Generic SAML application
This page provides generic instructions for setting up a SaaS application in Cloudflare Access using the SAML authentication protocol.
- An identity provider configured in Cloudflare Zero Trust
- Admin access to the account of the SaaS application
Obtain the following URLs from your SaaS application account:
- Entity ID: A unique URL issued for your SaaS application, for example
https://<your-domain>.my.salesforce.com
. - Assertion Consumer Service URL: The service provider's endpoint for receiving and parsing SAML assertions.
-
In Zero Trust ↗, go to Access > Applications.
-
Select Add an application.
-
Select SaaS.
-
Select your Application from the drop-down menu. If your application is not listed, enter a custom name in the Application field and select the textbox that appears below.
-
Select SAML.
-
Select Add application.
-
Enter the Entity ID and Assertion Consumer Service URL obtained from your SaaS application account.
-
Select the Name ID Format expected by your SaaS application (usually Email).
-
Copy the SSO endpoint, Access Entity ID or Issuer, and Public key.
-
If your SaaS application requires additional SAML attribute statements, add the mapping of your IdP's attributes you would like to include in the SAML statement sent to the SaaS application.
-
(Optional) Configure App Launcher settings for the application.
-
Under Block pages, choose what end users will see when they are denied access to the application:
- Cloudflare default: Reload the login page and display a block message below the Cloudflare Access logo. The default message is
That account does not have access
, or you can enter a custom message. - Redirect URL: Redirect to the specified website.
- Custom page template: Display a custom block page hosted in Zero Trust.
- Cloudflare default: Reload the login page and display a block message below the Cloudflare Access logo. The default message is
-
Next, configure how users will authenticate:
-
Select the Identity providers you want to enable for your application.
-
(Recommended) If you plan to only allow access via a single IdP, turn on Instant Auth. End users will not be shown the Cloudflare Access login page. Instead, Cloudflare will redirect users directly to your SSO login event.
-
(Optional) Under WARP authentication identity, allow users to authenticate to the application using their WARP session identity.
-
-
Select Save configuration.
-
To control who can access the SaaS application, create an Access policy.
-
Select Done.
Next, configure your SaaS application to require users to log in through Cloudflare Access. Refer to your SaaS application documentation for instructions on how to configure a third-party SAML SSO provider. You will need the following values from the Zero Trust dashboard:
- SSO endpoint
- Access Entity ID or Issuer
- Public key
You can either manually enter this data into your SaaS application or upload a metadata XML file. The metadata is available at the URL: <SSO endpoint>/saml-metadata
.
When acting as a SAML identity provider, Cloudflare will sign both the SAML Response and the SAML Assertion using the SHA-256 algorithm. The SaaS application can validate this signature using the Public key that you upload to the SaaS application.
Open an incognito browser window and go to the SaaS application's login URL. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider.