Skip to content
Cloudflare for Teams
Visit Cloudflare for Teams on GitHub
Set theme to dark (⇧+D)

Google Suite

You can integrate a Google Workspace (formerly Google Suite) account with Cloudflare Access. Unlike the instructions for generic Google authentication, the steps below will allow you to pull group membership information from your Google Workspace account.

Once integrated, users will login with their Google Suite credentials to reach resources protected by Cloudflare Access or to enroll their device into Cloudflare Gateway.

  1. Log into the Google Cloud Platform console. This is separate from your Google Workspace console.

    GCP Console

  2. Click Create Project to create a new project. Name the project and click Create.

    Create Project

    You should now see a Dashboard for your project.

    Post Create

  3. On the left-hand side, select APIs & Services and click Dashboard.

    Click API

  4. In the screen that loads, click + Enable APIs and Services in the top toolbar.

  5. The API Library will load. Search for admin in the search bar.

    API Library

  6. Select Admin SDK API by Google.

  7. Click Enable on the Admin SDK API page.

    Admin SDK

    The Admin SDK will be added to your project.

    Admin SDK

  8. Return to the APIs & Services page. Click Credentials in the navigation bar. You will see a warning that you need to configure a consent screen. Click Configure Consent Screen.

    Configure Consent Screen

  9. Cloudflare Access will gather information about users in your Google Workspace account, but not other accounts. Toggle Internal to limit this to members in your account.

    Internal Users

  10. Input information about the application.

    App Domain

    In this case, you are making an application available to your users and can add your team's contact information.

    Internal Users

    You will not need to configure scopes in this screen and can leave these fields blank.

    Consent Screen Scope

    The summary page will load and you can save and exit.

    Consent Screen Summary

  11. Return to the Credentials page. Click + Create Credentials

    Create Credentials

  12. Select OAuth client ID.

    Select OAuth

  13. Select Web application as the Application type.

    Create OAuth

  14. Under Authorized JavaScript origins, in the URIs field, enter your team domain.

  15. Under Authorized redirect URIs, in the URIs field, enter your team domain followed by this callback at the end of the path: /cdn-cgi/access/callback. For example:

    https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback

    Input Team Domain

    Click Create.

  16. Google will present the OAuth Client ID and Secret values. The secret field functions like a password and should be kept securely and not shared. For the purposes of this tutorial, the secret field is kept visible. Copy both values.

    Secret Field

    The Client ID will now appear in the APIs & Services page.

Client ID Visible

  1. Navigate to the Cloudflare for Teams dashboard. In the Authentication page of the Access section, click + Add.

    Add IdP

  2. Select Google Suite.

    Add Google Suite

  3. Input the Client ID and Client Secret fields generated previously. Additionally, input the domain of your Google Workspace account. Click Save.

    Add Google Suite

  4. To complete setup, you must scroll below and visit the link generated. If you are not the Google Workspace administrator, share the link with the administrator.

    Visit Link

  5. The generated link will prompt you to login to your Google account and to authorize Cloudflare Access to view group information.

    Authorize Groups

    A success page will then load from Cloudflare Access.

    Group Success

  6. You can now return to the list of identity providers in the Authentication page of the Cloudflare for Teams dashboard. Select Google Suite and click Test.

    Your user identity and group membership should return.

    Connection Works

Example API Configuration

{    "config": {        "client_id": "<your client id>",        "client_secret": "<your client secret>",        "apps_domain": "mycompany.com"    },    "type": "google-apps",    "name": "my example idp"}
export const _frontmatter = {"order":12}