Cloudflare Docs
Cloudflare Zero Trust
Edit this page on GitHub
Set theme to dark (⇧+D)

PingFederate®

The PingFederate® offering from PingIdentity provides SSO identity management. Cloudflare Access supports PingFederate as a SAML identity provider.

​​ Set up PingFederate as an identity provider

  1. Log in to your Ping dashboard and go to Applications.

  2. Select Add Application.

  3. Select New SAML Application.

  4. Complete the fields for name, description, and category.

    These can be any value. A prompt displays to select a signing certificate to use.

  5. In the SAML attribute configuration dialog select Email attribute > urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

      
  6. In the Signature Policy tab, disable the option to Always Sign Assertion.

  7. Leave the option enabled for Sign Response As Required.

    This ensures that SAML destination headers are sent during the integration.

    In versions 9.0 above, you can leave both of these options enabled.

  8. A prompt displays to download the SAML metadata from Ping.

    This file shares several fields with Cloudflare Access so you do not have to input this data.

  9. In Zero Trust, go to Settings > Authentication.

  10. Under Login methods, select Add new.

  11. Select SAML.

  12. In the IdP Entity ID field, enter the following URL:

    https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback

    You can find your team name in Zero Trust under Settings > Custom Pages.

  13. Fill the other fields with values from your Ping dashboard.

  14. Select Save.

To test that your connection is working, go to Authentication > Login methods and select Test next to the login method you want to test.

​​ Example API configuration

{
"config": {
"issuer_url": "https://example.cloudflareaccess.com/cdn-cgi/access/callback",
"sso_target_url": "https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=aebe6668-32fe-4a87-8c2b-avcd3599a123",
"attributes": ["PingOne.AuthenticatingAuthority", "PingOne.idpid"],
"email_attribute_name": "",
"sign_request": false,
"idp_public_cert": "MIIDpDCCAoygAwIBAgIGAV2ka+55MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG\nA1UEC.....GF/Q2/MHadws97cZg\nuTnQyuOqPuHbnN83d/2l1NSYKCbHt24o"
},
"type": "saml",
"name": "ping saml example"
}