Has anyone done an integration with Cloudflare Access

Darren Boss darren.boss at computecanada.ca
Fri Oct 23 16:00:28 UTC 2020


Cloudflare Access is their VPN alternative that requires
authentication before the request gets proxied over the Cloudflare
network.

https://www.cloudflare.com/teams/access/

I've tried integration with both SAML (version 4.0.1) and OIDC with
the 2.0.0 extension and can't get either to work. They allow for
upload of your IdP metadata, but when I do that it chooses the
HTTP-POST URL but does a GET request. After loading the metadata, or if
you ignore the metadata upload feature, you can just fill in the fields
directly, so I switched to the redirect URL, waited for the change to
propagate and then got an error because the entityID was set to the
entityID of the IdP and not the SP? Very odd.

I gave up and tried OIDC, but my email claim is not available after
auth. I watched the logs on the IdP from a known working OIDC client
and it looks like Cloudflare is not using the userinfo endpoint. They
only have three fields when entering OIDC info (auth, token and
certificate) and they don't seem to support discovery. Only the sub
claim was available to Cloudflare, but I did get a release consent for
email. I have "openid email profile" configured in the scope in the
Cloudflare metadata.

I can provide more information (logs and configuration), but I was
hoping that maybe someone has done this integration and knows how to
get this working with Shibboleth using either SAML or OIDC.
-- 
Darren Boss
Senior Programmer/Analyst
Programmeur-analyste principal
darren.boss at computecanada.ca
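Added example, not part of the post above and not Cloudflare or Shibboleth code: a small Python helper that parses an IdP's SAML metadata and pulls out the entityID and the SingleSignOnService location for each binding, so that the HTTP-Redirect URL can be pasted into the SP's fields directly rather than relying on whatever the metadata upload selects. The metadata, hostname and paths are constructed (the Shibboleth-style /profile/SAML2/Redirect/SSO path is illustrative only). The entityID carried in IdP metadata is the IdP's own identifier; the SP's entityID is a separate value configured on the SP side.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample IdP metadata; hostname and paths are hypothetical.
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/idp/profile/SAML2/POST/SSO"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Return the IdP entityID and a {binding: location} map of its SSO endpoints.

    Metadata is untrusted input: in production fetch it over TLS and verify
    its XML signature before acting on anything it says.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"expected md:EntityDescriptor, got {root.tag}")
    sso = {}
    path = f"./{{{MD_NS}}}IDPSSODescriptor/{{{MD_NS}}}SingleSignOnService"
    for endpoint in root.iterfind(path):
        sso[endpoint.get("Binding")] = endpoint.get("Location")
    return {"entityID": root.get("entityID"), "sso": sso}


def sso_location(meta: dict, binding: str) -> str:
    """Pick the SingleSignOnService URL for one binding, failing loudly if absent."""
    try:
        return meta["sso"][binding]
    except KeyError:
        raise ValueError(f"IdP publishes no SingleSignOnService for {binding}") from None


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print("IdP entityID (the IdP's, not the SP's):", meta["entityID"])
    print("HTTP-Redirect SSO URL:", sso_location(meta, HTTP_REDIRECT))
    print("HTTP-POST SSO URL:    ", sso_location(meta, HTTP_POST))
```

Run it against the real IdP metadata file to see which URL belongs to which binding before filling in the SP's fields by hand; a binding that the IdP does not publish raises rather than silently returning None.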
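Added example, not from the post and not Cloudflare or Shibboleth OIDC extension code: a Python diagnostic that decodes an ID token copied out of a log, compares its claims with what the userinfo endpoint returned for the same session, and lists the claims the RP requested by scope that are available only at userinfo. An RP that reads the ID token and never calls userinfo sees exactly the gap this reports. The token, claims, issuer and client_id are constructed; the helper reads the JWT payload without verifying the signature, which is acceptable for a log-reading diagnostic but never for a relying party.

```python
import base64
import json

# Scope -> claims mapping from OpenID Connect Core 1.0, section 5.4.
SCOPE_CLAIMS = {
    "openid": {"sub"},
    "email": {"email", "email_verified"},
    "profile": {
        "name", "family_name", "given_name", "middle_name", "nickname",
        "preferred_username", "profile", "picture", "website", "gender",
        "birthdate", "zoneinfo", "locale", "updated_at",
    },
}


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT WITHOUT verifying its signature.

    Only for reading a token out of a log; an RP must verify the signature
    and check iss/aud/exp before trusting any claim.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def requested_claims(scope: str) -> set:
    # Union of the standard claims implied by each scope in the space-separated list.
    wanted = set()
    for s in scope.split():
        wanted |= SCOPE_CLAIMS.get(s, set())
    return wanted


def claims_only_at_userinfo(id_token: str, userinfo: dict, scope: str) -> set:
    """Claims the RP asked for that the OP released at userinfo but not in the ID token.

    An RP that never calls userinfo will not see any of these.
    """
    in_token = set(jwt_payload(id_token))
    return {c for c in requested_claims(scope) if c in userinfo and c not in in_token}


def make_unsigned_token(claims: dict) -> str:
    # Constructed sample only: an alg "none" token with an empty signature so the
    # example runs offline. An RP must never accept such a token.
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}."


# Constructed sample data: the ID token carries only the mandatory claims,
# while userinfo carries the email and profile claims for the same subject.
SAMPLE_ID_TOKEN = make_unsigned_token({
    "iss": "https://idp.example.org",        # hypothetical issuer
    "sub": "a1b2c3",
    "aud": "cloudflare-client-id-example",   # hypothetical client_id
    "iat": 1603468800,
    "exp": 1603472400,
})
SAMPLE_USERINFO = {
    "sub": "a1b2c3",
    "email": "user@example.org",
    "email_verified": True,
    "name": "Example User",
}
SAMPLE_SCOPE = "openid email profile"


def diagnose() -> set:
    return claims_only_at_userinfo(SAMPLE_ID_TOKEN, SAMPLE_USERINFO, SAMPLE_SCOPE)


if __name__ == "__main__":
    print("present in ID token:", sorted(jwt_payload(SAMPLE_ID_TOKEN)))
    print("requested but only at userinfo:", sorted(diagnose()))
```

Against the constructed sample the report is that email, email_verified and name were requested and released, but only at userinfo, so a client that reads the ID token alone ends up with nothing beyond sub. With a real token and a real userinfo response from the IdP logs, an empty result means the claims are missing for some other reason.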

