I tried configuring group rules in my application. I only see an option to add Groups to applications via Identity > “User Group Names” or “User Group IDs”. I’m not sure why, but the dropdown is not populated with existing “User Group Names” to choose from to prevent mistyping.
Gateway is not Access. The applications and access methods in Gateway don’t use Cloudflare Access, they use Gateway (and the Warp client) for allow/deny decisions.
Because Group Name or Group ID from an IdP is evaluated at authentication time based on the display name or ID of the group being used. Cloudflare has no knowledge of the groups in the IdP, it’s data provided by the IdP at the time of authentication.
In an Access policy the groups are displayed at the top.
This is only true with SaaS apps Access policy. Assign a group prompt doesn’t show up for self-hosted apps. That is where some of my confusion is.
That makes sense.
The applications and access methods in Gateway don’t use Cloudflare Access, they use Gateway (and the Warp client)
This is confusing. The applications in Gateway don’t use Cloudflare Access, but they use Gateway, which includes Network policies that, after being created, can be found in Access > Applications > [Self-Hosted App Name] > Configure > [Policy].
The warp client is aware of the user (email) trying to authenticate to use the Self-Hosted app. But I don’t see a way to create a Group that includes all emails and then apply that Group to a Policy for Self-Hosted apps. This is strange considering Gateway and Warp are aware of the authenticated user Id and email via My Team > Users.
I need to be able to control access using the Cloudflare configured user data instead of giving all users access to all self-hosted apps. Currently I only see one way to control access (by user email, for example) to applications (Self-Hosted) that depend on the WARP client: manually enter the email address of each user in each app’s policy.
via Access > Applications > [Self-Hosted App Name] > Configure
via Gateway > Firewall policies > Network > Add a policy > [Self-Hosted App Policy Name] > Configure.
If I already have Groups configured that have all those email addresses, it seems like it would be more logical to simply assign an existing group to an app’s policy. What am I missing in the available configuration?