GSuite

To connect your GSuite account to Cloudflare, you must be an admin for the GSuite organization you are connecting.

Begin by logging in to the Google Cloud console. This is a separate dashboard from your GSuite Admin console. You can use the link below to reach it for your account:

https://console.cloud.google.com/

Create a new GCP Project and title it ‘Cloudflare Access’. Ensure that the ‘Organization’ field matches your GSuite domain.

Once created, you will be taken to the GCP project dashboard. Within the dashboard, find the card titled ‘APIs’ and select ‘Go to APIs overview’.

In the sidebar to the left, click ‘Credentials’, then click the ‘Create credentials’ button in the card on the Credentials screen. Select ‘OAuth client ID’ from the list.

On the next page, click the ‘Configure consent screen’ button. On the following screen, you will be asked to name the application.

Under ‘Application type’ select ‘Internal’. Input a name under ‘Application Name’. In the ‘Authorized domains’ field, you must input cloudflareaccess.com and click save.

Clicking save will take you to a wizard to build the Application. Start by selecting ‘Web application’ from the available options and provide a name.

For ‘Authorized JavaScript origins’ input the authentication domain from the Cloudflare Access admin dashboard. It will be in the format: https://example.cloudflareaccess.com.

Under ‘Authorized redirect URIs’, input the callback URI path, /cdn-cgi/access/callback, appended to your authentication domain. For example: https://example.cloudflareaccess.com/cdn-cgi/access/callback.

Google will display a modal with your OAuth client ID and client secret. Copy both down; you will need them in the GSuite Admin step and to complete your Cloudflare Access configuration.

Now that you have created your application in GCP, you need to return to your GSuite admin account. You can reach the dashboard at https://admin.google.com/ and, once there, select ‘MORE CONTROLS’ at the bottom of the screen and click ‘Security’.

Select the row ‘Advanced Settings’ and click ‘Manage API client access’.

In the Client Name field, input the Client ID you copied from the GCP modal. In the field ‘One or More API Scopes’ paste the following:

https://www.googleapis.com/auth/admin.directory.group.member.readonly, https://www.googleapis.com/auth/admin.directory.group.readonly

You can then click Authorize.

Once authorized, you can return to the Cloudflare Access dashboard and input your Client ID and Secret to complete the integration.

In the Cloudflare configuration panel, make sure to input your Google domain with the TLD included.
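
To check the finished setup against the steps above, the following added example (not part of the original guide or of Cloudflare's or Google's tooling) audits an OAuth client definition and the scopes string. It assumes you have downloaded the client's JSON from the GCP Credentials page and that the file uses a top-level "web" object with "javascript_origins" and "redirect_uris"; the function names and sample data are constructed for illustration.

```python
import json

CALLBACK_PATH = "/cdn-cgi/access/callback"
# The two read-only Directory scopes the guide says to paste into the Admin console.
EXPECTED_SCOPES = {
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
}


def _diff(label, actual, expected):
    """Report values that are present but not expected, and expected but absent."""
    actual, expected = set(actual), set(expected)
    return ([f"unexpected {label}: {v}" for v in sorted(actual - expected)]
            + [f"missing {label}: {v}" for v in sorted(expected - actual)])


def audit(client_json, auth_domain, scopes_field):
    """Return a list of findings; an empty list means the setup matches the guide."""
    web = json.loads(client_json).get("web")  # assumed layout of the downloaded file
    if web is None:
        return ["client is not of type 'Web application'"]
    origin = f"https://{auth_domain}"
    findings = _diff("JavaScript origin", web.get("javascript_origins", []), [origin])
    # Any extra redirect URI is another place Google will deliver authorization codes.
    findings += _diff("redirect URI", web.get("redirect_uris", []), [origin + CALLBACK_PATH])
    # The Admin console field is a comma-separated list; anything beyond the two
    # read-only scopes grants the client more directory access than needed.
    scopes = [s.strip() for s in scopes_field.split(",") if s.strip()]
    findings += _diff("API scope", scopes, EXPECTED_SCOPES)
    return findings


# Constructed sample data: placeholder client ID, example auth domain from the guide.
GOOD_CLIENT = json.dumps({"web": {
    "client_id": "EXAMPLE-CLIENT-ID.apps.googleusercontent.com",
    "javascript_origins": ["https://example.cloudflareaccess.com"],
    "redirect_uris": ["https://example.cloudflareaccess.com/cdn-cgi/access/callback"],
}})
BAD_CLIENT = json.dumps({"web": {
    "client_id": "EXAMPLE-CLIENT-ID.apps.googleusercontent.com",
    "javascript_origins": ["http://example.cloudflareaccess.com"],
    "redirect_uris": ["https://example.cloudflareaccess.com/cdn-cgi/access/callback",
                      "http://localhost:8080/callback"],
}})
GOOD_SCOPES = ", ".join(sorted(EXPECTED_SCOPES))

if __name__ == "__main__":
    for name, client in (("good", GOOD_CLIENT), ("bad", BAD_CLIENT)):
        print(name, audit(client, "example.cloudflareaccess.com", GOOD_SCOPES))
```

An empty list means the client has exactly the one origin, the one callback URI and the two read-only scopes described above; each finding names the value to remove or add.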