SAML | Okta
Okta provides cloud software that helps companies manage and secure user authentication to modern applications, and helps developers build identity controls into applications, websites, web services, and devices. Cloudflare Access can integrate with Okta as a SAML identity provider.
Set up Okta (SAML)
To set up SAML with Okta as your identity provider:
Log in to your Okta Admin portal, and choose Applications.
Click Add Application.
Click Create New App.
The Create a New Application Integration card displays.
Select SAML 2.0.
Click Create.
The Create SAML Integration card displays.
Enter an App name.
Click Next.
The SAML Settings card displays.
In both the Single sign on URL and the Audience URI (SP Entity ID) fields, enter your team domain followed by the callback path /cdn-cgi/access/callback. For example: https://your-team-name.cloudflareaccess.com/cdn-cgi/access/callback. Okta must be given this exact URL in both fields; the assertion's Audience and its destination are checked against it.
Select the value to pass from the Name ID drop-down list.
In the Attribute Statements Name field, enter “email” to create a new attribute.
In the Value field, enter user.email so that the assertion carries the user's Okta email address (the value is an Okta expression, not a literal address).
Click Next.
Click Finish.
The Applications page displays.
Click Assign Applications.
The application name page displays, where you assign the groups or users who can access this application. Our example application name is samlapp.
Click People or Groups.
The Assign application name to Groups card displays, where you grant users or groups permission to access your application.
Click Done.
The assignments display on the Application page.
Choose the Sign On tab to retrieve the identity provider information.
Copy and paste the following information into the Cloudflare Access Edit a SAML identity provider card:
- Provider Name: Name your IdP.
- Single Sign On URL: Enter the IdP Single-Sign-On URL.
- IdP Entity ID: Enter the IdP issuer.
- Signing Certificate: Copy the certificate from the Okta X.509 Certificate field, that is, the text between the BEGIN CERTIFICATE and END CERTIFICATE lines (without those lines).
After completing these fields, enter “email” as the email attribute name for the SAML assertion; it must match the attribute statement name you created in Okta.
Click Save.
To test that your connection is working, navigate to Authentication > Login methods and click Test next to the login method you want to test.
Download SP metadata (optional)
Some IdPs allow administrators to upload metadata files from their SP (service provider).
To get your Cloudflare metadata file:
Download your unique SAML metadata file from https://your-team-name.cloudflareaccess.com/cdn-cgi/access/saml-metadata, replacing your-team-name with your team name. Save the file in XML format.
Upload the XML document to your Okta account.
Example API configuration
{
  "config": {
    "issuer_url": "http://www.okta.com/exkbhqj29iGxT7GwT0h7",
    "sso_target_url": "https://dev-abc123.oktapreview.com/app/myapp/exkbhqj29iGxT7GwT0h7/sso/saml",
    "attributes": ["email", "group"],
    "email_attribute_name": "email",
    "sign_request": false,
    "idp_public_cert": "MIIDpDCCAoygAwIBAgIGAV2ka+55MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG\nA1UEC.....GF/Q2/MHadws97cZg\nuTnQyuOqPuHbnN83d/2l1NSYKCbHt24o"
  },
  "type": "saml",
  "name": "okta saml example"
}
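The following is an added example, not Cloudflare's or Okta's own code. It covers two steps on this page: the callback URL that goes into Okta's Single sign on URL and Audience URI fields, and turning the values from Okta's Sign On tab into the JSON shape of the API configuration above. It assumes that Okta publishes standard SAML 2.0 IdP metadata (entityID, SingleSignOnService, a signing KeyDescriptor), that Cloudflare team names consist of lowercase letters, digits and hyphens, and that the email attribute name is "email" as configured earlier. The IdP metadata and the certificate bytes are constructed samples with made-up identifiers; the certificate is only an ASN.1 SEQUENCE header plus filler, enough to exercise the paste checks but not a real certificate.

```python
import base64
import json
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
CALLBACK_PATH = "/cdn-cgi/access/callback"

# Constructed stand-in for a DER certificate: a SEQUENCE header (length 0x0104)
# followed by filler. NOT a real certificate; it only exercises the base64 checks.
SAMPLE_CERT_DER = b"\x30\x82\x01\x04" + b"\x00" * 260
SAMPLE_CERT_B64 = base64.encodebytes(SAMPLE_CERT_DER).decode()  # 76-column lines

# Constructed sample of Okta IdP metadata; every identifier here is made up.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exkEXAMPLE000000000">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>
{SAMPLE_CERT_B64}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://dev-000000.okta.com/app/samlapp/exkEXAMPLE000000000/sso/saml"/>
    <md:SingleSignOnService Binding="{POST_BINDING}"
        Location="https://dev-000000.okta.com/app/samlapp/exkEXAMPLE000000000/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def okta_app_settings(team_name: str) -> dict:
    """Values for Okta's Single sign on URL and Audience URI (SP Entity ID) fields.

    Both fields get the same callback URL. The team-name shape is an assumption
    used only to catch typos before they end up in an Audience check.
    """
    if not re.fullmatch(r"[a-z0-9-]+", team_name):
        raise ValueError(f"unexpected team name: {team_name!r}")
    url = f"https://{team_name}.cloudflareaccess.com{CALLBACK_PATH}"
    return {"single_sign_on_url": url, "audience_uri": url}


def normalize_cert(text: str) -> str:
    """Return the base64 body of a certificate with PEM armor and indentation removed.

    Accepts a downloaded PEM file (BEGIN/END lines present) or the indented text
    of a metadata X509Certificate element; lines are kept, as in the API example.
    """
    lines = [ln.strip() for ln in text.strip().splitlines()]
    body = [ln for ln in lines if ln and not ln.startswith("-----")]
    return "\n".join(body)


def check_cert(cert_b64: str) -> int:
    """Decode the pasted certificate, confirm it looks like DER, return its byte length.

    Catches the two common paste errors: leftover armor or non-base64 characters,
    and a body that does not start with an ASN.1 SEQUENCE tag (0x30).
    """
    der = base64.b64decode("".join(cert_b64.split()), validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("certificate body is not DER (missing SEQUENCE tag)")
    return len(der)


def build_access_config(idp_metadata_xml: str, name: str, attributes: list) -> dict:
    """Map Okta IdP metadata onto the Cloudflare Access SAML identity-provider JSON."""
    root = ET.fromstring(idp_metadata_xml)
    issuer = root.get("entityID")  # Okta's "IdP issuer"
    if not issuer:
        raise ValueError("metadata has no entityID (IdP issuer)")
    sso = {e.get("Binding"): e.get("Location")
           for e in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS)}
    target = sso.get(POST_BINDING) or next(iter(sso.values()), None)
    if not target or not target.startswith("https://"):
        raise ValueError(f"no https SingleSignOnService location: {target!r}")
    cert_el = root.find("md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/"
                        "ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert_el is None or not cert_el.text:
        raise ValueError("metadata has no signing certificate")
    cert = normalize_cert(cert_el.text)
    check_cert(cert)
    return {
        "config": {
            "issuer_url": issuer,
            "sso_target_url": target,
            "attributes": list(attributes),
            "email_attribute_name": "email",  # the attribute statement created in Okta
            "sign_request": False,
            "idp_public_cert": cert,
        },
        "type": "saml",
        "name": name,
    }


if __name__ == "__main__":
    print(json.dumps(okta_app_settings("your-team-name"), indent=2))
    print(json.dumps(build_access_config(SAMPLE_IDP_METADATA, "okta saml example",
                                         ["email", "group"]), indent=2))
```

The https requirement on the SSO location and the DER check on the certificate are the two places where a copy-and-paste mistake otherwise surfaces only as a failed login in the Test step; running the script against the metadata downloaded from Okta's Sign On tab flags them before the provider is saved.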