SSO for Secure area of website using Access

I’m new to Cloudflare and just in the process of prepping the account and zone before changing the name servers.

I need to protect 2 folders on our website and would like to use Azure AD SSO to authenticate. /admin and /login

From what I’ve read i need to use “Access” to do this.

I’ve configured and used the “test” button for Azure AD and it looks good.

I’m not sure what to do next as it doesn’t seem like i can test further without activating my site.

Now you need to create an Application, and add an access Policy. The documentation here is a good place to start.

You will need to create two Applications, one for each path you want to protect. You do this in step 5 of the above guide.

Before you make this live, you could create an application on a dummy path. Then when you visit the dummy path you will be able to confirm that you cannot get to the dummy path (even if it just returns 404) until you have completed the authentication and authorisation.

2 Likes

Thanks for the info. That’s what i’ve been trying to do. The “self hosted” button is greyed out so i don’t seem to be able to proceed.

Quite happy for it to return a 404 error as long as i can see a login page and authenticate.

Our current site is being protected by another product and just need a quiet window to transition once i’ve done the preparation.

Do you have any domains on your account that have been activated? (domains where you have completed the initial Nameservers setup)

No. We only have one domain and it is not activated yet.

I’m guessing that you will have to activate the DNS for a domain before you can try it out, but that is not a scenario I have come across before. Even using a $1 domain from name cheap will let you test. If you plan on being on a Business plan, you could activate the domain as a partial/CNAME setup.

great idea - i do have some domains registered that have no sites associated so will do one of those. thanks

If i want to use a test domain it looks like i have to start all the configuration from scratch and also select a new subscription for that domain. Does that seem correct?

The Azure AD config and policies are account level settings, and will not need to be done again. Just the Application, which is a few moments work.

Yes, each domain needs a subscription. But the Free tier will be fine for your needs.

So i have the redirect working on a dummy account. I get presented with the “Cloudflare Access” login pages.

There is an option to click on Azure AD to login. When I authenticate with SSO I go back to the “Cloudflare Access” page

There is an error at the top saying “this account does not have access”

I’m trying this on a separate device.

I’ve checked the relevant account is an assigned users in the Azure AD Enterprise Application

How’s your Access policy configured?

Its set to Permit an Access Group which is tied to an Azure Group

When you “test” the Azure AD connection, are you able to see yourself inside an Azure Group?

no i i just ran the test again and i can see all the other groups except the cloudflare

I was not able to replicate the issue from my side.

Can you check the following:

  1. Ensure that you’ve selected “Support Groups” in your Cloudflare - Azure AD configuration:
    image
  2. Ensure that you’ve included the Azure Group ID inside the Access Group (NOT the Azure Group name):

I’m using the Azure Object ID From Azure AD > Enterprise Applications > “app name” > Properities and using it in the CloudFlare Azure Group ID

i’ve copied and pasted again and still not working

Can you try authenticate yourself in incognito mode or another browser?

I got it working by creating an Azure AD security group and adding that ObjectD to to the Cloudflare Group ID.

I added myself to that group and can now see myself in the test.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.