Set up Cloudflare dashboard SSO
By adding a Dashboard SSO application to your Cloudflare Zero Trust account, you can enforce single sign-on (SSO) to the Cloudflare dashboard with the identity provider (IdP) of your choice. SSO will be enforced for every user in your email domain.
Availability
Free | Pro | Business | Enterprise | |
Availability | No | No | No | Yes (with Standard or Premium Success plans) |
Prerequisites
All users in your email domain must exist as a member in your Cloudflare account and IdP. To add users to your Cloudflare account, refer to Manage Cloudflare account access.
1. Set up an IdP
Add an IdP to Cloudflare Zero Trust by following our detailed instructions.
Once you configure your IdP, make sure you also test your IdP.
2. Contact your account team
Ask your account team to approve and create your SSO domain. An SSO domain is the email domain associated with the members in your Cloudflare account. For example, if your SSO domain is configured for emails ending in @yourcompany.com
, a member with email @test.com
would not see the Log in with SSO option and would have to enter their username and password.
Once your SSO domain is approved, a new SSO App application will appear under Access > Applications. The application is pre-configured with allow email domain
as the default rule and your IdP as the authentication providers.
SSO domain requirements
- The email domain must belong to your organization. Public email providers such as
@gmail.com
are not allowed. - Every user with that email domain must be an employee in your organization. For example, university domains such as
@harvard.edu
are not allowed because they include student emails. - Your SSO domain can include multiple email domains.
3. Enable dashboard SSO
In Zero Trust, go to Settings > Authentication.
In the Cloudflare dashboard SSO card, set your email domain to Enabled. This action can only be performed by Super Administrators.
Do not log out or close your browser window. Instead, open a different browser or an incognito window.
In the Cloudflare dashboard, log in with your email address from your SSO domain.
If you can log in successfully, you have successfully set up your dashboard SSO application.
If you cannot log in successfully:
- Return to Zero Trust and go to Settings > Authentication.
- For Cloudflare dashboard SSO, set your email domain to Disabled.
- Re-configure your IdP.
Limitations
Cloudflare dashboard SSO does not support:
- Users with plus-addressed emails, such as
example+2@domain.com
. If you have users like this added to your Cloudflare organization, they will be unable to login with SSO. - IdP initiated logins (such as a tile in Okta). All login attempts must originate from
https://dash.cloudflare.com
. You can create a bookmark for this URL in your IdP to assist users.
Bypass dashboard SSO
This section describes how to restore access to the Cloudflare dashboard in case you are unable to login with SSO.
Option 1: Add a backup IdP
If there is an issue with your SSO IdP provider, you can add an alternate IdP using the API. The following example shows how to add Cloudflare One-time PIN as a login method:
- Add one-time PIN login:
cURL commandcurl 'https://api.cloudflare.com/client/v4/accounts/{account_id}/access/identity_providers' \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{ "type": "onetimepin", "config": {}}'
- Get the
id
of thedash_sso
Access application. You can usejq
to quickly find the correct application:
cURL commandcurl 'https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps' \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
| jq '.result[] | select(.type == "dash_sso")'
Response{ "id": "3537a672-e4d8-4d89-aab9-26cb622918a1", "uid": "3537a672-e4d8-4d89-aab9-26cb622918a1", "type": "dash_sso", "name": "SSO App" ...}
- Using the
id
obtained above, update SSO App to accept all identity providers:
cURL commandcurl --request PUT \
'https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps/3537a672-e4d8-4d89-aab9-26cb622918a1' \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{ "id": "3537a672-e4d8-4d89-aab9-26cb622918a1", ... "allowed_idps": [], ...}'
Users will now have the option to log in using a one-time PIN.
Option 2: Disable dashboard SSO
The following API calls will disable SSO enforcement for an account. This action can only be performed by Super Administrators.
- Get your SSO
connector_id
:
cURL commandcurl https://api.cloudflare.com/client/v4/accounts/{account_id}/sso/v2/connectors \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>"
Response{ "result": [ { "connector_id": "2828", "connector_tag": "d616ac82cc7f87153112d75a711c5c3c", "email_domain": "yourdomain.com", "connector_status": "V", ... } ], "success": true, "errors": [], "messages": []
}
- Disable the SSO connector:
cURL commandcurl --request PATCH \
'https://api.cloudflare.com/client/v4/accounts/{account_id}/sso/v2/connectors/2828' \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{ "sso_connector_status": "DIS"}'
Response{ "result": { "id": "2828" }, "success": true, "errors": [], "messages": []
}
Users can now log in using their Cloudflare account email and password. To re-enable SSO, send a PATCH
request with "sso_connector_status" : "V"
.