How to have a user authenticate under a site in one domain and be able to visit links or download content in sites on another domain
Hi! This is possible. With Cloudflare Access, users log in with their upstream identity provider once and can reach multiple applications behind Access without logging in again.
Then how do you stop someone from logging into one domain’s Access portal then bypassing the Access portals in your other Access apps?
You still technically go through Access each time, but the IdP handshake happens without any action from the user, especially if there is only one IdP configured with the automatic IdP redirect option.
There are two tokens issued: one to your-auth-domain.cloudflareaccess.com and the other to your site. When you request Site A, we look at the token present on Site A to determine if you should be allowed to proceed.
If you request Site B, which is part of the same auth domain account, but do not have a token for it yet, then we check for the auth-domain token to issue you a token for Site B.
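The two-token flow described in the answer above, as an added toy model (this is illustrative code, not Cloudflare's implementation or the poster's). The token format (HMAC-tagged JSON standing in for a signed JWT), the signing key, the claim names, the cookie jar keyed by host, and the per-site allow-list policy are all assumptions made for the example. It shows the three outcomes a request can have: pass on a valid site token, silently receive a site token on the strength of the auth-domain token, or be sent to the IdP; it also shows that a Site A token replayed against Site B is rejected because it is bound to a different audience.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Set, Tuple

# Assumption: one HMAC key stands in for the signing keys Access would use.
SIGNING_KEY = b"example-only-signing-key"
TOKEN_TTL = 3600  # seconds; assumed lifetime for both token kinds


def _sign(claims: dict) -> str:
    """Serialise claims and append an HMAC tag (toy stand-in for a signed JWT)."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    tag = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def _verify(token: Optional[str], expected_aud: str) -> Optional[dict]:
    """Return the claims only if the tag is valid, the token is unexpired and bound to expected_aud."""
    if not token or "." not in token:
        return None
    body, tag = token.rsplit(".", 1)
    want = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, want):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims.get("aud") != expected_aud or claims.get("exp", 0) < time.time():
        return None
    return claims


class AccessModel:
    """Model of one Access auth domain fronting several sites."""

    def __init__(self, auth_domain: str, policies: Dict[str, Set[str]]):
        self.auth_domain = auth_domain
        self.policies = policies   # site -> emails allowed (assumed policy shape)
        self.idp_logins = 0        # interactive IdP handshakes performed

    def idp_login(self, email: str, jar: Dict[str, str]) -> None:
        """The user authenticates at the IdP; Access sets the auth-domain token."""
        self.idp_logins += 1
        jar[self.auth_domain] = _sign(
            {"aud": self.auth_domain, "email": email, "exp": time.time() + TOKEN_TTL}
        )

    def request(self, site: str, jar: Dict[str, str]) -> Tuple[bool, str]:
        """Decide a request to `site`; `jar` plays the browser's per-host cookie store."""
        # 1. A valid token for this site lets the request through.
        if _verify(jar.get(site), site):
            return True, "site token"
        # 2. Otherwise a valid auth-domain token lets Access issue a site token silently.
        auth = _verify(jar.get(self.auth_domain), self.auth_domain)
        if auth is None:
            return False, "redirect to IdP"
        if auth["email"] not in self.policies.get(site, set()):
            return False, "denied by site policy"
        jar[site] = _sign({"aud": site, "email": auth["email"], "exp": time.time() + TOKEN_TTL})
        return True, "site token issued from auth-domain token"


def walkthrough() -> list:
    """Constructed scenario: two sites share one auth domain; a third denies the user."""
    access = AccessModel(
        "your-auth-domain.cloudflareaccess.com",
        {
            "site-a.example.com": {"alice@example.com"},
            "site-b.example.com": {"alice@example.com"},
            "site-c.example.com": set(),
        },
    )
    jar: Dict[str, str] = {}
    out = []
    out.append(access.request("site-a.example.com", jar)[1])  # no tokens at all
    access.idp_login("alice@example.com", jar)                # the one interactive login
    out.append(access.request("site-a.example.com", jar)[1])  # minted from auth-domain token
    out.append(access.request("site-a.example.com", jar)[1])  # now carries its own token
    out.append(access.request("site-b.example.com", jar)[1])  # second site, no IdP round trip
    out.append(access.request("site-c.example.com", jar)[1])  # auth domain ok, site policy says no
    # Replaying Site A's token as if it were Site B's fails: the aud claim does not match.
    replay = {"site-b.example.com": jar["site-a.example.com"]}
    out.append(access.request("site-b.example.com", replay)[1])
    out.append(f"idp_logins={access.idp_logins}")
    return out


if __name__ == "__main__":
    for step in walkthrough():
        print(step)
```

The point of the model is the audience binding: a site token is only honoured by the site it was issued for, and the auth-domain token is only honoured by the auth domain, so "logged in once" never means "any token works anywhere". The per-site policy check is an assumption of the model; the thread itself only says that the auth-domain token is what allows a Site B token to be issued.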