Cloudflare SAML Integration Guide

Prerequisites

  • Administrator access to Cloudflare Zero Trust dashboard
  • A SplitSecure Identity Provider created and approved
  • A verified domain in Cloudflare (for SSO configuration)
  • A separate browser or browser profile with SplitSecure configured (for testing)

Cloudflare Configuration

1 Add a New Identity Provider

  1. Log in to the Cloudflare Zero Trust dashboard
  2. Navigate to Settings → Authentication → Login methods
  3. Click Add new
  4. Select SAML

2 Configure SAML Settings

Required Configuration

| Field | Value |
| --- | --- |
| Name | e.g., “SplitSecure SAML” |
| Populate details with .xml file (Optional) | Found in SplitSecure → [Your IdP] → Details → Download Metadata |
| Single sign-on URL | Auto-filled if using metadata |
| IdP Entity ID or Issuer URL | Auto-filled if using metadata |
| Signing certificate | Auto-filled if using metadata |
| Enable SCIM | Off |

Optional Configurations

| Field | Value |
| --- | --- |
| Sign SAML authentication request | On |
| Email attribute name | email (default) |
| SAML attributes | Leave blank |
| SAML header attributes | Leave blank |

Click Save.

Dashboard SSO

This section enables SSO for Cloudflare dashboard access. For detailed information, see the Cloudflare Dashboard SSO documentation.

1 Invite Members

  1. Go to Cloudflare dashboard
  2. Navigate to Manage Account → Members
  3. Click Invite members
  4. Enter one or more email addresses
  5. Configure the member scope:
    • Select a scope: Account-level
    • Roles: [Super Administrator - All Privileges]
  6. Click Invite

2 Add and Verify Your Domain

  1. Go to Cloudflare Members Settings
  2. Click Settings
  3. Under Single Sign-On (SSO) for all members, click Add domain
  4. Enter your organization’s domain
  5. Cloudflare will provide DNS verification details:
    • Type: TXT
    • Name: Provided value
    • Value: Provided value
  6. Add the TXT record to your DNS provider
  7. Return to Cloudflare and click Verify

3 Access Policies for IdP Control

Cloudflare Access policies allow you to control which identity providers users can authenticate with and restrict access based on various criteria.

Access policies consist of:

  • Actions: Allow, Block, Bypass, or Service Auth
  • Rule Types: Include (OR logic), Exclude (NOT logic), Require (AND logic)
  • Selectors: Criteria such as email, country, login method, etc.

  1. In Cloudflare Zero Trust, navigate to Settings
  2. Under Admin controls, find Manage Cloudflare dashboard SSO applications
  3. Find the domain added in the previous step and click Edit
  4. A policy should already exist for your domain; find it and click the ellipsis menu (⋮)
  5. An existing configuration rule should appear under Configuration Rules → Include. Click Add require, then fill:

| Selector | Value |
| --- | --- |
| Login Method | Select your IdP (e.g., “SAML • Your IdP”) |

Login Method Options

The Login Methods selector allows you to enable multiple authentication options simultaneously. Each selected method gives users an additional way to access the dashboard.

| Selection | User Experience | Security Level | Recovery Option |
| --- | --- | --- | --- |
| SAML only | Users must authenticate through SplitSecure | High | No fallback if misconfigured |
| Both One-time PIN + SAML | Users can choose either method at login | Medium | Email fallback available |

  1. Click Save Policy
  2. Review your selected login methods and rule type
  3. Click Save Policy
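As an added illustration (not Cloudflare's implementation), the following Python models the rule semantics described above, Include as OR, Exclude as NOT and Require as AND, and shows why adding a Require rule on Login Method turns the domain policy into “SAML only”, while selecting both methods in that rule gives the One-time PIN fallback. The policy dictionaries, login-method labels and identities are constructed placeholders.

```python
# Constructed model of how the page describes Cloudflare Access policy rules:
# Include = OR (at least one), Exclude = NOT (none), Require = AND (all).
# Illustration only, not Cloudflare's implementation.
SAML_METHOD = "SAML • SplitSecure SAML"   # placeholder login-method label
OTP_METHOD = "One-time PIN"

def rule_matches(rule: tuple, identity: dict) -> bool:
    """Evaluate one selector rule against one login identity."""
    selector, value = rule
    if selector == "email_domain":
        return identity.get("email", "").lower().endswith("@" + value.lower())
    if selector == "login_method":
        # Several methods selected in one rule behave as alternatives.
        return identity.get("login_method") in value
    return identity.get(selector) == value

def evaluate_policy(policy: dict, identity: dict) -> bool:
    """True when the identity passes every rule group of the policy."""
    inc, exc, req = (policy.get(k, []) for k in ("include", "exclude", "require"))
    if not any(rule_matches(r, identity) for r in inc):   # an include rule is mandatory
        return False
    if any(rule_matches(r, identity) for r in exc):
        return False
    return all(rule_matches(r, identity) for r in req)

# "SAML only": the require rule names just the SplitSecure IdP; OTP logins are refused.
SAML_ONLY = {"include": [("email_domain", "example.invalid")],
             "require": [("login_method", {SAML_METHOD})]}
# "Both": either method satisfies the require rule (email fallback available).
BOTH = {"include": [("email_domain", "example.invalid")],
        "require": [("login_method", {SAML_METHOD, OTP_METHOD})]}
```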

SplitSecure Configuration

1 Download Cloudflare SAML Metadata

Download your Cloudflare SAML metadata file using one of the following URLs:

| Type | URL | When to Use |
| --- | --- | --- |
| Default | https://<team-name>.cloudflareaccess.com/cdn-cgi/access/saml-metadata | Standard configuration |
| IdP-specific | https://<team-name>.cloudflareaccess.com/cdn-cgi/access/<idp-id>/saml-metadata | Multiple IdPs configured, or the IdP requires a non-standard configuration or custom SAML attribute mappings |

Finding your values:

  • Team name: Found in Cloudflare Zero Trust under Settings → Team domain
  • IdP ID: Obtain from the Cloudflare API endpoint List Access identity providers

2 Create the Cloudflare Secure Account

  1. In SplitSecure, navigate to Secure Accounts → Create Account → Cloudflare
  2. Enter a name for your account
  3. Select the Identity Provider used in the Cloudflare configuration
  4. Upload the metadata file downloaded in Step 1 (filename: access_saml_metadata.xml)
  5. Provide your SSO endpoint, which can be found in Cloudflare under Access Controls → Application → SSO App
  6. Click Create Account

Test Authentication

1 Test Authentication (SP-Initiated)

  1. Navigate to dash.cloudflare.com
  2. Enter an email address using your verified organization domain
  3. The login button should change to Log in with SSO
  4. Click Log in with SSO and select your SAML identity provider
  5. You will be redirected to SplitSecure
  6. Enter your email address when prompted
  7. Click Request Access
  8. Complete the authentication flow

Troubleshooting

| Issue | Possible Cause | Solution |
| --- | --- | --- |
| “Log in with SSO” button doesn’t appear | Domain not verified | Complete DNS verification in Cloudflare |
| Test connection fails | Incorrect SSO URL or Entity ID | Re-download metadata from SplitSecure and re-upload to Cloudflare |
| Certificate error | Certificate mismatch or expiration | Download a fresh certificate from SplitSecure |
| User cannot authenticate | Email domain not added to SSO | Add and verify the user’s email domain in Cloudflare |
| Multiple IdPs shown during login | Multiple SAML providers configured | Select the IdP corresponding to your SplitSecure account |
| SAML response signature invalid | “Sign SAML authentication request” disabled | Enable this option in Cloudflare SAML settings |

External Resources