diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/google-workspace-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/google-workspace-saas.mdx index 3cac01f4328a09..114d8cf49f20e5 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/google-workspace-saas.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/google-workspace-saas.mdx @@ -35,7 +35,7 @@ The integration of Access as a single sign-on provider for your Google Workspace :::caution -When you put your Google Workspace behind Access, users will not be able to log in using [Google](/cloudflare-one/identity/idp-integration/google/) or [Google Workspace](/cloudflare-one/identity/idp-integration/google-workspace/) as an identity provider. +When you put your Google Workspace behind Access, users will not be able to log in using [Google](/cloudflare-one/identity/idp-integration/google/) or [Google Workspace](/cloudflare-one/identity/idp-integration/google-workspace/) as an identity provider. To secure Google Workspace behind Access and avoid an [authentication loop](/cloudflare-one/faq/troubleshooting/#after-putting-google-workspace-behind-access-i-cant-log-in-it-keeps-redirecting-between-access-and-google-without-ever-completing-authentication), you must configure a different identity provider (not Google or Google Workspace) for authentication. ::: 4. [Create an Access policy](/cloudflare-one/policies/access/) for your application. For example, you could allow users with an `@your_domain.com` email address. diff --git a/src/content/docs/cloudflare-one/faq/troubleshooting.mdx b/src/content/docs/cloudflare-one/faq/troubleshooting.mdx index 6b922ddf06c22e..e506b77da80e07 100644 --- a/src/content/docs/cloudflare-one/faq/troubleshooting.mdx +++ b/src/content/docs/cloudflare-one/faq/troubleshooting.mdx 
@@ -335,3 +335,9 @@ To resolve this error, review the following options: | `0` (disabled) | **Enabled / Default** | ❌ Blank screen | | `0` (disabled) | **Disabled** | ✅ Works - browser will use local IP address | | `2` (enabled) | **Enabled / Default** | ✅ Works - mDNS resolves successfully | + +## After putting Google Workspace behind Access, I can’t log in. It keeps redirecting between Access and Google without ever completing authentication. + +When you put your Google Workspace behind Access, users will not be able to log in using Google or Google Workspace as an identity provider. + +This configuration creates an authentication loop. Cloudflare Access tries to authenticate the user via Google, but Google itself treats Cloudflare as its identity provider and requires authentication from Cloudflare. Since each system depends on the other to complete login first, the user is caught in an infinite redirect cycle and can never successfully authenticate. \ No newline at end of file diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/google-workspace.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/google-workspace.mdx index 157b88072e20c4..045d9463637bb3 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/google-workspace.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/google-workspace.mdx 
@@ -7,7 +7,7 @@ import { GlossaryTooltip, Render } from "~/components"; :::note -The Google Workspace IdP integration is not supported if your Google Workspace account is protected by Access. +The Google Workspace IdP integration [is not supported](/cloudflare-one/faq/troubleshooting/#after-putting-google-workspace-behind-access-i-cant-log-in-it-keeps-redirecting-between-access-and-google-without-ever-completing-authentication) if your Google Workspace account is protected by Access. ::: You can integrate a Google Workspace (formerly G Suite) account with Cloudflare Access. Unlike the instructions for [generic Google authentication](/cloudflare-one/identity/idp-integration/google/), the steps below will allow you to pull group membership information from your Google Workspace account.
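Review bot: In the google-workspace-saas.mdx hunk, the sentence added to the caution tells the reader "you must configure a different identity provider" but gives no pointer to where that is done. The only link in the new sentence goes to the troubleshooting entry, which describes the loop and not the setup. Suggest linking the words "a different identity provider" to the identity provider integration docs. Also consider stating that the alternate provider needs to be in place before Google Workspace is put behind Access, since the loop described in the FAQ leaves users unable to authenticate at all. The parenthetical "(not Google or Google Workspace)" repeats the preceding sentence and could be dropped.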
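Review bot: The FAQ section added at the end of troubleshooting.mdx explains why the redirect loop happens but never says how to resolve it. The fix (configure an identity provider other than Google or Google Workspace) appears only in the caution on the SaaS app page that links here, so a reader who lands on this entry from search gets the diagnosis without the remedy. Suggest a closing sentence with the resolution, matching the "To resolve this error, review the following options:" pattern visible in the section above. Two smaller points: the heading is two full sentences with a typographic apostrophe in "can’t", and its generated slug is hard-coded in both other files in this patch, so a shorter heading would make those anchors less brittle. The file also now ends without a trailing newline.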
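Review bot: In the google-workspace.mdx hunk, the link is placed on the words "is not supported", which says nothing about the destination when read out of context (screen readers, link lists). Suggest leaving the original sentence unlinked and adding a short follow-up sentence whose link text names the target, for example one that refers to the authentication loop troubleshooting entry. The note would also benefit from saying what to use instead, as the caution in google-workspace-saas.mdx now does.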