## Update your Zero Trust organization

`client.ZeroTrust.Organizations.Update(ctx, params) (*Organization, error)`

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/organizations`

Updates the configuration for your Zero Trust organization.

### Parameters

- `params OrganizationUpdateParams`

  - `AccountID param.Field[string]`

    Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

  - `ZoneID param.Field[string]`

    Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

  - `AllowAuthenticateViaWARP param.Field[bool]`

    Body param: When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.

  - `AuthDomain param.Field[string]`

    Body param: The unique subdomain assigned to your Zero Trust organization.

  - `AutoRedirectToIdentity param.Field[bool]`

    Body param: When set to `true`, users skip the identity provider selection step during login.

  - `CustomPages param.Field[OrganizationUpdateParamsCustomPages]`

    Body param

    - `Forbidden string`

      The uid of the custom page to use when a user is denied access after failing a non-identity rule.

    - `IdentityDenied string`

      The uid of the custom page to use when a user is denied access.

  - `DenyUnmatchedRequests param.Field[bool]`

    Body param: Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the `deny_unmatched_requests_exempted_zone_names` array.

  - `DenyUnmatchedRequestsExemptedZoneNames param.Field[[]string]`

    Body param: Contains zone names to exempt from the `deny_unmatched_requests` feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request.

  - `IsUIReadOnly param.Field[bool]`

    Body param: Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.

  - `LoginDesign param.Field[LoginDesign]`

    Body param

  - `MfaConfig param.Field[OrganizationUpdateParamsMfaConfig]`

    Body param: Configures multi-factor authentication (MFA) settings for an organization.

    - `AllowedAuthenticators []OrganizationUpdateParamsMfaConfigAllowedAuthenticator`

      Lists the MFA methods that users can authenticate with.

      - `const OrganizationUpdateParamsMfaConfigAllowedAuthenticatorTotp OrganizationUpdateParamsMfaConfigAllowedAuthenticator = "totp"`

      - `const OrganizationUpdateParamsMfaConfigAllowedAuthenticatorBiometrics OrganizationUpdateParamsMfaConfigAllowedAuthenticator = "biometrics"`

      - `const OrganizationUpdateParamsMfaConfigAllowedAuthenticatorSecurityKey OrganizationUpdateParamsMfaConfigAllowedAuthenticator = "security_key"`

      - `const OrganizationUpdateParamsMfaConfigAllowedAuthenticatorSSHPivKey OrganizationUpdateParamsMfaConfigAllowedAuthenticator = "ssh_piv_key"`

    - `AmrMatchingSessionDuration string`

      Allows a user to skip MFA via Authentication Method Reference (AMR) matching when the AMR claim provided by the IdP the user used to authenticate contains "mfa". Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days).

    - `RequiredAaguids string`

      Specifies a Cloudflare List of required FIDO2 authenticator device AAGUIDs.

    - `SessionDuration string`

      Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.

  - `MfaRequiredForAllApps param.Field[bool]`

    Body param: Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.

  - `MfaSSHPivKeyRequirements param.Field[OrganizationUpdateParamsMfaSSHPivKeyRequirements]`

    Body param: Configures SSH PIV key requirements for MFA using hardware security keys.

    - `PinPolicy OrganizationUpdateParamsMfaSSHPivKeyRequirementsPinPolicy`

      Defines when a PIN is required to use the SSH key. Valid values: `never` (no PIN required), `once` (PIN required once per session), `always` (PIN required for each use).

      - `const OrganizationUpdateParamsMfaSSHPivKeyRequirementsPinPolicyNever OrganizationUpdateParamsMfaSSHPivKeyRequirementsPinPolicy = "never"`

      - `const OrganizationUpdateParamsMfaSSHPivKeyRequirementsPinPolicyOnce OrganizationUpdateParamsMfaSSHPivKeyRequirementsPinPolicy = "once"`

      - `const OrganizationUpdateParamsMfaSSHPivKeyRequirementsPinPolicyAlways OrganizationUpdateParamsMfaSSHPivKeyRequirementsPinPolicy = "always"`

    - `RequireFipsDevice bool`

      Requires the SSH PIV key to be stored on a FIPS 140-2 Level 1 or higher validated device.

    - `SSHKeySize []OrganizationUpdateParamsMfaSSHPivKeyRequirementsSSHKeySize`

      Specifies the allowed SSH key sizes in bits. Valid sizes depend on key type. Ed25519 has a fixed key size and does not accept this parameter.

      - `const OrganizationUpdateParamsMfaSSHPivKeyRequirementsSSHKeySize256 OrganizationUpdateParamsMfaSSHPivKeyRequirementsSSHKeySize = 256`

      - `const OrganizationUpdateParamsMfaSSHPivKeyRequirementsSSHKeySize384 OrganizationUpdateParamsMfaSSHPivKeyRequirementsSSHKeySize = 384`

      - `const OrganizationUpdateParamsMfaSSHPivKeyRequirementsSSHKeySize521 OrganizationUpdateParamsMfaSSHPivKeyRequirementsSSHKeySize = 521`

      - `const OrganizationUpdateParamsMfaSSHPivKeyRequirementsSSHKeySize2048 OrganizationUpdateParamsMfaSSHPivKeyRequirementsSSHKeySize = 2048`

      - `const OrganizationUpdateParamsMfaSSHPivKeyRequirementsSSHKeySize3072 OrganizationUpdateParamsMfaSSHPivKeyRequirementsSSHKeySize = 3072`

      - `const OrganizationUpdateParamsMfaSSHPivKeyRequirementsSSHKeySize4096 OrganizationUpdateParamsMfaSSHPivKeyRequirementsSSHKeySize = 4096`

    - `SSHKeyType []OrganizationUpdateParamsMfaSSHPivKeyRequirementsSSHKeyType`

      Specifies the allowed SSH key types. Valid values are `ecdsa`, `ed25519`, and `rsa`.

      - `const OrganizationUpdateParamsMfaSSHPivKeyRequirementsSSHKeyTypeEcdsa OrganizationUpdateParamsMfaSSHPivKeyRequirementsSSHKeyType = "ecdsa"`

      - `const OrganizationUpdateParamsMfaSSHPivKeyRequirementsSSHKeyTypeEd25519 OrganizationUpdateParamsMfaSSHPivKeyRequirementsSSHKeyType = "ed25519"`

      - `const OrganizationUpdateParamsMfaSSHPivKeyRequirementsSSHKeyTypeRSA OrganizationUpdateParamsMfaSSHPivKeyRequirementsSSHKeyType = "rsa"`

    - `TouchPolicy OrganizationUpdateParamsMfaSSHPivKeyRequirementsTouchPolicy`

      Defines when physical touch is required to use the SSH key. Valid values: `never` (no touch required), `always` (touch required for each use), `cached` (touch cached for 15 seconds).

      - `const OrganizationUpdateParamsMfaSSHPivKeyRequirementsTouchPolicyNever OrganizationUpdateParamsMfaSSHPivKeyRequirementsTouchPolicy = "never"`

      - `const OrganizationUpdateParamsMfaSSHPivKeyRequirementsTouchPolicyAlways OrganizationUpdateParamsMfaSSHPivKeyRequirementsTouchPolicy = "always"`

      - `const OrganizationUpdateParamsMfaSSHPivKeyRequirementsTouchPolicyCached OrganizationUpdateParamsMfaSSHPivKeyRequirementsTouchPolicy = "cached"`

  - `Name param.Field[string]`

    Body param: The name of your Zero Trust organization.

  - `SessionDuration param.Field[string]`

    Body param: The amount of time that tokens issued for applications will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.

  - `UIReadOnlyToggleReason param.Field[string]`

    Body param: A description of the reason why the UI read only field is being toggled.

  - `UserSeatExpirationInactiveTime param.Field[string]`

    Body param: The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format `300ms` or `2h45m`. Valid time units are: `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`.

  - `WARPAuthSessionDuration param.Field[string]`

    Body param: The amount of time that tokens issued for applications will be valid. Must be in the format `30m` or `2h45m`. Valid time units are: m, h.

### Returns

- `type Organization struct{…}`

  - `AllowAuthenticateViaWARP bool`

    When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.

  - `AuthDomain string`

    The unique subdomain assigned to your Zero Trust organization.

  - `AutoRedirectToIdentity bool`

    When set to `true`, users skip the identity provider selection step during login.

  - `CustomPages OrganizationCustomPages`

    - `Forbidden string`

      The uid of the custom page to use when a user is denied access after failing a non-identity rule.

    - `IdentityDenied string`

      The uid of the custom page to use when a user is denied access.

  - `DenyUnmatchedRequests bool`

    Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the `deny_unmatched_requests_exempted_zone_names` array.

  - `DenyUnmatchedRequestsExemptedZoneNames []string`

    Contains zone names to exempt from the `deny_unmatched_requests` feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request.

  - `IsUIReadOnly bool`

    Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.

  - `LoginDesign LoginDesign`

    - `BackgroundColor string`

      The background color on your login page.

    - `FooterText string`

      The text at the bottom of your login page.

    - `HeaderText string`

      The text at the top of your login page.

    - `LogoPath string`

      The URL of the logo on your login page.

    - `TextColor string`

      The text color on your login page.

  - `MfaConfig OrganizationMfaConfig`

    Configures multi-factor authentication (MFA) settings for an organization.

    - `AllowedAuthenticators []OrganizationMfaConfigAllowedAuthenticator`

      Lists the MFA methods that users can authenticate with.

      - `const OrganizationMfaConfigAllowedAuthenticatorTotp OrganizationMfaConfigAllowedAuthenticator = "totp"`

      - `const OrganizationMfaConfigAllowedAuthenticatorBiometrics OrganizationMfaConfigAllowedAuthenticator = "biometrics"`

      - `const OrganizationMfaConfigAllowedAuthenticatorSecurityKey OrganizationMfaConfigAllowedAuthenticator = "security_key"`

      - `const OrganizationMfaConfigAllowedAuthenticatorSSHPivKey OrganizationMfaConfigAllowedAuthenticator = "ssh_piv_key"`

    - `AmrMatchingSessionDuration string`

      Allows a user to skip MFA via Authentication Method Reference (AMR) matching when the AMR claim provided by the IdP the user used to authenticate contains "mfa". Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days).

    - `RequiredAaguids string`

      Specifies a Cloudflare List of required FIDO2 authenticator device AAGUIDs.

    - `SessionDuration string`

      Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.

  - `MfaRequiredForAllApps bool`

    Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.

  - `MfaSSHPivKeyRequirements OrganizationMfaSSHPivKeyRequirements`

    Configures SSH PIV key requirements for MFA using hardware security keys.

    - `PinPolicy OrganizationMfaSSHPivKeyRequirementsPinPolicy`

      Defines when a PIN is required to use the SSH key. Valid values: `never` (no PIN required), `once` (PIN required once per session), `always` (PIN required for each use).

      - `const OrganizationMfaSSHPivKeyRequirementsPinPolicyNever OrganizationMfaSSHPivKeyRequirementsPinPolicy = "never"`

      - `const OrganizationMfaSSHPivKeyRequirementsPinPolicyOnce OrganizationMfaSSHPivKeyRequirementsPinPolicy = "once"`

      - `const OrganizationMfaSSHPivKeyRequirementsPinPolicyAlways OrganizationMfaSSHPivKeyRequirementsPinPolicy = "always"`

    - `RequireFipsDevice bool`

      Requires the SSH PIV key to be stored on a FIPS 140-2 Level 1 or higher validated device.

    - `SSHKeySize []OrganizationMfaSSHPivKeyRequirementsSSHKeySize`

      Specifies the allowed SSH key sizes in bits. Valid sizes depend on key type. Ed25519 has a fixed key size and does not accept this parameter.

      - `const OrganizationMfaSSHPivKeyRequirementsSSHKeySize256 OrganizationMfaSSHPivKeyRequirementsSSHKeySize = 256`

      - `const OrganizationMfaSSHPivKeyRequirementsSSHKeySize384 OrganizationMfaSSHPivKeyRequirementsSSHKeySize = 384`

      - `const OrganizationMfaSSHPivKeyRequirementsSSHKeySize521 OrganizationMfaSSHPivKeyRequirementsSSHKeySize = 521`

      - `const OrganizationMfaSSHPivKeyRequirementsSSHKeySize2048 OrganizationMfaSSHPivKeyRequirementsSSHKeySize = 2048`

      - `const OrganizationMfaSSHPivKeyRequirementsSSHKeySize3072 OrganizationMfaSSHPivKeyRequirementsSSHKeySize = 3072`

      - `const OrganizationMfaSSHPivKeyRequirementsSSHKeySize4096 OrganizationMfaSSHPivKeyRequirementsSSHKeySize = 4096`

    - `SSHKeyType []OrganizationMfaSSHPivKeyRequirementsSSHKeyType`

      Specifies the allowed SSH key types. Valid values are `ecdsa`, `ed25519`, and `rsa`.

      - `const OrganizationMfaSSHPivKeyRequirementsSSHKeyTypeEcdsa OrganizationMfaSSHPivKeyRequirementsSSHKeyType = "ecdsa"`

      - `const OrganizationMfaSSHPivKeyRequirementsSSHKeyTypeEd25519 OrganizationMfaSSHPivKeyRequirementsSSHKeyType = "ed25519"`

      - `const OrganizationMfaSSHPivKeyRequirementsSSHKeyTypeRSA OrganizationMfaSSHPivKeyRequirementsSSHKeyType = "rsa"`

    - `TouchPolicy OrganizationMfaSSHPivKeyRequirementsTouchPolicy`

      Defines when physical touch is required to use the SSH key. Valid values: `never` (no touch required), `always` (touch required for each use), `cached` (touch cached for 15 seconds).

      - `const OrganizationMfaSSHPivKeyRequirementsTouchPolicyNever OrganizationMfaSSHPivKeyRequirementsTouchPolicy = "never"`

      - `const OrganizationMfaSSHPivKeyRequirementsTouchPolicyAlways OrganizationMfaSSHPivKeyRequirementsTouchPolicy = "always"`

      - `const OrganizationMfaSSHPivKeyRequirementsTouchPolicyCached OrganizationMfaSSHPivKeyRequirementsTouchPolicy = "cached"`

  - `Name string`

    The name of your Zero Trust organization.

  - `SessionDuration string`

    The amount of time that tokens issued for applications will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.

  - `UIReadOnlyToggleReason string`

    A description of the reason why the UI read only field is being toggled.

  - `UserSeatExpirationInactiveTime string`

    The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format `300ms` or `2h45m`. Valid time units are: `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`.

  - `WARPAuthSessionDuration string`

    The amount of time that tokens issued for applications will be valid. Must be in the format `30m` or `2h45m`. Valid time units are: m, h.
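
The constraints stated in the field descriptions above (duration units and bounds, the prerequisites for `MfaRequiredForAllApps`, the Ed25519 key-size rule) can be checked before `Update` is called. The following is an added example, not part of the Cloudflare SDK or its documentation; `OrgUpdate`, `mhDuration` and `Lint` are hypothetical names. It assumes the payload carries the complete desired MFA state and reads the Ed25519 rule as applying when `ed25519` is the only allowed key type.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// OrgUpdate is a hypothetical, trimmed stand-in for the body fields (not the SDK type).
type OrgUpdate struct {
	Authenticators []string // mfa_config.allowed_authenticators
	MFASession     string   // mfa_config.session_duration
	MFAForAllApps  bool     // mfa_required_for_all_apps
	SSHKeyTypes    []string // mfa_ssh_piv_key_requirements.ssh_key_type
	SSHKeySizes    []int    // mfa_ssh_piv_key_requirements.ssh_key_size
	SeatExpiry     string   // user_seat_expiration_inactive_time
	WARPSession    string   // warp_auth_session_duration
}

var minutesHours = regexp.MustCompile(`^(\d+h)?(\d+m)?$`)

// mhDuration parses s, accepting only the m and h units that the MFA and WARP fields allow.
func mhDuration(s string) (time.Duration, bool) {
	d, err := time.ParseDuration(s) // an empty string is rejected here
	return d, err == nil && minutesHours.MatchString(s)
}

// Lint returns one message per documented constraint that the payload violates.
func Lint(u OrgUpdate) []string {
	var out []string
	if d, ok := mhDuration(u.MFASession); u.MFASession != "" && (!ok || d > 720*time.Hour) {
		out = append(out, "mfa_config.session_duration: use m or h units, at most 720h")
	}
	if u.MFAForAllApps && (len(u.Authenticators) == 0 || u.MFASession == "") {
		out = append(out, "mfa_required_for_all_apps: needs an authenticator and a session duration")
	}
	if len(u.SSHKeyTypes) == 1 && u.SSHKeyTypes[0] == "ed25519" && len(u.SSHKeySizes) > 0 {
		out = append(out, "ssh_key_size: not accepted when the only key type is ed25519")
	}
	if d, err := time.ParseDuration(u.SeatExpiry); u.SeatExpiry != "" && (err != nil || d < 730*time.Hour) {
		out = append(out, "user_seat_expiration_inactive_time: minimum is 730h")
	}
	if _, ok := mhDuration(u.WARPSession); u.WARPSession != "" && !ok {
		out = append(out, "warp_auth_session_duration: use m or h units")
	}
	return out
}

func main() {
	// Constructed payload that breaks four of the rules above.
	bad := OrgUpdate{MFAForAllApps: true, MFASession: "900h",
		SSHKeyTypes: []string{"ed25519"}, SSHKeySizes: []int{256}, SeatExpiry: "24h"}
	fmt.Printf("%q\n", Lint(bad))
}
```
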
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/option"
	"github.com/cloudflare/cloudflare-go/zero_trust"
)

func main() {
	client := cloudflare.NewClient(
		// Sample value; load a real API token from the environment or a secret store.
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	// Set AccountID or ZoneID (mutually exclusive) and the body fields to change.
	organization, err := client.ZeroTrust.Organizations.Update(context.TODO(), zero_trust.OrganizationUpdateParams{})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", organization.AutoRedirectToIdentity)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "allow_authenticate_via_warp": true,
    "auth_domain": "test.cloudflareaccess.com",
    "auto_redirect_to_identity": true,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "custom_pages": {
      "forbidden": "699d98642c564d2e855e9661899b7252",
      "identity_denied": "699d98642c564d2e855e9661899b7252"
    },
    "deny_unmatched_requests": true,
    "deny_unmatched_requests_exempted_zone_names": [
      "example.com"
    ],
    "is_ui_read_only": true,
    "login_design": {
      "background_color": "#c5ed1b",
      "footer_text": "This is an example description.",
      "header_text": "This is an example description.",
      "logo_path": "https://example.com/logo.png",
      "text_color": "#c5ed1b"
    },
    "mfa_config": {
      "allowed_authenticators": [
        "totp",
        "biometrics",
        "security_key"
      ],
      "amr_matching_session_duration": "12h",
      "required_aaguids": "2fc0579f-8113-47ea-b116-bb5a8db9202a",
      "session_duration": "24h"
    },
    "mfa_required_for_all_apps": false,
    "mfa_ssh_piv_key_requirements": {
      "pin_policy": "always",
      "require_fips_device": true,
      "ssh_key_size": [
        256,
        2048
      ],
      "ssh_key_type": [
        "ecdsa",
        "rsa"
      ],
      "touch_policy": "always"
    },
    "name": "Widget Corps Internal Applications",
    "session_duration": "24h",
    "ui_read_only_toggle_reason": "Temporarily turn off the UI read only lock to make a change via the UI",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "user_seat_expiration_inactive_time": "730h",
    "warp_auth_session_duration": "24h"
  }
}
```