Cloudflare Access + Okta SAML groups

I’m having trouble understanding how to connect Access Groups in Cloudflare Access with SAML groups for use in policies.

I have connected Okta to Cloudflare using SAML, and I can confirm that I can provision access to Okta users, and that they can log into Cloudflare Access (and the WARP client) via Okta.

I’d like to restrict access to a tunnel to only two SAML groups, “Data Team” and “Platform Team”.

First, I go to Access → Access Groups and create a new “Platform Team”. The include selector is “Login Methods” with a value of “SAML - Okta”. The required selector is “SAML Groups” with an attribute name of “groups” and an attribute value of “Platform Squad”. (Note: in Okta the group name is “Platform Squad”, but in Cloudflare I’m naming it “Platform Team”.)

My user is a member of the Platform Squad Okta group, as confirmed by testing the SAML connection in Cloudflare:

{
  "email": "[email protected]",
  "name": "",
  "givenName": "",
  "surName": "",
  "saml_attributes": {
    "email": "[email protected]",
    "groups": [
      "Engineering",
      "Everyone",
      "Engineering Admin",
      "Platform Squad",
      "Departments - Engineering",
      "Office Locations - Remote",
      "Engineering Leads"
    ]
  },
  "headers": {}
}

I go to Gateway → Policies → Network and create a new policy. I build an expression that says “User Group Names” “in” “Data Team”, “Platform Team”. I define the destination IP and port (here, an AWS RDS instance running in our VPC, a private 10.x.y.z IP address and port 5432), and assign the Allow action. I enable this policy. I also create a generic Deny policy, and place it after the above Allow policy.

On my computer, I disconnected from WARP, and then re-connected. I am unable to make a psql connection to the target IP address. If I disable all the policies, and reconnect to WARP, I am able to make a psql connection to the IP address.

I have tried removing the Data Team from the policy so that only one team, of which I am a member, is permitted to use the network; but this still fails.

I’m sure I’m missing something obvious here, and I’m asking for guidance on what that might be! How do I get Okta groups connected to Cloudflare Access Groups for use in policies?

Thanks!

Note:
I’ve read both of these developer doc pages:
/cloudflare-one/identity/idp-integration/okta-saml/
/cloudflare-one/identity/idp-integration/generic-saml

Try logging out of WARP and logging back in (and ensure you’re using Okta as the login method); the group information cached in the client was not dynamically updated, last I checked.


Thanks for that suggestion. I thought toggling the WARP status was enough.

Alas, I logged out of WARP, logged in again, and still no luck.

Access Groups can’t be used in Gateway Policies today.

Well that explains it! Thanks.

What, then, is the User Group Names option in the drop-down selector on the policy builder? It’s not the SAML group, and not an Access group?

User Group Names
Use this selector to create identity-based DNS rules based on an IdP group name of which the user is configured as a member in the IdP.

UI name	API example
User Group Email	identity.groups.name == "\"finance\""

See also: Identity-based policies · Cloudflare Zero Trust docs
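To make the distinction in the reply above concrete (Gateway’s “User Group Names” selector reads the group names the IdP asserts, not the display names of Access Groups), here is an added example that is not part of the thread and not Cloudflare’s code. It takes a constructed copy of the “test SAML connection” output quoted in the question (the email is a placeholder, not the poster’s address), pulls out the asserted `groups` attribute, and evaluates a local approximation of `User Group Names in {...}` against both the Access Group names used in the question (“Data Team”, “Platform Team”) and the Okta group name that actually appears in the assertion (“Platform Squad”). Assumptions: the selector does an exact, case-sensitive string comparison against the IdP-asserted names, and the `groups` attribute may in some renderings arrive as a lone string, which the parser tolerates.

```python
import json

# Constructed sample, modelled on the "test SAML connection" output quoted in
# the thread; the email is a placeholder, not the poster's real address.
SAML_TEST_PAYLOAD = json.dumps({
    "email": "user@example.com",
    "name": "",
    "givenName": "",
    "surName": "",
    "saml_attributes": {
        "email": "user@example.com",
        "groups": [
            "Engineering",
            "Everyone",
            "Engineering Admin",
            "Platform Squad",
            "Departments - Engineering",
            "Office Locations - Remote",
            "Engineering Leads",
        ],
    },
    "headers": {},
})


def idp_group_names(payload: str) -> list[str]:
    """Extract the group names the IdP asserted in the SAML `groups` attribute.

    These are the values a Gateway "User Group Names" selector is matched
    against. A lone string is tolerated defensively (assumption: some
    renderings emit a single value instead of a one-element list); any other
    shape yields no groups rather than raising.
    """
    data = json.loads(payload)
    groups = data.get("saml_attributes", {}).get("groups", [])
    if isinstance(groups, str):
        return [groups]
    if not isinstance(groups, list):
        return []
    return [g for g in groups if isinstance(g, str)]


def user_group_names_in(payload: str, wanted: set[str]) -> bool:
    """Local approximation of the Gateway expression
    `User Group Names in {<wanted>}`: true when any asserted IdP group name is
    one of the wanted values. Assumptions: exact, case-sensitive comparison,
    and no translation through Access Group display names.
    """
    return any(name in wanted for name in idp_group_names(payload))


def diagnose(payload: str, wanted: set[str]) -> dict[str, list[str]]:
    """Split the wanted values into those the IdP actually asserts and those
    it never asserts, so a policy author can see which names cannot match.
    """
    asserted = set(idp_group_names(payload))
    return {
        "matched": sorted(wanted & asserted),
        "never_asserted": sorted(wanted - asserted),
    }


if __name__ == "__main__":
    # The policy in the question used the Access Group display names ...
    access_group_names = {"Data Team", "Platform Team"}
    # ... but the assertion carries the Okta group name.
    okta_group_names = {"Platform Squad"}
    print(user_group_names_in(SAML_TEST_PAYLOAD, access_group_names))  # False
    print(user_group_names_in(SAML_TEST_PAYLOAD, okta_group_names))    # True
    print(diagnose(SAML_TEST_PAYLOAD, access_group_names))
```

Running it shows the Access Group names never match because they are not in the asserted `groups` list, while the Okta name does; `diagnose` lists the values that cannot match, which is the check to run against the SAML test output before wiring a name into a Gateway policy.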

Thanks! I read that to say that I can use SAML groups in access policies? I do not have SAML attributes in the selector drop-down, though.

I also don’t have a Groups option under the “My Team” sidebar section. Have I misconfigured Okta / SAML? Or is this a paid feature I didn’t notice?