@workos/mcp-docs-server 0.1.0

package/.docs/organized/docs/integrations/cezanne.mdx

@@ -0,0 +1,74 @@
+---
+title: Cezanne HR
+description: Learn about syncing your user list with Cezanne HR.
+icon: cezanne-hr
+breadcrumb:
+  title: Integrations
+  url: /integrations
+originalPath: .tmp-workos-clone/packages/docs/content/integrations/cezanne.mdx
+---
+
+## Introduction
+
+This guide outlines how to synchronize your application’s Cezanne HR directories.
+
+To synchronize an organization’s users and groups provisioned for your application, you’ll need the following information from the organization:
+
+- Cezanne HR Client ID
+- Cezanne HR Client Secret
+
+> Note: The Cezanne HR integration isn't enabled by default in the WorkOS Dashboard or Admin Portal. Please reach out to [support@workos.com](mailto:support@workos.com) or via your team’s WorkOS Slack channel if you would like Cezanne HR enabled.
+
+---
+
+## (1) Set up your Directory Sync Connection
+
+Login to your WorkOS Dashboard and select “Organizations” from the left hand navigation bar.
+
+Select the organization you’ll be configuring a new Directory Sync Connection with.
+
+Click “Manually Configure Connection”.
+
+![A screenshot showing where to find "Manually Configure Directory" button for an organization in the WorkOS dashboard.](https://images.workoscdn.com/images/e65f54ae-6010-4492-a838-8583dc614e50.png?auto=format&fit=clip&q=50)
+
+Input the Name, and select “Cezanne HR” as the directory type.
+
+Click the “Create Directory” button.
+
+![A screenshot showing "Create Directory" details in the WorkOS dashboard.](https://images.workoscdn.com/images/1217ac5a-6d04-4783-8ce5-b005c14aa005.png?auto=format&fit=clip&q=50)
+
+You will now see your Cezanne HR directory sync has created successfully with an input for the Client ID and Client Secret
+
+---
+
+## (2) Obtain a Cezanne HR Client ID and Client Secret
+
+To obtain these credentials, you will need to request a new API Application from the Cezanne HR Support Team.
+
+---
+
+## (3) Enter the details in the Directory’s detail page
+
+Click “Update Directory”.
+
+There are two fields to enter, the Client ID and Client Secret that Cezanne support provided for you.
+
+![A screenshot showing where to find the "Update Directory" button in the WorkOS dashboard.](https://images.workoscdn.com/images/1b94ab4a-b001-47ea-a89f-548011881ff0.png?auto=format&fit=clip&q=50)
+
+---
+
+## (4) Sync Users and Groups to Your Application
+
+When the connection is successfully made, you will see the green “Linked” icon appear. Now, whenever the organization assigns users or groups to your application, you’ll receive Dashboard updates based on changes in their directory.
+
+Click on the “Users” tab in the Dashboard to view synced users.
+
+![A screenshot showing where to find the "Users" tab in the WorkOS directory.](https://images.workoscdn.com/images/ed0393d9-84de-416b-8410-b5596e091d67.png?auto=format&fit=clip&q=50)
+
+A detailed guide to integrate the WorkOS API with your application can be found [here](/directory-sync)
+
+## Frequently asked questions
+
+### How often do Cezanne HR directories perform a sync?
+
+Cezanne HR directories poll every 30 minutes starting from the time of the initial sync.

package/.docs/organized/docs/integrations/classlink-saml.mdx

@@ -0,0 +1,100 @@
+---
+title: ClassLink
+description: "Learn how to configure a\_connection to\_ClassLink via SAML."
+icon: classlink
+breadcrumb:
+  title: Integrations
+  url: /integrations
+originalPath: .tmp-workos-clone/packages/docs/content/integrations/classlink-saml.mdx
+---
+
+## Introduction
+
+Each SSO Identity Provider requires specific information to create and configure a new [Connection](/glossary/connection). Often, the information required to create a Connection will differ by Identity Provider.
+
+To create a ClassLink SAML Connection, you’ll need the Identity Provider Metadata URL that is available from the organization's ClassLink SAML instance.
+
+Start by logging in to your WorkOS dashboard and browse to the “Organizations” tab on the left hand navigation bar.
+
+Select the organization you’d like to configure a ClassLink SAML Connection for, and select “Manually Configure Connection” under “Identity Provider”.
+
+![A screenshot showing the "Manual Configure Connection" option in the WorkOS Dashboard.](https://images.workoscdn.com/images/fe7f0470-1d95-4708-b364-6dfea9e94e59.png?auto=format&fit=clip&q=50)
+
+Select “ClassLink SAML” from the Identity Provider dropdown, enter a descriptive name for the connection, and then select the “Create Connection” button.
+
+![A screenshot showing a ClassLink connection being created in the WorkOS Dashboard.](https://images.workoscdn.com/images/20fabb8d-91a2-4f7d-965f-837f886a8481.png?auto=format&fit=clip&q=50)
+
+---
+
+## What WorkOS provides
+
+WorkOS provides the [ACS URL](/glossary/acs-url), the [SP Metadata](/glossary/sp-metadata) link and the [SP Entity ID](/glossary/sp-entity-id). They are readily available in your Connection Settings in the [Developer Dashboard](https://dashboard.workos.com/).
+
+The SP Metadata link contains a metadata file that the organization can use to set up the SAML integration.
+
+![A screenshot showing the Service Provider Details provided by WorkOS for a ClassLink connection in the WorkOS Dashboard.](https://images.workoscdn.com/images/46a922ac-10d2-424a-9b10-762702f8fc05.png?auto=format&fit=clip&q=50)
+
+---
+
+## What you’ll need
+
+In order to integrate you’ll need the [IdP Metadata URL](/glossary/idp-metadata).
+
+Normally, this will come from the organization's IT Management team when they set up your application’s SAML 2.0 configuration in their ClassLink instance. Here’s how to obtain them:
+
+---
+
+## (1) Select or create your application
+
+Login to the ClassLink Management Console (CMC), click Single Sign-On and select SAML Console.
+
+Click ADD NEW or COPY EXISTING. Copy Existing contains pre-configured SAML apps which need to be updated to fit your unique settings.
+
+![A screenshot showing where to select "Add Application" in the ClassLink console.](https://images.workoscdn.com/images/2adb6c82-eeb2-4fee-9eb1-cd1655d08e35.png?auto=format&fit=clip&q=50)
+
+---
+
+## (2) Initial SAML Application Setup
+
+Edit the new application by click the three dots menu icon, and then selecting Edit.
+
+![A screenshot showing where to edit the ClassLink application.](https://images.workoscdn.com/images/70877547-fcac-40ec-a98f-87f5333ad59f.png?auto=format&fit=clip&q=50)
+
+Update the Metadata URL in the ClassLink application settings with the SP Metadata URL provided to you by WorkOS.
+
+![A screenshot showing where to enter the SP Metadata URL in the ClassLink application settings.](https://images.workoscdn.com/images/d97393b1-5066-4f48-a6e4-bb5cf1a2c6c8.png?auto=format&fit=clip&q=50)
+
+---
+
+## (3) Configure SAML Application
+
+Under the “Attribute Mapping” section of the SAML app, map the following four attributes as shown below, and the select “Update”.
+
+- `id` → `Login id`
+- `email` → `Email`
+- `firstName` → `Given Name`
+- `lastName` → `Family Name`
+
+![A screenshot showing how to input user attribute mapping in the ClassLink dashboard.](https://images.workoscdn.com/images/a6f3d9da-cb06-4eda-a243-f3fb84f9df76.png?auto=format&fit=clip&q=50)
+
+### Role Assignment (optional)
+
+With [identity provider role assignment](/sso/identity-provider-role-assignment), users can receive roles within your application based on their group memberships. To return this information in the attribute statement, map the groups in your identity provider to a SAML attribute named `groups`.
+
+> Finish role assignment set-up by navigating to the SSO connection page in the _Organization_ section of the [WorkOS Dashboard](https://dashboard.workos.com/). Create SSO groups by referencing the group IdP ID. Then, assign roles to these SSO groups so group members are automatically granted roles within your application.
+
+## (4) Upload Metadata URL
+
+Copy the IdP Metadata URL from your ClassLink SAML settings and upload it to your WorkOS Connection settings.
+
+![A screenshot highlighting where the ClassLink Metadata URL is located in the ClassLink console.](https://images.workoscdn.com/images/a75ed9fa-3b21-469b-93e4-3b8483da3717.png?auto=format&fit=clip&q=50)
+
+In the Connection settings in the WorkOS Dashboard, click “Edit Metadata Configuration”.
+
+![A screenshot highlighting the "Edit Metadata Configuration" button in a Connection details view in the WorkOS Dashboard.](https://images.workoscdn.com/images/c03dd1dc-84b3-4909-bee5-61249280e35f.png?auto=format&fit=clip&q=50)
+
+Paste the Metadata URL from ClassLink into the “Metadata URL” field and select “Save Metadata Configuration”.
+
+![A screenshot showing how to input the Metadata URL into the Connection in the WorkOS Dashboard.](https://images.workoscdn.com/images/88884c90-bb7d-4f18-9a7c-bb7c7ad1fee2.png?auto=format&fit=clip&q=50)
+
+Your Connection will then be linked and good to go!

package/.docs/organized/docs/integrations/cloudflare-saml.mdx

@@ -0,0 +1,164 @@
+---
+title: Cloudflare
+description: "Learn how to configure a connection to\_Cloudflare via SAML."
+icon: cloudflare
+breadcrumb:
+  title: Integrations
+  url: /integrations
+originalPath: .tmp-workos-clone/packages/docs/content/integrations/cloudflare-saml.mdx
+---
+
+## Introduction
+
+Each SSO Identity Provider requires specific information to create and configure a new [Connection](/glossary/connection). Often, the information required to create a Connection will differ by Identity Provider.
+
+To create a Cloudflare SAML Connection, you’ll need to manually enter the SSO URL, [IdP Entity ID](/glossary/idp-uri-entity-id), and X.509 Certificate obtained from your Cloudflare instance. Instructions on where to obtain these will be covered in this guide.
+
+---
+
+## What WorkOS provides
+
+The first thing you’ll need to do is create a new Cloudflare SAML connection in your [WorkOS Dashboard](https://dashboard.workos.com/). Start by logging in to your WorkOS dashboard and browse to the “Organizations” tab on the left hand navigation bar.
+
+Select the organization you’d like to configure a Cloudflare SAML Connection for, and from the dropdown menu select “Add Connection”.
+
+![A screenshot showing how to add an SSO connection in the WorkOS Dashboard.](https://images.workoscdn.com/images/685a5cfc-14f2-44b9-95de-3b6af1c1b4b1.png?auto=format&fit=clip&q=50)
+
+Select “Cloudflare SAML” as the Identity Provider and give the Connection a descriptive name. Once this is filled out, click “Create Connection”.
+
+![A screenshot showing how to create a Cloudflare SAML Connection.](https://images.workoscdn.com/images/bb5d99c0-0f69-4ef6-b67d-654dd2311745.png?auto=format&fit=clip&q=50)
+
+WorkOS provides the [ACS URL](/glossary/acs-url) and the [SP Entity ID](/glossary/sp-entity-id). These are available in your Connection’s Settings in the Developer Dashboard.
+
+![A screenshot showing where to find the Service Provider details in the WorkOS Dashboard.](https://images.workoscdn.com/images/bea6f73d-6dae-452b-be22-f22861c9497c.png?auto=format&fit=clip&q=50)
+
+The ACS URL is the location an Identity Provider redirects its authentication response to. In Cloudflare’s case, it needs to be set by the organization when configuring the application in the Cloudflare instance.
+
+The SP Entity ID is a URI used to identify the issuer of a SAML request. In this case, the entity ID is used to communicate that WorkOS will be the party performing SAML requests to the organization's Cloudflare instance.
+
+---
+
+## What you’ll need
+
+Cloudflare SAML is a unique integration in that it sits between WorkOS and the Identity Provider. This allows for additional rules to be configured, but also means there are two connections that need to be made. The first necessary connection is between Cloudflare and the IdP, and the second connection is between WorkOS and Cloudflare.
+
+---
+
+## (1) Connect Cloudflare with your Identity Provider
+
+First, create the connection between Cloudflare and the Identity Provider. Cloudflare Access allows you to connect with any IdP that supports a SAML 2.0 connection. Follow the [documentation from Cloudflare](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/generic-saml) to configure a SAML application connection between Cloudflare and your IdP.
+
+The one deviation from the CloudFlare documentation is that the SAML attributes must include `email`, `firstName`, `lastName`, and `id`. Email is included by default as the “Email attribute name”, but you will need to add the other three as SAML attributes.
+
+When setting up the connection, be sure to enter `email`, `firstName`, `lastName`, and `id` as SAML attributes.
+
+![A screenshot showing how to configure SAML attributes in Cloudflare Access.](https://images.workoscdn.com/images/57473539-2c40-4c16-b59b-471cbdce1764.png?auto=format&fit=clip&q=50)
+
+Save the connection and then click the “Test” button. When successful, you will see a success screen including your `saml_attributes` that have been added.
+
+![A screenshot showing a successful test of Cloudflare Access.](https://images.workoscdn.com/images/bd575c26-8d01-4e12-8e7e-70198da3e33d.png?auto=format&fit=clip&q=50)
+
+---
+
+## (2) Add an Application in Cloudflare Access
+
+Next, create the connection between Cloudflare and WorkOS. From the Cloudflare Zero Trust dashboard Access menu, select “Applications”, then “Add an application”.
+
+![A screenshot showing where to add an application in Cloudflare Access.](https://images.workoscdn.com/images/ae6525fa-194c-44f5-a20b-f6ea14667ec2.png?auto=format&fit=clip&q=50)
+
+Select “SaaS” for the type of application.
+
+![A screenshot highlighting the SaaS application type in Cloudflare.](https://images.workoscdn.com/images/9202ac92-d1b7-4ad7-9c2d-486528e8edcb.png?auto=format&fit=clip&q=50)
+
+Copy the ACS URL and Entity ID from the Connection Settings in your WorkOS Dashboard.
+
+![A screenshot showing where to find the Service Provider details in the WorkOS Dashboard.](https://images.workoscdn.com/images/bea6f73d-6dae-452b-be22-f22861c9497c.png?auto=format&fit=clip&q=50)
+
+Select the name of your application from the dropdown menu. If your application is not listed, type the name to save it.
+
+Paste the ACS URL and SP Entity ID to the corresponding fields in Cloudflare. Then select the Name ID Format that you would like to use for this application. For this example we’ll use Unique ID.
+
+![A screenshot showing where to input Service Provider details into the Cloudflare application.](https://images.workoscdn.com/images/2417371c-2a7d-41e7-a98b-295461e1741f.png?auto=format&fit=clip&q=50)
+
+---
+
+## (3) Configure Attribute Mapping
+
+Now, Configure the attribute statements. WorkOS requires that `email`, `firstName`, `lastName`, and `id` be included. Cloudflare automatically sends `id` and `email`, so you only need to add `firstName` and `lastName`. These attributes were configured in Step 1, and the mapped values are the same here.
+
+Add `firstName` and `lastName` to both the right and left sides of the SAML attribute statements.
+
+![A screenshot showing where to configure Cloudflare attribute mapping.](https://images.workoscdn.com/images/6d0a7e54-e912-4cb7-8688-427d595d30e6.png?auto=format&fit=clip&q=50)
+
+### Role Assignment (optional)
+
+With [identity provider role assignment](/sso/identity-provider-role-assignment), users can receive roles within your application based on their group memberships. To return this information, add a new attribute statement with `groups` as the "Name" and map it to the "IdP attribute" for `groups`, as shown in the example below.
+
+![A screenshot showing how to configure a groups attribute in Cloudflare.](https://images.workoscdn.com/images/659df99d-79b9-4fd4-bcec-69b337504cfe.png?auto=format&fit=clip&q=50)
+
+> Finish role assignment set-up by navigating to the SSO connection page in the _Organization_ section of the [WorkOS Dashboard](https://dashboard.workos.com/). Create SSO groups by referencing the group IdP ID. Then, assign roles to these SSO groups so group members are automatically granted roles within your application.
+
+---
+
+## (4) Finish SSO Application Configuration
+
+Select the Identity Provider that you are using from the list. In this example we are using an Okta SAML connection.
+
+![A screenshot highlighting where to select the Identity Provider in the Cloudflare application.](https://images.workoscdn.com/images/0f4ea850-5111-4659-a67f-8887cde842dd.png?auto=format&fit=clip&q=50)
+
+Configure at least one policy and one rule, then click next. For this example the Policy sets the session length to 30 minutes for everyone.
+
+![A screenshot showing where to configure policy and rules for the Cloudflare application.](https://images.workoscdn.com/images/c6141486-5b88-47e5-88d8-161294698ece.png?auto=format&fit=clip&q=50)
+
+---
+
+## (5) Copy Connection Credentials
+
+The SSO endpoint, Entity ID, and Public key (X.509 certificate) all will be entered in the Connection details in the [WorkOS Dashboard](https://dashboard.workos.com/). The SSO endpoint and Entity ID can be entered as-is, but the Public Key needs to be formatted as an X.509 certificate.
+
+![A screenshot showing where to copy the connection credentials from the Cloudflare dashboard.](https://images.workoscdn.com/images/81f19129-0b22-4f78-b238-e9b087a3a52b.png?auto=format&fit=clip&q=50)
+
+To format the Public Key, copy the value to a text editor and add the following header and footer to the Public Key. Ensure there are no spaces above or below the Key value, then save with the file extension “.cert”.
+
+```shell title="Certificate format"
+-----BEGIN CERTIFICATE-----
+<PUBLIC KEY VALUE>
+-----END CERTIFICATE-----
+```
+
+The format of the file should look like this when you’re finished.
+
+```shell title="Completed Certificate Format"
+-----BEGIN CERTIFICATE-----
+MIIDUTCCAjmgAwIBAgIRAN557boQ2ZxW4Ww08cZYK2IwDQYJKoZIhvcNAQELBQAw
+YjELMAkGA1UEBhMCVVMxDjAMxxxxxAgTBVRleGFzMQ8wDQYDVQQHEwZBdXN0aW4x
+EzARBgNVBAoTCkNsb3VkZmxhcmUxHTAbBgNVBAMTFGNsb3VkZmxhcmVhY2Nlc3Mu
+Y29tMB4XDTxxxxxwMjE5MzMxM1oXDTMyMDIwMjE5MzMxM1owYjELMAkGA1UEBhMC
+VVMxDjAMBgNVBAgTBVRleGFzMQ8wDQYDVQQHEwZBdXN0aW4xEzARBgNVBAoTCkNs
+b3VkZmxhcmUxHTAbBgNVBAMTFGNsb3VkZmxxxxxhY2Nlc3MuY29tMIIBIjANBgkq
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA49p6jXzk65DeG4DI2NgW0UOOJrd+9qYS
+OCuBYq/e4IqSeqchsm1JDY9MjB6xmiw+urC1qWuj0MS4dwAJQwiGFbCGDh5m4FAF
+mZm5VaMkW5Q+MG5zXRfeLmhvLuT0XVBcDlkwPC3k28/moKi1KlwPcujLF43+rf2d
+8Rm6ZNCJgfVzRxxxxxPd5NGpNlEZ0ViPXM1gsO15/1Iginevv+xKqRTx0vMsNLWJ
+BwWLAAqm5b6U9XQefwy9lPqPywFwCuZEMXwI9Rpm0f2xmOK56EudtdSkQ1JtSgYX
+x9rf/97NfP8wI2x1IncQtwdWNdW5cvxMqYU/Za6WZvjNCnpFQGXLJQIDAQABowIw
+ADANBgkqhkiG9w0BAQsFAAOCAQEARZ0h2ZeNXSme0EbQeJfEFOX+mj9rPkHIJFfQ
+G7+dRG6DwDubxG56TsvUINcJX8O5C6oQ0T6dRutO/jG5LxJqmCz5wLUTA/6/YLDk
+95gbYyJ/yfLm4sd6DEoXzWSld+EZ5b86pxFnvR/+cPY2tcSghQ+moZKR5THwHLsZ
+hie2Pr6UVvuS5D9BC4ijR+cPyB5r4qliI9C1p8phuZctoX9dPpFY+UwkWgUDx9sz
+UXFJsqueoibxfVqh4Jzdw+2XH6xN3WvTdJN4Sh1fqEpBeOxxxxxlRrCAJiMnLtG6
+QgHF9ZnNRbIFcUHF/lyWY3oxcvgeUwEnE5QVVbdoMMGKKgffbQ==
+-----END CERTIFICATE-----
+```
+
+---
+
+## (6) Provide Connection Credentials
+
+Navigate to the Connection in your Developer Dashboard. Enter the SSO endpoint in the [IdP SSO URL](/glossary/idp-sso-url) field and enter the “Access Entity ID or Issuer” value into the “IdP URI (Entity ID)” field.
+
+Upload the file that you saved for the X.509 certificate to the “Add an X.509 Certificate” field. Click Save Configuration.
+
+![A screenshot showing where upload the Metadata configuration details.](https://images.workoscdn.com/images/2d149107-fbc3-4e09-a644-b68dc5ff151b.png?auto=format&fit=clip&q=50)
+
+Your Connection will then be Active and good to go!

package/.docs/organized/docs/integrations/cyberark-saml.mdx

@@ -0,0 +1,138 @@
+---
+title: CyberArk SAML
+description: "Learn how to configure a connection to\_CyberArk via SAML."
+icon: cyberark
+breadcrumb:
+  title: Integrations
+  url: /integrations
+originalPath: .tmp-workos-clone/packages/docs/content/integrations/cyberark-saml.mdx
+---
+
+## Introduction
+
+Each SSO Identity Provider requires specific information to create and configure a new [Connection](/glossary/connection). Often, the information required to create a Connection will differ by Identity Provider.
+
+To create a CyberArk SAML Connection, you’ll need the Identity Provider metadata that is available from your CyberArk instance.
+
+---
+
+## What WorkOS provides
+
+The first thing you’ll need to do is create a new CyberArk SAML connection in your [WorkOS dashboard](https://dashboard.workos.com/). Start by logging in to your WorkOS dashboard and browse to the “Organizations” tab on the left hand navigation bar.
+
+Select the organization you’d like to configure a CyberArk SAML Connection for, and then click “Manually Configure Connection”.
+
+![A screenshot showing where to select "Manually Configure Connection" in the WorkOS dashboard.](https://images.workoscdn.com/images/72c85573-ffe7-4be4-8fe1-2ea60db0c77a.png?auto=format&fit=clip&q=50)
+
+Select “CyberArk SAML” as the Identity Provider, give the Connection a descriptive name, and click “Create Connection”.
+
+![A screenshot showing the "Create Connection" modal in the WorkOS dashboard.](https://images.workoscdn.com/images/d5ef1aab-8d6d-47ff-9af8-ae237ed31440.png?auto=format&fit=clip&q=50)
+
+WorkOS provides the [ACS URL](/glossary/acs-url) and [SP Entity ID](/glossary/sp-entity-id). They are readily available in your Connection Settings in the [WorkOS dashboard](https://dashboard.workos.com/).
+
+![A screenshot showing where to locate the "ACS URL" and "SP Entity ID" in the WorkOS dashboard.](https://images.workoscdn.com/images/d443909c-712a-4084-9ac8-2b47f560a6fa.png?auto=format&fit=clip&q=50)
+
+The ACS URL is the location an Identity Provider redirects its authentication response to. In CyberArk’s case, it needs to be set by the organization when configuring your application in their CyberArk instance.
+
+The SP Entity ID is a URI used to identify the issuer of a SAML request and the audience of a SAML response. In this case, the SP Entity ID is used to communicate that WorkOS will be the party performing SAML requests to the organization's CyberArk instance, and that WorkOS is the intended audience of the SAML responses from the CyberArk instance.
+
+Specifically, the ACS URL will need to be set as the “Assertion Consumer Service (ACS) URL”, and the SP Entity ID will need to be set as the “SP Entity Id / Issuer / Audience”, in the “Service Provider Configuration” section of the “Trust” tab in the SAML App.
+
+![A screenshot showing where to input the WorkOS ACS URL and SP Entity ID in the “SP Entity ID” and "ACS URL" fields in the CyberArk dashboard.](https://images.workoscdn.com/images/bb1b0fe6-0e13-4c45-8bfd-fd0b4d9dc028.png?auto=format&fit=clip&q=50)
+
+---
+
+## What you’ll need
+
+Next, provide the Identity Provider metadata.
+
+Normally, this information will come from the organization's IT Management team when they set up your application’s SAML configuration in their CyberArk Identity Admin Portal. If that’s not the case during your setup, the following steps describe how to get the necessary information.
+
+---
+
+## (1) Log in
+
+Log in to the [CyberArk Identity Admin Portal](https://pod0.idaptive.app/my) and select “Web Apps” from the left-side navigation.
+
+![A screenshot showing where to select 'Web Apps" in the CyberArk dashboard.](https://images.workoscdn.com/images/1e496ecf-4948-4161-8d0e-7dd085d1cc74.png?auto=format&fit=clip&q=50)
+
+---
+
+## (2) Select or create your application
+
+If your application is already created, select it from the list of applications and move to Step 4. If you haven’t created a SAML application in CyberArk, select “Add Web Apps”.
+
+![A screenshot showing where to select "Add Web Apps" in the CyberArk dashboard.](https://images.workoscdn.com/images/034f7256-e5d1-40bf-a258-4532ba462966.png?auto=format&fit=clip&q=50)
+
+Select the “Custom” tab and then click to add “SAML”.
+
+![A screenshot showing how to select the "SAML" web application type in the CyberArk dashboard.](https://images.workoscdn.com/images/48709bed-91f5-4549-8fec-3766ca10b5ee.png?auto=format&fit=clip&q=50)
+
+Select “Yes” to begin setting up the SAML App.
+
+![A screenshot indicating to select "Yes" in the confirmation to add the new application in the CyberArk dashboard.](https://images.workoscdn.com/images/2877ea73-3e8b-4370-9dd2-b3a64ea8990a.png?auto=format&fit=clip&q=50)
+
+---
+
+## (3) Initial SAML Application Setup
+
+Enter a descriptive App Name and Description, then click “Save”.
+
+![A screenshot showing how to populate the "Name" and "Description" fields in the CyberArk dashboard.](https://images.workoscdn.com/images/bb5bf913-edae-4286-9a72-20eaa12ca1e7.png?auto=format&fit=clip&q=50)
+
+Next, navigate to the “Trust” tab and enter the SP Entity ID from the Connection Settings into “SP Entity Id / Issuer / Audience” and the ACS URL from the Connection Settings into “Assertion Consumer Service (ACS) URL” in the “Service Provider Configuration” section of the “Trust” tab in the SAML App.
+
+> IMPORTANT: Be sure to check “Both” under “Sign Response or Assertion?”.
+
+![A screenshot showing where to input the WorkOS ACS URL and SP Entity ID in the “SP Entity ID” and "ACS URL" fields in the CyberArk dashboard.](https://images.workoscdn.com/images/bb1b0fe6-0e13-4c45-8bfd-fd0b4d9dc028.png?auto=format&fit=clip&q=50)
+
+---
+
+## (4) Configure Attribute Mapping
+
+Select the “SAML Response” tab and use the “Add” button to add the following key-value pairs. Then, click “Save”.
+
+- `id` → `LoginUser.Uuid`
+- `email` → `LoginUser.Email`
+- `firstName` → `LoginUser.FirstName`
+- `lastName` → `LoginUser.LastName`
+
+![A screenshot showing the "SAML Response" tab successfully configured in the CyberArk dashboard.](https://images.workoscdn.com/images/63c47f86-6205-4c23-b4b2-1c2950d94fe7.png?auto=format&fit=clip&q=50)
+
+### Role Assignment (optional)
+
+With [identity provider role assignment](/sso/identity-provider-role-assignment), users can receive roles within your application based on their group memberships. To return this information in the attribute statement, first add a new attribute in the "SAML Response" tab. In the "Attribute Name" column, input `groups`, and map it to the "Attribute Value" for a user’s group membership, such as `LoginUser.GroupNames`, as shown in the example below.
+
+![A screenshot showing the groups attribute successfully configured in CyberArk.](https://images.workoscdn.com/images/e5b30513-3915-46a3-b876-650898f8f288.png?auto=format&fit=clip&q=50)
+
+Once your SAML app is configured to return groups, navigate to the SSO connection page in the _Organization_ section of the [WorkOS Dashboard](https://dashboard.workos.com/). Create SSO groups by referencing the group IdP ID. Then, assign roles to these SSO groups so group members are automatically granted roles within your application.
+
+---
+
+## (5) Add Users to SAML Application
+
+To give users permission to authenticate via this SAML app, you will need to assign individual users and/or groups of users to the CyberArk SAML app.
+
+Click on the “Permissions” tab, and select “Add”.
+
+![A screenshot showing where to select "Add" in the "Permissions" tab of the application in the CyberArk dashboard.](https://images.workoscdn.com/images/473838e4-cf5f-4feb-a577-f167ac907f01.png?auto=format&fit=clip&q=50)
+
+Search for the individual user(s) and/or group(s) that you would like to assign to the app, and check the box next to them. Click “Add” when you are finished. Once users have been successfully added, you should also notice the “Status” of your CyberArk SAML app change to “Deployed”.
+
+![A screenshot showing the selection of a user to add to the SAML application in the CyberArk dashboard.](https://images.workoscdn.com/images/a09d23b6-5eb7-4fdf-999b-fff77159d43c.png?auto=format&fit=clip&q=50)
+
+---
+
+## (6) Copy Metadata
+
+On the “Trust” tab of the SAML App, go to the “Service Provider Configuration Section” and select “Metadata”. Then click on “Copy URL” button to copy the Metadata URL. This URL will get entered in the WorkOS dashboard in the next step.
+
+![A screenshot showing where to obtain the "Metadata URL" in the CyberArk dashboard.](https://images.workoscdn.com/images/5da3432f-1105-44f1-9433-d1002d1c832d.png?auto=format&fit=clip&q=50)
+
+---
+
+## (7) Provide Metadata
+
+Finally, select "Edit Metadata Configuration" and input the Metadata URL in your WorkOS Connection Settings. Your Connection will then be verified and good to go!
+
+![A screenshot showing where to select "Edit Metadata Configuration" in the "Identity Provider Configuration" in the WorkOS dashboard.](https://images.workoscdn.com/images/bedce7fc-3dcd-468d-ab31-1e65f8f14cb9.png?auto=format&fit=clip&q=50)

package/.docs/organized/docs/integrations/cyberark-scim.mdx

@@ -0,0 +1,100 @@
+---
+title: CyberArk SCIM
+description: "Learn about syncing your user list with\_CyberArk SCIM."
+icon: cyberark
+breadcrumb:
+  title: Integrations
+  url: /integrations
+originalPath: .tmp-workos-clone/packages/docs/content/integrations/cyberark-scim.mdx
+---
+
+## Introduction
+
+This guide outlines how to synchronize your application’s CyberArk directories using SCIM.
+
+To synchronize an organization’s users and groups provisioned for your application, you’ll need to provide the organization with two pieces of information:
+
+- An [Endpoint](/glossary/endpoint) that CyberArk will make requests to.
+- A [Bearer Token](/glossary/bearer-token) for CyberArk to authenticate its endpoint requests.
+
+After completing step 1 below, both of these are available in your Endpoint’s Settings in the [WorkOS Dashboard](https://dashboard.workos.com/).
+
+> The rest of the steps below will need to be carried out by the organization when configuring your application in their CyberArk instance.
+
+---
+
+## (1) Set up your directory in the WorkOS Dashboard
+
+In your WorkOS Dashboard, select or create an Organization. Then select “Manually Configure Directory”.
+
+![A screenshot showing where to select "Manually Configure Directory" in the WorkOS dashboard.](https://images.workoscdn.com/images/2865e608-6524-4bd6-8f35-070de0d6cf2b.png?auto=format&fit=clip&q=50)
+
+Select “CyberArk” as the Directory Provider and add a descriptive name for the directory sync connection.
+
+![A screenshot showing the proper configuration of the "Create Directory" modal in the WorkOS dashboard.](https://images.workoscdn.com/images/ea86a861-c18c-4d8b-ad92-5942f11a98c7.png?auto=format&fit=clip&q=50)
+
+On the Directory Sync connection settings page, save the Endpoint and the Bearer Token. You’ll input these in the CyberArk settings.
+
+![A screenshot showing the Endpoint and Bearer Token in the WorkOS dashboard.](https://images.workoscdn.com/images/f77f41f5-8641-4452-b933-3a2d3f2351c5.png?auto=format&fit=clip&q=50)
+
+> We have support for whitelabeled URLs for Directory Sync endpoints. [Contact us](mailto:support@workos.com) for more info!
+
+---
+
+## (2) Select or create your CyberArk application
+
+CyberArk supports SCIM provisioning in the context of a SAML app. The usual set up is to enable SAML first, following [our docs here](/integrations/cyberark-saml).
+
+Log in to the CyberArk Admin Portal, and navigate to your SAML app. Open the “Provisioning” tab, and select the box to “Enable provisioning for this application”.
+
+![A screenshot showing where to enable the "Enable provisioning for this application" setting in the CyberArk dashboard.](https://images.workoscdn.com/images/83b18d01-90d6-4cf2-8866-84c2046cd1f5.png?auto=format&fit=clip&q=50)
+
+Click “Yes” in the confirmation modal.
+
+![A screenshot showing where to select "Yes" in the confirmation modal in the CyberArk dashboard.](https://images.workoscdn.com/images/38f35897-4fb6-47d0-9445-53b0405b8809.png)
+
+Enter the Endpoint from the WorkOS Dashboard into the "SCIM Service URL" field, and enter the Bearer Token from the WorkOS Dashboard into the corresponding field in the Provisioning tab. Select “Verify” to save these credentials.
+
+![A screenshot showing where to input the WorkOS Endpoint as the "SCIM Service URL" and the Bearer Token in the CyberArk dashboard.](https://images.workoscdn.com/images/2bee64a8-cbb8-4d31-9f35-4f2bb3c237bd.png)
+
+Once the credentials have been verified, more options will be appear below. Deselect "Do not de-provision (deactivate or delete) users in target application" as seen below.
+
+![A screenshot showing which checkboxes to disable in the CyberArk dashboard.](https://images.workoscdn.com/images/f8e6980a-76f7-4cf5-a5c5-958dae8268ba.png)
+
+---
+
+## (3) Configure your role mappings in CyberArk
+
+Users assigned to the SAML app will be synced, and roles mapped will be synced as groups. The roles are mapped on the Provisioning settings page, by selecting the “Add” button.
+
+![A screenshot showing where to select “Add” in the CyberArk dashboard.](https://images.workoscdn.com/images/8a6039da-ccc0-493d-9888-40337e70da74.png)
+
+In the role mapping modal, select the role you’d like to map, and then create a destination group. The name will be what you see as the group name in directory sync. All users assigned to that role will be members of the mapped group. Select “Done”.
+
+![A screenshot showing how to configure the "Role" and "Destination Group" settings in the "Role Mapping" modal of the CyberArk dashboard.](https://images.workoscdn.com/images/34f5f6cf-5011-4540-a911-d68d583e8411.png)
+
+After the role mapping is completed, click “Save”. The SCIM configuration part of the setup is complete.
+
+---
+
+## (4) Trigger the directory sync run in CyberArk
+
+In CyberArk, navigate to the Settings → Users → Outbound Provisioning page. Under Synchronizations, start the sync. You can also set up scheduled syncs here.
+
+![A screenshot showing where to select "Start Sync" in the "Outbound Provisioning" settings in the CyberArk dashboard.](https://images.workoscdn.com/images/fe15e2da-4312-4b22-9750-6d9657d569f2.png)
+
+In the CyberArk SCIM directory in the WorkOS dashboard, select the "Users" tab and you will now see the users and groups synced over.
+
+![A screenshot showing the populated "Users" tab in the CyberArk SCIM directory in the WorkOS dashboard.](https://images.workoscdn.com/images/fd7f1d1b-4390-44e5-9aa6-95308d911829.png)
+
+A detailed guide to integrate the WorkOS API with your application can be found [here](/directory-sync)
+
+## Frequently asked questions
+
+### When a group is removed, I don't see a `dsync.group.deleted` or `dsync.group.user_removed` events - is this expected?
+
+Instead of individually assigning users to a SCIM application, CyberArk SCIM requires that users are assigned to the application through group membership.
+
+It is a known issue with CyberArk SCIM that when a group is removed from the app, no indication is received that the group has changed.
+
+The users of the group must be cleaned up before the group itself is removed from the SCIM application.