cloudflare · ranbel · Jan 23, 2025 · Jan 23, 2025
@@ -44,9 +44,8 @@ This guide covers how to configure [Adobe Acrobat Sign](https://helpx.adobe.com/
    * **Entity ID**: Entity ID/SAML Audience from Adobe Acrobat Sign SAML SSO configuration.
    * **Assertion Consumer Service URL**: Assertion Consumer URL from Adobe Acrobat Sign SAML SSO configuration.
    * **Name ID format**: *Email*
-2. Select **Save configuration**.
-3. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
-4. Select **Done**.
+2. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
+3. Save the application.
 
 ## 4. Test the integration and finalize configuration
 

@@ -32,21 +32,11 @@ sidebar:
    | **Assertion Consumer Service URL** | `https://horizon.area1security.com/api/users/saml` |
    | **Name ID Format**                 | *Email*                                            |
 
-6. (Optional) Configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) for the application.
+6. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
 
-7. Choose the **Identity providers** you want to enable for your application.
+7. Save the application.
 
-8. Turn on **Instant Auth** if you are selecting only one login method for your application, and would like your end users to skip the identity provider selection step.
-
-9. Select **Next**.
-
-## 2. Add an Access policy
-
-1. To control who can access your application, [create an Access policy](/cloudflare-one/policies/access/).
-
-2. Select **Next**.
-
-## 3. Configure SSO for Area 1
+## 2. Configure SSO for Area 1
 
 Finally, you will need to configure Area 1 to allow users to log in through Cloudflare Access.
 
@@ -74,6 +64,4 @@ Finally, you will need to configure Area 1 to allow users to log in through Clou
 
 7. Select **Update Settings**.
 
-8. In Zero Trust, select **Done**.
-
-Your application will appear on the **Applications** page. If you added the application to your App Launcher, you can test the integration by going to `<your-team-name>.cloudflareaccess.com`.
+If you added the application to your App Launcher, you can test the integration by going to `<your-team-name>.cloudflareaccess.com`.
@@ -26,9 +26,8 @@ This guide covers how to configure [Asana](https://help.asana.com/hc/en-us/artic
    * **Assertion Consumer Service URL**: `https://app.asana.com/-/saml/consume`
    * **Name ID format**: *Email*
 7. Copy the **SSO endpoint** and **Public key**.
-8. Select **Save configuration**.
-9. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
-10. Select **Done**.
+8. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
+9. Save the application.
 
 ## 2. Add a SAML SSO provider to Asana
 

@@ -24,7 +24,7 @@ This guide covers how to configure [Atlassian Cloud](https://support.atlassian.c
 4. For the authentication protocol, select **SAML**.
 5. Select **Add application**.
 6. Copy the **Access Entity ID or Issuer**, **Public key**, and **SSO endpoint**.
-7. Keep this window open without selecting **Select configuration**. You will finish this configuration in step [4. Finish adding a SaaS application to Cloudflare Zero Trust](#4-finish-adding-a-saas-application-to-cloudflare-zero-trust).
+7. Keep this window open. You will finish this configuration in step [4. Finish adding a SaaS application to Cloudflare Zero Trust](#4-finish-adding-a-saas-application-to-cloudflare-zero-trust).
 
 ## 2. Create a x.509 certificate
 
@@ -38,13 +38,9 @@ This guide covers how to configure [Atlassian Cloud](https://support.atlassian.c
 3. For **Directory name**, enter your desired name. For example, you could enter `Cloudflare Access`.
 4. Select **Add** > **Set up SAML single sign-on** > **Next**.
 
-:::note
-
-
-This screen will advise you to create an authentication policy before proceeding. You will do this in step [5. Create an application policy to test integration](#5-create-an-authentication-policy-to-test-integration).
-
-
-:::
+		:::note
+		This screen will advise you to create an authentication policy before proceeding. You will do this in step [5. Create an application policy to test integration](#5-create-an-authentication-policy-to-test-integration).
+		:::
 
 5. Fill in the following fields:
    * **Identity provider Entity ID**: Access Entity ID or Issuer from application configuration in Cloudflare Zero Trust.
@@ -62,9 +58,8 @@ This screen will advise you to create an authentication policy before proceeding
    * **Entity ID**: Service provider entity URL from Atlassian Cloud SAML SSO set-up.
    * **Assertion Consumer Service URL**: Service provider assertion comsumer service URL from Atlassian Cloud SAML SSO set-up.
    * **Name ID format**: *Email*
-2. Select **Save configuration**.
-3. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
-4. Select **Done**.
+2. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
+3. Save the application.
 
 ## 5. Create an authentication policy to test integration
 

@@ -40,9 +40,8 @@ Next, we will obtain **Identity provider metadata** from Zero Trust.
    1. Copy the **SAML Metadata endpoint**.
    2. In a separate browser window, go to the SAML Metadata endpoint (`https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/sso/saml/xxx/saml-metadata`).
    3. Save the page as `access_saml_metadata.xml`.
-9. Save your SaaS application configuration.
-10. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
-11. Select **Done**.
+9. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
+10. Save the application.
 
 ## 3. Complete AWS configuration
 
@@ -60,7 +59,7 @@ Access for SaaS does not currently support [SCIM provisioning](/cloudflare-one/i
 
 1. Users are created in both your identity provider and AWS.
 2. Users have matching usernames in your identity provider and AWS.
-3. Usernames are email addresses. This is the only format AWS supports with third-party SSO providers. 
+3. Usernames are email addresses. This is the only format AWS supports with third-party SSO providers.
    :::
 
 ## 4. Test the integration

@@ -26,9 +26,8 @@ This guide covers how to configure [Braintree](https://developer.paypal.com/brai
    * **Assertion Consumer Service URL**: `https://www.placeholder.com`
    * **Name ID format**: *Email*
 7. Copy the **SSO endpoint** and **Public key**.
-8. Select **Save configuration**.
-9. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
-10. Select **Done**.
+8. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
+9. Save the application.
 
 ## 2. Enable SSO Configuration in Braintree
 

@@ -28,9 +28,8 @@ This guide covers how to configure [Coupa](https://compass.coupa.com/en-us/produ
    * **Name ID format**: *Email*
 7. Copy the **Access Entity ID or Issuer** and **SAML Metadata Endpoint**.
 8. In **Default relay state**, enter `https://<your-subdomain>.coupahost.com/sessions/saml_post`.
-9. Select **Save configuration**.
-10. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
-11. Select **Done**.
+9. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
+10. Save the application.
 
 ## 2. Download the metadata file
 

@@ -27,9 +27,8 @@ This guide covers how to configure [Digicert](https://docs.digicert.com/en/certc
    * **Assertion Consumer Service URL**: `https://www.digicert.com/account/sso/`
    * **Name ID format**: *Email*
 7. Copy the **SAML Metadata endpoint**.
-8. Select **Save configuration**.
-9. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
-10. Select **Done**.
+8. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
+9. Save the application.
 
 ## 2. Add a SAML SSO provider in Digicert
 

@@ -45,20 +45,17 @@ This guide covers how to configure [Docusign](https://support.docusign.com/s/doc
 
 7. Set an Access policy (for example, create a policy based on _Emails ending in @example.com_).
 
-8. Copy and save SSO Endpoint, Entity ID and Public Key.
+8. Copy and save the **SSO Endpoint**, **Entity ID** and **Public Key**.
 
-   :::note
+9. Transform the **Public Key** into a fingerprint:
 
-   The Public key must be transformed into a fingerprint. To do that:
+		1. Copy the **Public Key** Value.
 
-9. Copy the Public Key Value.
+		2. Paste the **Public Key** into VIM or another code editor.
 
-10. Paste the Public Key into VIM or another code editor.
+		3. Wrap the value in `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`.
 
-11. Wrap the value in `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`.
-
-12. Set the file extension to `.crt` and save.
-    :::
+		4. Set the file extension to `.crt` and save.
 
 ## 2. Configure your DocuSign SSO instance
 

@@ -26,9 +26,8 @@ This guide covers how to configure [Dropbox](https://help.dropbox.com/security/s
    * **Assertion Consumer Service URL**: `https://www.dropbox.com/saml_login`
    * **Name ID format**: *Email*
 7. Copy the **SSO endpoint** and **Public key**.
-8. Select **Save configuration**.
-9. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
-10. Select **Done**.
+8. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
+9. Save the application.
 
 ## 2. Create a certificate file
 

@@ -62,24 +62,22 @@ Some SaaS applications provide the Redirect URL after you [configure the SSO pro
     | Key endpoint           | Returns the current public keys used to [verify the Access JWT](/cloudflare-one/identity/authorization-cookie/validating-json/) <br/> `https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/sso/oidc/<client-id>/jwks`                                   |
     | User info endpoint     | Returns all user claims in JSON format <br/> `https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/sso/oidc/<client-id>/userinfo`                                                                                                                        |
 
-11. (Optional) Configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering the URL that users should be sent to when they select the tile.
+11. Add [Access policies](/cloudflare-one/policies/access/) to control who can connect to your application. All Access applications are deny by default -- a user must match an Allow policy before they are granted access.
 
-12. <Render file="access/access-block-page" />
+12. <Render file="access/access-choose-idps" product="cloudflare-one" />
 
-13. <Render file="access/access-choose-idps" />
+13. Select **Next**.
 
-14. Select **Save configuration**.
+14. (Optional) Configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) for the application.
 
-## 3. Add an Access policy
+15. <Render file="access/access-block-page" product="cloudflare-one" />
 
-1. To control who can access the SaaS application, [create an Access policy](/cloudflare-one/policies/access/).
+16. Select **Save application**.
 
-2. Select **Done**.
-
-## 4. Configure SSO in your SaaS application
+## 3. Configure SSO in your SaaS application
 
 Next, configure your SaaS application to require users to log in through Cloudflare Access. Refer to your SaaS application documentation for instructions on how to configure a third-party OIDC SSO provider.
 
-## 5. Test the integration
+## 4. Test the integration
 
 Open an incognito browser window and go to the SaaS application's login URL. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider.
@@ -48,19 +48,17 @@ Obtain the following URLs from your SaaS application account:
 If you are using Okta, Microsoft Entra ID (formerly Azure AD), Google Workspace, or GitHub as your IdP, Access will automatically send a SAML attribute titled `groups` with all of the user's associated groups as attribute values.
 :::
 
-11. (Optional) Configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) for the application.
+11. Add [Access policies](/cloudflare-one/policies/access/) to control who can connect to your application. All Access applications are deny by default -- a user must match an Allow policy before they are granted access.
 
-12. <Render file="access/access-block-page" />
+12. <Render file="access/access-choose-idps" product="cloudflare-one" />
 
-13. <Render file="access/access-choose-idps" />
+13. Select **Next**.
 
-14. Select **Save configuration**.
+14. (Optional) Configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) for the application.
 
-## 2. Add an Access policy
+15. <Render file="access/access-block-page" product="cloudflare-one" />
 
-1. To control who can access the SaaS application, [create an Access policy](/cloudflare-one/policies/access/).
-
-2. Select **Done**.
+16. Select **Save application**.
 
 ## 3. Configure SSO in your SaaS application
 

@@ -27,9 +27,8 @@ This guide covers how to configure [GitHub Enterprise Cloud](https://docs.github
    * **Assertion Consumer Service URL**: `https://github.com/orgs/<your-organization>/saml/consume`
    * **Name ID format**: *Email*
 7. Copy the **SSO endpoint**, **Access Entity ID or Issuer**, and **Public key**.
-8. Select **Save configuration**.
-9. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
-10. Select **Done**.
+8. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
+9. Save the application.
 
 ## 2. Create a x.509 certificate
 

@@ -37,9 +37,8 @@ When configuring Google Cloud with Access, the following limitations apply:
    - **Assertion Consumer Service URL**: `https://www.google.com/a/<your_domain.com>/acs`
    - **Name ID format**: _Email_
 7. Copy the **SSO endpoint**, **Access Entity ID or Issuer**, and **Public key**.
-8. Select **Save configuration**.
-9. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
-10. Select **Done**.
+8. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
+9. Save the application.
 
 ## 2. Create a x.509 certificate
 

@@ -38,9 +38,11 @@ The integration of Access as a single sign-on provider for your Google Workspace
 When you put your Google Workspace behind Access, users will not be able to log in using [Google](/cloudflare-one/identity/idp-integration/google/) or [Google Workspace](/cloudflare-one/identity/idp-integration/gsuite/) as an identity provider.
 :::
 
-4. On the next page, [create an Access policy](/cloudflare-one/policies/access/) for your application. For example, you could allow users with an `@your_domain.com` email address.
+4. [Create an Access policy](/cloudflare-one/policies/access/) for your application. For example, you could allow users with an `@your_domain.com` email address.
 
-5. On the next page, you will see your **SSO endpoint**, **Access Entity ID or Issuer**, and **Public key**. These values will be used to configure Google Workspace.
+5. Copy the **SSO endpoint**, **Access Entity ID or Issuer**, and **Public key**. These values will be used to configure Google Workspace.
+
+6. Save the application.
 
 ## 2. Create a certificate from your public key
 

@@ -25,10 +25,9 @@ This guide covers how to configure [Grafana Cloud](https://grafana.com/docs/graf
 7. In **Redirect URLs**, enter `https://<your-grafana-domain>/login/generic_oauth`.
 8. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/) if the protocol is supported by your IdP. PKCE will be performed on all login attempts.
 9. Copy the **Client secret**, **Client ID**, **Token endpoint**, and **Authorization endpoint**.
-10. Select **Save configuration**.
-11. (Optional) configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https://<your-grafana-domain>/login`.
-12. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
-13. Select **Done**.
+10. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
+11. (Optional) In **Experience settings**, configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https://<your-grafana-domain>/login`.
+12. Save the application.
 
 ## 2. Add a SSO provider to Grafana Cloud
 

@@ -15,11 +15,7 @@ This guide covers how to configure [Grafana](https://grafana.com/docs/grafana/la
 * Admin access to a Grafana account
 
 :::note
-
-
 You can also configure OIDC SSO for Grafana using a [configuration file](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/generic-oauth/#configure-generic-oauth-authentication-client-using-the-grafana-configuration-file) instead of using Grafana's user interface (UI), as documented in this guide.
-
-
 :::
 
 ## 1. Add a SaaS application to Cloudflare Zero Trust
@@ -33,10 +29,9 @@ You can also configure OIDC SSO for Grafana using a [configuration file](https:/
 7. In **Redirect URLs**, enter `https://<your-grafana-domain>/login/generic_oauth`.
 8. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/) if the protocol is supported by your IdP. PKCE will be performed on all login attempts.
 9. Copy the **Client secret**, **Client ID**, **Token endpoint**, and **Authorization endpoint**.
-10. Select **Save configuration**.
-11. (Optional) configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https://<your-grafana-domain>/login`.
-12. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
-13. Select **Done**.
+10. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
+11. (Optional) In **Experience settings**, configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https://<your-grafana-domain>/login`.
+12. Save the application.
 
 ## 2. Add a SSO provider to Grafana
 

@@ -22,7 +22,7 @@ This guide covers how to configure [Greenhouse Recruiting](https://support.green
 4. For the authentication protocol, select **SAML**.
 5. Select **Add application**.
 6. Copy the **SAML Metadata endpoint**.
-7. Keep this window open without selecting **Select configuration**. You will finish this configuration in step [4. Finish adding a SaaS application to Cloudflare Zero Trust](#4-finish-adding-a-saas-application-to-cloudflare-zero-trust).
+7. Keep this window open. You will finish this configuration in step [4. Finish adding a SaaS application to Cloudflare Zero Trust](#4-finish-adding-a-saas-application-to-cloudflare-zero-trust).
 
 ## 2. Download the metadata file
 
@@ -43,9 +43,8 @@ This guide covers how to configure [Greenhouse Recruiting](https://support.green
    * **Entity ID**: `greenhouse.io`
    * **Assertion Consumer Service URL**: SSO Assertion Consumer URL from SSO configuration in Greenhouse Recruiting.
    * **Name ID format**: *Email*
-2. Select **Save configuration**.
-3. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
-4. Select **Done**.
+2. Configure [Access policies](/cloudflare-one/policies/access/) for the application.
+3. Save the application.
 
 ## 5. Test the integration and finalize configuration