# Configuring a SAML application on Cloudflare

> Instructions on how to configure a SAML SSO application with Cloudflare.

## 1. Get SaaS Application URLs

<Steps>
  <Step title="Obtain the following URLs from your SaaS application account:">
    * **Entity ID**: A unique URL issued for your SaaS application.

    * **Assertion Consumer Service URL:** The service provider’s endpoint for receiving and parsing SAML assertions.

    <Frame>
      <img src="https://mintcdn.com/blinkops-2/ZeD68GD0apWa12JT/img/IdentityProviders/cloudflare-saml.png?fit=max&auto=format&n=ZeD68GD0apWa12JT&q=85&s=d8cb1e8add41e51b65c72425c80f991e" width="1722" height="1076" data-path="img/IdentityProviders/cloudflare-saml.png" />
    </Frame>

    <Note>
      **NOTE**

      The **Identifier (Entity ID)** and **Assertion Consumer Service URL** values can be found in the SAML tab under the Account Management Settings section of the Blink Platform. The **Assertion Consumer Service URL (ACS URL)** value can be either the **Service Provider Login URL (SSO URL)** or the **IdP-Initiated Login URL**.

      **The Entity ID**: `urn:amazon:cognito:sp:eu-west-1_NEemCMO1L`

      **Assertion Consumer Service URL:** [https://cognito.blinkops.com/saml2/idpresponse](https://cognito.blinkops.com/saml2/idpresponse).

      <Frame>
        <img src="https://mintcdn.com/blinkops-2/VXKzhvwYkcutAgt0/img/IdentityProviders/saml.png?fit=max&auto=format&n=VXKzhvwYkcutAgt0&q=85&s=278df00dec265b8a2c9c63742b79d17d" width="1372" height="458" data-path="img/IdentityProviders/saml.png" />
      </Frame>
    </Note>
  </Step>
</Steps>

***

## 2. Add your Application to Access

<Steps>
  <Step title="Navigate to Zero Trust Dashboard">
    Navigate to the **Zero Trust** option in the sidebar.

    <Frame>
      <img src="https://mintcdn.com/blinkops-2/ZeD68GD0apWa12JT/img/IdentityProviders/cloudflare-1.png?fit=max&auto=format&n=ZeD68GD0apWa12JT&q=85&s=65b809cfe81d89adfba9e28239d25ce6" width="3578" height="1982" data-path="img/IdentityProviders/cloudflare-1.png" />
    </Frame>
  </Step>

  <Step title="Go to Applications Section">
    Navigate to **Applications**.

    <Frame>
      <img src="https://mintcdn.com/blinkops-2/ZeD68GD0apWa12JT/img/IdentityProviders/cloudflare-2.png?fit=max&auto=format&n=ZeD68GD0apWa12JT&q=85&s=7e1a8f0dda7513afaa9f2db0baa652a4" width="3582" height="1984" data-path="img/IdentityProviders/cloudflare-2.png" />
    </Frame>
  </Step>

  <Step title="Add a New Application">
    Select **Add an application**.

    <Frame>
      <img src="https://mintcdn.com/blinkops-2/ZeD68GD0apWa12JT/img/IdentityProviders/cloudflare-3.png?fit=max&auto=format&n=ZeD68GD0apWa12JT&q=85&s=d5e73b7f827fd7185c090f549141efe7" width="3584" height="1992" data-path="img/IdentityProviders/cloudflare-3.png" />
    </Frame>
  </Step>

  <Step title="Select SaaS Application Type">
    Select **SaaS**.

    <Frame>
      <img src="https://mintcdn.com/blinkops-2/ZeD68GD0apWa12JT/img/IdentityProviders/cloudflare-4.png?fit=max&auto=format&n=ZeD68GD0apWa12JT&q=85&s=4993c7c32465de1002a087787ba05340" width="3580" height="1998" data-path="img/IdentityProviders/cloudflare-4.png" />
    </Frame>
  </Step>

  <Step title="Name the Application">
    Enter a unique name in the Application field, such as `BlinkOps`, and press **Enter**, since `BlinkOps` might not be included in the list of applications.

    <Frame>
      <img src="https://mintcdn.com/blinkops-2/ZeD68GD0apWa12JT/img/IdentityProviders/cloudflare-5.png?fit=max&auto=format&n=ZeD68GD0apWa12JT&q=85&s=8d93a61af3c3dc5c4c57e6f05491e954" width="3580" height="1984" data-path="img/IdentityProviders/cloudflare-5.png" />
    </Frame>
  </Step>

  <Step title="Enter SAML Settings">
    Enter the **Entity ID** and **Assertion Consumer Service URL** obtained from your SaaS application account.

    <Note>
      **INFO**

      **The Entity ID**: `urn:amazon:cognito:sp:eu-west-1_NEemCMO1L`

      **Assertion Consumer Service URL**: [https://cognito.blinkops.com/saml2/idpresponse](https://cognito.blinkops.com/saml2/idpresponse).
    </Note>

    <Frame>
      <img src="https://mintcdn.com/blinkops-2/ZeD68GD0apWa12JT/img/IdentityProviders/cloudflare-6.png?fit=max&auto=format&n=ZeD68GD0apWa12JT&q=85&s=e6456599d767cb277efd7ded16349585" width="3580" height="1998" data-path="img/IdentityProviders/cloudflare-6.png" />
    </Frame>
  </Step>

  <Step title="Select Name ID Format">
    Select the **Name ID format** expected by your SaaS application (usually Email).

    <Frame>
      <img src="https://mintcdn.com/blinkops-2/ZeD68GD0apWa12JT/img/IdentityProviders/cloudflare-00.png?fit=max&auto=format&n=ZeD68GD0apWa12JT&q=85&s=3481a3df8c998f1e7d6acff79d785fa4" width="3582" height="1984" data-path="img/IdentityProviders/cloudflare-00.png" />
    </Frame>
  </Step>

  <Step title="Add SAML Attribute Statements">
    Scroll down to the **SAML attribute statements** section, add the following **key-value pairs**, then click **Next**.

    <Frame>
      <img src="https://mintcdn.com/blinkops-2/ZeD68GD0apWa12JT/img/IdentityProviders/cloudflare-001.png?fit=max&auto=format&n=ZeD68GD0apWa12JT&q=85&s=d76cda7c3574073d7f59dcc4207ba5f3" width="3584" height="2004" data-path="img/IdentityProviders/cloudflare-001.png" />
    </Frame>

    <Note>
      **INFO**

      **IdP groups**\
      If you are using Okta, AzureAD, Google Workspace, or GitHub as your IdP, Access will automatically send a SAML attribute titled `groups` with all of the user’s associated groups as attribute values.
    </Note>
  </Step>

  <Step title="Configure Optional App Launcher Settings">
    Configure **App Launcher settings** for the application — **this is an optional step.**
  </Step>

  <Step title="Set Block Page Behavior">
    Under **Block pages**, choose what end users will see when they are denied access to the application:

    * **Cloudflare default**: Reload the login page and display a block message below the Cloudflare Access logo. The default message is "That account does not have access", or you can enter a custom message.

    * **Redirect URL**: Redirect to the specified website.

    * **Custom page template**: Display a custom block page hosted in Zero Trust.

    <Frame>
      <img src="https://mintcdn.com/blinkops-2/ZeD68GD0apWa12JT/img/IdentityProviders/cloudflare-7.png?fit=max&auto=format&n=ZeD68GD0apWa12JT&q=85&s=7943134d54ba840b6d0665c43d5caf19" width="3566" height="1988" data-path="img/IdentityProviders/cloudflare-7.png" />
    </Frame>
  </Step>

  <Step title="Configure Identity Provider Settings">
    Next, configure how users will authenticate:

    * Select the Identity providers you want to enable for your application.

    * (Optional) Turn on Instant Auth if you selected only one IdP and want users to skip the identity provider selection step.

    * (Optional) Under WARP authentication identity, allow users to authenticate to the application using their WARP session identity.

    <Frame>
      <img src="https://mintcdn.com/blinkops-2/ZeD68GD0apWa12JT/img/IdentityProviders/cloudflare-8.png?fit=max&auto=format&n=ZeD68GD0apWa12JT&q=85&s=6e596e939e4e557db327b2f6f858bc29" width="3582" height="1984" data-path="img/IdentityProviders/cloudflare-8.png" />
    </Frame>
  </Step>

  <Step title="Proceed to Next Step">
    Select **Next**.
  </Step>
</Steps>

***

## 3. Add an Access Policy

<Steps>
  <Step title="Create a New Access Policy">
    To control who can access your application, create an **Access policy**.

    <Frame>
      <img src="https://mintcdn.com/blinkops-2/ZeD68GD0apWa12JT/img/IdentityProviders/cloudflare-9.png?fit=max&auto=format&n=ZeD68GD0apWa12JT&q=85&s=c3643f7503eb546f6aee6afa392f00fe" width="3584" height="1992" data-path="img/IdentityProviders/cloudflare-9.png" />
    </Frame>
  </Step>

  <Step title="Assign a Group to the Policy">
    Then navigate to the **Assign a group** section and fill out the following fields.

    <Frame>
      <img src="https://mintcdn.com/blinkops-2/ZeD68GD0apWa12JT/img/IdentityProviders/cloudflare-002.png?fit=max&auto=format&n=ZeD68GD0apWa12JT&q=85&s=fdaab77e003076fe4782388fd07b16e0" width="3578" height="1998" data-path="img/IdentityProviders/cloudflare-002.png" />
    </Frame>
  </Step>

  <Step title="Configure Role Mapping in Blink">
    Then go to the **SAML** tab under the **Account Management Settings** section within the Blink Platform, open the **Role Mapping** section, and select the applicable values.

    <Note>**Note:** Within the **mapping** section, you must designate at least one **mapping role** as an **admin** with administrative privileges. Otherwise, you will not be able to operate within your account as an **administrator**.</Note>

    <Frame>
      <img src="https://mintcdn.com/blinkops-2/ZeD68GD0apWa12JT/img/IdentityProviders/okta-12.png?fit=max&auto=format&n=ZeD68GD0apWa12JT&q=85&s=b5669312112cb3942744339938dfa0d9" width="1247" height="805" data-path="img/IdentityProviders/okta-12.png" />
    </Frame>
  </Step>
</Steps>

***

## 4. Configure SSO in your SaaS application

Finally, you will need to configure your SaaS application to require users to log in through Cloudflare Access.

<Steps>
  <Step title="Provide SAML Settings to SaaS Application">
    Configure the following fields with your SAML SSO-compliant application:

    * SSO endpoint
    * Access Entity ID or Issuer
    * Public key

    <Frame>
      <img src="https://mintcdn.com/blinkops-2/ZeD68GD0apWa12JT/img/IdentityProviders/cloudflare-10.png?fit=max&auto=format&n=ZeD68GD0apWa12JT&q=85&s=b41d1eeb39ed9e57277855b064ce6e4e" width="3578" height="1982" data-path="img/IdentityProviders/cloudflare-10.png" />
    </Frame>

    <Info>
      **NOTE**\
      The metadata is available at the URL: `<SSO Endpoint>/saml-metadata`
    </Info>
  </Step>

  <Step title="Copy Metadata XML">
    Copy the contents of the file found at the URL `<SSO Endpoint>/saml-metadata`. Then navigate to the **Metadata File** section within the **SAML** tab in your **Account Management Settings**.
  </Step>

  <Step title="Paste Metadata into Blink">
    Paste the **contents of that file** into the designated text field labeled **Metadata File**.

    <Frame>
      <img src="https://mintcdn.com/blinkops-2/ZeD68GD0apWa12JT/img/IdentityProviders/custom-saml.png?fit=max&auto=format&n=ZeD68GD0apWa12JT&q=85&s=bb563de597afd26f2972878aabdd005b" width="1722" height="1076" data-path="img/IdentityProviders/custom-saml.png" />
    </Frame>
  </Step>

  <Step title="Save and Complete SSO Configuration">
    Then click **Save Settings** in the bottom-right corner. Your application will appear on the Applications page.
  </Step>
</Steps>

***
