src/content/docs/cloudflare-one/applications/configure-apps/dash-sso-apps.mdx
17 additions & 16 deletions
@@ -3,20 +3,19 @@ pcx_content_type: how-to
3
3
title: Cloudflare dashboard SSO application
4
4
sidebar:
5
5
order: 4
6
-
7
6
---
8
7
9
-
import { FeatureTable } from"~/components"
8
+
import { FeatureTable } from"~/components";
10
9
11
-
By adding a Dashboard SSO application to your Cloudflare Zero Trust account, you can enforce single sign-on (SSO) to the Cloudflare dashboard with the identity provider (IdP) of your choice. SSO will be enforced for every user in your email domain.
10
+
By adding a Cloudflare Dashboard SSO application to your Cloudflare Zero Trust account, you can enforce single sign-on (SSO) to the Cloudflare dashboard with the identity provider (IdP) of your choice. SSO will be enforced for every user in your email domain.
12
11
13
12
## Availability
14
13
15
14
<FeatureTableid="account.single_sign_on" />
16
15
17
16
## Prerequisites
18
17
19
-
All users in your email domain must exist as a member in your Cloudflare account and IdP. To add users to your Cloudflare account, refer to [Manage Cloudflare account access](/fundamentals/setup/manage-members/).
18
+
All users in your email domain must exist as a member in your Cloudflare account and IdP. To add users to your Cloudflare account, refer to [Manage Cloudflare account access](/fundamentals/setup/manage-members/).
20
19
21
20
## 1. Set up an IdP
22
21
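Review bot: The reworded intro on added line 10 capitalizes "Cloudflare Dashboard SSO application", while the front-matter title on line 3 still reads "Cloudflare dashboard SSO application" with a lowercase "dashboard". Pick one casing and use it in both places so the application name is consistent and searchable. Separately, the Prerequisites sentence on added line 18 appears textually identical to the line it replaces, so if a wording fix was intended there ("exist as a member" reads better as "exist as members"), it did not land in this change.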
@@ -32,15 +31,15 @@ Once your SSO domain is approved, a new **SSO App** application will appear unde
32
31
33
32
### SSO domain requirements
34
33
35
-
* The email domain must belong to your organization. Public email providers such as `@gmail.com` are not allowed.
36
-
* Every user with that email domain must be an employee in your organization. For example, university domains such as `@harvard.edu` are not allowed because they include student emails.
37
-
* Your SSO domain can include multiple email domains.
34
+
- The email domain must belong to your organization. Public email providers such as `@gmail.com` are not allowed.
35
+
- Every user with that email domain must be an employee in your organization. For example, university domains such as `@harvard.edu` are not allowed because they include student emails.
36
+
- Your SSO domain can include multiple email domains.
38
37
39
38
## 3. Enable dashboard SSO
40
39
41
40
:::note
42
41
43
-
We recommend noting down your [Global API key](/fundamentals/api/get-started/keys/) in case you need to [disable SSO](#option-2-disable-dashboard-sso) later.
42
+
Cloudflare recommends noting down your [Global API key](/fundamentals/api/get-started/keys/) in case you need to [disable SSO](#option-2-disable-dashboard-sso) later.
44
43
:::
45
44
46
45
1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Authentication**.
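Review bot: The note on added line 42 recommends writing down the Global API key but gives no guidance on where to keep it. That key carries the full permissions of the user account, so a copy left in a shared document or chat message undermines the SSO enforcement this page sets up. Suggest extending the sentence to say the key should be stored in a password manager or secrets vault, with access limited to the administrators who would carry out the linked disable SSO procedure.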
@@ -58,8 +57,10 @@ We recommend noting down your [Global API key](/fundamentals/api/get-started/key
58
57
59
58
Cloudflare dashboard SSO does not support:
60
59
61
-
* Users with plus-addressed emails, such as `[email protected]`. If you have users like this added to your Cloudflare organization, they will be unable to login with SSO.
62
-
* IdP initiated logins (such as a tile in Okta). All login attempts must originate from `https://dash.cloudflare.com`. You can create a bookmark for this URL in your IdP to assist users.
60
+
- Users with plus-addressed emails, such as `[email protected]`. If you have users like this added to your Cloudflare organization, they will be unable to login with SSO.
61
+
- IdP initiated logins (such as a tile in Okta). All login attempts must originate from `https://dash.cloudflare.com`. You can create a bookmark for this URL in your IdP to assist users.
62
+
- Adding a separate email-based policy to the SSO application that does not match your organization domain policy.
63
+
- Deleting the auto-generated `allow email domain` policy. Deleting this policy would make the Cloudflare dashboard inaccessible for your organization.
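Review bot: The two bullets added at lines 62 and 63 sit under "Cloudflare dashboard SSO does not support:", but the second one is a lockout warning rather than an unsupported feature: "Deleting this policy would make the Cloudflare dashboard inaccessible for your organization." A consequence of that size is easy to miss at the end of a limitations list, so move it into its own caution callout and link it to the disable SSO recovery section that the earlier note already references. The bullet on line 62 should also state what happens when a non-matching email-based policy is added, because "does not support" leaves it unclear whether the policy is ignored, breaks login, or locks users out.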