Configure Access SaaS app when I already have SSO

Hey community,

I’m a newbie in Cloudflare Zero Trust and I’m trying to understand some details about Access - SaaS applications. Let’s bring an example to make it easier I guess:
I have my Zero Trust configured, with a Site, a Group, etc, and with a self-hosted application in place. It’s working properly and I also have the OIDC integration enabled with my SSO IdP, making me able to authenticate myself every time that I want to access this application. Cool! 👍

But now I want to add a SaaS application (that’s already integrated with the same SSO provider). To achieve this, will it be necessary to change my current setup? I mean, I have to remove the tool from my current SSO, configure the integration with Cloudflare, and after that I’m going to be able to access the tool via Zero Trust. Am I correct?

Thanks.
Best,

Access for SaaS adds an abstraction layer for policy enforcement features from Cloudflare. If you’ve already configured SSO with your SaaS app and don’t want centralized reporting and/or the additional restriction capabilities available with Access for SaaS, there’s no reason to make a change.

If you want to take advantage of an Access for SaaS feature (such as require WARP), you’d add Access for SaaS as a provider in your SaaS app if it supports multiple SSO providers, or you’d replace the current SSO config in the SaaS app with the Cloudflare settings, allowing Access to act as an identity proxy layer.

For certain definitions of Zero Trust and depending on what you are trying to achieve, yes.

Thank you for the quick response, @cscharff!

I see… forgot to mention that the goal is to protect the apps with WARP.

OK, got it! So, if I want every tool to be protected with Access (WARP mainly), the usage of my current SSO tool will be only for authentication in the Cloudflare console or to manage some small things.

There are some other features, such as geo-restriction, that don’t require the WARP client and that, depending on the SSO provider (and plan), may not be available from them out of the box. It’s also useful if you need to support multiple identity providers (you buy another company that uses a different SSO provider): it’s easier (generally) to plug them into Cloudflare and add / modify a policy for those users.