Add a SaaS application to Access
Cloudflare Access allows you to add an additional authentication layer to your SaaS applications. When you integrate a SaaS application with Access, users log in using your existing identity providers and are only granted access if they pass your Access policies.
This page provides generic instructions for setting up a SaaS application in Zero Trust.
1. Get SaaS application URLs
Obtain the following URLs from your SaaS application account:
- Entity ID: A unique URL issued for your SaaS application, for example https://<your-domain>.my.salesforce.com.
- Assertion Consumer Service URL: The service provider’s endpoint for receiving and parsing SAML assertions.
2. Add your application to Access
In Zero Trust, go to Access > Applications.
Select Add an application.
Select SaaS.
Select your Application from the drop-down menu. If your application is not listed, enter a custom name in the Application field and select the textbox that appears below.
Enter the Entity ID and Assertion Consumer Service URL obtained from your SaaS application account.
Select the Name ID Format expected by your SaaS application (usually Email).
If your SaaS application requires additional SAML attribute statements, map the IdP attributes you want to include in the SAML statement sent to the SaaS application.
(Optional) Under Application Appearance, configure App Launcher settings for the application.
Under Block pages, choose what end users will see when they are denied access to the application:
- Cloudflare default: Reload the login page and display a block message below the Cloudflare Access logo. The default message is "That account does not have access", or you can enter a custom message.
- Redirect URL: Redirect to the specified website.
- Custom page template: Display a custom block page hosted in Zero Trust.
Next, choose the Identity providers you want to enable for your application.
Turn on Instant Auth if you are selecting only one login method for your application, and would like your end users to skip the identity provider selection step.
Select Next.
2. Add an Access policy
To control who can access your application, create an Access policy.
Select Next.
3. Configure SSO in your SaaS application
Finally, you will need to configure your SaaS application to require users to log in through Cloudflare Access.
Configure the following fields with your SAML SSO-compliant application:
- SSO endpoint
- Access Entity ID or Issuer
- Public key
You can either manually enter this data into your SaaS application or upload a metadata XML file. The metadata is available at the URL: <SSO Endpoint>/saml-metadata. The SSO Endpoint can be copied out of the dashboard.
Select Done.
Your application will appear on the Applications page.
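The following added example (not part of the Cloudflare documentation) shows one way to check that the SSO endpoint, Entity ID and public key entered in the SaaS application match the downloaded metadata file. It assumes the file follows the standard SAML 2.0 IdP metadata layout; the function names, the example.com URLs and the certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample metadata; the certificate body is placeholder bytes, not a real X.509 certificate.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed placeholder certificate bytes").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sso.example.com/saml/app-1234">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sso.example.com/saml/app-1234"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

CERT_PATH = "md:IDPSSODescriptor/md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate"


def parse_idp_metadata(xml_text):
    """Return the values the SaaS application asks for, plus a certificate fingerprint."""
    # Input is the metadata file downloaded from your own account, not arbitrary XML.
    root = ET.fromstring(xml_text)
    sso = root.find("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    cert = root.find(CERT_PATH, NS)
    if sso is None or cert is None or not (cert.text or "").strip():
        raise ValueError("metadata lacks an SSO endpoint or signing certificate")
    cert_b64 = "".join(cert.text.split())  # strip line wrapping inside the element
    der = base64.b64decode(cert_b64, validate=True)
    return {
        "entity_id": root.get("entityID"),
        "sso_endpoint": sso.get("Location"),
        "certificate_b64": cert_b64,
        "cert_sha256": hashlib.sha256(der).hexdigest(),
    }


def config_mismatches(metadata, configured):
    """List the fields where the SaaS-side settings differ from the metadata."""
    problems = []
    if not (metadata["sso_endpoint"] or "").startswith("https://"):
        problems.append("sso_endpoint is not HTTPS")
    for field in ("entity_id", "sso_endpoint", "cert_sha256"):
        if configured.get(field) != metadata[field]:
            problems.append(f"{field} differs from metadata")
    return problems
```

Comparing the SHA-256 fingerprint instead of the pasted certificate text avoids false mismatches caused by line wrapping or PEM headers added during manual entry.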
Related tutorials
The following tutorials provide detailed integration instructions for specific SaaS applications.