Passing SAML attributes to SaaS Applications from Google Workspace


  1. How do I pass custom attributes to external SaaS applications in the SAML assertion?
  2. Can this be done through the OAuth App rather than a custom SAML IdP?

I’m testing Cloudflare Access with some of our SaaS applications and I’m particularly interested in evaluating the JIT provisioning capabilities.

Some of the SaaS applications require extra attributes in the SAML assertions to enable JIT provisioning. As an example:

We’re using Google Workspace as our IdP and it seems there are two ways to configure it:

1. as an OAuth App

As per the documentation, with an OAuth app. This allows me to pull group membership information, but I couldn’t figure out how to add more fields.

2. as a custom SAML IdP

This allows me to specify a mapping for SAML attributes in Google Workspace:

And specify them in Cloudflare Access:

Then they show up in Cloudflare Access:

"custom": {
    "teams": "3f3cb4....b6a7/member",
    "admin": "false",
    "department": "Test"
}

But they are not passed to the SaaS app, which means I can only use these attributes for Cloudflare Access rules but not for JIT provisioning in the SaaS app.

I’m also not getting the group membership out of the box when using SAML which is a bit inconvenient.


I have this same issue. SAML attributes are not passed through to the SaaS application, only the email address.

This is the answer I got from support:

I’m afraid at the moment only email, name and id attributes can be used. We hope we can support customer-defined attributes in the future, but I don’t have any ETA to provide at the moment.

Has there been any update on this?

I haven’t tested it yet but it looks like they now support it. See item 7 on this page: SaaS applications · Cloudflare Zero Trust docs

If your SaaS application requires additional SAML statements, add the mapping of your IdP’s attributes you would like to include in the SAML statement sent to the SaaS application.