G Suite

G Suite provides OpenID Connect (OIDC) Identity Provider support that you can use with many SaaS apps in the G Suite Marketplace, and adds support for SAML 2.0 (Security Assertion Markup Language) for more than 15 popular SaaS providers. Cloudflare Access supports G Suite as an IdP.

You must be an administrator of the G Suite organization you are connecting in order to complete these steps, because they enable an Admin SDK API, create OAuth credentials and authorize API client access for the whole organization.

Set up G Suite as your IdP

Use these steps to set up G Suite as your IdP.

  1. Log in to the Google Cloud console at https://console.cloud.google.com/.

    This console is separate from your G Suite Admin console.

  2. Create a new Google Cloud Platform (GCP) project.

  3. Enter Cloudflare Access in the Project Name field.

  4. Ensure that the setting in the Location field matches your G Suite domain.

    The GCP dashboard displays.

  5. In the APIs card, click → Go to APIs overview.

  6. Open the API library, find the Admin SDK API, and click Enable.

    Cloudflare Access uses this API only to read group membership, through the read-only scopes you authorize in step 21.

  7. Return to the APIs overview page and select Credentials in the left menu pane.

    The Credentials page displays.

  8. Click Create credentials > OAuth client ID.

    The OAuth consent screen page displays.

  9. In Application type, select the Internal option.

    Internal limits the consent screen, and so sign-in through this client, to accounts in your G Suite organization. Do not select External here.

  10. Enter an Application Name.

  11. Scroll to the Authorized Domains field, and enter cloudflareaccess.com.

  12. Click Save.

    The Application builder wizard displays.

  13. Click Web Application.

  14. Enter a name for your application.

  15. In Authorized JavaScript Origins, enter your Cloudflare Access authentication domain.

    For example: https://example.cloudflareaccess.com

  16. In Authorized redirect URIs, enter the same authentication domain with /cdn-cgi/access/callback appended to the path.

    For example: https://example.cloudflareaccess.com/cdn-cgi/access/callback

    Google matches the redirect URI exactly (scheme, host and path), so enter it without a trailing slash and with the same team subdomain you used for the origin.

    A window displays with your OAuth Client ID and Client Secret. Copy these to enter in your Cloudflare Access app. The Client Secret is a credential: store it as you would any other secret and do not commit it to source control.

  17. Return to your G Suite Admin console, and click MORE CONTROLS at the bottom of the window.

  18. Click Security.

    The Security page displays.

  19. Click Advanced Settings > Manage API client access.

    The Manage API client access page displays.

  20. Enter your copied Client ID in the Client Name field.

  21. Paste these URLs in the One or More API Scopes field:

    https://www.googleapis.com/auth/admin.directory.group.member.readonly, https://www.googleapis.com/auth/admin.directory.group.readonly

    Both scopes are read-only; the client does not need, and should not be granted, write access to the directory.

  22. Click Authorize.

  23. In the Cloudflare Access app, click Add under Login Methods, and select G Suite as your IdP.

  24. Paste in the Client ID and Client Secret.

  25. In the Cloudflare Access Configuration panel, enter your Google domain, including the TLD (for example, mycompany.com). This is the apps_domain value in the API configuration below, and only accounts in this domain can sign in through this login method.

  26. Click Save and Test.

    On success, a confirmation displays that your connection works.

Example API Configuration

```json
{
  "config": {
    "client_id": "<your client id>",
    "client_secret": "<your client secret>",
    "apps_domain": "mycompany.com"
  },
  "type": "google-apps",
  "name": "my example idp"
}
```
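The following Python script is an added example and is not Cloudflare's or Google's own code. It derives the exact Authorized JavaScript origin and redirect URI for a team's authentication domain (steps 15 and 16), assembles the identity-provider object in the shape shown above, and applies the check Google's OpenID Connect guidance asks relying parties to make when sign-in is restricted to one hosted domain: that the `hd` claim of a signature-verified ID token equals the configured domain. The function names, the validation rules and the sample claims are this example's own assumptions, not Cloudflare's implementation.

```python
"""Build and sanity-check a Cloudflare Access 'google-apps' IdP configuration.

Added example, not Cloudflare's or Google's code. The payload shape follows the
page's sample; the validation rules and function names are assumptions.
"""
import json
import re
from urllib.parse import urlparse

CALLBACK_PATH = "/cdn-cgi/access/callback"
AUTH_DOMAIN_SUFFIX = ".cloudflareaccess.com"
# Read-only Admin SDK scopes from the page, in the comma-separated form the
# "Manage API client access" field expects. No write scope is required.
REQUIRED_SCOPES = (
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
)
# Loose hostname check: "mycompany.com" passes, a bare label like "mycompany" does not.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def oauth_client_urls(auth_domain: str) -> dict:
    """Return the exact JavaScript origin and redirect URI for a team domain.

    Google compares redirect URIs byte-for-byte, so both values are derived from
    the authentication domain instead of being typed by hand.
    """
    parsed = urlparse(auth_domain if "://" in auth_domain else "https://" + auth_domain)
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        raise ValueError("authentication domain must use https")
    if not host.endswith(AUTH_DOMAIN_SUFFIX) or host == AUTH_DOMAIN_SUFFIX.lstrip("."):
        raise ValueError("expected <team>.cloudflareaccess.com, got %r" % host)
    origin = "https://" + host
    return {"origin": origin, "redirect_uri": origin + CALLBACK_PATH}


def build_idp_config(name: str, client_id: str, client_secret: str, apps_domain: str) -> dict:
    """Assemble the identity-provider object in the shape shown on the page."""
    if not client_id.strip() or not client_secret.strip():
        raise ValueError("client_id and client_secret must both be set")
    domain = apps_domain.strip().lower()
    if not _DOMAIN_RE.match(domain):
        raise ValueError("apps_domain must be a full domain including its TLD")
    return {
        "type": "google-apps",
        "name": name,
        "config": {
            "client_id": client_id,
            "client_secret": client_secret,
            "apps_domain": domain,
        },
    }


def hosted_domain_matches(id_token_claims: dict, apps_domain: str) -> bool:
    """Google's OIDC guidance for domain-restricted sign-in: the `hd` claim of an
    already signature-verified ID token must equal the allowed domain. A missing
    `hd` means a consumer Google account and is rejected."""
    hd = id_token_claims.get("hd")
    return isinstance(hd, str) and hd.lower() == apps_domain.strip().lower()


if __name__ == "__main__":
    # Constructed sample values; the team name and client ID are placeholders.
    urls = oauth_client_urls("example.cloudflareaccess.com")
    cfg = build_idp_config(
        "my example idp", "1234.apps.googleusercontent.com", "s3cret", "mycompany.com"
    )
    print(json.dumps({"google_console": urls, "cloudflare_access": cfg}, indent=2))
    print("scopes:", ", ".join(REQUIRED_SCOPES))
    # Constructed claims for illustration; a real token must be signature-checked first.
    print(hosted_domain_matches({"sub": "1", "hd": "mycompany.com"}, "mycompany.com"))
    print(hosted_domain_matches({"sub": "2", "email": "x@gmail.com"}, "mycompany.com"))
```

Run it once before clicking Save and Test: the printed origin and redirect URI are what to paste into the Google console, and a ValueError from `build_idp_config` points at a missing secret or a domain without its TLD, the two mistakes the page's own steps most often produce.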