Cloudflare dashboard SSO application
By adding a Dashboard SSO application to your Cloudflare Zero Trust account, you can enforce single sign-on (SSO) to the Cloudflare dashboard with the identity provider (IdP) of your choice. SSO will be enforced for every user in your email domain.
| Free | Pro | Business | Enterprise | |
|---|---|---|---|---|
Availability | No | No | No | Yes (with Standard or Premium Success plans) |
All users in your email domain must exist as a member in your Cloudflare account and IdP. To add users to your Cloudflare account, refer to Manage Cloudflare account access.
Add an IdP to Cloudflare Zero Trust by following our detailed instructions.
Once you configure your IdP, make sure you also test your IdP.
Ask your account team to approve and create your SSO domain. An SSO domain is the email domain associated with the members in your Cloudflare account. For example, if your SSO domain is configured for emails ending in @yourcompany.com, a member with email @test.com would not see the Log in with SSO option and would have to enter their username and password.
Once your SSO domain is approved, a new SSO App application will appear under Access > Applications. The application is pre-configured with allow email domain as the default rule and your IdP as the authentication providers.
- The email domain must belong to your organization. Public email providers such as
@gmail.comare not allowed. - Every user with that email domain must be an employee in your organization. For example, university domains such as
@harvard.eduare not allowed because they include student emails. - Your SSO domain can include multiple email domains.
-
In Zero Trust ↗, go to Settings > Authentication.
-
In the Cloudflare dashboard SSO card, set your email domain to Enabled. This action can only be performed by Super Administrators.
-
Do not log out or close your browser window. Instead, open a different browser or an incognito window.
-
In the Cloudflare dashboard ↗, log in with your email address from your SSO domain.
-
If you can log in successfully, you have successfully set up your dashboard SSO application.
-
If you cannot log in successfully:
- Return to Zero Trust and go to Settings > Authentication.
- For Cloudflare dashboard SSO, set your email domain to Disabled.
- Re-configure your IdP.
Cloudflare dashboard SSO does not support:
- Users with plus-addressed emails, such as
example+2@domain.com. If you have users like this added to your Cloudflare organization, they will be unable to login with SSO. - IdP initiated logins (such as a tile in Okta). All login attempts must originate from
https://dash.cloudflare.com. You can create a bookmark for this URL in your IdP to assist users.
This section describes how to restore access to the Cloudflare dashboard in case you are unable to login with SSO.
If there is an issue with your SSO IdP provider, you can add an alternate IdP using the API. The following example shows how to add Cloudflare One-time PIN as a login method:
- Add one-time PIN login:
curl 'https://api.cloudflare.com/client/v4/accounts/{account_id}/access/identity_providers' \--header "X-Auth-Email: <EMAIL>" \--header "X-Auth-Key: <API_KEY>" \--header "Content-Type: application/json" \--data '{ "type": "onetimepin", "config": {}}'- Get the
idof thedash_ssoAccess application. You can usejq↗ to quickly find the correct application:
curl 'https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps' \--header "X-Auth-Email: <EMAIL>" \--header "X-Auth-Key: <API_KEY>" \| jq '.result[] | select(.type == "dash_sso")'{ "id": "3537a672-e4d8-4d89-aab9-26cb622918a1", "uid": "3537a672-e4d8-4d89-aab9-26cb622918a1", "type": "dash_sso", "name": "SSO App" ...}- Using the
idobtained above, update SSO App to accept all identity providers:
curl --request PUT \'https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps/3537a672-e4d8-4d89-aab9-26cb622918a1' \--header "X-Auth-Email: <EMAIL>" \--header "X-Auth-Key: <API_KEY>" \--header "Content-Type: application/json" \--data '{ "id": "3537a672-e4d8-4d89-aab9-26cb622918a1", ... "allowed_idps": [], ...}'Users will now have the option to log in using a one-time PIN.
The following API calls will disable SSO enforcement for an account. This action can only be performed by Super Administrators.
- Get your SSO
connector_id:
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/sso/v2/connectors \--header "X-Auth-Email: <EMAIL>" \--header "X-Auth-Key: <API_KEY>"{ "result": [ { "connector_id": "2828", "connector_tag": "d616ac82cc7f87153112d75a711c5c3c", "email_domain": "yourdomain.com", "connector_status": "V", ... } ], "success": true, "errors": [], "messages": []}- Disable the SSO connector:
curl --request PATCH \'https://api.cloudflare.com/client/v4/accounts/{account_id}/sso/v2/connectors/2828' \--header "X-Auth-Email: <EMAIL>" \--header "X-Auth-Key: <API_KEY>" \--header "Content-Type: application/json" \--data '{ "sso_connector_status": "DIS"}'{ "result": { "id": "2828" }, "success": true, "errors": [], "messages": []}Users can now log in using their Cloudflare account email and password. To re-enable SSO, send a PATCH request with "sso_connector_status" : "V".