
G Suite

G Suite provides OpenID Connect (OIDC) Identity Provider support that you can use with many SaaS apps in the G Suite Marketplace, and adds support for SAML 2.0 (Security Assertion Markup Language) for more than 15 popular SaaS providers. Cloudflare Access supports G Suite as an IdP.

Set up G Suite as your IdP

Use these steps to set up G Suite as your IdP.

  1. Log in to the Google Cloud console at https://console.cloud.google.com/.

    This console is separate from your G Suite Admin console.

  2. Create a new Google Cloud Platform (GCP) project.

  3. Enter Cloudflare Access in the Project Name field.

  4. Ensure that the setting in the Location field matches your G Suite domain.

  5. In the APIs card, click → Go to APIs overview.

  6. Follow the Admin SDK link (or find Admin SDK in the API Library) and click Enable.

  7. Return to the APIs overview page. Select Credentials in the left menu pane.

  8. Click Create credentials > OAuth client ID.

  9. Configure the OAuth consent screen by clicking the CONFIGURE CONSENT SCREEN button.

  10. In Application type, select the Internal option.

  11. In App information, fill in:

    • App Name (for example, Cloudflare Access)
    • User support email (pick from the dropdown)
    • Authorized domains: enter cloudflareaccess.com.
    • Developer contact information: you can use the same address as the user support email.
  12. Click Save and continue, skip Scopes (there is nothing to do) and check Summary.

  13. If you were not redirected, go back to Credentials, and continue creating the OAuth client ID.

    • Application type: Web Application.

    • Name: pick a name (for example, Cloudflare Access).

    • In Authorized JavaScript Origins, enter the authentication domain from Cloudflare Access.

      For example, https://example.cloudflareaccess.com.

    • Enter your authentication domain in the Authorized redirect URIs field, and add this to the end of the path: /cdn-cgi/access/callback

      For example: https://example.cloudflareaccess.com/cdn-cgi/access/callback

  14. A window displays with your OAuth Client ID and Client Secret. Copy these to enter in your Cloudflare Access app.

  15. Return to your G Suite Admin console (https://admin.google.com/), and click Security.

  16. Choose API Controls.

  17. Click Domain wide delegation at the bottom of the screen.

  18. Click Add new.

  19. Enter your copied Client ID.

  20. Paste these URLs in the OAuth Scopes field:

    https://www.googleapis.com/auth/admin.directory.group.member.readonly, https://www.googleapis.com/auth/admin.directory.group.readonly

  21. Click Authorize.

  22. In the Cloudflare Access app, click Add under Login Methods, and select G Suite as your IdP.

  23. Paste in the Client ID and Client Secret.

  24. In the Cloudflare Access Configuration panel, enter your Google domain, including the TLD (for example, my-project.com).

  25. Click Save and Test.

    On success, a confirmation displays that your connection works.

Example API Configuration

{
    "config": {
        "client_id": "<your client id>",
        "client_secret": "<your client secret>",
        "apps_domain": "mycompany.com"
    },
    "type": "google-apps",
    "name": "my example idp"
}
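
The values entered in steps 13, 20 and 24 and in the API configuration above can be checked before you click Save and Test. The following is an added example, not Cloudflare's own code; the function names and validation rules are assumptions made for illustration, built only from the values shown on this page.

```python
import json
import re
from urllib.parse import urlsplit

CALLBACK_PATH = "/cdn-cgi/access/callback"  # path from step 13
READONLY_SCOPES = {                          # the two scopes from step 20
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
}
# Bare DNS name ending in a TLD, e.g. my-project.com (step 24).
DOMAIN_RE = re.compile(r"^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def google_oauth_urls(auth_domain):
    """Return (JavaScript origin, redirect URI) for the OAuth client form."""
    url = auth_domain if "://" in auth_domain else "https://" + auth_domain
    parts = urlsplit(url)
    origin = "https://" + (parts.hostname or "")
    # Reject http, ports, paths and anything else beyond the bare host.
    if not parts.hostname or url.lower().rstrip("/") != origin:
        raise ValueError("authentication domain must be a bare https host")
    return origin, origin + CALLBACK_PATH


def check_scopes(scope_field):
    """Diff the comma-separated OAuth Scopes field against the two scopes."""
    given = {s.strip() for s in scope_field.split(",") if s.strip()}
    return {"missing": sorted(READONLY_SCOPES - given),
            "extra": sorted(given - READONLY_SCOPES)}


def check_idp_config(raw_json):
    """Return a list of problems found in an IdP configuration body."""
    body = json.loads(raw_json)
    cfg = body.get("config", {})
    problems = []
    if body.get("type") != "google-apps":
        problems.append("type must be google-apps")
    if not body.get("name"):
        problems.append("name is empty")
    for key in ("client_id", "client_secret"):
        value = str(cfg.get(key, ""))
        if not value.strip() or "<" in value or ">" in value:
            problems.append(key + " is empty or still a placeholder")
    if not DOMAIN_RE.match(str(cfg.get("apps_domain", ""))):
        problems.append("apps_domain must be a bare domain including the TLD")
    return problems
```

An "extra" entry from check_scopes means the client ID would be delegated more directory access than the two read-only group scopes this setup needs.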
