Configure AWS SSO with Access for SaaS
In this tutorial we will configure AWS SSO with Access for SaaS. Cloudflare Access for SaaS allows you to layer additional network and device posture policies on top of existing identity authentication from your identity provider. In this example, we are using Okta as an identity provider, but any supported identity provider can be leveraged.
⏲️ Time to complete:
In the AWS admin panel, search for
Add AWS Single Sign on to your AWS account.
Click Choose an identity source.
Change the identity source to External Identity provider.
Click Show individual metadata values. These will be the fields that are added to the Cloudflare Access for SaaS app.
Copy the AWS SSO ACS URL.
Select SaaS as the application type to begin creating a SaaS application.
Copy the following fields from your AWS account and input them in the Cloudflare for Teams application configuration:
AWS value Cloudflare value AWS SSO ACS URL Assertion Consumer Service URL AWS SSO Issuer URL Entity ID
The Name ID Format must be set to: Email.
Copy the Cloudflare IdP metadata values and save them for the Final AWS configuration:
Save your policy and return to the AWS SSO dashboard.
Complete the AWS configuration
Paste the Cloudflare IdP metadata into your AWS account with these mappings:
Cloudflare value AWS value SSO Endpoint IdP Sign-in URL Access Entity ID IdP Issuer URL Public Key IdP Certificate
Click Next: Review.
Set Provisioning to Manual.
Test your connection
User should now be able to successfully log in. To test your connection, open the user portal URL.