Cloudflare Docs
Cloud Email Security (formerly Area 1)
Edit this page
Report an issue with this page
Log into the Cloudflare dashboard
Set theme to dark (⇧+D)

Generic single sign-on integration guide

Below is a generic guide to successfully set up an identity provider based SAML. These options might change depending on your identity provider (IDP). However, make sure you set up the options below or their equivalent.

​​ 1. Identity Provider SAML setup

  1. Log in to your SAML provider and access its setup section.

  2. Enter the following values to configure your IDP provider:

    Single sign on URL
    Audience URI (SP Entity ID)
    Name ID formatEmail Address
    Application usernameEmail
    Assertion signatureUnsigned
    Signature AlgorithmRSA-SHA1
    Digest AlgorithmSHA1
  3. In the Attribute Statements, add your application users. Emails you add here should match emails users already have in the Cloud Email Security dashboard.

  4. After finishing the setup, download the IDP metadata file. Copy and paste it into the METADATA XML field in the SSO section of Cloud Email Security’s dashboard. Refer to step 4 in the guide below for more details.

​​ 2. Cloud Email Security SAML setup

After configuring settings in your SSO provider, log in to the Cloud Email Security dashboard to finish setting up.

  1. Log in to the Cloud Email Security (formerly Area 1) dashboard.

  2. Go to Settings (the gear icon).

  3. In Users and Actions > Users and Permissions add the email addresses of all your authorized administrators.

    Fill out your authorized administrators
  4. Go to SSO, and enable Single Sign on.

    Enable SSO
  5. In SSO Enforcement, choose one of the settings, according to your specific needs:

    • None: This setting allows each user to choose SSO, or username and password plus 2FA (this is the recommended setting while testing SSO).
    • Admin: This setting will force only the administrator account to use SSO. The user that enables this setting will still be able to log in using username and password plus 2FA. This is a backup, so that your organization does not get locked out of the portal in emergencies.
    • Non-Admin Only: This option will require that all Read only and Read & Write users use SSO to access the portal. Admins will still have the option to use either SSO or username and password plus 2FA.
  6. In SAML SSO Domain enter the domain that points to your SSO provider.

  7. In METADATA XML paste the SAML XML metadata settings from your provider. These settings (and even their exact text descriptions) are in different locations depending on your SSO provider.

  8. Select Update Settings to save your configuration.

​​ Troubleshooting

If you have trouble connecting your SAML provider to Cloud Email Security, make sure that:

  • The users you have configured in your SAML provider exist in the Cloud Email Security dashboard.
  • You are using email address as an attribute (in step 2, refer to Name ID format and Application username).
  • You are using the SHA-1 algorithm.
  • Your encryption is set to 2048 bits.

If all else fails, enable Chrome browser debug logs. Then, log your activity when SSO is initiated, and contact Cloudflare support.