The Access App Launch portal provides end users with a single dashboard from which they can open applications secured by Access.
The Access App Launch portal is available at an authentication domain that is unique to your Cloudflare Access account. The URL to the portal is listed in the Access app, on the Access App Launch card:
Users log in using one of the identity providers configured for the account. Once Access authenticates the user, the App Launch portal displays applications they are authorized to use, represented by tiles. Clicking on a tile launches the application’s hostname, sending the user to that tool as part of their single sign-on flow.
Tiles have a one-to-one relationship to the policies you create in Access. If you create one policy for general access to your Jira deployment and a separate policy that restricts requests to a particular Jira path, a user authorized for both will see separate tiles for each. The tile names displayed in the Access App Launch portal correspond to the application names list in the Access Policies card.
By default, the Access App Launch portal is disabled. To enable it, an administrator must configure a policy that defines which users can access the portal.
The App Launch policy defines which users can access the portal. It does not impact or change any rules about the applications secured behind Access. In many cases, teams build the App Launch policy to include everyone authorized to use an application in the team’s account.
Enable the App Launch Portal as follows:
Once you save the policy, users can access the App Launch portal at the URL listed on the Access App Launch card.
When a user visits the Access App Launch portal, they are prompted to log in via an identity provider you have configured for their account. Once the user has successfully authenticated, Access generates a JWT (JSON Web Token) scoped to their identity and to the Access account. The JWT is identical to the token created when users authenticate directly to an application.
The portal evaluates the JWT against all policies configured in the account. The portal displays an app tile for each application that user is authorized to access. When a user clicks on one of the tiles, Access redirects them to the hostname for that application.
Application tiles have a one-to-one relationship with the application policies you create. For example, if you have a generic policy for Jira deployment, and a separate policy for requests to a particular Jira path, a user allowed to access both will see them as two distinct tiles in the portal.
The portal only displays applications a user is authorized to access. Access enforces any additional rules, such as mTLS or IP range requirements, when the user attempts to connect to the application.
The tile names displayed in the Access App Launch portal correspond to the application names list in the Access Policies card.