src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx
+156 -2 (156 additions & 2 deletions)
@@ -39,9 +39,9 @@ Obtain the following URLs from your SaaS application account:
39
39
40
40
8. Select the **Name ID Format** expected by your SaaS application (usually _Email_).
41
41
42
-
9.Copy the **SSO endpoint**, **Access Entity ID or Issuer**, and **Public key**.
42
+
9.(Optional) Configure any additional [SAML attribute statements](#saml-attributes) required by your SaaS application.
43
43
44
-
10.If your SaaS application requires additional **SAML attribute statements**, add the mapping of your IdP's attributes you would like to include in the SAML statement sent to the SaaS application.
44
+
10.Copy the **SSO endpoint**, **Access Entity ID or Issuer**, and **Public key**.
45
45
46
46
:::note[IdP groups]
47
47
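Review bot: swapping the content of steps 9 and 10 means "Copy the **SSO endpoint**, **Access Entity ID or Issuer**, and **Public key**" moves from step 9 to step 10, so any text elsewhere on this page or in the per-application guides that tells readers to use the values "from step 9" now points at the optional attribute-statement step instead; please search for such step references and update them in the same change. The `#saml-attributes` anchor that the new step 9 links to is introduced later in this commit, so that link is fine as long as the new "## SAML attributes" heading keeps that exact slug.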
@@ -77,3 +77,157 @@ When acting as a SAML identity provider, Cloudflare will sign both the SAML Resp
77
77
## 4. Test the integration
78
78
79
79
Open an incognito browser window and go to the SaaS application's login URL. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider.
80
+
81
+
## SAML attributes
82
+
83
+
[SAML attributes](/cloudflare-one/identity/idp-integration/generic-saml/#saml-headers-and-attributes) refer to the user identity characteristics that Cloudflare Access shares with your SAML SaaS application upon successful authentication. By default, Cloudflare Access passes the following attributes (if available) to the SaaS application:
84
+
-`id` - UUID of the user's Access identity
85
+
-`name` - Full name of the user (for example, `John Doe`)
86
+
-`email` - User's email address
87
+
-`groups` - Identity provider group membership
88
+
89
+
In Access for SaaS, you can add additional SAML attributes and customize the SAML statement sent to the SaaS application. This allows you to integrate SaaS applications which have specific SAML attribute requirements.
90
+
91
+
### SAML attribute statements
92
+
93
+
To send additional SAML attributes to your SaaS application, configure the following fields for each attribute:
94
+
95
+
-**Name**: SAML attribute name
96
+
-**SAML friendly name**: (Optional) A human readable name for the SAML attribute
97
+
-**Name format**: Specify the **Name** format expected by the SaaS application:
98
+
-`Unspecified`: (default) No specific format required.
99
+
-`URI`: Name is in a format such as `urn:ietf:params:scim:schemas:core:2.0:User:userName` or `urn:oid:2.5.4.42`.
100
+
-`Basic`: Name is a normal string such as `userName`.
101
+
-**IdP claim**: The identity provider value that should map to this SAML attribute. You can select any [SAML attribute](/cloudflare-one/identity/idp-integration/generic-saml/#saml-headers-and-attributes) or [OIDC claim](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that was configured in a Zero Trust IdP integration.
102
+
-**Required**: If a claim is marked as required but is not provided by an IdP, Cloudflare will fail the authentication request and show an error page.
103
+
-**Add per IdP claim**: (Optional) If you turned on multiple identity providers for the SaaS application, you can choose different attribute mappings for each IdP. These values will override the parent **IdP claim**.
104
+
105
+
### Transformation
106
+
107
+
In **Advanced settings** > **Transformation**, you can enter a [JSONata](https://jsonata.org/) script that modifies SAML attributes before they are sent to the SaaS application. This is useful for setting defaults, excluding email addresses, or ensuring usernames meet arbitrary criteria.
108
+
109
+
For example, the following JSONata script modifies the `groups` attribute:
110
+
111
+
```jsonata title="JSONata expression"
112
+
{
113
+
"account_id": account_id,
114
+
"amr": amr,
115
+
"auth_status": auth_status,
116
+
"common_name": common_name,
117
+
"devicePosture": devicePosture,
118
+
"device_id": device_id,
119
+
"device_sessions": device_sessions,
120
+
"email": email,
121
+
"gateway_account_id": gateway_account_id,
122
+
"geo": geo,
123
+
"groups": $map($.groups, function($group) {
124
+
{"group_name": $group.name, "id": $group.id}
125
+
}),
126
+
"iat": iat,
127
+
"id": id,
128
+
"idp": idp
129
+
}
130
+
```
131
+
132
+
Here is an example of an Access for SaaS payload before applying the transform:
In this example, the JSONata transform changed the `group.name` field from `name` to `group_name`. Additionally, we changed the value of `group.id` from ___ to ____.
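Review bot: the end of this hunk is unfinished and should not merge as is: "Here is an example of an Access for SaaS payload before applying the transform:" is followed by no payload, there is no "after" payload either, and the explanation still carries blank placeholders ("from ___ to ____"); either add both sample payloads and fill in the values or drop the paragraph. The explanation also contradicts the script above it: the `$map` over `groups` renames `name` to `group_name` but copies `$group.id` through unchanged, so "we changed the value of `group.id`" does not describe what the expression does. One more point on the same example: it is introduced as a script that "modifies the `groups` attribute", but it also passes every other attribute (`devicePosture`, `device_sessions`, `geo`, `gateway_account_id`, and so on) through to the SaaS application; since the Transformation paragraph lists "excluding email addresses" as a use case, a sentence stating that the object the script returns is the complete set of attributes sent, and that keys left out of it are not sent, would make the data-minimisation behaviour explicit and tell readers which keys they can safely drop.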
src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/index.mdx
+2 (2 additions & 0 deletions)
@@ -10,4 +10,6 @@ import { DirectoryListing } from "~/components"
10
10
11
11
Cloudflare Access allows you to add an additional authentication layer to your SaaS applications. When you integrate a SaaS application with Access, users log in to the application with Cloudflare as the Single Sign-On provider. The user is then redirected to the configured identity providers for that application and are only granted access if they pass your Access policies.
12
12
13
+
Cloudflare integrates with the majority of SaaS applications that support the SAML or OIDC authentication protocol. If you do not see your application listed below, refer to our generic SAML or generic OIDC guide and consult your SaaS application's documentation.
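Review bot: the added sentence says "refer to our generic SAML or generic OIDC guide" without linking either guide; this is an MDX page, so link those two phrases to the generic SAML SaaS and generic OIDC SaaS pages rather than leaving readers to search for them. Two grammar fixes while you are in this paragraph: "support the SAML or OIDC authentication protocol" should read "protocols", and the unchanged context line above has "The user is then redirected ... and are only granted access", which should be "is only granted access".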