Create SAML encryption certificate for Identity Provider

client.ZeroTrust.IdentityProviders.SAMLCertificate.New(ctx, identityProviderID, body) (*IdentityProviderSAMLCertificateNewResponse, error)
POST /accounts/{account_id}/access/identity_providers/{identity_provider_id}/saml_certificate

Creates a new SAML encryption certificate set and assigns it to the specified SAML Identity Provider. This endpoint is idempotent - if the IdP already has a certificate set assigned, the existing certificate set is returned with a 200 status.

Workflow for enabling SAML encryption:

  1. Call this endpoint to create and assign a certificate set to the IdP
  2. Update the IdP configuration (PUT /identity_providers/{id}) with:
    • config.enable_encryption: true
    • saml_certificate_set_id: <uid from step 1>
  3. Configure the certificate’s public key in your external SAML Identity Provider
Security
API Token

The preferred authorization scheme for interacting with the Cloudflare API. Create a token.

Example: Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY
API Email + API Key

The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.

Example: X-Auth-Email: user@example.com

The previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.

Example: X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194
Parameters
identityProviderID string

UUID.

maxLength: 36
body IdentityProviderSAMLCertificateNewParams
AccountID param.Field[string]

Identifier.

maxLength: 32
Returns
type IdentityProviderSAMLCertificateNewResponse struct{…}

A SAML encryption certificate set containing current and optionally previous certificates for encryption key rotation.

CreatedAt Time

Timestamp when the certificate set was created

format: date-time
UID string

Unique identifier for the certificate set

format: uuid
UpdatedAt Time

Timestamp when the certificate set was last updated (e.g., during rotation)

format: date-time
CurrentCertificate IdentityProviderSAMLCertificateNewResponseCurrentCertificate Optional

The currently active certificate used for encrypting SAML assertions

IsCurrent bool

Indicates whether this is the currently active certificate

NotAfter Time

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

format: date-time
PublicCertificate string

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

UID string

Unique identifier for the certificate

format: uuid
PreviousCertificate unknown Optional

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.
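
Added example, not part of the Cloudflare SDK or this page's own code: before configuring `public_certificate` in the external IdP (workflow step 3), parse it, cross-check it against `not_after`, and derive the fingerprint and the rotation date implied by the 30-day window. `InspectPublicCertificate` and `sampleCertPEM` are hypothetical names, the certificate is constructed locally from a fixed test seed, and treating a `not_after` mismatch as an error is an assumption.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// InspectPublicCertificate returns the SHA-256 fingerprint and the rotation date (NotAfter - 30 days).
func InspectPublicCertificate(pemText string, apiNotAfter, now time.Time) (string, time.Time, error) {
	block, _ := pem.Decode([]byte(pemText))
	if block == nil || block.Type != "CERTIFICATE" {
		return "", time.Time{}, fmt.Errorf("public_certificate is not a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", time.Time{}, fmt.Errorf("parse X.509: %w", err)
	}
	if !cert.NotAfter.Equal(apiNotAfter) { // assumption: not_after mirrors the certificate's NotAfter
		return "", time.Time{}, fmt.Errorf("not_after %s differs from certificate %s", apiNotAfter, cert.NotAfter)
	}
	if now.Before(cert.NotBefore) || !now.Before(cert.NotAfter) {
		return "", time.Time{}, fmt.Errorf("certificate not valid at %s", now)
	}
	return fmt.Sprintf("%x", sha256.Sum256(cert.Raw)), cert.NotAfter.AddDate(0, 0, -30), nil
}

// sampleCertPEM builds a constructed self-signed certificate (all-zero test seed) as stand-in input.
func sampleCertPEM(notAfter time.Time) string {
	key := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed"},
		NotBefore: notAfter.AddDate(-1, 0, 0), NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		panic(err)
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

func main() {
	na := time.Date(2027, 5, 7, 19, 11, 0, 0, time.UTC) // not_after from the page's sample response
	fmt.Println(InspectPublicCertificate(sampleCertPEM(na), na, na.AddDate(0, -6, 0)))
}
```

Comparing the fingerprint with the one the external IdP displays after import confirms both sides hold the same certificate.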

Create SAML encryption certificate for Identity Provider

package main

import (
  "context"
  "fmt"

  "github.com/stainless-sdks/cloudflare-go"
  "github.com/stainless-sdks/cloudflare-go/option"
  "github.com/stainless-sdks/cloudflare-go/zero_trust"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  samlCertificate, err := client.ZeroTrust.IdentityProviders.SAMLCertificate.New(
    context.TODO(),
    "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    zero_trust.IdentityProviderSAMLCertificateNewParams{
      AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
    },
  )
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", samlCertificate.UID)
}
Returns Examples
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "created_at": "2026-05-07T19:16:19.821162Z",
    "uid": "c409ef44-e72c-41c8-8c0b-278c8a6f4fd8",
    "updated_at": "2026-05-07T19:16:19.821162Z",
    "current_certificate": {
      "is_current": true,
      "not_after": "2027-05-07T19:11:00Z",
      "public_certificate": "-----BEGIN CERTIFICATE-----\nMIIEpzCCA4+gAwIBAgIUTh2VSDDJ0oB/gabio6j1L9QwWoUwDQYJKoZIhvcNAQEL\n...\n-----END CERTIFICATE-----\n",
      "uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
    },
    "previous_certificate": {}
  }
}