Bước 1. Identity provider

Identity Provider using SAML.

Why

• To control access to your resources, Cloudflare Access needs to verify the identity of users requesting access.

• However, Cloudflare Access does not directly manage user accounts, it relies on Identity Providers (IdPs) to do so.

• By integrating Access with one or more IdPs, you can provide a list of authorized users for Access to verify against.

Steps

As part of this lab, we created a SAML-based IdP named TS² (Trusted SAML Server). TS² is designed to mock a small organization.

Let’s integrate Cloudflare Access with this IdP.

1. Log in

Login to Cloudflare & navigate to the Zero Trust dashboard

2. Verify your Team domain prefix

In your Zero Trust dashboard, navigate to Settings ‣ Custom Pages and verify that your Team domain is set to <LAB_SLUG>.cloudflareaccess.com.

Example:

LAB_SLUG: ancient-uncle

Domain: ancient-uncle.cloudflareaccess.com

3. Create a SAML provider

Open this URL: https://lab.cfiq.io/en/registration/d669fe246bad551500469b17ff6a244a8dfae83a/saml

Here, create an identity provider that you will use throughout the rest of this lab by pasting in your LAB_SLUG.

Download the SAML metadata file by clicking on the provided link:

4. Add a new SAML IdP to your account

Return to the Zero Trust Dashboard, then open Settings ‣ Authentication. In the Login methods card, click Add new and select SAML.

Drag and drop the metadata file you created in step #3 into the Import box on the callout:

5. Test

Press Save, then Test.

ℹ️ It may take up to 60 seconds for the new SAML provider to be provisioned. If you receive an error indicating SAML provider was not found, please wait a while and retry.

When prompted to log in, use the following credentials:

Email: [email protected]

Password: #Savetheinternet

Press Continue

You should see your user’s identity successfully retrieved via the SAML callback

Identity Provider using One-Time PIN (OTP)

Why

• To control access to your resources, Cloudflare Access needs to verify the identity of users requesting access.

• Unlike traditional methods where user accounts are managed directly by Identity Providers (IdPs), One-Time PIN (OTP) offers a simpler way to authenticate users without complex IdP integration.

• Using OTP as the authentication method allow sending a one-time code to the user's email. This can be useful for smaller organizations or cases where setting up a full SAML-based IdP is not necessary.

Steps

1. Log in

2. Verify your Team domain prefix:

3. Enable One-Time PIN Authentication

open Settings ‣ Authentication. In the Login methods card, click Add new and select One-time Pin.

4. Set Up Access Policies to Use OTP (Test)

• Navigate to Access > Applications, and create a new application or edit an existing one.

• Under the Policies tab, create a new policy to define who can access the application.

• Add Policy name , Action and Configure rules in this case i use configure by email

• In the Identity Providers section, select Add an IdP, and choose One-Time PIN as the authentication method.

5. How It Works

I not enable zero trust WARP

when i try to access URL Public : https://zerotrust.tanle.io.vn/ and ZT Cloudflare will redirect me to page authenication : https://hatan.cloudflareaccess.com/

If you access success you will enjoy my URL public : https://zerotrust.tanle.io.vn/ and it's connect during 24 hours .

Best practive:

Hầu hết các doanh nghiệp sử dụng single identity provider làm nguồn thông tin chính xác cho danh mục người dùng của họ. Bạn nên sử dụng nguồn thông tin chính xác này để đưa người dùng công ty của mình vào Zero Trust, chẳng hạn như bằng cách yêu cầu địa chỉ email của công ty đăng nhập bằng nhà cung cấp danh tính chính của bạn. Sau này, bạn có thể thêm các phương thức đăng nhập hoặc nhà cung cấp danh tính khác nếu cần cho bất kỳ nhà thầu, nhà cung cấp hoặc công ty được mua lại nào có thể cần quyền truy cập vào mạng của bạn.