Create an Access application
Cloudflare Access allows you to securely publish internal tools and applications to the Internet by providing an authentication layer between the end user and your origin server. You can use signals from your existing identity providers (IdPs), device posture providers, and other rules to control who can access your application.
Each application can have multiple policies with different constraints depending on what user group is accessing the application. For example, you can create one policy that requires corporate users to present specific device posture checks or mutual TLS authentication events, and a second policy for contractors which does not require these attributes.
Add your application to Access
-
In Zero Trust ↗, go to Access > Applications.
-
Select Add an application.
-
Select Self-hosted.
-
Enter any name for the application.
-
In Session Duration, choose how often the user’s application token should expire.
Cloudflare checks every HTTP request to your application for a valid application token. If the user’s application token (and global token) has expired, they will be prompted to reauthenticate with the IdP. For more information, refer to Session management.
-
In Application domain, enter the domains that will represent the application.
- Domains must belong to an active zone in your Cloudflare account. You can either select a domain from the dropdown or enter a custom domain that you control.
- You can use wildcards to protect multiple parts of an application that share a root path.
-
(Optional) Configure App Launcher settings for the application.
-
Under Block pages, choose what end users will see when they are denied access to the application:
- Cloudflare default: Reload the login page and display a block message below the Cloudflare Access logo. The default message is
That account does not have access
, or you can enter a custom message. - Redirect URL: Redirect to the specified website.
- Custom page template: Display a custom block page hosted in Zero Trust.
- Cloudflare default: Reload the login page and display a block message below the Cloudflare Access logo. The default message is
-
Next, configure how users will authenticate:
-
Select the Identity providers you want to enable for your application.
-
(Recommended) If you plan to only allow access via a single IdP, turn on Instant Auth. End users will not be shown the Cloudflare Access login page. Instead, Cloudflare will redirect users directly to your SSO login event.
-
(Optional) Under WARP authentication identity, allow users to authenticate to the application using their WARP session identity.
-
-
Select Next.
Add an Access policy
You can now configure an Access policy to control who can connect to your application.
-
Enter any name for your policy.
-
Specify a policy action.
-
Assign Access groups to reuse existing rules, or create new rules. You can add as many include, exception, or require statements as needed.
-
(Optional) Customize the login experience for users who match this policy:
-
Select Next.
(Optional) Configure advanced settings
You can configure the following advanced settings for your application:
- Cross-Origin Resource Sharing (CORS)
- Cookie settings
- Automatic
cloudflared
authentication - Browser rendering
To finish configuring the application, select Add application.
When users go to the application, they will be prompted to login with your identity provider.