Applications
With Access, you can protect two types of applications: SaaS and self-hosted.
SaaS applications include applications your team relies on that are not hosted by your organization, such as Slack or Airtable.
Self-hosted applications include your internal tools and applications, such as Jira or Grafana. You must secure self-hosted applications with Cloudflare's authoritative DNS to use Cloudflare Access.
- Protect a SaaS application
- Protect a self-hosted application
Protect a SaaS application
Cloudflare Access allows you to integrate your SaaS products by acting as an identity aggregator, or proxy. This way, users cannot login to SaaS applications without first meeting the criteria you want to introduce.
1. Add your application
- On the Teams dashboard, navigate to the Applications tab.
- Click Add an application.
- Select SaaS.
- In the Configure app section, select an application from the Application drop-down menu. If your application is not listed, type its name in the textbox and select it.
In the Entity ID field, provide the unique identifier of your SaaS application. SaaS applications store this information in different ways.
In the Assertion Consumer Service URL field, input the service provider’s endpoint for receiving and parsing SAML assertions.
Scroll down to the Application logo card to choose a logo that will represent the application in the App Launcher and in the Applications page. You can either:
- Select Default if you want to show the SaaS application’s logo.
- Select Custom if you want to assign a custom logo to the application.
- Next, scroll down to the Identity Providers card to select the identity providers you want to enable for your app.
- Click Next.
2. Add a policy
You can now configure a policy to control who can access your app.
To learn more about how policies work, read our Policies and rules section.
- First, specify a name for your rule. This is a mandatory field.
- Specify a policy action.
- Specify one or more rules in the Configure a rule box. You can add as many include, exception, or require statements as needed.
- Click Next to add your application to Access.
3. Integrate Your SaaS Application With Access
Before you begin using your application through Access, your last step is to integrate your SaaS application to Access.
- First, configure these fields with your SAML SSO-compliant application. Take note of these fields before you click Done:
- Click Done to see your application listed on your Applications tab.
Protect a self-hosted application
Cloudflare Access allows you to securely publish internal tools and applications to the Internet, by providing an authentication layer using your existing identity providers to control who has access to your applications.
Before you begin setting up your self-hosted application, you will need an active domain on Cloudflare. Access rules will be built to secure that domain.
Create Access rules before connecting your application to Cloudflare. To connect your origin to Cloudflare, you can use Argo Tunnel. If you do not wish to use Argo Tunnel, you must validate the token issued by Cloudflare on your origin.
1. Add your app
- On the Teams dashboard, navigate to the Applications tab.
- Click Add an application.
- Select Self-hosted.
You are now ready to start configuring your app.
- Choose an application name and set a session duration. The session duration will determine the minimum frequency a user will be prompted to authenticate with the configured provider.
From the drop-down menu under Application domain, select a hostname that will represent the application. The hostname must be an active zone in your Cloudflare account.
Scroll down to the Application logo card to configure your application logo. To add a custom logo, click Custom and input a link to your desired image.
- Next, scroll down to the Identity Providers card to select the identity providers you want to enable for your app.
- Click Next.
2. Add a policy
You can now configure a policy to control who can access your app.
To learn more about how policies work, read our Policies and rules section.
- First, specify a name for your rule. This is a mandatory field.
- Specify a policy action.
- Specify one or more rules in the Configure a rule box. You can add as many include, exception, or require statements as needed.
- Click Next to add your application to Access.
3. Configure advanced settings
The Setup section allows you to configure a few advanced settings for your application.
Configure cookie settings. For more information, you can read about session management here.
Configure
cloudflared
settings. For more information, you can read about automaticcloudflared
authentication here.Once you've configured the settings as needed, click Add application.
Your application is now connected to Access, and will appear in your Applications list. You can proceed with connecting your origin to Cloudflare at this URL.