SAML

SAML 2.0

Entra ID as identity provider via SAML federation. XML-based assertion flow — no client secret.


Your Identity

CF Access — /cdn-cgi/access/get-identity

How This Works

SAML uses a redirect-based flow. Cloudflare (the Service Provider / SP) redirects the user to Entra ID (the Identity Provider / IdP) with a SAML AuthnRequest. Entra authenticates the user and posts a signed XML assertion back to Cloudflare's Assertion Consumer Service (ACS) URL. Cloudflare validates the signature using the IdP's certificate, applies the Access policy, and issues its JWT cookie.

Unlike OIDC, there is no client secret. Trust is established through X.509 certificate signing. The SP and IdP exchange metadata to configure each other.
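As an added example (not code from the demo page or from Cloudflare), the checks an SP performs on the posted Response after the xmldsig signature has been verified with the IdP certificate: Destination, Status, Issuer, validity window, Audience, and finally extraction of the emailaddress claim. The namespaces and claim URI are the SAML standard ones; the ACS URL, IdP entity ID and email are constructed placeholders.

```python
# Added example, not part of the demo page: SP-side checks that follow signature verification.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
ACS = "https://example-team.cloudflareaccess.com/cdn-cgi/access/callback"  # placeholder; also SP Entity ID
IDP = "https://idp.example.com/"  # constructed IdP Entity ID

SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z" Destination="{ACS}">
  <saml:Issuer>{IDP}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>{IDP}</saml:Issuer>
    <saml:Conditions NotBefore="2024-05-01T11:55:00Z" NotOnOrAfter="2024-05-01T13:00:00Z">
      <saml:AudienceRestriction><saml:Audience>{ACS}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="{EMAIL_CLAIM}">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def saml_time(s):
    # SAML timestamps are UTC xs:dateTime, e.g. 2024-05-01T12:00:00Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text, idp_entity_id, sp_entity_id, acs_url, now):
    """Return the asserted email or raise ValueError. Call only after the xmldsig signature is verified."""
    root = ET.fromstring(xml_text)  # production code: use a hardened parser such as defusedxml
    if root.get("Destination") != acs_url:
        raise ValueError("Destination is not our ACS URL")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    a = root.find("saml:Assertion", NS)
    if a is None or a.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        raise ValueError("Assertion missing or Issuer is not the configured IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (saml_time(cond.get("NotBefore")) <= now < saml_time(cond.get("NotOnOrAfter"))):
        raise ValueError("Assertion outside its NotBefore/NotOnOrAfter window")
    if sp_entity_id not in [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("Audience does not include our Entity ID")
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == EMAIL_CLAIM:
            return attr.findtext("saml:AttributeValue", namespaces=NS)
    raise ValueError("emailaddress claim not present")
```

Each check fails closed, so a Response replayed to a different team's ACS, issued by an unexpected IdP, or presented after NotOnOrAfter is rejected before any identity is trusted.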

OIDC vs SAML: OIDC is JSON/JWT-based and generally simpler to configure. SAML is XML-based and more common in enterprise environments. Both achieve the same end result with Cloudflare Access — user identity in a JWT cookie. Choose SAML if your organisation mandates it or if you're integrating with a system that only supports SAML.

Entra Configuration

1. Enterprise Application

  1. Entra ID → Enterprise Applications → New application → Create your own application
  2. Name: Cloudflare Access — SAML Demo, select "Integrate any other application you don't find in the gallery"
  3. Go to Single sign-on → SAML

2. Basic SAML Configuration

  1. Entity ID (Identifier): https://<your-team>.cloudflareaccess.com/cdn-cgi/access/callback
  2. Reply URL (ACS URL): https://<your-team>.cloudflareaccess.com/cdn-cgi/access/callback
  3. Leave Sign-on URL blank for IdP-initiated flows

3. Attributes & Claims

Cloudflare Access requires the user's email address. Ensure the claim emailaddress maps to user.mail or user.userprincipalname.

4. Download Certificate

Download the Certificate (Base64) from the SAML Signing Certificate section. You will upload this to Cloudflare.

5. Note IdP Values

Copy the Login URL and Azure AD Identifier (Entity ID) from the Set up section.


Cloudflare Configuration

1. Add Identity Provider

  1. Zero Trust → Settings → Authentication → Add new → SAML
  2. SSO URL: the Login URL from Entra
  3. IdP Entity ID / Issuer: the Azure AD Identifier from Entra
  4. Signing certificate: paste the Base64 certificate content from Entra
  5. Add attribute: name email → claim http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  6. Test the connection before saving

2. Add Access Application

  1. Zero Trust → Access → Applications → Add an Application → Self-hosted
  2. Domain: barbicancloud.co.uk/saml/* (path) or saml.barbicancloud.co.uk (subdomain)
  3. Select the SAML identity provider (deselect One-time PIN)
  4. Add a policy: Action = Allow, Selector = Emails

Routing

Path-based: barbicancloud.co.uk/saml/
Subdomain: saml.barbicancloud.co.uk