Trustbuilder MFA by inWebo

CloudFlare - SAML integration

This page describes a SAML integration between Cloudflare (the service provider) and TrustBuilder MFA (the identity provider).

Prerequisites

  • A Cloudflare console with administrator rights

  • A TrustBuilder MFA service with administrator rights

Configuration

The configuration consists of an exchange of metadata between the SP (Cloudflare) and the IdP (TrustBuilder): each provides its metadata to the other. Then, it is necessary to make sure that TrustBuilder provides attributes that match the attributes required by Cloudflare.

Step 1: Create TrustBuilder SAML connector

  1. Login to your TrustBuilder MFA administration console.

  2. Go to the Secure Sites tab.

  3. In the "Connectors" section, click on Add a connector of type… and select SAML 2.0.

  4. Name your connector.

  5. Click on Add to create the connector.
    This will bring up the TrustBuilder (the Identity Provider) metadata.

  6. Click on "Download the Idp SAML 2.0 metadata in XML format" to save the TrustBuilder metadata. You will need it later in the Cloudflare configuration.

  7. Keep this connector window open. You will need to copy/paste the Issuer URL and Single Sign On URL to Cloudflare later in the configuration.

Step 2: Cloudflare configuration

  1. In Zero Trust, go to Settings > Authentication.

  2. In the Login methods section, click on Add new and select SAML.

  3. Choose a descriptive name for TrustBuilder.

  4. Drop the TrustBuilder metadata (the XML file previously downloaded) onto the form to upload it.
    The Single sign-on URL, the Entity ID or Issuer URL, and the Signing certificate parameters are filled in automatically from the metadata.

  5. Click Save.

Step 3: Generate Cloudflare metadata

To allow Cloudflare and TrustBuilder to communicate, you must generate the Cloudflare (SP) metadata and provide it to TrustBuilder (the IdP).

Use the following Cloudflare endpoint to download its metadata: https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/saml-metadata

You can find your team's name in Zero Trust under Settings > Custom Page.


Step 4: Finalize TrustBuilder SAML connector

  1. In TrustBuilder SAML 2.0 connector, paste the Cloudflare (SP) metadata.

  2. Click on Update to save the configuration and unlock the remaining parameters.

  3. Configure the SAML attributes to match the attributes expected by Cloudflare.
    In this integration, Cloudflare uses the Name ID attribute set to the Email format, carrying the user's emailAddress value.

    Set TrustBuilder Connector as below.

  4. Click on Update to save the configuration.

  5. If not automatically created, add the Secure Site associated to the connector (Secure Sites tab > Add a Secure Site of type … > Select your connector’s name).
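
Before exchanging the two metadata files (Step 3 for Cloudflare, Step 4 for TrustBuilder), it is worth checking that each one says what the other side expects: the SP's entity ID and AssertionConsumerService URLs must be https URLs on your own `<team-name>.cloudflareaccess.com` host, the IdP metadata must carry the signing certificate Cloudflare fills in automatically, and both sides must agree on the emailAddress Name ID format described in Step 4. The following script is an added example, not code from the TrustBuilder documentation or from Cloudflare; the two metadata documents embedded in it are constructed samples that follow the SAML 2.0 metadata schema, with the team name `example-team`, the IdP host `idp.example.invalid`, the `/cdn-cgi/access/callback` path and the certificate body all being placeholders rather than values taken from either product.

```python
"""Sanity-check SAML SP and IdP metadata before exchanging them.

Added example; the metadata below is constructed, not exported from
Cloudflare or TrustBuilder. Team name, IdP host, callback path and the
certificate body are placeholders.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Standard SAML Name ID format for an e-mail address.
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed SP metadata (placeholder team name "example-team").
SP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://example-team.cloudflareaccess.com/cdn-cgi/access/callback">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      AuthnRequestsSigned="false" WantAssertionsSigned="true">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-team.cloudflareaccess.com/cdn-cgi/access/callback" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed IdP metadata (placeholder host and certificate body).
IDP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.invalid/saml/cloudflare-connector">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIB-PLACEHOLDER-CERTIFICATE-BODY</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.invalid/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def summarize_sp(xml_text):
    """Extract the SP fields the IdP side needs to know about."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    return {
        "entity_id": root.get("entityID"),
        "acs_urls": [e.get("Location") for e in sp.findall("md:AssertionConsumerService", NS)],
        "nameid_formats": [(e.text or "").strip() for e in sp.findall("md:NameIDFormat", NS)],
        "wants_signed_assertions": sp.get("WantAssertionsSigned", "false").lower() == "true",
    }


def summarize_idp(xml_text):
    """Extract the IdP fields the SP side needs: issuer, SSO URL, signing certs."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    # A KeyDescriptor without a "use" attribute is valid for signing as well.
    certs = [
        kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS).strip()
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use", "signing") == "signing"
    ]
    return {
        "entity_id": root.get("entityID"),
        "sso_urls": [e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)],
        "nameid_formats": [(e.text or "").strip() for e in idp.findall("md:NameIDFormat", NS)],
        "signing_certs": [c for c in certs if c],
    }


def check_pair(sp_xml, idp_xml, team_name):
    """Return a list of problems; an empty list means the pair looks consistent."""
    sp, idp = summarize_sp(sp_xml), summarize_idp(idp_xml)
    problems = []
    expected_host = f"{team_name}.cloudflareaccess.com"
    # Every SP endpoint must be https on the team's own Access host.
    for url in [sp["entity_id"], *sp["acs_urls"]]:
        parsed = urlparse(url or "")
        if parsed.scheme != "https" or parsed.hostname != expected_host:
            problems.append(f"SP URL {url!r} is not https on {expected_host}")
    if not sp["acs_urls"]:
        problems.append("SP metadata lists no AssertionConsumerService")
    # Cloudflare fills its Signing certificate field from this element.
    if not idp["signing_certs"]:
        problems.append("IdP metadata carries no signing certificate")
    for url in idp["sso_urls"]:
        if urlparse(url or "").scheme != "https":
            problems.append(f"IdP SSO URL {url!r} is not https")
    # Step 4 requires the emailAddress Name ID format on the IdP side.
    if EMAIL_NAMEID not in idp["nameid_formats"]:
        problems.append("IdP does not advertise the emailAddress NameID format")
    if sp["nameid_formats"] and EMAIL_NAMEID not in sp["nameid_formats"]:
        problems.append("SP does not accept the emailAddress NameID format")
    return problems


if __name__ == "__main__":
    for line in check_pair(SP_METADATA, IDP_METADATA, "example-team") or ["metadata pair looks consistent"]:
        print(line)
```

Run it against the real files by reading them from disk in place of the constructed strings and passing your actual team name; any line it prints is something to fix on one side before clicking Update in TrustBuilder.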
Test the integration

To apply TrustBuilder MFA during the enrollment process of the Cloudflare WARP agent:

  1. Go to Zero Trust > Settings > WARP Client.

  2. Under Device enrollment, click on Manage.

  3. Navigate to Authentication and select the SAML TrustBuilder identity provider.

  4. Test the integration: