Generic OIDC application

Beta

This page provides generic instructions for setting up a SaaS application in Cloudflare Access using the OpenID Connect (OIDC) authentication protocol.

Prerequisites

  • An identity provider configured in Cloudflare Zero Trust
  • Admin access to the account of the SaaS application

1. Get SaaS application URL

In your SaaS application account, obtain the Redirect URL (also known as the callback URL). This is the SaaS endpoint to which users are redirected after they authenticate with Cloudflare Access.

Some SaaS applications provide the Redirect URL after you configure the SSO provider.

2. Add your application to Access

  1. In Zero Trust, go to Access > Applications.

  2. Select Add an application.

  3. Select SaaS.

  4. Select your Application from the drop-down menu. If your application is not listed, enter a custom name in the Application field and select the textbox that appears below.

  5. Select OIDC.

  6. Select Add application.

  7. In Scopes, select the attributes that you want Access to send in the ID token.

    Scope   | Description
    openid  | Include a unique identifier for the user (required).
    email   | Include the user's email address.
    profile | Include all custom OIDC claims from the IdP.
    groups  | Include the user's IdP group membership.
  8. In Redirect URLs, enter the callback URL obtained from the SaaS application.

  9. (Optional) Enable Proof Key for Code Exchange (PKCE) if the protocol is supported by your IdP. PKCE will be performed on all login attempts.

  10. Copy the following values to input into your SaaS application. Different SaaS applications may require different sets of input values.

    Field                  | Description
    Client secret          | Credential used to authorize Access as an SSO provider
    Client ID              | Unique identifier for this Access application
    Configuration endpoint | If supported by your SaaS application, you can configure OIDC using this endpoint instead of manually entering the URLs listed below.
                           | https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/sso/oidc/<client-id>/.well-known/openid-configuration
    Issuer                 | Base URL for this OIDC integration
                           | https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/sso/oidc/<client-id>
    Token endpoint         | Returns the user's ID token
                           | https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/sso/oidc/<client-id>/token
    Authorization endpoint | URL where users authenticate with Access
                           | https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/sso/oidc/<client-id>/authorization
    Key endpoint           | Returns the current public keys used to verify the Access JWT
                           | https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/sso/oidc/<client-id>/jwks
    User info endpoint     | Returns all user claims in JSON format
                           | https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/sso/oidc/<client-id>/userinfo
  11. (Optional) Configure App Launcher settings by turning on Enable App in App Launcher and, in App Launcher URL, entering the URL that users should be sent to when they select the tile.

  12. Under Block pages, choose what end users will see when they are denied access to the application:

    • Cloudflare default: Reload the login page and display a block message below the Cloudflare Access logo. The default message is That account does not have access, or you can enter a custom message.
    • Redirect URL: Redirect to the specified website.
    • Custom page template: Display a custom block page hosted in Zero Trust.
  13. Next, configure how users will authenticate:

    1. Select the Identity providers you want to enable for your application.

    2. (Recommended) If you plan to only allow access via a single IdP, turn on Instant Auth. End users will not be shown the Cloudflare Access login page. Instead, Cloudflare will redirect users directly to your SSO login event.

    3. (Optional) Under WARP authentication identity, allow users to authenticate to the application using their WARP session identity.

  14. Select Save configuration.

3. Add an Access policy

  1. To control who can access the SaaS application, create an Access policy.

  2. Select Done.

4. Configure SSO in your SaaS application

Next, configure your SaaS application to require users to log in through Cloudflare Access. Refer to your SaaS application documentation for instructions on how to configure a third-party OIDC SSO provider.

5. Test the integration

Open an incognito browser window and go to the SaaS application’s login URL. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider.