Cloudflare
Configure Cloudflare Zero Trust SSO
Prerequisites
- Administrator access to Cloudflare Zero Trust dashboard
- A SplitSecure Identity Provider created and approved
- A verified domain in Cloudflare (for SSO configuration)
- A separate browser or browser profile with SplitSecure configured (for testing)
Cloudflare Configuration
Add a New Identity Provider
- Log in to the Cloudflare Zero Trust dashboard
- Navigate to Settings → Authentication → Login methods
- Click Add new
- Select SAML
Configure SAML Settings
Required Configuration
| Field | Value |
|---|---|
| Name | (e.g., “SplitSecure SAML”) |
| Populate details with .xml file (Optional) | Found in SplitSecure → [Your IdP] → Details → Download Metadata |
| Single sign-on URL | (Auto-filled if using metadata) |
| IdP Entity ID or Issuer URL | (Auto-filled if using metadata) |
| Signing certificate | (Auto-filled if using metadata) |
| Enable SCIM | Off |
Optional Configurations
| Field | Value |
|---|---|
| Sign SAML authentication request | On |
| Email attribute name | email (default) |
| SAML attributes | Leave blank |
| SAML header attributes | Leave blank |
Click Save
Dashboard SSO
This section enables SSO for Cloudflare dashboard access. For detailed information, see the Cloudflare Dashboard SSO documentation .
Invite Members
Go to Cloudflare dashboard
Navigate to Manage Account → Members
Click Invite members
Enter one or more email addresses
Configure the member scope:
- Select a scope: Account-level
- Roles: [Super Administrator - All Privileges]
Click Invite
Add and Verify Your Domain
Click Settings
Under Single Sign-On (SSO) for all members, click Add domain
Enter your organization’s domain
Cloudflare will provide DNS verification details:
- Type: TXT
- Name: Provided value
- Value: Provided value
Add the TXT record to your DNS provider
Return to Cloudflare and click Verify
Access Policies for IdP Control
Cloudflare Access policies allow you to control which identity providers users can authenticate with and restrict access based on various criteria.
Access policies consist of:
- Actions: Allow, Block, Bypass, or Service Auth
- Rule Types: Include (OR logic), Exclude (NOT logic), Require (AND logic)
- Selectors: Criteria such as email, country, login method, etc.
For more information: Cloudflare Access Policies
- In Cloudflare Zero Trust , navigate to Settings
- Under Admin controls find Manage Cloudflare dashboard SSO applications
- Find the domain added in the previous step and click Edit
- A policy should already exist for your domain, find it and click the ellipsis menu (⋮)
The following steps control how users authenticate to your Cloudflare dashboard. Misconfiguration can lock users out of your account. Proceed carefully.
An existing configuration rule should appear under Configuration Rules → Include. Click Add require, then fill:
Selector Value Login Method Select your IdP (e.g., “SAML • Your IdP”)
If your IdP doesn’t appear by name, look for SAML Groups - [IdP Name] in the dropdown.
Login Method Options
The Login Methods selector allows you to enable multiple authentication options simultaneously. Each selected method gives users an additional way to access the dashboard.
| Selection | User Experience | Security Level | Recovery Option |
|---|---|---|---|
| SAML only | Users must authenticate through SplitSecure | High | No fallback if misconfigured |
| Both One-time PIN + SAML | Users can choose either method at login | Medium | Email fallback available |
- Click Save Policy
- Review your selected login methods and rule type
- Click Save Policy
Do not close your current session. Test authentication before logging out.
SplitSecure Configuration
Download Cloudflare SAML Metadata
Download your Cloudflare SAML metadata file using one of the following URLs:
| Type | URL | When to Use |
|---|---|---|
| Default | https://<team-name>.cloudflareaccess.com/cdn-cgi/access/saml-metadata | Standard configuration |
| IdP-specific | https://<team-name>.cloudflareaccess.com/cdn-cgi/access/<idp-id>/saml-metadata | Multiple IdPs configured, or IdP requires non-standard configuration or custom SAML attribute mappings |
Finding your values:
- Team name: Found in Cloudflare Zero Trust under Settings → Team domain
- IdP ID: Obtain from the Cloudflare API endpoint List Access identity providers
Create the Cloudflare Secure Account
- In SplitSecure, navigate to Secure Accounts → Create Account → Cloudflare
- Enter a name for your account
- Select the Identity Provider used in the Cloudflare configuration
- Upload the metadata file downloaded in Step 1 (filename:
access_saml_metadata.xml) - Provide your SSO endpoint which can be found on Cloudflare at Access Controls → Application → SSO App
- Click Create Account
Test Authentication
Use a separate browser or browser profile with SplitSecure configured to test without affecting your current session.
Test Authentication (SP-Initiated)
- Navigate to dash.cloudflare.com
- Enter an email address using your verified organization domain
- The login button should change to Log in with SSO
- Click Log in with SSO and select your SAML identity provider
- You will be redirected to SplitSecure
- Enter your email address when prompted
- Click Request Access
- Complete the authentication flow
Troubleshooting
| Issue | Possible Cause | Solution |
|---|---|---|
| “Log in with SSO” button doesn’t appear | Domain not verified | Complete DNS verification in Cloudflare |
| Test connection fails | Incorrect SSO URL or Entity ID | Re-download metadata from SplitSecure and re-upload to Cloudflare |
| Certificate error | Certificate mismatch or expiration | Download a fresh certificate from SplitSecure |
| User cannot authenticate | Email domain not added to SSO | Add and verify the user’s email domain in Cloudflare |
| Multiple IdPs shown during login | Multiple SAML providers configured | Select the IdP corresponding to your SplitSecure account |
| SAML response signature invalid | “Sign SAML authentication request” disabled | Enable this option in Cloudflare SAML settings |
External Resources
- Identity Providers Supported IdP integrations overview
- Generic SAML 2.0 SAML configuration guide
Last updated: