Add a SaaS application to Access
Cloudflare Access allows you to add an additional authentication layer to your SaaS applications. When you integrate a SaaS application with Access, users log in using your existing identity providers and are only granted access if they pass your Access policies.
This page provides generic instructions for setting up a SaaS application in Zero Trust.
1. Get SaaS application URLs
Obtain the following URLs from your SaaS application account:
- Entity ID: A unique URL issued for your SaaS application, for example
- Assertion Consumer Service URL: The service provider’s endpoint for receiving and parsing SAML assertions.
2. Add your application to Access
In Zero Trust, go to Access > Applications.
Select Add an application.
Select your Application from the drop-down menu. If your application is not listed, enter a custom name in the Application field and select the textbox that appears below.
Enter the Entity ID and Assertion Consumer Service URL obtained from your SaaS application account.
Select the Name ID Format expected by your SaaS application (usually Email).
If your SaaS application requires additional SAML attribute statements, map the IdP attributes you want to include in the SAML statement sent to the SaaS application.
(Optional) Turn on App Launcher visibility if you want the application to be visible in the App Launcher.
(Optional) Add a custom logo for your application by selecting Custom and entering a link to your desired image.
Next, choose the Identity providers you want to enable for your application.
Turn on Instant Auth if you are selecting only one login method for your application, and would like your end users to skip the identity provider selection step.
3. Add an Access policy
To control who can access your application, create an Access policy.
4. Configure SSO in your SaaS application
Finally, you will need to configure your SaaS application to require users to log in through Cloudflare Access.
Configure the following fields with your SAML SSO-compliant application:
- SSO endpoint
- Access Entity ID or Issuer
- Public key
You can either manually enter this data into your SaaS application or upload the application’s metadata XML file. The metadata is available at the URL:
Your application will appear on the Applications page.
The following tutorials provide detailed integration instructions for specific SaaS applications.