Setting Up Access

An application must be using Cloudflare (you can see if a subdomain is on Cloudflare by checking for the orange cloud in the DNS tab) to use Access.

1. Login to Cloudflare

Login to the Cloudflare dashboard. Click the ‘Access’ tile in the nav bar to visit the Access configuration.

Access Tab

2. Authentication Domain

Each user of Cloudflare Access lives on their own authentication domain. This domain will show in the address bar while the user is authenticating onto your site. This domain will be shared for all the sites hosted on your Cloudflare account. This domain is necessary, as it is used by Cloudflare to store the cookie used to identify authenticated users.

3. Add an Identity Provider

Your identity provider is the service your user’s will login to to authenticate with your site. For example, if you use Google Apps, it’s common to link with Google as your identity provider. It should be a service you expect your user’s to already have an account with.

If you don’t have an identity provider, you can always use the ‘Password-less’ provider which will email your visitors to confirm their identity. The password-less provider should already be installed for you by default. If you wish to use an alternative provider like Google, Facebook, or Github to authenticate your visitors:

  • Click the button that says Add Your First Identity Provider.
  • Select which identity provider you wish to add. The current supported identity providers are:

    • Google
    • GSuite
    • Okta
    • Azure Active Directory
    • Facebook
    • Github
    • Yandex
  • Follow the identity provider-specific options.

4. Create a Policy

Access policies define who can and can’t visit a given location on your site.

Create a Policy Modal

  • Click Create Access Policy.
  • If you’d like the policy to only apply to a specific subdomain or path, enter them.
  • Name your application to make it easy to find this policy in the future.
  • Add at least one Property. For example, you might want to only allow access to your email address, or to a certain group of users. You can also enter an email domain like to allow everyone in your organization.

5. Try your Policy

Visit the subdomain or path you configured Access for, and observe you are now asked to login!

Now is the time to add policies to any portions of your site you would like to keep private (like development sites and internal resources), and to any external services which have subdomains on your site (like Box or Google Apps for Business).