cloudflare · maxvp · Feb 5, 2025 · Feb 5, 2025 · Feb 5, 2025 · Feb 5, 2025
@@ -3,10 +3,9 @@ pcx_content_type: how-to
 title: Cloudflare dashboard SSO application
 sidebar:
   order: 4
-
 ---
 
-import { FeatureTable } from "~/components"
+import { FeatureTable } from "~/components";
 
 By adding a Dashboard SSO application to your Cloudflare Zero Trust account, you can enforce single sign-on (SSO) to the Cloudflare dashboard with the identity provider (IdP) of your choice. SSO will be enforced for every user in your email domain.
 
@@ -16,7 +15,7 @@ By adding a Dashboard SSO application to your Cloudflare Zero Trust account, you
 
 ## Prerequisites
 
-All users in your email domain must exist as a member in your Cloudflare account and IdP.  To add users to your Cloudflare account, refer to [Manage Cloudflare account access](/fundamentals/setup/manage-members/).
+All users in your email domain must exist as a member in your Cloudflare account and IdP. To add users to your Cloudflare account, refer to [Manage Cloudflare account access](/fundamentals/setup/manage-members/).
 
 ## 1. Set up an IdP
 
@@ -32,9 +31,9 @@ Once your SSO domain is approved, a new **SSO App** application will appear unde
 
 ### SSO domain requirements
 
-* The email domain must belong to your organization. Public email providers such as `@gmail.com` are not allowed.
-* Every user with that email domain must be an employee in your organization. For example, university domains such as `@harvard.edu` are not allowed because they include student emails.
-* Your SSO domain can include multiple email domains.
+- The email domain must belong to your organization. Public email providers such as `@gmail.com` are not allowed.
+- Every user with that email domain must be an employee in your organization. For example, university domains such as `@harvard.edu` are not allowed because they include student emails.
+- Your SSO domain can include multiple email domains.
 
 ## 3. Enable dashboard SSO
 
@@ -58,8 +57,8 @@ We recommend noting down your [Global API key](/fundamentals/api/get-started/key
 
 Cloudflare dashboard SSO does not support:
 
-* Users with plus-addressed emails, such as `[email protected]`. If you have users like this added to your Cloudflare organization, they will be unable to login with SSO.
-* IdP initiated logins (such as a tile in Okta). All login attempts must originate from `https://dash.cloudflare.com`. You can create a bookmark for this URL in your IdP to assist users.
+- Users with plus-addressed emails, such as `[email protected]`. If you have users like this added to your Cloudflare organization, they will be unable to login with SSO.
+- IdP initiated logins (such as a tile in Okta). All login attempts must originate from `https://dash.cloudflare.com`. You can create a bookmark for this URL in your IdP to assist users.
 
 ## Bypass dashboard SSO
 
@@ -72,9 +71,8 @@ If there is an issue with your SSO IdP provider, you can add an alternate IdP us
 1. [Add](/api/resources/zero_trust/subresources/identity_providers/methods/create/) one-time PIN login:
 
 ```bash title="cURL command"
-curl 'https://api.cloudflare.com/client/v4/accounts/{account_id}/access/identity_providers' \
---header "X-Auth-Email: <EMAIL>" \
---header "X-Auth-Key: <API_KEY>" \
+curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/identity_providers" \
+--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
 --header "Content-Type: application/json" \
 --data '{
   "type": "onetimepin",
@@ -85,9 +83,8 @@ curl 'https://api.cloudflare.com/client/v4/accounts/{account_id}/access/identity
 2. [Get](/api/resources/zero_trust/subresources/access/subresources/applications/methods/list/) the `id` of the `dash_sso` Access application. You can use [`jq`](https://jqlang.github.io/jq/download/) to quickly find the correct application:
 
 ```bash title="cURL command"
-curl 'https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps' \
---header "X-Auth-Email: <EMAIL>" \
---header "X-Auth-Key: <API_KEY>" \
+curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps" \
+--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
 | jq '.result[] | select(.type == "dash_sso")'
 ```
 
@@ -105,9 +102,8 @@ curl 'https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps' \
 
 ```bash title="cURL command"
 curl --request PUT \
-'https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps/3537a672-e4d8-4d89-aab9-26cb622918a1' \
---header "X-Auth-Email: <EMAIL>" \
---header "X-Auth-Key: <API_KEY>" \
+"https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps/3537a672-e4d8-4d89-aab9-26cb622918a1" \
+--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
 --header "Content-Type: application/json" \
 --data '{
   "id": "3537a672-e4d8-4d89-aab9-26cb622918a1",
@@ -126,9 +122,8 @@ The following API calls will disable SSO enforcement for an account. This action
 1. Get your SSO `connector_id`:
 
 ```bash title="cURL command"
-curl https://api.cloudflare.com/client/v4/accounts/{account_id}/sso/v2/connectors \
---header "X-Auth-Email: <EMAIL>" \
---header "X-Auth-Key: <API_KEY>"
+curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/sso/v2/connectors \
+--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
 ```
 
 ```json title="Response"
@@ -152,9 +147,8 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/sso/v2/connector
 
 ```bash title="cURL command"
 curl --request PATCH \
-'https://api.cloudflare.com/client/v4/accounts/{account_id}/sso/v2/connectors/2828' \
---header "X-Auth-Email: <EMAIL>" \
---header "X-Auth-Key: <API_KEY>" \
+"https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/sso/v2/connectors/2828" \
+--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
 --header "Content-Type: application/json" \
 --data '{
   "sso_connector_status": "DIS"
@@ -163,12 +157,12 @@ curl --request PATCH \
 
 ```json title="Response"
 {
-  "result": {
-    "id": "2828"
-  },
-  "success": true,
-  "errors": [],
-  "messages": []
+	"result": {
+		"id": "2828"
+	},
+	"success": true,
+	"errors": [],
+	"messages": []
 }
 ```
 

@@ -114,9 +114,8 @@ Currently, authentication tokens can only be generated through the API. You can
 ### 1. Create a service token for the account
 
 ```bash
-curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/service_tokens" \
---header "X-Auth-Email: <EMAIL>" \
---header "X-Auth-Key: <API_KEY>" \
+curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/service_tokens" \
+--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
 --header "Content-Type: application/json" \
 --data '{"name":"ACME Corporation service token"}'
 ```
@@ -148,12 +147,11 @@ Save the service token's `client_id`, `client_secret`, and `id`.
 
 ```bash
 curl --request PUT \
-"https://api.cloudflare.com/client/v4/accounts/{account_id}/access/organizations/doh/{service_token_id}" \
---header "X-Auth-Email: <EMAIL>" \
---header "X-Auth-Key: <API_KEY>"
+"https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/organizations/doh/$SERVICE_TOKEN_ID" \
+--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
 ```
 
-If you get an `access.api.error.service_token_not_found` error, check that `{service_token_id}` is the value of `id` and not `client_id`.
+If you get an `access.api.error.service_token_not_found` error, check that `$SERVICE_TOKEN_ID` is the value of `id` and not `client_id`.
 
 <Details header="Example response">
 
@@ -181,9 +179,8 @@ If you get an `access.api.error.service_token_not_found` error, check that `{ser
 Create a new user and optionally add them to a group.
 
 ```bash
-curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/users" \
---header "X-Auth-Email: <EMAIL>" \
---header "X-Auth-Key: <API_KEY>" \
+curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/users" \
+--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
 --header "Content-Type: application/json" \
 --data '{
   "name": "John Doe",
@@ -234,9 +231,9 @@ Steps 1-3 above only need to be completed once, while Steps 4-5 below would occu
 Request a DoH token for the user, using your service token to authenticate into your <GlossaryTooltip term="team domain">team domain</GlossaryTooltip>.
 
 ```bash
-curl "https://<TEAM_NAME>.cloudflareaccess.com/cdn-cgi/access/doh-token?account-id=<ACCOUNT_ID>&user-id=<USER_ID>&auth-domain=<TEAM_NAME>.cloudflareaccess.com" \
---header "Cf-Access-Client-Id: <CLIENT_ID>" \
---header "Cf-Access-Client-Secret: <CLIENT_SECRET>"
+curl "https://$TEAM_NAME.cloudflareaccess.com/cdn-cgi/access/doh-token?account-id=$ACCOUNT_ID&user-id=$USER_ID&auth-domain=$TEAM_NAME.cloudflareaccess.com" \
+--header "Cf-Access-Client-Id: $CLOUDFLARE_CLIENT_ID" \
+--header "Cf-Access-Client-Secret: $CLOUDFLARE_CLIENT_SECRET"
 ```
 
 The response contains a unique DoH token associated with the user. This token expires in 24 hours. We recommend setting up a refresh flow for the DoH token instead of generating a new one for every DoH query.
@@ -253,12 +250,12 @@ The response contains a unique DoH token associated with the user. This token ex
 
 ### 5. Send an authenticated DoH query
 
-Send DoH queries to the resolver at `https://<ACCOUNT_ID>.cloudflare-gateway.com/dns-query`, making sure to include the user's DoH token in the `CF-Authorization` header.
+Send DoH queries to the resolver at `https://$ACCOUNT_ID.cloudflare-gateway.com/dns-query`, making sure to include the user's DoH token in the `CF-Authorization` header.
 
 ```bash
-curl --silent "https://<ACCOUNT_ID>.cloudflare-gateway.com/dns-query?name=example.com" \
+curl --silent "https://$ACCOUNT_ID.cloudflare-gateway.com/dns-query?name=example.com" \
 --header "accept: application/dns-json" \
---header "CF-Authorization: <USER_DOH_TOKEN>" | jq
+--header "CF-Authorization: $USER_DOH_TOKEN" | jq
 ```
 
 If the site is blocked and you have enabled [**Display block page**](/cloudflare-one/policies/gateway/block-page/#turn-on-the-block-page) for the policy, the query will return `162.159.36.12` (the IP address of the Gateway block page). If the block page is disabled, the response will be `0.0.0.0`.

@@ -63,7 +63,7 @@ https://<SUBDOMAIN>.proxy.cloudflare-gateway.com
 1. [Create a proxy endpoint](/api/resources/zero_trust/subresources/gateway/subresources/proxy_endpoints/methods/create/) with the following call:
 
    ```bash
-   curl https://api.cloudflare.com/client/v4/accounts/<ACCOUNT_ID>/gateway/proxy_endpoints \
+   curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/proxy_endpoints \
    --header "Authorization: Bearer <API_TOKEN>" \
    --header "Content-Type: application/json" \
    --data '{"name": "any_name", "ips": ["<PUBLIC_IP>", "<PUBLIC_IP2>", "<PUBLIC_IP3>"]}'
@@ -211,7 +211,7 @@ To get the domain of a proxy endpoint:
 1. Use the [List proxy endpoints](/api/resources/zero_trust/subresources/gateway/subresources/proxy_endpoints/methods/list/) operation to get a list of your proxy endpoints and their details. For example:
 
    ```bash
-   curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/proxy_endpoints \
+   curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/proxy_endpoints \
    --header "Authorization: Bearer <API_TOKEN>"
    ```
 

@@ -112,7 +112,7 @@ Send a `PUT` request to the [Update Zero Trust account configuration](/api/resou
 
 ```sh
 curl --request PUT \
-'https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/configuration' \
+"https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/configuration" \
 --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
 --header "Content-Type: application/json" \
 --data '{

@@ -35,9 +35,8 @@ Your profile will appear in the **Profile settings** list. You can rearrange the
 Send a `POST` request to the [Devices endpoint](/api/resources/zero_trust/subresources/devices/subresources/policies/subresources/custom/methods/create/):
 
 ```bash
-curl https://api.cloudflare.com/client/v4/accounts/{account_id}/devices/policy \
---header "X-Auth-Email: <EMAIL>" \
---header "X-Auth-Key: <API_KEY>" \
+curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/policy \
+--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
 --header "Content-Type: application/json" \
 --data '{
   "allow_mode_switch": false,

@@ -3,10 +3,9 @@ pcx_content_type: how-to
 title: Enable Device Information Only
 sidebar:
   order: 2
-
 ---
 
-import { TabItem, Tabs } from "~/components"
+import { TabItem, Tabs } from "~/components";
 
 Device Information Only mode allows you to enforce device posture rules when a user connects to your [self-hosted Access application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/). This mode relies on a client certificate generated from your account to establish trust between the Access application and the device.
 
@@ -16,9 +15,8 @@ To set up Device Information Only mode:
 
    ```bash
    curl --request PATCH \
-   "https://api.cloudflare.com/client/v4/zones/{zone_id}/devices/policy/certificates" \
-   --header "X-Auth-Email: <EMAIL>" \
-   --header "X-Auth-Key: <API_KEY>" \
+   "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/devices/policy/certificates" \
+   --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    --header "Content-Type: application/json" \
    --data '{"enabled": true}'
    ```
@@ -68,7 +66,7 @@ The certificate name should match the **Device ID** in your WARP client **Prefer
    4. Change the **URI path** field to **Hostname**, and enter the domain you want to protect.
    5. Select **Deploy**. This creates a WAF custom rule that checks all requests to your domain for a valid client certificate.
 
-Device Information Only mode is now enabled on the device. To start enforcing device posture, set up a [WARP client check](/cloudflare-one/identity/devices/warp-client-checks/) and add a *Require* device posture rule to your [Access policy](/cloudflare-one/policies/access/). When the device connects to the Access application for the first time, the browser will ask to use the client certificate installed by WARP.
+Device Information Only mode is now enabled on the device. To start enforcing device posture, set up a [WARP client check](/cloudflare-one/identity/devices/warp-client-checks/) and add a _Require_ device posture rule to your [Access policy](/cloudflare-one/policies/access/). When the device connects to the Access application for the first time, the browser will ask to use the client certificate installed by WARP.
 
 <div class="large-img">