Configuring Azure Portal / Entra ID as a Cloudflare Access Application

I am trying to set up the Microsoft Azure portal as a Cloudflare Access Application.

On Cloudflare’s side, I created an application with the following:

  • Entity ID: https://login.microsoftonline.com/<AZURE_AD_TENANT_ID>/
  • Assertion Consumer Service URL: https://login.microsoftonline.com/login.srf

In Azure, under Entra ID/Azure AD, I created an Identity Provider under External Identities:

  • Protocol: SAML
  • Issuer URI: https://company.cloudflareaccess.com
  • Passive authentication endpoint: https://company.cloudflareaccess.com/cdn-cgi/access/sso/saml/REDACTED
  • Certificate: REDACTED

When clicking through to Azure using the Cloudflare Access App Launcher, I receive the following error from Microsoft:

Sorry, but we’re having trouble signing you in.

AADSTS50107: The requested federation realm object ‘https://company.cloudflareaccess.com’ does not exist.

Any suggestions?

Hello,

What is it that you are actually trying to accomplish with this setup? Is it so your users can authenticate via Azure credentials when they are faced with an ACCESS page? If so, this document below details how to get this set up so that can happen.

If you can give more context of the setup you are trying to get done we can break it down into segments.

Hey @eportillo,

I am not looking at adding Azure AD as an SSO provider. I want to add the Azure portal as a Cloudflare Access Application. See here: SaaS applications · Cloudflare Zero Trust docs

I have already done the same for AWS and a few other SaaS apps and they work correctly, it’s just the Azure portal that’s having issues.

What I’d like to do is to set up the Azure portal as an Access Saas application. Once that’s done, it should show up in the Cloudflare App Launcher and I should be able to click its icon, get redirected straight into the Azure portal without having to log in.

I would like to do this so that I can set posture check requirements before users can access the SSO applications within AzureAD/EntraID for our other non-cloudflare SaaS applications that live in AzureAD/EntraID as enterprise applications and app registrations.

I have successfully configured the Azure portal to allow SAML sign-ins. If I initiate the sign-in from portal.azure.com/tenant-id, it is able to redirect to Cloudflare to sign in, but after signing in to the IdP on the Cloudflare side, the sign-in to the Azure portal fails.

This is the message I receive:
Error message: AADSTS5000819: SAML Assertion is invalid. Email address claim is missing or does not match domain from an external realm. Trace ID: REDACTED Correlation ID: REDACTED Timestamp: 2023-11-29 22:46:25Z

The problem is that it’s not clear how to add the email address as an SAML attribute on Cloudflare side.

The documentation (SaaS applications · Cloudflare Zero Trust docs) is very sparse and does not go into detail at all.

When initiating the sign-in from the Cloudflare App launcher, I receive the following error:

Sorry, but we’re having trouble signing you in.

AADSTS50107: The requested federation realm object 'https://my-organization.cloudflareaccess.com' does not exist.

Not sure if this is related to the error when initiating the sign-in from the Azure portal.

Can someone from Cloudflare please provide some advice or tips?
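The two Microsoft errors quoted in this thread (AADSTS50107 for an issuer Azure does not recognise, AADSTS5000819 for a missing or off-domain email claim) are both about the content of the SAML response the IdP sends. The following diagnostic is an added example, not code from any poster or from Cloudflare: it parses a constructed sample response and reports whether the assertion issuer matches the Issuer URI configured in Entra ID and whether the standard email address claim is present and inside the federated domain. It inspects claim content only and does not verify the XML signature; the issuer, domain and email values are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Claim name Entra ID expects for the user's email address (WS-Fed/SAML standard claim URI).
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample of a SAML response an IdP such as Cloudflare Access might POST to the
# Azure ACS URL. Issuer, domain and address are placeholders, not values from any real tenant.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://login.microsoftonline.com/login.srf">
  <saml:Issuer>https://company.cloudflareaccess.com</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>https://company.cloudflareaccess.com</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_assertion(xml_text, expected_issuer, federated_domain):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    root = ET.fromstring(xml_text)
    # Check 1: the assertion issuer must equal the Issuer URI registered in Entra ID,
    # otherwise Azure cannot find the federation realm object (AADSTS50107).
    issuer_el = root.find("saml:Assertion/saml:Issuer", NS)
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else ""
    if issuer != expected_issuer:
        findings.append(f"issuer mismatch: got {issuer!r}, expected {expected_issuer!r} (cf. AADSTS50107)")
    # Check 2: the email claim must exist and belong to the federated domain (AADSTS5000819).
    path = f"saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='{EMAIL_CLAIM}']/saml:AttributeValue"
    emails = [v.text.strip() for v in root.findall(path, NS) if v.text]
    if not emails:
        findings.append("email claim missing (cf. AADSTS5000819)")
    elif not all(e.lower().endswith("@" + federated_domain.lower()) for e in emails):
        findings.append(f"email claim {emails} not in federated domain {federated_domain!r} (cf. AADSTS5000819)")
    return findings


if __name__ == "__main__":
    print(check_assertion(SAMPLE_RESPONSE, "https://company.cloudflareaccess.com", "example.com"))
```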

Hi @f21 , did you find a solution for this issue? I’m having the same error :confused:

@dotansimha Unfortunately, I didn’t and just left it for now. If you’re able to find a solution, please post here as I am very keen to get it working too!
