Configuring a SAML application on Cloudflare

Obtain the following URLs from your SaaS application account:

• Entity ID: A unique URL issued for your SaaS application.
• Assertion Consumer Service URL: The service provider’s endpoint for receiving and parsing SAML assertions.

NOTEPlease note that the Identifier (Entity ID) value, along with the Assertion Consumer Service URL, can be located within the SAML tab under the Account Management Settings section within the Blink Platform. Please note the value of the Assertion Consumer Service URL (ACS URL) can be either the Service Provider Login URL (SSO URL) or IdP-Initiated Login URL.The Entity ID : urn:amazon:cognito:sp:eu-west-1_NEemCMO1LAssertion Consumer Service URL: : https://cognito.blinkops.com/saml2/idpresponse.

Navigate to Zero Trust Dashboard

Navigate to the Zero Trust option in the sidebar.

Go to Applications Section

Navigate to application.

Add a New Application

Select Add an applications.

Select SaaS Application Type

Select SaaS.

Name the Application

Enter a unique name in the Application field, like BlinkOps, and hit Enter since the BlinkOps application might not be included.

Enter SAML Settings

Enter the Entity ID and Assertion Consumer Service URL obtained from your SaaS application account.

INFOThe Entity ID : urn:amazon:cognito:sp:eu-west-1_NEemCMO1LAssertion Consumer Service URL : https://cognito.blinkops.com/saml2/idpresponse.

Select Name ID Format

Select the Name ID Format expected by your SaaS application (usually Email).

Add SAML Attribute Statements

Scroll down to the SAML attribute statements section and add the following key-value pairs, and then click Next.

INFOIdP groups
If you are using Okta, AzureAD, Google Workspace, or GitHub as your IdP, Access will automatically send a SAML attribute titled groups with all of the user’s associated groups as attribute values.

Configure Optional App Launcher Settings

Set Block Page Behavior

Under Block pages, choose what end users will see when they are denied access to the application:

• Cloudflare default: Reload the login page and display a block message below the Cloudflare Access logo. The default message is “That account does not have access”, or you can enter a custom message.
• Redirect URL: Redirect to the specified website.
• Custom page template: Display a custom block page hosted in Zero Trust.

Configure Identity Provider Settings

Next, configure how users will authenticate:

• Select the Identity providers you want to enable for your application.
• (Optional) Turn on Instant Auth if you selected only one IdP and want users to skip the identity provider selection step.
• (Optional) Under WARP authentication identity, allow users to authenticate to the application using their WARP session identity.

Proceed to Next Step

Create a New Access Policy

To control who can access your application, create an Access policy.

Assign a Group to the Policy

Then navigate to the Assign a group section and fill out the following fields.

Configure Role Mapping in Blink

Then head to the SAML tab under the Account Management Settings section within the Blink Platform and click the Role Mapping section and select the applicable values.

**Note:**Please note that within the mapping section, it’s necessary to designate at least one mapping role as an admin with administrative privileges. Otherwise, you will not have the ability to operate within your account as an administrator.

Provide SAML Settings to SaaS Application

Configure the following fields with your SAML SSO-compliant application:

• SSO endpoint
• Access Entity ID or Issuer
• Public key

NOTE
The metadata is available at the URL: <SSO Endpoint>/saml-metadata

Copy Metadata XML

Paste Metadata into Blink

Paste the contents of that file into the designated text field labeled Metadata File.

Save and Complete SSO Configuration