SAML with Okta
Okta provides cloud software that helps companies manage and secure user authentication to modern applications, and helps developers build identity controls into applications, websites, web services, and devices. Cloudflare Access can integrate SAML with Okta as an IdP.
Set up Okta as your IdP
To set up SAML with Okta as your IdP:
Log in to your Okta Admin portal, and choose Applications.
Click Add Application.
Click Create New App.
The Create a New Application Integration card displays.
Select SAML 2.0.
Click Create.
The Create SAML Integration card displays.
Enter an App name.
Click Next.
The SAML Settings card displays.
In the Single sign on URL and the Audience URI (SP Entity ID) fields, enter your authorization domain, and include this callback at the end of the path:
/cdn-cgi/access/callback
Tip: You can find your organization’s authorization domain in Cloudflare Access. It begins with a subdomain unique to your organization and ends with the domain cloudflareaccess.com; append the callback path specified above.
Select the value to pass from the Name ID drop-down list.
In Attribute Statements Name field, enter “email” to create a new attribute.
In the Value field, enter a user email.
Click Next.
Click Finish.
The Applications page displays.
Click Assign Applications.
The application name page displays where you assign groups or users who can access this application. Our example application name is samlapp.
Click People or Groups.
The Assign application name to Groups card displays, where you grant users or groups permission to access your application.
Click Done.
The assignments display on the Application page.
Choose the Sign On tab to retrieve the identity provider information.
Scroll to the bottom of the screen, copy the metadata and save it as an XML file.
Name the metadata file sp-metadata.xml.
In Cloudflare Access, scroll to Login Methods, click Add and select the SAML icon.
The Add a SAML identity provider card displays.
Click to browse and select or drag the metadata file into the file upload box.
Confirm that the field entries from the metadata file upload are accurate.
Click Save and then Test.
On successful connection to your Okta deployment, a confirmation displays.
To manually enter metadata from your Okta IdP
Copy and paste the following information into the Cloudflare Access Edit a SAML identity provider card.
After completing the information, enter the name “email” as your email attribute for the SAML assertion field.
Click Save.
Click Close.
Click Save and then Test.
On successful connection to your Okta deployment, a confirmation displays.
Close the Edit a SAML identity provider card.
Download SP metadata (optional)
Some IdPs allow administrators to upload metadata files from their SP (service provider).
To get your Cloudflare metadata file:
Download your unique SAML metadata file at the following URL:
https://auth-domain.cloudflareaccess.com/cdn-cgi/access/saml-metadata
Replace auth-domain with your account’s Login Page Domain, found in the Access tab in Cloudflare Access.
In Cloudflare Access, you can find a link to this URL in the Edit a SAML identity provider dialog. The link returns a web page with your SAML SP data in XML format.
Save the file in XML format.
Upload the XML document to your Okta account.
Example API Configuration
{
  "config": {
    "issuer_url": "http://www.okta.com/exkbhqj29iGxT7GwT0h7",
    "sso_target_url": "https://dev-abc123.oktapreview.com/app/myapp/exkbhqj29iGxT7GwT0h7/sso/saml",
    "attributes": ["email", "group"],
    "email_attribute_name": "",
    "sign_request": false,
    "idp_public_cert": "MIIDpDCCAoygAwIBAgIGAV2ka+55MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG\nA1UEC.....GF/Q2/MHadws97cZg\nuTnQyuOqPuHbnN83d/2l1NSYKCbHt24o"
  },
  "type": "saml",
  "name": "okta saml example"
}
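As an added example (not Cloudflare's or Okta's own code), the following Python script reads an Okta IdP metadata document of the kind copied from the Sign On tab and turns it into the config shape shown above, so the fields needed for manual entry (issuer, SSO target URL, signing certificate, email attribute) are taken from the file rather than retyped. The sample metadata, its entity ID, URL and certificate body are constructed placeholders. The script rejects SP metadata (no IDPSSODescriptor), requires an https HTTP-POST SSO endpoint, and requires a signing certificate, since Access cannot validate assertions without one.

```python
"""Convert Okta IdP SAML metadata into the Cloudflare Access SAML config shape.

Added example; not Cloudflare's or Okta's code. The embedded metadata is a
constructed sample with placeholder entity ID, URL and certificate body.
"""
import json
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample of an Okta IdP metadata document (placeholder values).
SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exkEXAMPLEIDPLACEHOLDER">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            MIIDEXAMPLECERTPLACEHOLDER
            BASE64LINE2PLACEHOLDER
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-org.okta.com/app/example-app/exkEXAMPLEIDPLACEHOLDER/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-org.okta.com/app/example-app/exkEXAMPLEIDPLACEHOLDER/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def idp_metadata_to_config(xml_text, name, email_attribute="email"):
    """Return a dict in the shape of the Access API example above."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    issuer = root.get("entityID")
    if not issuer:
        raise ValueError("EntityDescriptor has no entityID")

    # SP metadata has an SPSSODescriptor instead; refuse it early so the wrong
    # file is not silently turned into a half-empty IdP config.
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    # Access posts the AuthnRequest, so pick the HTTP-POST SSO endpoint.
    sso = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == HTTP_POST:
            sso = svc.get("Location")
    if sso is None:
        raise ValueError("no HTTP-POST SingleSignOnService endpoint")
    if not sso.startswith("https://"):
        raise ValueError("SSO endpoint must use https")

    # A KeyDescriptor without a 'use' attribute applies to both signing and
    # encryption, so treat it as a signing key as well.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.findall(".//ds:X509Certificate", NS):
            lines = [ln.strip() for ln in (c.text or "").splitlines()]
            certs.append("\n".join(ln for ln in lines if ln))
    if not certs:
        raise ValueError("no signing certificate in metadata")

    return {
        "type": "saml",
        "name": name,
        "config": {
            "issuer_url": issuer,
            "sso_target_url": sso,
            "attributes": [email_attribute],
            # The page instructs entering "email" as the email attribute name.
            "email_attribute_name": email_attribute,
            "sign_request": False,
            "idp_public_cert": certs[0],
        },
    }


if __name__ == "__main__":
    print(json.dumps(idp_metadata_to_config(SAMPLE_IDP_METADATA, "okta saml example"), indent=2))
```

Run it against the metadata saved from the Okta Sign On tab and compare the printed values with what is entered in the Edit a SAML identity provider card; a mismatch in issuer or certificate is the usual cause of a failed Test.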