Cloudflare Docs
Cloudflare Zero Trust
Visit Cloudflare Zero Trust on GitHub
Set theme to dark (⇧+D)

Configure AWS SSO with Access for SaaS

In this tutorial we will configure AWS SSO with Access for SaaS. Cloudflare Access for SaaS allows you to layer additional network and device posture policies on top of existing identity authentication from your identity provider. In this example, we are using Okta as an identity provider, but any supported identity provider can be leveraged.

Time to complete:

20 minutes

​​ Configure AWS

  1. In the AWS admin panel, search for SSO.

  2. Add AWS Single Sign on to your AWS account.

  3. Click Choose an identity source.

  4. Change the identity source to External Identity provider.

  5. Click Show individual metadata values. These will be the fields that are added to the Cloudflare Access for SaaS app.

  6. Copy the AWS SSO ACS URL.

​​ Configure Cloudflare

  1. In a separate tab or window, open Zero Trust and navigate to Access > Applications.

  2. Select SaaS as the application type to begin creating a SaaS application.

  3. Copy the following fields from your AWS account and input them in the Zero Trust application configuration:

    AWS valueCloudflare value
    AWS SSO ACS URLAssertion Consumer Service URL
    AWS SSO Issuer URLEntity ID

    The Name ID Format must be set to: Email.

    Fields configured using information copied from an AWS account.

  4. (Optional) Additional Attribute Statements can be passed from your IdP to AWS SSO. More information about AWS Attribute mapping can be found at Attribute mappings - AWS Single Sign-On.

  5. Copy the Cloudflare IdP metadata values and save them for the Final AWS configuration.

  6. Click Next.

  7. Now create an Access policy to determine who has access to your application.

  8. Save your policy and return to the AWS SSO dashboard.

​​ Complete the AWS configuration

  1. Paste the Cloudflare IdP metadata into your AWS account with these mappings:

    Cloudflare valueAWS value
    SSO EndpointIdP Sign-in URL
    Access Entity IDIdP Issuer URL
    Public KeyIdP Certificate
  2. Click Next: Review.

  3. Set Provisioning to Manual.

    AWS settings panel demonstrating correct settings for manual provisioning.

​​ Test your connection

User should now be able to successfully log in. To test your connection, open the user portal URL.