| 1 | +--- |
| 2 | +pcx_content_type: how-to |
| 3 | +title: Authenticate to MCP servers with Cloudflare Access |
| 4 | +sidebar: |
| 5 | + order: 3 |
| 6 | + label: MCP servers |
| 7 | +--- |
| 8 | + |
| 9 | +import { Render, GlossaryTooltip } from "~/components" |
| 10 | + |
| 11 | +You can secure <GlossaryTooltip term="MCP server">Model Context Protocol (MCP) servers</GlossaryTooltip> by using Cloudflare Access as the Single Sign-On (SSO) provider. When users connect to the remote MCP server using an <GlossaryTooltip term="MCP client">MCP client</GlossaryTooltip>, they will be prompted to log in to your [identity provider](/cloudflare-one/identity/idp-integration/) and are only granted access if they pass your [Access policies](/cloudflare-one/policies/access/#selectors). |
| 12 | + |
| 13 | +Cloudflare Access can also delegate access from any [self-hosted application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) to the MCP server via <GlossaryTooltip term="OAuth">OAuth</GlossaryTooltip>. The OAuth grant authorizes the MCP server to make requests to your self-hosted applications on behalf of the user, using the user's specific permissions and scopes. For example, your organization may wish to deploy an MCP server that helps employees interact with internal Atlassian applications. You can configure Access policies to ensure that only authorized users can access those applications, either directly or by using AI. |
| 14 | + |
| 15 | +```mermaid |
| 16 | +flowchart LR |
| 17 | +accTitle: Link MCP servers and self-hosted applications in Access |
| 18 | + subgraph SaaS["Access for SaaS <br> OIDC app"] |
| 19 | + mcp["MCP server <br> for Atlassian"] |
| 20 | + end |
| 21 | +
|
| 22 | + subgraph "Access self-hosted app" |
| 23 | + app1[Jira instance] |
| 24 | + end |
| 25 | +
|
| 26 | + subgraph "Access self-hosted app" |
| 27 | + app2[Confluence instance] |
| 28 | + end |
| 29 | +
|
| 30 | + User --> client["MCP client"] |
| 31 | + client --> mcp |
| 32 | + mcp -- Access token --> app1 |
| 33 | + mcp -- Access token --> app2 |
| 34 | + idp[Identity provider] <--> SaaS |
| 35 | +``` |
| 36 | + |
| 37 | +## Prerequisites |
| 38 | + |
| 39 | +- An [identity provider](/cloudflare-one/identity/idp-integration/) configured in Cloudflare Zero Trust |
| 40 | + |
| 41 | + |
| 42 | +## 1. Add a SaaS application to Cloudflare Zero Trust |
| 43 | + |
| 44 | +1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**. |
| 45 | +2. Select **SaaS**. |
| 46 | +3. For **Application**, select *Salesforce*. |
| 47 | +4. For the authentication protocol, select **OIDC**. |
| 48 | +5. Select **Add application**. |
| 49 | +6. In **Scopes**, select the attributes that you want Access to send in the ID token. |
| 50 | +7. In **Redirect URLs**, enter the callback URL obtained from Salesforce (`https://<your-domain>.my.salesforce.com/services/authcallback/<URL Suffix>`). Refer to [Add a SSO provider to Salesforce](#2-add-a-sso-provider-to-salesforce) for instructions on obtaining this value. |
| 51 | +8. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/) if the protocol is supported by your IdP. PKCE will be performed on all login attempts. |
| 52 | +9. Copy the following values: |
| 53 | + * **Client ID** |
| 54 | + * **Client Secret** |
| 55 | + * **Authorization endpoint** |
| 56 | + * **Token endpoint** |
| 57 | + * **User info endpoint** |
| 58 | +10. Configure [Access policies](/cloudflare-one/policies/access/) for the application. |
| 59 | +11. (Optional) In **Experience settings**, configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https://<your-domain>.my.salesforce.com`. |
| 60 | +12. Save the application. |
| 61 | + |
| 62 | +## 2. |
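Review bot: Steps 3, 7 and 11 of `## 1. Add a SaaS application to Cloudflare Zero Trust` still read as a Salesforce page: the **Application** choice is *Salesforce*, the **Redirect URLs** value is the Salesforce `https://<your-domain>.my.salesforce.com/services/authcallback/<URL Suffix>` callback, the App Launcher URL is `https://<your-domain>.my.salesforce.com`, and the link points at `#2-add-a-sso-provider-to-salesforce`, which has no target here because the only `## 2.` heading in the file is empty. For a page whose intro and diagram describe the MCP server as the OIDC app, these should be the application and OAuth callback that belong to the MCP server, and section 2 needs its heading and body before the anchor can resolve. Two smaller points: step 8 expands PKCE as "Proof of Key Exchange", but RFC 7636 names it Proof Key for Code Exchange; and in the mermaid block the Jira and Confluence subgraphs are both declared as `subgraph "Access self-hosted app"`, so give each an explicit id (for example `subgraph jira["Access self-hosted app"]` and `subgraph confluence["Access self-hosted app"]`) to avoid the renderer treating the two identically named subgraphs as one.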