Cloudflare Docs
Cloudflare-One
Visit Cloudflare Zero Trust on GitHub
Set theme to dark (⇧+D)

Okta

Okta provides cloud software that helps companies manage and secure user authentication to modern applications, and helps developers build identity controls into applications, website web services, and devices. You can integrate Okta with Cloudflare Zero Trust and build rules based on user identity and group membership. Cloudflare Zero Trust supports Okta integrations using either the OIDC (default) or SAML protocol.

Set up Okta as an OIDC provider

  1. On your Okta admin dashboard, navigate to Applications > Applications.
  2. Click Create App Integration.
  3. For the Sign-in method, select OIDC - OpenID Connect.

Creating an OIDC application in Okta

  1. For the Application type, select Web Application. Click Next.

  2. Enter any name for the application. In the Sign-in redirect URIs field, input your team domain followed by this callback at the end of the path: /cdn-cgi/access/callback. For example:

    https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback
  3. Select the desired Assignment option and click Save.

  4. From the application view, navigate to the Sign On tab.

  5. Scroll down to the OpenID ConnectID Token and click Edit.

    Configuring the Groups claim filter in Okta

  6. Set the Groups claim filter to Matches regex and its value to .*.

  7. In the General tab, copy the Client ID, Client secret, and Okta domain.

    Finding your Client credentials and Okta domain in Okta

  8. On the Zero Trust dashboard, navigate to Settings > Authentication.

  9. Under Login methods, click Add new and select Okta as your identity provider.

  10. Fill in the following information:

    • Name: Name your identity provider
    • App ID: Enter your Okta Client ID.
    • Client secret: Enter your Okta Client secret.
    • Okta account URL: Enter your Okta domain, for example https://<your-domain>.okta.com.
  11. (Optional) Create an Okta API token and enter it in the Zero Trust dashboard (the token can be read-only). This will prevent your Okta groups from failing if you have more than 100 groups.

  12. (Optional) Enable Proof of Key Exchange (PKCE). PKCE will be performed on all login attempts.

  13. Click Save.

To test that your connection is working, navigate to Settings > Authentication > Login methods and click Test next to Okta.

Example API Configuration

{
"config": {
"client_id": "<your client id>",
"client_secret": "<your client secret>",
"okta_account": "https://dev-abc123.oktapreview.com"
},
"type": "okta",
"name": "my example idp"
}