Identity provider

Task

Integrate Cloudflare Access with an Identity Provider using SAML.

Why

  • To control access to your resources, Cloudflare Access needs to verify the identity of users requesting access.
  • However, Cloudflare Access does not directly manage user accounts; it relies on Identity Providers (IdPs) to do so.
  • By integrating Access with one or more IdPs, you can provide a list of authorized users for Access to verify against.

Steps

As part of this lab, we created a SAML-based IdP named TS² (Trusted SAML Server). TS² is designed to mock a small organization.

Let’s integrate Cloudflare Access with this IdP.

1. Log in

Log in to Cloudflare and navigate to the Zero Trust dashboard.

2. Verify your Team domain prefix

In your Zero Trust dashboard, navigate to Settings ‣ Custom Pages and verify that your Team domain is set to <LAB_SLUG>.cloudflareaccess.com.

Example:

LAB_SLUG: ancient-uncle

Domain: ancient-uncle.cloudflareaccess.com

Team domain
⚠️
If you don't see the team domain set up, you are probably not using the lab account we created for you.

If that's the case, double-check that:
1. If you received a Cloudflare account email invite, you clicked the link inside to accept it.
2. You have switched to your lab account in the Cloudflare dashboard and are not working in some other account.

3. Create a SAML provider

Open this URL: https://lab.cfiq.io/en/registration/d669fe246bad551500469b17ff6a244a8dfae83a/saml

Here, create an identity provider that you will use throughout the rest of this lab by pasting in your LAB_SLUG.

Download the SAML metadata file by clicking on the provided link:

4. Add a new SAML IdP to your account

Return to the Zero Trust Dashboard, then open Settings ‣ Authentication. In the Login methods card, click Add new and select SAML.

Drag and drop the metadata file you created in step #3 into the Import box on the callout:

Drop metadata file

5. Test

Press Save, then Test.

ℹ️
It may take up to 60 seconds for the new SAML provider to be provisioned. If you receive an error indicating that the SAML provider was not found, wait a moment and retry.

When prompted to log in, use the following credentials:

Email: [email protected]
Password: #Savetheinternet

SAML login

Press Continue.

You should see your user's identity successfully retrieved via the SAML callback.

Login success