IdP-initiated login

Users can log into Cloudflare Access by visiting xyz-org.cloudflareaccess.com and authenticating through a linked Identity Provider, e.g. Okta, Google Workspace, JumpCloud.

If the user attempts to log in to Access from their identity provider, e.g. through the Okta portal or JumpCloud console, they are redirected to https://xyz-org.cloudflareaccess.com/cdn-cgi/access/callback and the following error is displayed:

Invalid login session. Please try going to the URL of your application.

Unfortunately, many IdPs do not support removing an application shortcut from the user console whilst maintaining the SSO ability, meaning end users will always be presented with a shortcut for Cloudflare that doesn't work.

If Cloudflare Access could support IdP-initiated login, this would make it easier for end users to sign in without having to leave their IdP.

As a workaround, you can bookmark the IdP-initiated login with a bookmark at your IdP for your company-specific Cloudflare login page (e.g. .cloudflaresso.com), for example: Simulate an IdP-initiated flow using the Bookmark App | Okta

Thanks for this :)

Yes, we have implemented this solution with JumpCloud, but as we're unable to remove the entry they automatically added, users are presented with the automatically added 'CloudFlare', and then 'Bookmark App 1 via Cloudflare', 'Bookmark App 2 via Cloudflare', etc., which for some is too confusing…!