Allow Cloudflare Teams Application Access While Connected to Teams WARP


I have a self-hosted application setup with a cloudlfared Argo tunnel and has been working really well. I’ve recently explored leveraging Cloudflare teams and access to restrict access depending on certain situations. This is my goal:

When a user is authenticated and connected through WARP Teams (which means the user has authenticated through SSO in order to connect WARP Teams), I’d like to be able to bypass the Cloudflare authentication page and access the application. However, when not authenticated through WARP, I’d like users to be prompted with the Access authentication page.

Right now, I’ve mimicked this with an allow rule for SSO and a bypass rule with my site’s IP. However, we don’t have a static IP, and we’d like for team members to be able to bypass anywhere they’re located as long as they’re authenticated with WARP.

Anyone know how I could implement this with Teams?

To follow up on this, I realized I completely missed that device postures is an al la carte upgrade with access if you’re on the free plan. Now that I have that setup, I added a device posture for gateway and then i’ve tried this: set gateway as a bypass, set gateway as an allow rule, or both. However, even with each of these I get a forbidden cloudflare access page even though I am connected through the WARP gateway. Any advice?

I’m gonna try and venture out a guess, as I want to reach something similar, but haven’t yet had a time to tinker with it.

Gateway (the Teams version, which is required, not the general consumer free one) can be set as a requirement to connect, is this the case in you set-up?

Yes, when connected to gateway (aka while at a physical location or on WARP in Teams mode), I would like users to be able to access the application directly without needing to login with cloudflare access.

Here’s a screenshot of the rule. However, even with this and I’m connected through gateway, I see the forbidden screen when accessing the application.

I believe it would be an allow rule, not a bypass. Let me do a couple tests…

It seems to require at least an SSO login, which you can’t remove.

So this exact thing works if you set WARP (instead of gateway) as the bypass. But that means anyone on warp, not just people signed in to my organization, can access the application directly. Gateway is supposed to be only those who are either at a physical location or signed in to WARP in Teams mode, but it does not seem to work. I agree, as you’re pointing out, SSO seems to be a requirement which I want to bypass if someone is already authenticated through gateway.

Might be a bug, if that works as expected. But it may also be that a SSO login is required to track access to the application.

Let’s see if @SamRhea can shed some light.

I do wish they could authenticate you from the Gateway session on the app.

1 Like

Thank you @Cadish

The following policy works:

And again, it would be great to change the WARP bypass to Gateway bypass so that instead of the bypass being anyone connected to WARP, only users configured on team could do so.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.