
Add a SaaS application to Access

Cloudflare Access lets you add an extra authentication layer to your SaaS applications. When you integrate a SaaS application with Access, users log in using your existing identity providers and are only granted access if they pass your Access policies.

This page provides generic instructions for setting up a SaaS application in Zero Trust.

1. Get SaaS application URLs

Obtain the following URLs from your SaaS application account:

  • Entity ID: A unique URL issued for your SaaS application, for example https://<your-domain>.my.salesforce.com.
  • Assertion Consumer Service URL: The service provider’s endpoint for receiving and parsing SAML assertions.

2. Add your application to Access

  1. In Zero Trust, go to Access > Applications.

  2. Select Add an application.

  3. Select SaaS.

  4. Select your Application from the drop-down menu. If your application is not listed, enter a custom name in the Application field and select the textbox that appears below.

  5. Enter the Entity ID and Assertion Consumer Service URL obtained from your SaaS application account.

  6. Select the Name ID Format expected by your SaaS application (usually Email).

  7. If your SaaS application requires additional SAML attribute statements, map the IdP attributes you want to include in the SAML statement sent to the SaaS application.

  8. (Optional) Configure App Launcher settings for the application.

  9. Under Block pages, choose what end users will see when they are denied access to the application:

    • Cloudflare default: Reload the login page and display a block message below the Cloudflare Access logo. The default message is "That account does not have access", or you can enter a custom message.
    • Redirect URL: Redirect to the specified website.
    • Custom page template: Display a custom block page hosted in Zero Trust.
  10. Next, configure how users will authenticate:

    1. Select the Identity providers you want to enable for your application.
    2. (Optional) Turn on Instant Auth if you selected only one IdP and want users to skip the identity provider selection step.
    3. (Optional) Under WARP authentication identity, allow users to authenticate to the application using their WARP session identity.
  11. Select Next.

3. Add an Access policy

  1. To control who can access your application, create an Access policy.

  2. Select Next.

4. Configure SSO in your SaaS application

Finally, you will need to configure your SaaS application to require users to log in through Cloudflare Access.

  1. Configure the following fields with your SAML SSO-compliant application:

    • SSO endpoint
    • Access Entity ID or Issuer
    • Public key

    You can either manually enter this data into your SaaS application or upload a metadata XML file. The metadata is available at the URL: <SSO Endpoint>/saml-metadata. The SSO Endpoint can be copied out of the dashboard.

  2. Select Done.

Your application will appear on the Applications page.

The following tutorials provide detailed integration instructions for specific SaaS applications.