Enabling CloudFlare for Teams for OKTA SAML and effects on production systems on CloudFlare side

Hello Community.

I am new to all of this and have to integrate CloudFlare with OKTA.

Wondering what others have experienced with enabling CloudFlare for Teams for OKTA SAML.

How would enabling CloudFlare for Teams - configuring Callback: https://.cloudflareaccess.com/cdn-cgi/access/callback for OKTA OpenID Connect and OKTA SAML….

…effect any changes on our current functionality in any way, as we are integrating the OKTA platform. We have production systems on CloudFlare side and we need to be very careful not to make any changes that could be impactful.

Currently the option of SWA is available, yet we are more interested in integration of SAML function.

What have others experienced/feedback?

Thank you for your time and expertise Gang!

Hi There!

Personally, I haven’t come across any production issues due to integrating Okta SAML or OIDC with Cloudflare; we have done it a few times for customers who are evaluating us.

Having said that, I will open this up for discussions to other members of this community who may have faced any sort of issues that I haven’t come across yet while integrating.

Also, I assume you would have already seen our articles that guide you through the Okta integration; pasting the links below for your reference:
SAML: https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/saml-okta
OIDC: https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/okta

Hi Sheril_Nagoor -

Thank you for responding, much appreciated.

For the articles that guide me through Okta Integration, yes I have reviewed them.

So to be clear - Cloudflare for Teams as the only solution for accessing SAML…

…As this need is what prompted my Managers to ask how “effect any changes on our current functionality in any way – as we have production systems on Cloudflare side”.

One of the main questions is “what does Cloudflare for Teams actually “do”….outside of our current subscription…

…even with the explanation of “replaces legacy security perimeters with our global edge, making the Internet faster and safer for teams around the world.”

Observation - the only way for us to enable SAML with OKTA would be to subscribe to Cloudflare for Teams and configure Team Domain with Callback.

From my end I will get together with my team to go over what product we currently have with Cloudflare and to figure what added benefits Cloud for Teams gives outside of our current package….

….besides it being necessary for SAML.

Any clarity would be greatly appreciated and I am new to this aspect.

Cheers.

–RoDevia

Sorry can you explain what this means in your use case specifically? Is this for SSO into Cloudflare’s dashboard or to protect applications or some other use case?

Hello cscharff - Cloudflare Team

This is for SSO on OKTA dashboard with OKTA being source of truth for Cloudflare, not SSO into Cloudflare’s dashboard. (might not be saying that right)

I also have a support ticket in for these questions.

Let me know what you think and I appreciate your time.

Hi Sheril_Nagoor -

My Manager is asking me “What does it mean to turn CloudFlare for Teams on”?

I have no idea what CloudFlare for Teams does outside of it needing to be purchased for SAML to work and what is written on the website and general internet.

Can you give me some insight on what happens when CloudFlare for Teams is turned on?

-RoDevia

Hi cscharff -

(below repeated with another team member of yours also)

My Manager is asking me “What does it mean to turn CloudFlare for Teams on”?

I have no idea what CloudFlare for Teams does outside of it needing to be purchased for SAML to work and what is written on the website and general internet.

Can you give me some insight on what happens when CloudFlare for Teams is turned on?

-RoDevia

Cloudflare Access is a way to protect your hosts/urls behind a Zero Trust security layer. That security layer can use your IdP as the authentication source. I’m not sure what this means however:

Does this mean you want to log into Cloudflare’s dashboard using your Okta credentials? If that is the case then a. you need to be an enterprise customer and b. your account team will walk you through the steps required for configuration.

Hi cscharff -

Yes - I want to have users log into Cloudflare’s dashboard using Okta credentials with SAML enabled.

Can’t do that without Cloudflare for Teams.

Do you know what Cloudflare for Teams actually is and does?

Heh… yes it’s pretty much all I do all day long. In reference specifically to Cloudflare SSO (which again requires an enterprise plan and has a specific set of steps for configuration which your Enterprise account team would provide) it allows you to configure your Okta IdP as a SAML provider for Cloudflare to authenticate users. Once tested and validated it can be set to enforced for the organization replacing local passwords in Cloudflare with the IdP based login.

Hello cscharff –

Thank you for your insight.

Since my request is for SSO on OKTA dashboard with OKTA being source of truth for Cloudflare, not SSO into Cloudflare’s dashboard, you are saying that SSO requires an enterprise plan I will need to inquire with my CTO on next steps.

You are stating that the Enterprise account allows us to configure our Okta IdP as a SAML provider for Cloudflare to authenticate users, depending on the options for the Enterprise Plan – I will need to know what levels of support we will be provided concerning documentation.

I will also need to review what plan we are on now.

Once tested and validated OKTA/CloudFlare integration can be set to enforce the organization replacing local passwords in Cloudflare with the IdP based login.

Per Sheril_Nagoor – they stated Cloudflare has not come across any production issues due to integrating Okta SAML or OIDC with Cloudflare when it comes to CloudFlare for Teams.

I will review all information that has been given to me with my team and circle back.
