Skip to content
Cloudflare for Teams
Visit Cloudflare for Teams on GitHub
Set theme to dark (⇧+D)

SAML | Keycloak

Keycloak is an open source identity and access management solution built by JBoss. Need a Keycloak lab environment for testing? An example is available here.

Set up Keycloak (SAML)

To set up Keycloak (SAML) as your identity provider:

  1. In Keycloak, select Clients in the navigation bar and create a new client.

    SAML Client

  2. Under Client AD, enter your team domain followed by this callback at the end of the path: /cdn-cgi/access/callback. For example:

    https://your-team-name.cloudflareaccess.com/cdn-cgi/access/callback

    SAML Client

  3. Next, set the valid redirect URI to the Keycloak domain that you are using. For example, https://<keycloak_domain>/auth/realms/master/protocol/saml.

  4. Set the Master SAML Processing URL using the same Keycloak domain: https://<keycloak_domain>/auth/realms/master/protocol/saml.

  5. Finally, if you wish to enable client signatures, you will need to configure signing in the Cloudflare Access dashboard.

  6. Set the built-in protocol mapper for the email property.

    Mapper

  7. Next, you'll need to integrate with Cloudflare Access. On the Teams dashboard, navigate to Access > Authentication.

  8. Under Login methods, click + Add.

  9. Choose SAML on the next page.

    You will need to input the Keycloak details manually. The examples below should be replaced with the specific domains in use with Keycloak and Cloudflare Access.

    FieldExample
    Single Sign-On URLhttps://<keycloak_domain>/auth/realms/master/protocol/saml
    IdP Entity ID or Issuer URLhttps://<unique_id>.cloudflareaccess.com/cdn-cgi/access/callback
    Signing certificateUse the X509 Certificate in the Realm Settings from Keycloak

    Access Config

  10. Click Save.

To test that your connection is working, navigate to Authentication > Login methods and click Test next to the login method you want to test.