Cloudflare Docs
Cloudflare Zero Trust
Visit Cloudflare Zero Trust on GitHub
Set theme to dark (⇧+D)

Add a SaaS application to Access

Cloudflare Access allows you to add an additional authentication layer to your SaaS applications. When you integrate a SaaS application with Access, users log in using your existing identity providers and are only granted access if they pass your Access policies.

This page provides generic instructions for setting up a SaaS application in Zero Trust.

​​ 1. Get SaaS application URLs

Obtain the following URLs from your SaaS application account:

  • Entity ID: A unique URL issued for your SaaS application, for example https://<your-domain>.my.salesforce.com.
  • Assertion Consumer Service URL: The service provider’s endpoint for receiving and parsing SAML assertions.

​​ 2. Add your application to Access

  1. In Zero Trust, go to Access > Applications.

  2. Select Add an application.

  3. Select SaaS.

  4. Select your Application from the drop-down menu. If your application is not listed, enter a custom name in the Application field and select the textbox that appears below.

  5. Enter the Entity ID and Assertion Consumer Service URL obtained from your SaaS application account.

  6. Select the Name ID Format expected by your SaaS application (usually Email).

  7. If your SaaS application requires additional SAML attribute statements, add the mapping of your IdP’s attributes you would like to include in the SAML statement sent to the SaaS application.

  8. (Optional) Turn on App Launcher visibility if you want the application to be visible in the App Launcher.

  9. (Optional) Add a custom logo for your application by selecting Custom and entering a link to your desired image.

  10. Next, choose the Identity providers you want to enable for your application.

  11. Turn on Instant Auth if you are selecting only one login method for your application, and would like your end users to skip the identity provider selection step.

  12. Select Next.

​​ 2. Add an Access policy

  1. To control who can access your application, create an Access policy.

  2. Select Next.

​​ 3. Configure SSO in your SaaS application

Finally, you will need to configure your SaaS application to require users to log in through Cloudflare Access.

  1. Configure the following fields with your SAML SSO-compliant application:

    • SSO endpoint
    • Access Entity ID or Issuer
    • Public key

    Copy SSO settings for a SaaS application from Zero Trust

    You can either manually enter this data into your SaaS application or upload the application’s metadata XML file. The metadata is available at the URL: <your-SSO-endpoint>/saml-metadata

  2. Select Done.

Your application will appear on the Applications page.

The following tutorials provide detailed integration instructions for specific SaaS applications.