This guide covers how to configure AWS as a SAML application in Cloudflare Zero Trust.

Prerequisites

An identity provider configured in Cloudflare Zero Trust

Admin access to an AWS account

1. Get AWS URLs

In the AWS admin panel, search for IAM Identity Center. Go to IAM Identity Center > Settings. In the Identity source tab, select the Actions dropdown and select Change identity source. Change the identity source to External identity provider. Copy the values shown in Service provider metadata. You will need these values when configuring the SaaS application in Zero Trust.

Next, we will obtain Identity provider metadata from Zero Trust.

2. Add a SaaS application to Cloudflare Zero Trust

In a separate tab or window, open Zero Trust and go to Access > Applications. Select SaaS. For Application, select Amazon AWS. For the authentication protocol, select SAML. Select Add application. Fill in the following fields:

Entity ID: IAM Identity Center issuer URL

Assertion Consumer Service URL: IAM Identity Center Assertion Consumer Service (ACS) URL

Name ID format: Email

(Optional) Additional SAML attribute statements can be passed from your IdP to AWS SSO. To learn more about AWS attribute mapping, refer to Attribute mappings - AWS Single Sign-On.

AWS supports uploading a metadata XML file. To download your SAML metadata from Access:

Copy the SAML Metadata endpoint.

In a separate browser window, go to the SAML Metadata endpoint (https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/sso/saml/xxx/saml-metadata).

Save the page as access_saml_metadata.xml.

Configure Access policies for the application. Save the application.
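Before uploading access_saml_metadata.xml to AWS, it is worth confirming that the file really is IdP metadata and carries what IAM Identity Center will rely on: the entityID, a signing certificate, HTTPS single sign-on endpoints and the emailAddress NameID format. The following script is an added example and not code from the Cloudflare page or from Cloudflare; the embedded sample metadata is constructed for the demonstration (the team name example-team, the app ID EXAMPLE-APP-ID and the certificate text are placeholders, and the element layout is a generic SAML 2.0 IdP metadata shape, not a copy of what Access emits). Run it with the path to your downloaded file as the first argument; with no argument it inspects the built-in sample.

```python
# Added example (not from the Cloudflare page): sanity-check SAML IdP metadata
# downloaded from the Access SAML Metadata endpoint before uploading it to AWS.
import re
import sys
import xml.etree.ElementTree as ET  # fine for a file from your own tenant; use defusedxml for XML from untrusted parties

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SSO_BINDINGS = (
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
)


def inspect_idp_metadata(xml_text: str) -> dict:
    """Extract the fields AWS needs from SAML IdP metadata and list anything that looks wrong."""
    root = ET.fromstring(xml_text.strip())
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor; this is not SAML metadata")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no md:IDPSSODescriptor; this looks like SP metadata, not IdP metadata")
    problems = []

    # Signing certificates: AWS verifies assertion signatures against these.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # an absent 'use' attribute means signing and encryption
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            if c.text and c.text.strip():
                certs.append(re.sub(r"\s+", "", c.text))
    if not certs:
        problems.append("no signing certificate (ds:X509Certificate) found")

    # Single sign-on endpoints: AWS needs at least one supported binding, and it must be HTTPS.
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    if not any(b in sso for b in SSO_BINDINGS):
        problems.append("no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint")
    for binding, location in sso.items():
        if not (location or "").startswith("https://"):
            problems.append(f"SSO endpoint for {binding} is not https: {location!r}")

    # NameID format: the guide sets Email, the only format AWS accepts from third-party IdPs.
    nameid_formats = [n.text.strip() for n in idp.findall("md:NameIDFormat", NS) if n.text]
    if nameid_formats and EMAIL_NAMEID not in nameid_formats:
        problems.append("metadata does not advertise the emailAddress NameID format AWS expects")

    return {
        "entity_id": root.get("entityID", ""),
        "signing_certs": len(certs),
        "sso_endpoints": sso,
        "nameid_formats": nameid_formats,
        "problems": problems,
    }


# Constructed sample (placeholders only; not real Access output or a real certificate).
KEY_BLOCK = """
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIC-CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERTIFICATE
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>"""

METADATA_TEMPLATE = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://example-team.cloudflareaccess.com/cdn-cgi/access/sso/saml/EXAMPLE-APP-ID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">@KEY@
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-team.cloudflareaccess.com/cdn-cgi/access/sso/saml/EXAMPLE-APP-ID"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-team.cloudflareaccess.com/cdn-cgi/access/sso/saml/EXAMPLE-APP-ID"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""
SAMPLE_METADATA = METADATA_TEMPLATE.replace("@KEY@", KEY_BLOCK)


if __name__ == "__main__":
    # Usage: python inspect_metadata.py access_saml_metadata.xml
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    report = inspect_idp_metadata(text)
    for key, value in report.items():
        print(f"{key}: {value}")
    sys.exit(1 if report["problems"] else 0)
```

A non-empty problems list (or an exception on the root element) means the saved page was probably not the metadata document itself, for example an HTML error page, and the upload to AWS would fail or, worse, configure AWS with the wrong signing key.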

3. Complete AWS configuration

Return to the IAM Identity Center > Settings > Change identity source tab. Under IdP SAML metadata, upload your access_saml_metadata.xml file. Select Next to review settings, type ACCEPT and select Change identity source to confirm changes. Confirm that Provisioning is set to Manual.

Important

Access for SaaS does not currently support SCIM provisioning. Make sure that:

Users are created in both your identity provider and AWS.

Users have matching usernames in your identity provider and AWS.

Usernames are email addresses. This is the only format AWS supports with third-party SSO providers.

4. Test the integration

To test the connection, go to your AWS access portal URL. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider.