Setting Up Access

To secure your origin, you must first enable Argo Tunnel, or limit connections to your origin to Cloudflare IPs only and verify the JWT per the instructions here.
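As an added example (not code from Cloudflare's documentation), the check an origin can run on the Access JWT it receives: verify the RS256 signature against the public keys published at the authentication domain's /cdn-cgi/access/certs endpoint, then the issuer, the application audience tag and the expiry. It assumes the keys have already been fetched and are passed in keyed by kid; the audience tag and authentication domain used in tests are placeholders, and SignTestToken only exists to mint a constructed token from a throwaway key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)
// Claims holds the Access assertion fields an origin should check.
type Claims struct {
	Aud   []string `json:"aud"`   // application audience tag(s)
	Iss   string   `json:"iss"`   // https://<auth-domain>
	Email string   `json:"email"` // authenticated user identity
	Exp   int64    `json:"exp"`   // expiry, Unix seconds
}
func b64(s string) []byte    { b, _ := base64.RawURLEncoding.DecodeString(s); return b } // bad input -> unparseable
func digest(s string) []byte { h := sha256.Sum256([]byte(s)); return h[:] }

// VerifyAccessJWT validates an RS256 token against the public keys served at
// https://<auth-domain>/cdn-cgi/access/certs (kid -> key), then checks issuer, audience and expiry.
func VerifyAccessJWT(tok string, keys map[string]*rsa.PublicKey, aud, iss string, now time.Time) (*Claims, error) {
	p, hdr := strings.Split(tok, "."), struct{ Alg, Kid string }{}
	if len(p) != 3 || json.Unmarshal(b64(p[0]), &hdr) != nil || hdr.Alg != "RS256" || keys[hdr.Kid] == nil {
		return nil, errors.New("malformed header, unexpected alg or unknown kid")
	}
	if rsa.VerifyPKCS1v15(keys[hdr.Kid], crypto.SHA256, digest(p[0]+"."+p[1]), b64(p[2])) != nil {
		return nil, errors.New("signature does not verify") // signature covers the raw header.payload text
	}
	var c Claims
	ok, audOK := json.Unmarshal(b64(p[1]), &c) == nil, false
	for _, a := range c.Aud {
		audOK = audOK || a == aud // token must be issued for this application's tag
	}
	if !ok || c.Iss != iss || !audOK || now.Unix() >= c.Exp {
		return nil, errors.New("claims unreadable, or issuer, audience or expiry mismatch")
	}
	return &c, nil
}
// SignTestToken mints a constructed token shaped like an Access assertion (RS256, kid header) from a throwaway key.
func SignTestToken(priv *rsa.PrivateKey, kid string, c Claims) string {
	enc := func(v interface{}) string { b, _ := json.Marshal(v); return base64.RawURLEncoding.EncodeToString(b) }
	input := enc(map[string]string{"alg": "RS256", "kid": kid}) + "." + enc(c)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(input))
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}
```

In production the token arrives in the CF_Authorization cookie or the Cf-Access-Jwt-Assertion request header, and the kid -> key map should be refreshed from the certs endpoint periodically so key rotation does not lock users out.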

1. Login to Cloudflare

An application must be using Cloudflare’s authoritative DNS to use Access. You can check if a subdomain is on Cloudflare by checking for the orange cloud in the DNS tab.

To begin configuring Access, log in to the Cloudflare dashboard and click the ‘Access’ tile in the navigation bar.

[Screenshot: Access tab]

2. Create an authentication domain

Cloudflare Access assigns each customer account its own authentication domain. Your end users will see this domain in the address bar when they reach the login page. All applications in your Cloudflare account share this domain when using Access. Cloudflare relies on this unique domain to store the cookie used to identify authenticated users.

Access will automatically generate an authentication domain for you, or you can customize it on the dashboard.

3. Add an Identity Provider

Your identity provider is the service your users will log in against to authenticate with your site. For example, if you use Google Apps, connect Google as your identity provider. It should be a service where your users already have an account.

If you don’t have an identity provider, you can use the One-Time Pin integration, which will email your visitors a one-time pin they can use to authenticate as long as they are included in your policy criteria. The One-Time Pin option is enabled by default. To integrate with an identity provider, follow the instructions below:

  • Click the button that reads Add Your First Identity Provider.
  • Select which identity provider you wish to add. Access supports the following identity providers today:

    • Google
    • GSuite
    • Okta
    • Azure Active Directory
    • Facebook
    • GitHub
    • Yandex
    • OneLogin
    • Centrify
  • Follow the identity-provider-specific instructions available here and in the UI.

Enabling Instant Auth

If your organization only uses one identity provider, you can skip the need to select that IdP by enabling Cloudflare Instant Auth. With Cloudflare Instant Auth enabled, your users will be redirected directly to your identity provider login page. They will not need to select the identity provider; it will default to the single identity provider you have configured.

If you have multiple identity providers configured, you cannot enable Instant Auth. Your users will instead need to select the identity provider to initiate the login flow when they attempt to reach a site behind Access.

[Screenshot: Enable Instant Auth]

4. Create an application

Access policies define who can and cannot visit a given location on your site, or the entire site. A collection of policies is saved as an Application.

[Screenshot: Create a Policy modal]

  • Click Create Access Policy.
  • If you’d like the policy to only apply to a specific subdomain or path, enter those details.
  • Name your application to make it easy to find this policy in the future.
  • Add at least one Rule. For example, you might want to allow access only to your own email address, or to a certain group of users. You can also enter an email domain like @cloudflare.com to allow everyone in your organization.

You can review additional details about policy creation and management here.

5. Test your policy

Visit the subdomain or path where Access is configured and attempt to connect.

Continue to add policies to any portions of your site you would like to keep private (like development sites and internal resources), and to any external services which have subdomains on your site (like Box or Google Apps for Business).