
Cloudflare Access — OIDC and SAML Integration

DodaTech 4 min read

Cloudflare Access supports OIDC and SAML identity providers, allowing you to connect your existing IdP for single sign-on authentication across all protected applications.

What You Will Learn

You will learn how to configure OIDC and SAML identity providers in Cloudflare Access, map user attributes from your IdP to Access policies, and troubleshoot common integration issues.

Why It Matters

Connecting your existing identity provider centralises user management and enables single sign-on across all Cloudflare-protected applications. Users authenticate once and gain access based on their existing group memberships.

Real-World Use Case

A multinational company integrated Azure AD with Cloudflare Access using OIDC. They configured automatic group sync so that new hires in the Azure AD Engineering group instantly gained access to all engineering tools without manual Cloudflare configuration.

IdP Integration Architecture

Cloudflare Access acts as a service provider that trusts your identity provider for authentication.

flowchart LR
    A[User] -->|Access Request| B[Cloudflare Access]
    B -->|OIDC/SAML Redirect| C[Identity Provider]
    C -->|Assertion| B
    B -->|Policy Evaluation| D[Protected App]
    C -->|Azure AD / Okta / Google| E[User Directory]

Configuring an OIDC Identity Provider

Add an OIDC provider such as Azure AD or Okta to Cloudflare Access.

# Create an OIDC identity provider
curl -s -X POST "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/identity-providers" \
  -H "Authorization: Bearer $API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Azure AD",
    "type": "azureAD",
    "config": {
      "client_id": "azure-client-id",
      "client_secret": "azure-client-secret",
      "directory_id": "azure-tenant-id",
      "prompt": "select_account",
      "claims": ["email", "groups", "name"]
    }
  }' | jq '.result.name, .result.type'

Expected output:

"Azure AD"
"azureAD"

Configuring a SAML Identity Provider

Add a SAML 2.0 provider such as Okta or OneLogin.

curl -s -X POST "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/identity-providers" \
  -H "Authorization: Bearer $API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Okta SAML",
    "type": "saml",
    "config": {
      "issuer_url": "https://okta.com/issuer-id",
      "sso_target_url": "https://okta.com/sso-url",
      "idp_public_cert": "MIID...certificate-data...",
      "sign_request": true,
      "attributes": {
        "email": "email",
        "groups": "groups",
        "name": "name"
      }
    }
  }' | jq '.success'

Expected output:

true

Testing the IdP Connection

Confirm that both providers are registered, then verify that authentication actually works by signing in to a protected application through each of them.

# List configured identity providers
curl -s -X GET "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/identity-providers" \
  -H "Authorization: Bearer $API_TOKEN" | jq '.result[] | {name: .name, type: .type, id: .id}'

Expected output:

{
  "name": "Azure AD",
  "type": "azureAD",
  "id": "idp-abc-123"
}
{
  "name": "Okta SAML",
  "type": "saml",
  "id": "idp-def-456"
}

Mapping Groups to Access Policies

Use group claims from your IdP to build Access policies.

# Create a policy using IdP group membership
curl -s -X POST "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/policies" \
  -H "Authorization: Bearer $API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Okta Engineering Access",
    "decision": "allow",
    "include": [
      {
        "okta": {
          "name": "Engineering",
          "id": "okta-group-id-123"
        }
      }
    ],
    "require": [{"auth_method": {"auth_method": "mfa"}}]
  }' | jq '.result.name'

Expected output:

"Okta Engineering Access"

Common Mistakes

| Mistake | Consequence |
|---|---|
| Not configuring the redirect URI in the IdP | Authentication callback fails with a redirect URI mismatch error |
| Using the wrong certificate format for SAML | Signature verification of the SAML assertion fails |
| Not requesting the groups claim | Group-based policies always evaluate to false |
| Setting prompt=none for OIDC | Users cannot select a different account on shared devices |
| Forgetting to add the IdP to the allowed_idps list on the app | Users see a generic authentication error |
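As an added preflight check (example code written for this article, not part of Cloudflare's tooling), the following Python linter flags the mistakes in the table above against identity-provider, application and policy records shaped like the JSON used in this guide. The rule-key to IdP-type mapping, the `allowed_idps` field on the application and the DER sanity check on the certificate are assumptions; every sample record is constructed.

```python
import base64
import binascii

# Constructed sample records shaped like the JSON used in this guide; not live API output.
IDPS = [
    {"id": "idp-abc-123", "name": "Azure AD", "type": "azureAD",
     "config": {"prompt": "none", "claims": ["email", "name"]}},
    {"id": "idp-def-456", "name": "Okta SAML", "type": "saml",
     "config": {"sign_request": True,
                # constructed blob: an ASN.1 SEQUENCE header plus padding, not a real certificate
                "idp_public_cert": base64.b64encode(b"\x30\x82" + b"\x00" * 30).decode()}},
]
APP = {"name": "Engineering Wiki", "allowed_idps": ["idp-abc-123"]}
POLICY = {"name": "Okta Engineering Access", "decision": "allow",
          "include": [{"okta": {"name": "Engineering", "id": "okta-group-id-123"}}]}

# Assumed mapping from a group-rule key in a policy to the IdP type that can satisfy it.
GROUP_RULE_KEYS = {"okta": "okta", "azureAD": "azureAD", "gsuite": "gsuite"}


def cert_looks_valid(pem_or_b64):
    """True if the text (PEM markers tolerated) is base64 that decodes to DER starting with SEQUENCE (0x30)."""
    body = "".join(line for line in pem_or_b64.splitlines() if not line.startswith("-----"))
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(der) > 2 and der[0] == 0x30


def lint_idp(idp):
    """Return warnings for one identity provider record (SAML cert format, OIDC claims and prompt)."""
    cfg, out = idp.get("config", {}), []
    if idp["type"] == "saml":
        if not cert_looks_valid(cfg.get("idp_public_cert", "")):
            out.append(f"{idp['name']}: idp_public_cert is not a base64-encoded DER certificate")
    else:
        if "groups" not in cfg.get("claims", []):
            out.append(f"{idp['name']}: groups claim not requested, group rules will never match")
        if cfg.get("prompt") == "none":
            out.append(f"{idp['name']}: prompt=none blocks account selection on shared devices")
    return out


def lint_policy(policy, app, idps):
    """Flag unknown allowed_idps entries and group rules whose IdP type the app does not allow."""
    by_id = {i["id"]: i for i in idps}
    allowed = app.get("allowed_idps", [])
    out = [f"{app['name']}: allowed_idps entry {i} does not exist" for i in allowed if i not in by_id]
    allowed_types = {by_id[i]["type"] for i in allowed if i in by_id}
    for rule in policy.get("include", []):
        for key in rule:
            idp_type = GROUP_RULE_KEYS.get(key)
            if idp_type and idp_type not in allowed_types:
                out.append(f"{policy['name']}: {key} group rule but app allows no {idp_type} IdP")
    return out
```

Run `lint_idp` over every provider and `lint_policy` over each application and policy pair before applying changes; an empty list means none of the table's mistakes were detected.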

Practice Questions

  1. What is the difference between OIDC and SAML in the context of Cloudflare Access?
  2. Why must the groups claim be explicitly configured in the OIDC provider settings?
  3. What happens if the redirect URI configured in the IdP does not match Cloudflare's expected URI?

Challenge

Configure Azure AD as an OIDC identity provider in Cloudflare Access. Create an application that uses only this IdP. Set up a policy that grants access to users in the Finance Azure AD group and requires MFA. Test by simulating a login with a Finance user and a non-Finance user.

Real-World Task

Your company uses Okta with 15 groups mapped to different teams. Integrate Okta as a SAML identity provider in Cloudflare Access. Create Access policies for five internal applications, each using a different Okta group as the include selector. Configure automatic group claim mapping and verify that adding a user to an Okta group grants them access within minutes.

FAQ

Can I configure multiple identity providers for a single application?

Yes. You can add multiple IdPs to Cloudflare Access and select which ones are available for each application. Users see a picker screen where they choose their identity provider. This is useful during mergers or when contractors use a different IdP than full-time employees.

Does Cloudflare Access store user passwords or credentials?

No. Cloudflare Access never receives or stores user passwords. Authentication happens entirely on your identity provider. Cloudflare receives only a signed assertion containing identity claims. This keeps credential management with your existing IdP and maintains your existing password policies and MFA configurations.


Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro — security-first tools for the modern web.
