Cloudflare Access — OIDC and SAML Integration
Cloudflare Access supports OIDC and SAML identity providers, allowing you to connect your existing IdP for single sign-on authentication across all protected applications.
What You Will Learn
You will learn how to configure OIDC and SAML identity providers in Cloudflare Access, map user attributes from your IdP to Access policies, and troubleshoot common integration issues.
Why It Matters
Connecting your existing identity provider centralises user management and enables single sign-on across all Cloudflare-protected applications. Users authenticate once and gain access based on their existing group memberships.
Real-World Use Case
A multinational company integrated Azure AD with Cloudflare Access using OIDC. They configured automatic group sync so that new hires in the Azure AD Engineering group instantly gained access to all engineering tools without manual Cloudflare configuration.
IdP Integration Architecture
Cloudflare Access acts as a service provider that trusts your identity provider for authentication.
```mermaid
flowchart LR
    A[User] -->|Access Request| B[Cloudflare Access]
    B -->|OIDC/SAML Redirect| C[Identity Provider]
    C -->|Assertion| B
    B -->|Policy Evaluation| D[Protected App]
    C -->|Azure AD / Okta / Google| E[User Directory]
```
Configuring an OIDC Identity Provider
Add an OIDC provider such as Azure AD or Okta to Cloudflare Access.
```bash
# Create an OIDC identity provider of type azureAD. $ACCOUNT_ID and $API_TOKEN must be
# set in the environment; the token needs permission to write Access configuration.
# "claims" lists the claims Access requests from the IdP; group-based policies need "groups".
curl -s -X POST "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/identity-providers" \
  -H "Authorization: Bearer $API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Azure AD",
    "type": "azureAD",
    "config": {
      "client_id": "azure-client-id",
      "client_secret": "azure-client-secret",
      "directory_id": "azure-tenant-id",
      "prompt": "select_account",
      "claims": ["email", "groups", "name"]
    }
  }' | jq '.result.name, .result.type'
```
Expected output:
```
"Azure AD"
"azureAD"
```
Configuring a SAML Identity Provider
Add a SAML 2.0 provider such as Okta or OneLogin.
```bash
# Create a SAML 2.0 identity provider. In the Cloudflare API the IdP signing certificate(s)
# go in the idp_public_certs array, attributes is an array of assertion attribute names to
# forward, and email_attribute_name names the attribute that carries the user's email.
# sign_request: true makes Access sign the AuthnRequests it sends to the IdP.
curl -s -X POST "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/identity-providers" \
  -H "Authorization: Bearer $API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Okta SAML",
    "type": "saml",
    "config": {
      "issuer_url": "https://okta.com/issuer-id",
      "sso_target_url": "https://okta.com/sso-url",
      "idp_public_certs": ["MIID...certificate-data..."],
      "sign_request": true,
      "email_attribute_name": "email",
      "attributes": ["email", "groups", "name"]
    }
  }' | jq '.success'
```
Expected output:
```
true
```
Testing the IdP Connection
Confirm that both providers were created by listing the configured identity providers, then verify authentication end to end by signing in to a protected application through each one.
```bash
# List configured identity providers and show the fields you will need later:
# the id is what an application's allowed_idps list and group selectors refer to
curl -s -X GET "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/identity-providers" \
  -H "Authorization: Bearer $API_TOKEN" | jq '.result[] | {name: .name, type: .type, id: .id}'
```
Expected output:
```
{
  "name": "Azure AD",
  "type": "azureAD",
  "id": "idp-abc-123"
}
{
  "name": "Okta SAML",
  "type": "saml",
  "id": "idp-def-456"
}
```
Mapping Groups to Access Policies
Use group claims from your IdP to build Access policies.
```bash
# Create a reusable Access policy: "include" grants access to members of the named Okta
# group, and "require" additionally demands that the IdP login satisfied MFA ("mfa" AMR).
curl -s -X POST "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/policies" \
  -H "Authorization: Bearer $API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Okta Engineering Access",
    "decision": "allow",
    "include": [
      {
        "okta": {
          "name": "Engineering",
          "id": "okta-group-id-123"
        }
      }
    ],
    "require": [{"auth_method": {"auth_method": "mfa"}}]
  }' | jq '.result.name'
```
Expected output:
```
"Okta Engineering Access"
```
Common Mistakes
| Mistake | Consequence |
|---|---|
| Not configuring the redirect URI in the IdP | Authentication callback fails with a redirect URI mismatch error |
| Using the wrong certificate format for SAML | TLS handshake fails during assertion signing verification |
| Not requesting the groups claim | Group-based policies always evaluate to false |
| Setting prompt=none for OIDC | Users cannot select a different account on shared devices |
| Forgetting to add the IdP to the allowed_idps list on the app | Users see a generic authentication error |
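As an added example (not code from this page or from Cloudflare), a small Python pre-flight audit that reads the kind of JSON the identity-provider and application list calls return and flags the mistakes in this table before users run into them. The provider and application records are constructed samples, the team name is a placeholder, and the callback URL form is Cloudflare Access's standard cdn-cgi/access/callback path on the team domain.

```python
"""Pre-flight audit of a Cloudflare Access IdP setup (added example, not Cloudflare code).
Flags the Common Mistakes above: no groups claim/attribute, prompt=none on OIDC, a provider
absent from every app's allowed_idps, and a redirect URI the IdP never registered."""
import json

# Constructed sample of GET .../access/identity-providers, trimmed to the relevant fields
IDPS = json.loads("""[
  {"id": "idp-abc-123", "name": "Azure AD", "type": "azureAD",
   "config": {"client_id": "azure-client-id", "prompt": "none", "claims": ["email", "name"]}},
  {"id": "idp-def-456", "name": "Okta SAML", "type": "saml",
   "config": {"issuer_url": "https://okta.com/issuer-id", "attributes": ["email", "groups", "name"]}}
]""")
# Constructed sample of Access applications; allowed_idps lists the provider ids each app accepts
APPS = [{"name": "Engineering Wiki", "allowed_idps": ["idp-def-456"]}]


def expected_redirect_uri(team_name):
    """Callback URL Access uses on the team domain; the IdP app registration must list it."""
    return f"https://{team_name}.cloudflareaccess.com/cdn-cgi/access/callback"


def audit(idps, apps, team_name=None, registered_redirect_uris=()):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for idp in idps:
        cfg, name = idp.get("config", {}), idp["name"]
        if idp["type"] == "saml":
            # SAML providers deliver groups as an assertion attribute
            if "groups" not in cfg.get("attributes", []):
                findings.append(f"{name}: SAML attributes do not include groups")
        else:
            # OIDC providers deliver groups as a claim; Azure AD can also enable support_groups
            if "groups" not in cfg.get("claims", []) and not cfg.get("support_groups"):
                findings.append(f"{name}: groups claim not requested")
            if cfg.get("prompt") == "none":
                findings.append(f"{name}: prompt=none prevents account selection on shared devices")
    allowed = {i for app in apps for i in app.get("allowed_idps", [])}
    for idp in idps:
        if idp["id"] not in allowed:
            findings.append(f"{idp['name']}: not in any app's allowed_idps")
    if team_name is not None:
        uri = expected_redirect_uri(team_name)
        if uri not in registered_redirect_uris:
            findings.append(f"redirect URI {uri} is not registered at the IdP")
    return findings
```

Run `audit(IDPS, APPS, "your-team", [uris registered at the IdP])` against the real list-call output to get the findings for your own account.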
Practice Questions
- What is the difference between OIDC and SAML in the context of Cloudflare Access?
- Why must the groups claim be explicitly configured in the OIDC provider settings?
- What happens if the redirect URI configured in the IdP does not match Cloudflare's expected URI?
Challenge
Configure Azure AD as an OIDC identity provider in Cloudflare Access. Create an application that uses only this IdP. Set up a policy that grants access to users in the Finance Azure AD group and requires MFA. Test by simulating a login with a Finance user and a non-Finance user.
Real-World Task
Your company uses Okta with 15 groups mapped to different teams. Integrate Okta as a SAML identity provider in Cloudflare Access. Create Access policies for five internal applications, each using a different Okta group as the include selector. Configure automatic group claim mapping and verify that adding a user to an Okta group grants them access within minutes.
Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro — security-first tools for the modern web.