Add web applications
Cloudflare Access allows you to secure your web applications by acting as an identity aggregator, or proxy. You can use signals from your existing identity providers (IdPs), device posture providers, and other rules to control who can log in to the application.
You can protect the following types of web applications:
-
SaaS applications consist of applications your team relies on that are not hosted by your organization. Examples include Salesforce and Workday. To secure SaaS applications, you must integrate Cloudflare Access with the SaaS application's SSO configuration.
-
Self-hosted applications consist of internal applications that you host in your own environment. These can be the data center versions of tools like the Atlassian suite or applications created by your own team. Setup requirements for a self-hosted application depend on whether the application is publicly accessible on the Internet or restricted to users on a private network.
- Public hostname applications are web applications that have public DNS records. Anyone on the Internet can access the application by entering the URL in their browser and authenticating through Cloudflare Access. Securing access to a public website requires a Cloudflare DNS full setup or partial CNAME setup.
- Private network applications do not have public DNS records, meaning they are not reachable from the public Internet. To connect using a private IP or private hostname, the user's traffic must route through Cloudflare Gateway. The preferred method is to install the WARP client on the user's device, but you could also forward device traffic from a network location or use an agentless option such as PAC files or Clientless Web Isolation.
-
Cloudflare Dashboard SSO is a special type of SaaS application that manages SSO settings for the Cloudflare dashboard and has limited permissions for administrator edits.