G Suite provides OpenID Connect (OIDC) Identity Provider support that you can use with many SaaS apps in the G Suite Marketplace, and adds support for SAML 2.0 (Security Assertion Markup Language) for more than 15 popular SaaS providers. Cloudflare Access supports G Suite as an IdP.
You must be an administrator for the G Suite organization you are connecting in order to connect your G Suite account to Cloudflare.
Use these steps to set up G Suite as your IdP.
Log in to the Google Cloud console at https://console.cloud.google.com/.
This console is separate from your G Suite Admin console.
Create a new Google Cloud Platform (GCP) project.
Enter Cloudflare Access in the Project Name field.
Ensure that the setting in the Location field matches your G Suite domain.
The GCP dashboard displays.
In the APIs card, click → Go to APIs overview.
Follow the Admin SDK link here and click Enable.
Return to the APIs overview page. Select Credentials in the left menu pane.
The Credentials page displays.
Click Create credentials > OAuth client ID.
The OAuth consent screen page displays.
In Application type, select the Internal option.
Enter an Application Name.
Scroll to the Authorized Domains field, and enter
The Application builder wizard displays.
Click Web Application.
Enter a name for your application.
Enter your authentication domain in the Authorized redirect URIs field, and add this to the end of the path:
A window displays with your OAuth Client ID and Client Secret. Copy these to enter in your Cloudflare Access app.
Return to your G Suite Admin console, and click MORE CONTROLS at the bottom of the window.
The Security page displays.
Click Advanced Settings > Manage API client access.
Paste these URLs in the One or More API Scopes field:
In the Cloudflare Access app, click Add under Login Methods, and select G Suite as your IdP.
Paste in the Client ID and Client Secret.
In the Cloudflare Access Configuration panel, enter your Google domain, including the TLD.
Click Save and Test.
On success, a confirmation displays that your connection works.