Do not require AssertionConsumerServiceURL in SAML AuthnRequest for Cloudflare Access SaaS applications

I am currently moving configuring SaaS applications we use as Cloudflare Access applications to control who and when the applications can be accessed.

It seems that Cloudflare’s implementation expects the AssertionConsumerServiceURL attribute in the AuthnRequest issued by the SP (service provider / SaaS app) to be present. Otherwise, Cloudflare Access returns this error:

Failed to validate your SAML Request
The SAML Request consumer service url does not match the expected value

According to the SAML spec the AssertionConsumerServiceURL attribute is optional and may not always be present.

I encountered this problem when trying to set up the following SaaS apps:

  • HashiCorp Cloud portal
  • Oracle Cloud Infrastructure portal

There are still a few more apps I haven’t integrated, but I suspect they don’t included the AssertionConsumerServiceURL attribute as it is not required by the spec.

It would be great if Access’ implementation can be updated so that it treats AssertionConsumerServiceURL as option. With the current implementation, it is not possible to integrate Cloudflare Access with a lot of SaaS apps.