Expand Up @@ -3,20 +3,19 @@ pcx_content_type: how-to
title: Cloudflare dashboard SSO application
sidebar:
order: 4

---

import { FeatureTable } from "~/components"
import { FeatureTable } from "~/components";

By adding a Dashboard SSO application to your Cloudflare Zero Trust account, you can enforce single sign-on (SSO) to the Cloudflare dashboard with the identity provider (IdP) of your choice. SSO will be enforced for every user in your email domain.
By adding a Cloudflare Dashboard SSO application to your Cloudflare Zero Trust account, you can enforce single sign-on (SSO) to the Cloudflare dashboard with the identity provider (IdP) of your choice. SSO will be enforced for every user in your email domain.

## Availability

<FeatureTable id="account.single_sign_on" />

## Prerequisites

All users in your email domain must exist as a member in your Cloudflare account and IdP. To add users to your Cloudflare account, refer to [Manage Cloudflare account access](/fundamentals/setup/manage-members/).
All users in your email domain must exist as a member in your Cloudflare account and IdP. To add users to your Cloudflare account, refer to [Manage Cloudflare account access](/fundamentals/setup/manage-members/).

## 1. Set up an IdP

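Review bot: The prerequisite sentence still has a number-agreement error ("All users ... must exist as a member") even though this line is re-emitted in the hunk; while it is being touched, make it "must exist as members in both your Cloudflare account and your IdP". The new intro wording "Cloudflare Dashboard SSO application" also capitalizes Dashboard while the frontmatter `title:` on the same page reads "Cloudflare dashboard SSO application" and the later heading reads "## 3. Enable dashboard SSO"; pick one casing for the product name and use it throughout.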
Expand All @@ -32,15 +31,15 @@ Once your SSO domain is approved, a new **SSO App** application will appear unde

### SSO domain requirements

* The email domain must belong to your organization. Public email providers such as `@gmail.com` are not allowed.
* Every user with that email domain must be an employee in your organization. For example, university domains such as `@harvard.edu` are not allowed because they include student emails.
* Your SSO domain can include multiple email domains.
- The email domain must belong to your organization. Public email providers such as `@gmail.com` are not allowed.
- Every user with that email domain must be an employee in your organization. For example, university domains such as `@harvard.edu` are not allowed because they include student emails.
- Your SSO domain can include multiple email domains.

## 3. Enable dashboard SSO

:::note

We recommend noting down your [Global API key](/fundamentals/api/get-started/keys/) in case you need to [disable SSO](#option-2-disable-dashboard-sso) later.
Cloudflare recommends carefully storing your [Global API key](/fundamentals/api/get-started/keys/) to access when necessary. You will need your Global API key when you [disable SSO](#option-2-disable-dashboard-sso).
:::

1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Authentication**.
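Review bot: The replacement note text reads awkwardly: "carefully storing your Global API key to access when necessary" leaves "to access" dangling, and "carefully" says nothing about how. Since the Global API key carries full account privileges, the guidance should be concrete, e.g. "Store your [Global API key](/fundamentals/api/get-started/keys/) somewhere secure, such as a password manager or secrets vault, before enabling SSO. You will need it to [disable SSO](#option-2-disable-dashboard-sso) later." The old wording's "in case you need to" also conveyed that disabling SSO is the exception rather than an expected step, which is worth keeping.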
Expand All @@ -58,8 +57,10 @@ We recommend noting down your [Global API key](/fundamentals/api/get-started/key

Cloudflare dashboard SSO does not support:

* Users with plus-addressed emails, such as `[email protected]`. If you have users like this added to your Cloudflare organization, they will be unable to login with SSO.
* IdP initiated logins (such as a tile in Okta). All login attempts must originate from `https://dash.cloudflare.com`. You can create a bookmark for this URL in your IdP to assist users.
- Users with plus-addressed emails, such as `[email protected]`. If you have users like this added to your Cloudflare organization, they will be unable to login with SSO.
- IdP-initiated logins (such as a tile in Okta). All login attempts must originate from `https://dash.cloudflare.com`. You can create a bookmark for this URL in your IdP to assist users.
- Adding a separate email-based policy to the SSO application that does not match your SSO domain policy. As your account team must [approve and create your SSO domain](/cloudflare-one/applications/configure-apps/dash-sso-apps/#2-contact-your-account-team) based on the [SSO domain requirements](/cloudflare-one/applications/configure-apps/dash-sso-apps/#sso-domain-requirements), adding a new domain policy on your own will not work.
- Deleting the auto-generated `allow email domain` policy. If this policy was deleted, your organization's administrators would not be able to access the Cloudflare dashboard.

## Bypass dashboard SSO

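Review bot: The new bullet about deleting the auto-generated `allow email domain` policy states the consequence hypothetically ("If this policy was deleted ... would not be able") but gives no recovery path; state it directly (deleting it locks your administrators out of the dashboard) and point the reader to the "Bypass dashboard SSO" section that follows, which is where a locked-out administrator would look. Two smaller points on lines this hunk touches: "unable to login with SSO" should be "unable to log in with SSO" (verb), and the new policy bullet links same-page anchors through the full path `/cloudflare-one/applications/configure-apps/dash-sso-apps/#...` while the note above uses the bare `#option-2-disable-dashboard-sso`; use one form for intra-page links.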
Expand Down Expand Up @@ -163,12 +164,12 @@ curl --request PATCH \

```json title="Response"
{
"result": {
"id": "2828"
},
"success": true,
"errors": [],
"messages": []
"result": {
"id": "2828"
},
"success": true,
"errors": [],
"messages": []
}
```

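Review bot: Whitespace-only re-indentation of the JSON response (one space to two) with no content change; consider keeping formatter-driven churn like this, the semicolon on the `import`, and the `*` to `-` bullet markers in a separate commit from the wording and new-bullet changes so the substantive edits stay easy to review. Also confirm the `curl --request PATCH` block named in the hunk header was re-indented to the same style so request and response read consistently.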