Cloudflare as identity provider
Cloudflare Access can use Cloudflare itself as an identity provider, allowing you to build Access policies that match on Cloudflare account membership. This is useful for scenarios where you want to restrict access to users who are members of a specific Cloudflare account, without requiring a third-party identity provider.
When a user authenticates through the Cloudflare identity provider, Access verifies their Cloudflare account membership and grants or denies access based on your policy configuration.
- In the Cloudflare dashboard, go to Zero Trust > Integrations > Identity providers.
- Under Your identity providers, select Add new identity provider.
- Select Cloudflare.
- (Optional) Enable Restrict to account members if you want to limit authentication to users who are members of your Cloudflare account. When disabled, any user with a Cloudflare account can authenticate.
- Select Save.
Make a POST request to the Identity Providers endpoint:
Required API token permissions
At least one of the following token permissions is required:
- Access: Organizations, Identity Providers, and Groups Write

```bash
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/identity_providers" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "Cloudflare",
    "type": "cloudflare",
    "config": {
      "restrict_to_account_members": true
    }
  }'
```

| Option | Description | Default |
|---|---|---|
| Restrict to account members | When enabled, only users who are members of your Cloudflare account can authenticate. When disabled, any Cloudflare user can authenticate (subject to your Access policies). | Disabled |
After configuring Cloudflare as an identity provider, you can use the Cloudflare Account Member selector in your Access policies. This selector matches users based on their membership in a Cloudflare account.
- If you omit the account ID, the selector matches members of the current account (the account where the Access policy is configured).
- If you specify an account ID, the selector matches members of that specific account.
This is useful for cross-account access scenarios where you need to grant access to users from a different Cloudflare account.
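The following is an added model, not Cloudflare's code, of how the two settings described on this page combine: the identity provider's Restrict to account members option gates authentication, and the Cloudflare Account Member selector (with or without an account ID) gates the policy. Account IDs, user e-mails and the membership sets are constructed sample data, and the model assumes the restriction checks membership of the account that owns the identity provider, as the option description states.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class User:
    email: str
    memberships: FrozenSet[str]  # Cloudflare account IDs the user belongs to (constructed data)

@dataclass(frozen=True)
class CloudflareIdp:
    restrict_to_account_members: bool  # mirrors config.restrict_to_account_members

@dataclass(frozen=True)
class AccountMemberRule:
    account_id: Optional[str] = None  # None = account ID omitted in the selector (current account)

def authenticate(idp: CloudflareIdp, user: User, current_account: str) -> bool:
    """Identity provider stage: with the restriction on, only members of the account
    that owns the identity provider sign in; with it off, any Cloudflare user passes."""
    return current_account in user.memberships if idp.restrict_to_account_members else True

def evaluate_policy(rules: List[AccountMemberRule], user: User, current_account: str) -> bool:
    """Policy stage: Include rules are ORed; an omitted account ID resolves to the account
    where the policy is configured, an explicit ID targets that other account."""
    return any((rule.account_id or current_account) in user.memberships for rule in rules)

def decide(idp: CloudflareIdp, rules: List[AccountMemberRule], user: User, current_account: str) -> Tuple[bool, str]:
    """Both stages must pass; the reason string says which one refused the user."""
    if not authenticate(idp, user, current_account):
        return False, "rejected by identity provider (not an account member)"
    if not evaluate_policy(rules, user, current_account):
        return False, "no Cloudflare Account Member rule matched"
    return True, "allowed"

if __name__ == "__main__":
    ACME, PARTNER = "acct-acme-0001", "acct-partner-0002"  # constructed account IDs
    alice = User("alice@example.com", frozenset({ACME}))
    bob = User("bob@example.com", frozenset({PARTNER}))
    carol = User("carol@example.com", frozenset())  # Cloudflare user, member of neither account
    strict, open_idp = CloudflareIdp(True), CloudflareIdp(False)
    same_account = [AccountMemberRule()]  # account ID omitted: members of ACME
    cross_account = [AccountMemberRule(account_id=PARTNER)]  # cross-account rule
    for label, idp, rules, user in [
        ("alice, restricted IdP, current-account rule", strict, same_account, alice),
        ("bob, restricted IdP, cross-account rule", strict, cross_account, bob),
        ("bob, unrestricted IdP, cross-account rule", open_idp, cross_account, bob),
        ("carol, unrestricted IdP, current-account rule", open_idp, same_account, carol),
    ]:
        print(f"{label}: {decide(idp, rules, user, ACME)}")
```

The second and third cases show the interaction to keep in mind: with the restriction enabled, a member of another account is stopped at the identity provider before any cross-account policy rule is evaluated, while the fourth case shows that with the restriction disabled the Access policy alone decides.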