Cloudflare Access for SaaS, which guides should we build next?

We recently put together Access for SaaS guides for:

Are there additional tools you would like us to build guides for? Let us know!


I was implementing this for one of our clients a few weeks ago and it seems to work well; however, in order to configure AWS SSO, your account must be the management account in AWS Organizations.

An alternative to AWS SSO would be the identity provider integration inside AWS IAM, which doesn’t have the above limitation. However, IAM requires role attributes to be included in the SAML response, which is currently unsupported by Cloudflare Access. If Cloudflare Access can add support for role attributes, plus the ability to assign different role attributes to different users/groups, then I will definitely go for IAM instead of AWS SSO.

Hope this can help someone who is currently implementing SSO integration in AWS.


Speaking of additional tools, perhaps you can try to create a tutorial to integrate WordPress wp-admin with Cloudflare Access for SaaS.


Hey Eric! Thank you for calling this out, I will have a go at configuring IAM myself and documenting this.

I’m not sure if this would help but the Attribute Statements in the Cloudflare for SaaS configuration may allow you to send the role attribute required?

Example:

Hey @kjohnson1,

I did notice this a few days ago, and yes, I believe this can definitely help with some applications that require additional SAML attributes to be included in the SAML response.

But for the AWS IAM use case, I would say that this only addresses part of the issue. While you can add the role attribute to the SAML response, not all users have the same IAM role. Since different users will have different roles, and each role requires a different role attribute value, having a fixed role attribute configured in one Access application would cause an issue.

A workaround would be creating multiple Access applications, each representing a different role with different users configured in the Access policy. But I think this is not an ideal solution and would create a mess over time; I don’t think I’m going to create 20 Access applications which connect to the same AWS account but with 20 different roles.

An ideal situation would be having a feature in Cloudflare Access to actually assign different SAML attributes to different users or groups, so that once the user authenticates, a SAML response with their corresponding SAML attribute is returned to AWS IAM.

Oh, anyway, when I tested the “SAML Attribute Statements” option in Cloudflare Access a few days ago, somehow it didn’t work properly. I couldn’t see the SAML attribute being included in the SAML response when I inspected the network traffic.
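The check the post above describes, inspecting the SAMLResponse for the AWS role attribute, as an added example that is not code from the thread, from Cloudflare or from AWS. It decodes a base64 SAMLResponse form field, looks for the attribute names AWS's IAM SAML federation documents (`https://aws.amazon.com/SAML/Attributes/Role` and `.../RoleSessionName`), and validates that each Role value is a role-ARN / SAML-provider-ARN pair. AWS documents that a single Role attribute may carry several `AttributeValue` elements, one per role the user may assume, so the example also shows what a multi-role assertion looks like. The account ID, role names, provider name and IdP issuer are hypothetical, the sample response is constructed and unsigned (it only mimics the attribute layout), and the ARN character classes in the regexes are a conservative assumption rather than AWS's exact grammar.

```python
import base64
import re
import xml.etree.ElementTree as ET  # for real captured traffic prefer defusedxml (same API)

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Attribute names AWS expects in the assertion (from AWS's SAML federation docs).
AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
AWS_SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# Each Role value is "<role ARN>,<SAML provider ARN>". The character classes are
# a conservative assumption, not AWS's exact ARN grammar.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=.@/-]+$")
PROVIDER_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:saml-provider/[\w._-]+$")


def parse_role_value(value):
    """Return (role_arn, provider_arn) for a well-formed Role value, else None.
    The parser accepts the pair in either order; a missing or malformed half fails."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        return None
    role = next((p for p in parts if ROLE_ARN_RE.match(p)), None)
    provider = next((p for p in parts if PROVIDER_ARN_RE.match(p)), None)
    if role is None or provider is None:
        return None
    return role, provider


def extract_aws_roles(saml_response_b64):
    """Decode a SAMLResponse form field and return (roles, session_name), where
    roles is a list of (role_arn, provider_arn) pairs. Raises ValueError when the
    assertion lacks what IAM SAML federation needs, which is what you see when the
    IdP silently drops the attribute statement."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)

    role_values = attrs.get(AWS_ROLE_ATTR, [])
    if not role_values:
        raise ValueError(f"no {AWS_ROLE_ATTR} value in assertion; AWS will reject it")
    roles = []
    for v in role_values:
        pair = parse_role_value(v)
        if pair is None:
            raise ValueError(f"malformed Role value: {v!r}")
        roles.append(pair)

    session = attrs.get(AWS_SESSION_ATTR, [])
    if len(session) != 1 or not session[0]:
        raise ValueError(f"expected exactly one {AWS_SESSION_ATTR} value")
    return roles, session[0]


def build_sample_response(role_values, session_name="alice@example.com", include_role_attr=True):
    """Build a constructed, UNSIGNED SAML Response for exercising the checker.
    A real response is signed by the IdP; this one only mimics the attribute layout."""
    role_xml = ""
    if include_role_attr:
        vals = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in role_values)
        role_xml = f'<saml:Attribute Name="{AWS_ROLE_ATTR}">{vals}</saml:Attribute>'
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" '
        'IssueInstant="2022-01-01T00:00:00Z" Destination="https://signin.aws.amazon.com/saml">'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2022-01-01T00:00:00Z">'
        '<saml:Issuer>https://example.cloudflareaccess.com</saml:Issuer>'  # hypothetical IdP
        f'<saml:Subject><saml:NameID>{session_name}</saml:NameID></saml:Subject>'
        '<saml:AttributeStatement>'
        f'{role_xml}'
        f'<saml:Attribute Name="{AWS_SESSION_ATTR}">'
        f'<saml:AttributeValue>{session_name}</saml:AttributeValue></saml:Attribute>'
        '</saml:AttributeStatement></saml:Assertion></samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()


# Hypothetical account, roles and provider used by the sample below.
ADMIN_ROLE = "arn:aws:iam::123456789012:role/CloudflareAdmin"
READONLY_ROLE = "arn:aws:iam::123456789012:role/CloudflareReadOnly"
PROVIDER = "arn:aws:iam::123456789012:saml-provider/CloudflareAccess"

if __name__ == "__main__":
    # One Role attribute with two values: AWS would offer this user both roles.
    good = build_sample_response([f"{ADMIN_ROLE},{PROVIDER}", f"{READONLY_ROLE},{PROVIDER}"])
    print(extract_aws_roles(good))
    # Attribute absent entirely (the symptom in the post) and a value missing its provider ARN.
    for bad in (build_sample_response([], include_role_attr=False),
                build_sample_response([ADMIN_ROLE])):
        try:
            extract_aws_roles(bad)
        except ValueError as err:
            print("rejected:", err)
```

To run it against real traffic, copy the `SAMLResponse` POST parameter from the browser's network tab (URL-decode it first) and pass it to `extract_aws_roles`; an assertion that the IdP has stripped the attribute statement fails with the "no ... value in assertion" error rather than a parse error. Note that this only checks attribute content, not the XML signature, so it is a troubleshooting aid and not a substitute for the validation AWS itself performs.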

This is a good point; I agree that creating multiple apps is too onerous. I wonder whether it would be possible to push the different roles via a single attribute statement, or whether they each require an individual one.

I’ll send you a DM about troubleshooting the Attribute Statements.


Yes. Different roles are given to different users based on their job scope.