Google Suite

You can integrate a Google Workspace (formerly Google Suite) account with Cloudflare Access. Unlike the instructions for generic Google authentication, the steps below will allow you to pull group membership information from your Google Workspace account.

Once integrated, users will log in with their Google Suite credentials to reach resources protected by Cloudflare Access or to enroll their device into Cloudflare Gateway.

  1. Log in to the Google Cloud Platform [console](https://console.cloud.google.com/). This is separate from your Google Workspace console.

  1. Click Create Project to create a new project. Name the project and click Create.

You should now see a Dashboard for your project.

  1. On the left-hand side, select APIs & Services and click Dashboard.

  1. In the screen that loads, click + Enable APIs and Services in the top toolbar.

  1. The API Library will load. Search for admin in the search bar.

  1. Select Admin SDK API by Google.

  1. Click Enable on the Admin SDK API page.

The Admin SDK will be added to your project.

  1. Return to the APIs & Services page. Click Credentials in the navigation bar. You will see a warning that you need to configure a consent screen. Click Configure Consent Screen.

  1. Cloudflare Access will gather information about users in your Google Workspace account, but not other accounts. Toggle Internal to limit this to members in your account.

  1. Input information about the application.

In this case, you are making an application available to your users and can add your team's contact information.

You will not need to configure scopes in this screen and can leave these fields blank.

The summary page will load and you can save and exit.

  1. Return to the Credentials page. Click + Create Credentials.

  1. Select OAuth client ID.

  1. Select Web application as the Application type.

  1. You will need to input your Cloudflare authentication domain. The domain will be structured in the following format:

https://<your-auth-domain-here>.cloudflareaccess.com

Input the authentication domain without any path in the Authorized JavaScript origins section. In the Authorized redirect URIs section, input your authentication domain with the path below.

https://<your-auth-domain-here>.cloudflareaccess.com/cdn-cgi/access/callback

Click Create.

  1. Google will present the OAuth Client ID and Secret values. The secret field functions like a password and should be stored securely and not shared. For the purposes of this tutorial, the secret field is kept visible. Copy both values.

The Client ID will now appear in the APIs & Services page.

  1. Navigate to the Cloudflare for Teams dashboard. In the Authentication page of the Access section, click + Add.

  1. Select Google Suite.

  1. Input the Client ID and Client Secret fields generated previously. Additionally, input the domain of your Google Workspace account. Click Save.

  1. To complete setup, you must scroll down and visit the generated link. If you are not the Google Workspace administrator, share the link with the administrator.

  1. The generated link will prompt you to log in to your Google account and to authorize Cloudflare Access to view group information.

A success page will then load from Cloudflare Access.

  1. You can now return to the list of identity providers in the Authentication page of the Cloudflare for Teams dashboard. Select Google Suite and click Test.

Your user identity and group membership should return.

Example API Configuration

```json
{
    "config": {
        "client_id": "<your client id>",
        "client_secret": "<your client secret>",
        "apps_domain": "mycompany.com"
    },
    "type": "google-apps",
    "name": "my example idp"
}
```
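
A pre-flight check for the values entered in the steps above, as an added example that is not part of the original page or Cloudflare's own code: it derives the Authorized JavaScript origin and redirect URI from the authentication domain and builds the configuration shown above, rejecting placeholders and malformed values. The function names, the `GOOGLE_CLIENT_SECRET` environment variable, the sample client ID and the `.apps.googleusercontent.com` suffix check are assumptions of this example.

```python
import json
import os
import re
from urllib.parse import urlsplit

CALLBACK_PATH = "/cdn-cgi/access/callback"  # callback path given on this page
AUTH_HOST_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.cloudflareaccess\.com")
DOMAIN_RE = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")

def google_oauth_urls(auth_domain_url):
    """Return (javascript_origin, redirect_uri) for an authentication domain URL."""
    parts = urlsplit(auth_domain_url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        raise ValueError("authentication domain must use https")
    if not AUTH_HOST_RE.fullmatch(host):
        raise ValueError("host must be <your-auth-domain>.cloudflareaccess.com")
    if (parts.path not in ("", "/") or parts.query or parts.fragment
            or parts.port is not None or parts.username is not None):
        raise ValueError("origin must not carry a path, query, port or userinfo")
    origin = f"https://{host}"
    return origin, origin + CALLBACK_PATH

def build_idp_config(name, client_id, client_secret, apps_domain):
    """Build the page's "google-apps" payload, refusing placeholder or malformed values."""
    for label, value in (("client_id", client_id), ("client_secret", client_secret)):
        if not value or "<" in value or value != value.strip():
            raise ValueError(f"{label} is empty, padded or still a placeholder")
    # Assumption of this example: Google OAuth client IDs carry this suffix.
    if not client_id.endswith(".apps.googleusercontent.com"):
        raise ValueError("client_id does not look like a Google OAuth client ID")
    domain = apps_domain.lower()
    if not DOMAIN_RE.fullmatch(domain):
        raise ValueError("apps_domain must be a bare domain such as mycompany.com")
    return {"config": {"client_id": client_id, "client_secret": client_secret,
                       "apps_domain": domain},
            "type": "google-apps", "name": name}

if __name__ == "__main__":
    # Constructed sample values; the secret is read from a hypothetical environment variable.
    print(google_oauth_urls("https://example-team.cloudflareaccess.com"))
    cfg = build_idp_config("my example idp", "1234-abc.apps.googleusercontent.com",
                           os.environ.get("GOOGLE_CLIENT_SECRET", "constructed-secret"),
                           "mycompany.com")
    cfg["config"]["client_secret"] = "***"  # redact before printing or logging
    print(json.dumps(cfg, indent=4))
```
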