Cloudflare Docs
Cloudflare Zero Trust
Cloudflare Docs
Cloudflare Zero Trust
GitHub icon
Visit Cloudflare Zero Trust on GitHub
Set theme to dark (⇧+D)
  1. Products
  2. Cloudflare Zero Trust
  3. ...
  4. SSO integration
  5. Generic OIDC

Generic OIDC

Cloudflare Access has a generic OpenID Connect (OIDC) connector to help you integrate IdPs not already set in Access.

​​ Set up a generic OIDC

  1. Visit your identity provider and create a client/app.

  2. When creating a client/app, your IdP may request an authorized redirect URI. Enter your team domain followed by this callback at the end of the path: /cdn-cgi/access/callback. For example:


    https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback

  3. Copy the content of these fields:

    • Client ID
    • Client secret
    • Auth URL: The authorization_endpoint URL of your IdP
    • Token URL: The token_endpoint URL of your IdP
    • Certificate URL: The jwks_uri endpoint of your IdP to allow the IdP keys to sign the tokens

    You can find these values on your identity provider’s OIDC discovery endpoint. Some providers call this the “well-known URL”.

  4. In Zero Trust, go to Settings > Authentication.

  5. Under Login methods, select Add new.

  6. Choose OpenID Connect..

  7. Name your identity provider and fill in the required fields with the information obtained in Step 3.

  8. (Optional) Enable Proof of Key Exchange (PKCE) if the protocol is supported by your IdP. PKCE will be performed on all login attempts.

  9. (Optional) Under Optional configurations, enter custom OIDC claims that you wish to add to your Access application token.

  10. Select Save.

To test that your connection is working, go to Authentication > Login methods and select Test next to the login method you want to test. On success, a confirmation screen displays.

​​ Optional configurations

​​ OIDC claims

OIDC integrations support the use of custom OIDC claims. Custom OIDC claims can be referenced in Access policies, offering a means to control user access based on these specific attributes. Custom OIDC claims are not currently supported in Gateway policies.

​​ Email claim

You can specify a custom Email claim name that Access will use to identify user emails. This is useful if your IdP does not return the standard email claim in the OIDC ID token. For example, you may wish to identify Azure AD users based on their upn instead of email.

​​ Multi-record OIDC claims

Cloudflare Access extends support for multi-record OIDC claims. These claims are parsed out and can be individually referenced in policies. This feature enables granular access control and precise user authorization in applications.

Cloudflare Access does not support partial OIDC claim value references or OIDC scopes.

​​ Example API Configuration


{
  "config": {
    "client_id": "<your client id>",
    "client_secret": "<your client secret>",
    "auth_url": "https://accounts.google.com/o/oauth2/auth",
    "token_url": "https://accounts.google.com/o/oauth2/token",
    "certs_url": "https://www.googleapis.com/oauth2/v3/certs",
    "scopes": ["openid", "email", "profile"]
  },
  "type": "oidc",
  "name": "Generic Google"

}