Before today, you could setup Access if you used GSuite, Okta or Azure AD to manage your employee accounts. Today we would like to announce support for two more Identity Providers with Cloudflare Access: Centrify and OneLogin.

We launched Cloudflare Access earlier this year and have been overwhelmed by the response from our customers and community. Customers tell us they love the simplicity of setting up Access to secure applications and integrate with their existing identity provider solution. Access helps customers implement a holistic solution for both corporate and remote employees without having to use a VPN.

If you are using Centrify or OneLogin as your identity provider you can now easily integrate them with Cloudflare Access and have your team members login with their accounts to securely reach your internal tools.

Oh and one last thing, We have a new generic connector which allows you to integrate any OIDC based identity provider with Cloudflare Access. OpenID Connect (OIDC) is supported by many identity providers (some popular OIDC based Identity Providers are Ping Identity and Forgerock)

If you’re eager to get started, steps are below for configuring OneLogin, Centrify and a custom OIDC provider. Each take about 3-5 minutes. Hope you enjoy!

Login to your Centrify admin portal and click on apps.

Click on Add Web Apps and navigate to custom tab. Scroll down and click Add on OpenID Connect.

Click Yes on the Application modal to create an OpenID Connect app.

Enter an Application ID and click save.

Navigate to the trust tab and enter a strong application secret. Under the Service Provider configuration enter your application's authentication domain as the Resource application URL. Click Add on Authorized redirect URIs and put your authentication domain/cdn-cgi/access/callback. Click Save.

Now copy your Client ID, Client Secret, OpenID Connect Issuer URL without the forward slash and Application ID from Settings tab in the Centrify dashboard and then paste them into the Cloudflare dashboard.

Login to your Onelogin admin portal and click on custom connectors.

Click on New Connector

Name the connector and select OpenID Connect as the sign on method.In the redirect URI field, put your authentication domain/cdn-cgi/access/callback. Click Save.

Click on More Actions and select Add App to Connector.

Name the app and click save.

Navigate to the SSO tab and click on show client secret.

Now copy your Client ID and Client Secret from the Onelogin dashboard and then paste them into the Cloudflare dashboard.

The following are the information you would need from your identity provider into the Cloudflare Dashboard.

• Client ID and Client Secret: IdPs let you create a client or an app for each custom integration. You can create one for Access and grab the client id and secret.

• Auth URL: This is the authorization_endpoint URL of your IdP.

• Token URL: This is the token_endpoint URL of your IdP.

• Certificate URL: The jwks_uri endpoint of your IdP is where you get the keys used by the IdP to sign the tokens.

All the above endpoint values can be obtained from your IdP's OIDC discovery endpoint which is also called as the well-known URL. For example if you use Ping as your identity the URL would be <hostname>/.well-known/openid-configuration

Give your IdP connector a name of your choice by entering it in the Name field.

In your IdP's Authorized redirect URI field, put your authentication domain/cdn-cgi/access/callback URL.

CC BY-SA 2.0 image by William Warby

There’s a second problem with the traditional security perimeter model. It either requires employees to be on the corporate network (i.e. physically in the office) or using a VPN, which slows down work because every page load makes extra round trips to the VPN server. After all this hassle, users on the VPN are still highly susceptible to phishing, on-path and SQL injection attacks.

A few years ago, Google pioneered a solution for their own employees called BeyondCorp. Instead of keeping their internal applications on the intranet, they made them accessible on the internet. There became no concept of in or outside the network. The network wasn’t some fortified citadel, everything was on the internet, and no connections were trusted. Everyone had to prove they are who they say they are.

Cloudflare’s mission has always been to democratize the tools of the internet giants. Today we are launching Cloudflare Access: a perimeter-less access control solution for cloud and on-premise applications. It’s like BeyondCorp, but you don’t have to be a Google employee to use it.

Access acts as an unified reverse proxy to enforce access control by making sure every request is:

Authenticated: Access integrates out of the box with most of the major identity providers like Google, Azure Active Directory and Okta meaning you can quickly connect your existing identity provider to Cloudflare and use the groups and users already created to gate access to your web applications. You can additionally use TLS with Client Authentication and limit connections only to devices with a unique client certificate. Cloudflare will ensure the connecting device has a valid client certificate signed by the corporate CA, then Cloudflare will authenticate user credentials to grant access to an internal application.

Authorized: The solution lets you easily protect application resources by configuring access policies for groups and individual users that you already created with your identity providers. For example, you could ensure with Access that only your company employees can get to your internal kanban board, or lock down the wp-admin of your wordpress site.

Encrypted: As Cloudflare makes all connections secure with HTTPS there is no need for a VPN.

To all the IT administrators who’ve been chastised by a globetrotting executive about how slow the VPN makes the Internet, Access is the perfect solution. It enables you to control and monitor access to applications by providing the following features via the dashboard and APIs:

• Easily change access policies

• Modify session durations

• Revoke existing user sessions

• Centralized logging for audit and change logs

Want an even faster connection to replace your VPN? Try pairing Access with Argo. If you want to use Access in front of an internal application but don’t want to open up that application to the whole internet, you can combine Access with Argo Tunnel. Argo Tunnel will make Cloudflare your application’s internet connection so you don’t even need a public IP. If you want to use Access in front of a legacy application and protect that application from unpatched vulnerabilities in legacy software, you can just click to enable the Web Application Firewall and Cloudflare will inspect packets and block those with exploits.

Cloudflare Access allows employees to connect to corporate applications from any device, any place and on any kind of network. Access is powered by Cloudflare’s global network of 120+ data centers offering adequate redundancy and DDoS protection and proximity to wherever your employees or corporate office might be.

Access takes 5-10 minutes to setup and is free to try for up to one user (beyond that it’s $3 per seat per month, and you can contact sales for bulk discounts). Cloudflare Access is fully available for our enterprise customers today and in open beta for our Free, Pro and Business plan customers. To get started, go to the Access tab of the Cloudflare dashboard.