Skip to content

[CF1] identity-based selectors #24154

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Aug 7, 2025
Merged

[CF1] identity-based selectors #24154

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
687fee4
[CF1] identity-based selectors
deadlypants1973 Aug 4, 2025
7ffc1d0
final updates
deadlypants1973 Aug 7, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
46 changes: 23 additions & 23 deletions src/content/docs/cloudflare-one/policies/access/index.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -59,7 +59,7 @@ For example, this configuration blocks every request to the application, except

Bypass does not enforce any Access security controls and requests are not logged. Bypass policies should be tested before deploying to production. Consider using [Service Auth](/cloudflare-one/policies/access/#service-auth) if you would like to enforce policies and maintain logging without requiring user authentication.

As Bypass does not enforce Access security controls, Bypass policies do not support identity-based [rule types](/cloudflare-one/policies/access/#rule-types). When making Bypass policies, you will not be able to apply certain identity-based [selectors](/cloudflare-one/policies/access/#selectors) (such as email, or IP).
As Bypass does not enforce Access security controls, Bypass policies do not support identity-based [rule types](/cloudflare-one/policies/access/#rule-types). When making Bypass policies, you will not be able to apply certain identity-based [selectors](/cloudflare-one/policies/access/#selectors) (such as email).

:::

Expand Down Expand Up @@ -133,28 +133,28 @@ To require only one country and one email ending:

When you add a rule to your policy, you will be asked to specify the criteria/attributes you want users to meet. These attributes are available for all Access application types, including [SaaS](/cloudflare-one/applications/configure-apps/saas-apps/), [self-hosted](/cloudflare-one/applications/configure-apps/self-hosted-public-app/), and [non-HTTP](/cloudflare-one/applications/non-http/) applications.

Identity-based attributes are only checked when a user authenticates to Access. Non-identity attributes are polled continuously, meaning they are-evaluated with each new HTTP request for changes during the [user session](/cloudflare-one/identity/users/session-management/). If you have configured [SCIM provisioning](/cloudflare-one/identity/users/scim/), you can force a user to re-attest all attributes with Access whenever you revoke the user in the IdP or update their IdP group membership.

| Selector | Description | Checked at login | Checked continuously<sup>1</sup> |
| ------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | -------------------------------- |
| Emails | `[email protected]` | ✅ | ❌ |
| Emails ending in | `@company.com` | ✅ | ❌ |
| External Evaluation | Allows or denies access based on [custom logic](/cloudflare-one/policies/access/external-evaluation/) in an external API. | ✅ | ❌ |
| IP ranges | `192.168.100.1/24` (supports IPv4/IPv6 addresses and CIDR ranges) | ✅ | ✅ |
| Country | Uses the IP address to determine country. | ✅ | ✅ |
| Everyone | Allows, denies, or bypasses access to everyone. | ✅ | ❌ |
| Common Name | The request will need to present a valid certificate with an expected common name. | ✅ | ✅ |
| Valid Certificate | The request will need to present any valid client certificate. | ✅ | ✅ |
| Service Token | The request will need to present the correct service token headers configured for the specific application. | ✅ | ✅ |
| Any Access Service Token | The request will need to present the headers for any [service token](/cloudflare-one/identity/service-tokens/) created for this account. | ✅ | ✅ |
| Login Methods | Checks the identity provider used at the time of login. | ✅ | ❌ |
| Authentication Method | Checks the [multifactor authentication](/cloudflare-one/policies/access/mfa-requirements/) method used by the user, if supported by the identity provider. | ✅ | ❌ |
| Identity provider group | Checks the user groups configured with your identity provider (IdP). This selector only displays if you use Microsoft Entra ID, GitHub, Google, Okta, or an IdP that provisions groups with [SCIM](/cloudflare-one/identity/users/scim/). | ✅ | ❌ |
| SAML Group | Checks a SAML attribute name / value pair. This selector only displays if you use a [generic SAML](/cloudflare-one/identity/idp-integration/generic-saml/) identity provider. | ✅ | ❌ |
| OIDC Claim | Checks an OIDC claim name / value pair. This selector only displays if you use a [generic OIDC](/cloudflare-one/identity/idp-integration/generic-oidc/) identity provider. | ✅ | ❌ |
| Device posture | Checks [device posture signals](/cloudflare-one/identity/devices/) from the WARP client or a third-party service provider. | ✅ | ✅ |
| Warp | Checks that the device is connected to WARP, including the consumer version. | ✅ | ✅ |
| Gateway | Checks that the device is connected to your Zero Trust instance through the [WARP client](/cloudflare-one/connections/connect-devices/warp/). | ✅ | ✅ |
Non-identity attributes are polled continuously, meaning they are-evaluated with each new HTTP request for changes during the [user session](/cloudflare-one/identity/users/session-management/). If you have configured [SCIM provisioning](/cloudflare-one/identity/users/scim/), you can force a user to re-attest all attributes with Access whenever you revoke the user in the IdP or update their IdP group membership.

| Selector | Description | Checked at login | Checked continuously<sup>1</sup> | Identity-based selector? |
| ------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | -------------------------------- | ------------------------ |
| Emails | `[email protected]` | ✅ | ❌ | ✅ |
| Emails ending in | `@company.com` | ✅ | ❌ | ✅ |
| External Evaluation | Allows or denies access based on [custom logic](/cloudflare-one/policies/access/external-evaluation/) in an external API. | ✅ | ❌ | ✅ |
| IP ranges | `192.168.100.1/24` (supports IPv4/IPv6 addresses and CIDR ranges) | ✅ | ✅ | ❌ |
| Country | Uses the IP address to determine country. | ✅ | ✅ | ❌ |
| Everyone | Allows, denies, or bypasses access to everyone. | ✅ | ❌ | ❌ |
| Common Name | The request will need to present a valid certificate with an expected common name. | ✅ | ✅ | ❌ |
| Valid Certificate | The request will need to present any valid client certificate. | ✅ | ✅ | ❌ |
| Service Token | The request will need to present the correct service token headers configured for the specific application. | ✅ | ✅ | ❌ |
| Any Access Service Token | The request will need to present the headers for any [service token](/cloudflare-one/identity/service-tokens/) created for this account. | ✅ | ✅ | ❌ |
| Login Methods | Checks the identity provider used at the time of login. | ✅ | ❌ | ✅ |
| Authentication Method | Checks the [multifactor authentication](/cloudflare-one/policies/access/mfa-requirements/) method used by the user, if supported by the identity provider. | ✅ | ❌ | ✅ |
| Identity provider group | Checks the user groups configured with your identity provider (IdP). This selector only displays if you use Microsoft Entra ID, GitHub, Google, Okta, or an IdP that provisions groups with [SCIM](/cloudflare-one/identity/users/scim/). | ✅ | ❌ | ✅ |
| SAML Group | Checks a SAML attribute name / value pair. This selector only displays if you use a [generic SAML](/cloudflare-one/identity/idp-integration/generic-saml/) identity provider. | ✅ | ❌ | ✅ |
| OIDC Claim | Checks an OIDC claim name / value pair. This selector only displays if you use a [generic OIDC](/cloudflare-one/identity/idp-integration/generic-oidc/) identity provider. | ✅ | ❌ | ✅ |
| Device posture | Checks [device posture signals](/cloudflare-one/identity/devices/) from the WARP client or a third-party service provider. | ✅ | ✅ | ❌ |
| Warp | Checks that the device is connected to WARP, including the consumer version. | ✅ | ✅ | ❌ |
| Gateway | Checks that the device is connected to your Zero Trust instance through the [WARP client](/cloudflare-one/connections/connect-devices/warp/). | ✅ | ✅ | ❌ |

<sup>1</sup> For SaaS applications, Access can only enforce policies at the time
of initial sign on and when reissuing the SaaS session. Once the user has
Expand Down