This article provides step-by-step instructions on how to configure Cloudflare SAML Single Sign-On (SSO) for the HashiCorp Cloud Platform (HCP). The process is similar to other SSO providers, but this guide specifically details the steps for Cloudflare.
1. Configure SSO
Follow these steps to configure SSO for your HCP account:
- Log in to your HCP account.
- Navigate to Settings > Identity & Access Management (IAM) > SSO.
- Click Configure SSO for your Organization. The Setup SAML SSO page appears, where you will enter the required information for Cloudflare.
- Assign a default organization role. This is the role HCP grants to users who join the organization through SSO, so pick the least-privileged role that suits most of your users and grant higher roles individually.
2. Verify Your Domain
HCP proves that you control a domain through a DNS TXT record that contains a verification value HCP generates for you. HCP then uses the verified domain to match users' email addresses to your organization for SSO. A domain can be verified for only one HCP organization; attempting to verify a domain that is already bound to another organization fails.
To verify your domain:
- Add the verification TXT record shown on the HCP SSO configuration page to the DNS zone of every email domain your organization uses.
- Return to the HCP Settings page and add your email address domains.
- Click Verify Domains.
If verification succeeds, you can continue configuring SSO. If it fails, your DNS change may not have propagated yet; propagation can take up to 72 hours. Confirm that the TXT record is visible from public DNS (for example with dig or nslookup) before retrying.
3. Configure the Application in Cloudflare
Now that your domain is verified and HCP SSO settings are ready, you can proceed with configuring Cloudflare as the Identity Provider (IdP). In the Cloudflare Zero Trust dashboard, follow these steps to configure the SAML application:
- Go to Zero Trust > Access > Applications.
- Click Add an Application and select SAML as the application type.
- Configure the application with the following settings:
  - Entity ID: paste the Entity ID you copied from the HCP SSO configuration page.
  - ACS URL: https://auth.hashicorp.com/login/callback
    Note: do not use any other ACS URL here; this is the only endpoint at which HCP accepts the SAML assertion.
  - SAML attribute statements (optional): add the following attribute.
    Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    Name Format: unspecified
    IdP Attribute: name-id
- Add a policy and an authentication method:
  - Configure Access policy rules according to your access requirements and the users who should be able to reach the HCP application.
  - Under Zero Trust > Settings > Authentication Method, configure the authentication method you want users to log in with (for example One-time PIN, GitHub, or Azure AD).
4. Verify SSO Application
After saving the Cloudflare application, test the SSO integration by following these steps:
- Open a browser and navigate to: https://portal.cloud.hashicorp.com/
- Enter your email address associated with your HCP account (make sure to use the domain verified in Step 2).
- If the SSO integration is correctly configured, you will be redirected to Cloudflare for authentication. After successful authentication, you will be logged into your HCP account.
Troubleshooting:
- SSO not working: If you are not redirected to Cloudflare at all, confirm that the email domain you entered is one you verified in Step 2, since HCP decides whether to start SSO by matching the email domain. If you are redirected but sign-in fails after you authenticate at Cloudflare, double-check the Cloudflare application settings, especially the ACS URL and the Entity ID.
- Cloudflare authentication issues: Ensure that the authentication method you chose is enabled under Zero Trust > Settings > Authentication Method, as configured in Step 3.
- If you encounter further issues, please contact HashiCorp Support for assistance.
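The checks in the troubleshooting list above can be made concrete by looking at the actual SAML message. The following Python script is an added example and is not part of the original article nor HashiCorp or Cloudflare tooling. It decodes a base64 SAMLResponse (the form value the browser POSTs to the ACS URL, which you can copy from the browser's network inspector after the Cloudflare login) and reports whether the Destination, Audience, NameID and email attribute match what the configuration in Step 3 should produce. The sample response it builds is constructed for offline use; the Entity ID and the Cloudflare team domain in it are placeholders, and the script does not verify the XML signature, so use it only to inspect field values.

```python
"""Inspect a SAMLResponse for the values HCP depends on.

Added example (not HashiCorp or Cloudflare code). Paste the base64 SAMLResponse
that the browser POSTs to the ACS URL into check_saml_response(). The sample from
build_sample_response() is constructed for offline testing; its Entity ID and
team domain are placeholders. XML signatures are not verified here.
"""
import base64
import xml.etree.ElementTree as ET

ACS_URL = "https://auth.hashicorp.com/login/callback"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def check_saml_response(saml_response_b64: str, expected_entity_id: str) -> dict:
    """Return {"ok", "problems", "name_id", "email"} for a base64 SAMLResponse."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    problems = []

    # The IdP reports failures in StatusCode before any assertion is issued.
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append(f"status is {None if status is None else status.get('Value')!r}")

    # Destination must be the HCP callback: anything else means the Cloudflare
    # application was saved with the wrong ACS URL.
    if root.get("Destination") != ACS_URL:
        problems.append(f"Destination is {root.get('Destination')!r}, expected {ACS_URL!r}")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext Assertion (encrypted assertion or error response)")
        return {"ok": False, "problems": problems, "name_id": None, "email": None}

    # Audience must equal the Entity ID copied from the HCP SSO page.
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != expected_entity_id:
        problems.append(f"Audience is {audience!r}, expected {expected_entity_id!r}")

    # NameID carries the user's identity; its domain must be one verified in Step 2.
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        problems.append("missing NameID")

    # The email attribute statement configured in Step 3, sourced from name-id.
    email = None
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == EMAIL_CLAIM:
            email = attr.findtext("saml:AttributeValue", namespaces=NS)
    if email is None:
        problems.append(f"no attribute named {EMAIL_CLAIM!r}")
    elif name_id and email != name_id:
        problems.append(f"email attribute {email!r} differs from NameID {name_id!r}")

    return {"ok": not problems, "problems": problems, "name_id": name_id, "email": email}


def build_sample_response(destination: str, audience: str, name_id: str,
                          attr_name: str = EMAIL_CLAIM) -> str:
    """Constructed, unsigned sample response (placeholder team domain) for offline tests."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{destination}">
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://example-team.cloudflareaccess.com</saml:Issuer>
    <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{attr_name}"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue>{name_id}</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    entity_id = "urn:hcp:placeholder-entity-id"  # placeholder, not a real HCP value
    good = build_sample_response(ACS_URL, entity_id, "alice@example.com")
    print(check_saml_response(good, entity_id))
    bad = build_sample_response("https://wrong.example/acs", entity_id, "alice@example.com")
    print(check_saml_response(bad, entity_id))
```

When run against a real captured response, a non-empty problems list tells you which of the Step 3 fields to fix; an encrypted assertion shows up as the "no plaintext Assertion" problem, in which case inspect the decrypted assertion on the HCP side instead.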