Tenant control

Task

For the final exercise, you will set up tenant control for a SaaS application.

Your task is to authenticate to our SaaS application and retrieve a completion token by adding an HTTP header with a shared secret to your request.

Why

  • Tenant control allows IT admins to set custom request headers on traffic originating from WARP.
  • These custom headers would typically contain some user identifier and a shared secret.
  • This is then used to authenticate Cloudflare Zero Trust traffic to the SaaS application.

Steps

We created a mock SaaS application that will only return a token if a header with a shared secret is present. The service is available at the following URL:

https://saas.app.cfiq.io/zt/v1/seed

1. Verify default behavior

Before you start, verify the default response from this service when the header is not present. With WARP on, run the following command:

curl.exe https://saas.app.cfiq.io/zt/v1/seed
Unauthorized, missing x-get-token.

Note: You will receive Unfinished as the response, because the service isn’t able to authenticate the user.

2. Add HTTP header

We won’t be providing specific steps for this exercise; you now have all the knowledge you need to set this up yourself.

Using the knowledge you’ve gained from the lab so far, add the following header to all HTTP requests sent from WARP-connected clients to the SaaS application.

Custom Header Name: x-get-token
Custom Header Value: ZKdBpMwDm0An8GtOv, {LAB_SLUG}

Note: Keep in mind that both TCP Proxy and TLS decryption will need to be enabled for this to work, since the header can only be injected into requests that the Gateway proxy can inspect. Verify that this is the case in Settings ‣ Network ‣ Firewall.

3. Verify token is returned

Return to your terminal and, with WARP on, run the same command again. The request should now have the custom header added, which allows the mock SaaS application to authenticate the user. The service should then return a token in response.

curl.exe https://saas.app.cfiq.io/zt/v1/seed
Enter this token in the 301 Zero Trust e-learning course:
completion-token-will-be-here

Warning: If the above command fails on a certificate revocation check, you can add the -k parameter to curl to bypass this check. Be aware that -k disables certificate verification entirely, not only the revocation check, so use it only for this lab exercise.

If you’re doing this lab as part of a Cloudflare University course, use the completion token returned above to collect your credit.
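To make the server side of this exercise concrete, here is an added example (not Cloudflare’s mock SaaS application, whose code is not on this page) of the check that tenant control is designed to satisfy. It reuses the header name, the shared secret and the "secret, tenant" value layout from the lab, and the unauthenticated response string shown in step 1; everything else (the /zt/v1/seed handler, the tenant slug "example-lab" standing in for {LAB_SLUG}, the other status codes and messages, and the random token) is assumed for illustration. The shared secret is compared in constant time, and the tenant identifier is checked separately so a valid secret from one tenant cannot be replayed for another.

```python
"""Stand-in for a SaaS endpoint protected by a tenant-control header
(constructed example; not the lab's mock service)."""
import hmac
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

HEADER_NAME = "x-get-token"
# Shared secret from the lab page. A real deployment would load it from a
# secret store rather than hard-coding it.
SHARED_SECRET = "ZKdBpMwDm0An8GtOv"
# Assumed placeholder for the {LAB_SLUG} part of the header value.
EXPECTED_TENANT = "example-lab"


def parse_header(value):
    """Split 'secret, tenant' into its two parts; None if absent or malformed."""
    if value is None or "," not in value:
        return None
    secret, tenant = (part.strip() for part in value.split(",", 1))
    if not secret or not tenant:
        return None
    return secret, tenant


def authorize(headers):
    """Return (status, body) for a request carrying the given headers.

    Header names are matched case-insensitively, as HTTP requires. The secret
    is compared with hmac.compare_digest so that a wrong value takes the same
    time to reject as a nearly-right one.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get(HEADER_NAME)
    if raw is None:
        # Same wording the lab shows for the unauthenticated case.
        return 401, f"Unauthorized, missing {HEADER_NAME}."
    parsed = parse_header(raw)
    if parsed is None:
        return 401, f"Unauthorized, malformed {HEADER_NAME}."
    secret, tenant = parsed
    if not hmac.compare_digest(secret.encode(), SHARED_SECRET.encode()):
        return 401, "Unauthorized, bad shared secret."
    if tenant != EXPECTED_TENANT:
        return 403, "Forbidden, unknown tenant."
    # Fresh, unguessable token per successful request (assumed behaviour).
    return 200, f"token={secrets.token_urlsafe(16)}"


class Handler(BaseHTTPRequestHandler):
    """Serve /zt/v1/seed using authorize(); everything else is 404."""

    def do_GET(self):
        if self.path != "/zt/v1/seed":
            status, body = 404, "Not found."
        else:
            status, body = authorize(dict(self.headers.items()))
        payload = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    # Try it locally (no WARP involved) with:
    #   curl http://127.0.0.1:8080/zt/v1/seed
    #   curl -H "x-get-token: ZKdBpMwDm0An8GtOv, example-lab" http://127.0.0.1:8080/zt/v1/seed
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Running the two curl commands from the comment reproduces the before/after behaviour of the lab: the first request gets the "Unauthorized, missing x-get-token." body, the second gets a token. In the lab itself the header is added by Gateway on the WARP client’s behalf, which is why the service can treat its presence as proof that the request came through Zero Trust rather than directly from the internet.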