID>-<Role Name>` in your IdP. Virtual Groups were an early implementation of group-based access control: they acted as placeholders created automatically by SCIM to map IdP groups to account memberships. | ||||||
|
|
||||||
| While customers could add or remove members from these groups within their IdP, Virtual Groups had important limitations: | ||||||
| - They could not be renamed or deleted in the IdP | ||||||
| - They could not be managed within Cloudflare | ||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||
| - Functionally, managing a Virtual Group was equivalent to syncing users and editing each member’s policies individually | ||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||
|
|
||||||
| With the GA of [User Groups](https://developers.cloudflare.com/changelog/2025-06-23-user-groups-ga/), Virtual Groups are now deprecated. Customers should migrate to User Groups, which provide a more flexible and scalable way to assign and manage policies. To maintain SCIM synchronization with the Cloudflare Dashboard, we strongly recommend migrating to **SCIM User Groups**. | ||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||
|
|
||||||
| If you have never synced a group linked to a `CF-<accountID>-<Role Name>` Virtual Group from your IdP to Cloudflare, no action is needed. | ||||||
|
|
||||||
| ## Migration steps | ||||||
|
|
||||||
| 1. **Create a new SCIM integration** in your IdP using an [Account Owned Token](/scim/authentication/) provisioned in Cloudflare | ||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||
| 2. **Assign users & groups to your new Application** in your IdP, following a naming convention that aligns with your internal processes | ||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||
| 3. **Sync groups to Cloudflare** and verify they appear in the **User Groups** pane of the Cloudflare Dashboard | ||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||
| 4. **Attach permission policies** to the new User Groups so members inherit the correct access upon assignment to the group | ||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||
| 5. **Migrate users** into the new groups incrementally, testing synchronization of users & groups into the Cloudflare Dashboard | ||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||
| 6. **Clean up legacy resources** by removing SCIM v1 Virtual Groups and IdP mappings that follow the `CF-<accountID>-<Role Name>` pattern | ||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||
|
|
||||||
| ## More resources | ||||||
|
|
||||||
| * [User Groups changelog](https://developers.cloudflare.com/changelog/2025-06-02-user-groups-beta/) | ||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||
| * [User Groups documentation](https://developers.cloudflare.com/fundamentals/manage-members/user-groups/) | ||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||
| * [Create an Account Owned Token](https://developers.cloudflare.com/fundamentals/api/get-started/account-owned-tokens/#create-an-account-owned-token) | ||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||
| * [SCIM provisioning setup guide](https://developers.cloudflare.com/fundamentals/account/account-security/scim-setup/) | ||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||
|
|
||||||
|
|
||||||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.