Users can log in to Cloudflare Access by visiting xyz-org.cloudflareaccess.com and authenticating through a linked Identity Provider, e.g. Okta, Google Workspace, JumpCloud.
If the user attempts to log in to Access from their identity provider, e.g. through the Okta portal or JumpCloud console, they are redirected to https://xyz-org.cloudflareaccess.com/cdn-cgi/access/callback and the following error is displayed:
Invalid login session. Please try going to the URL of your application.
Unfortunately, many IdPs do not support removing an application shortcut from the user console whilst maintaining the SSO ability, meaning end users will always be presented with a shortcut for Cloudflare that doesn’t work.
If Cloudflare Access could support IdP-initiated login, this would make it easier for end users to sign in without having to leave their IdP.