• Configure PingFederate to authenticate against an identity provider (IdP) or datastore containing the users requiring application access.
  • PingFederate’s X.509 certificate should be exchanged to verify the signature in SAML assertions.
  • An Email Attribute is required in the assertion, either the SAML Subject or another SAML attribute per the SAML configuration. The value of the Email Attribute must be a valid email address. It is used to uniquely identify the user in the organization.
  • Populate Cloudflare with at least one user to test access.
  1. Create a PingFederate service provider (SP) connection for Cloudflare:
    1. Sign on to the PingFederate administrative console.
    2. Create an SP connection for Cloudflare in PingFederate:
      1. Configure using Browser SSO profile SAML 2.0.
      2. Set Partner’s Entity ID to https://<team name>.cloudflareaccess.com/cdn-cgi/access/callback.
      3. Enable the IDP-Initiated SSO and SP-Initiated SSO SAML profiles.
      4. In Assertion Creation: Attribute Contract, select urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress for SAML_SUBJECT.
      5. In Assertion Creation: Authentication Source Mapping: Authentication Source Mapping, map a new Adapter Instance to HTML Form.
      6. In Assertion Creation: Authentication Source Mapping: Attribute Contract Fulfillment, map SAML_SUBJECT.
      7. In Protocol Settings: Assertion Consumer Service URL, set Binding to POST and set Endpoint URL to /cdn-cgi/access/callback.

        This value is received and updated from Cloudflare.

      8. In Protocol Settings: Allowable SAML Bindings, enable POST.
      9. In Signature Policy, disable Always Sign Assertion and leave Sign Response As Required enabled.
      10. In Credentials: Digital Signature Settings, select the PingFederate Signing Certificate, the Include the Certificate in the Signature <KEY INFO> Element, and the Include the Raw Key in the Signature <KEY INFO> Element check boxes.
    3. Save the configuration.
    4. Export the signing certificate.
    5. Export and then open the metadata file, and copy the value of:
      • The entityID
      • The Location entry (https://<your value>/idp/SSO.saml2)
  2. Add the PingFederate IdP connection to Cloudflare
    1. Sign on to the Cloudflare application and click pingfed.com at the top of the page.
      Screen capture of Cloudflare application with pingfed.com as a search result.
    2. Go to Access > Access App Launch > Setup Access App Launch.
      Screen capture of Setup Access App Launch page in Cloudflare.
    3. Click Save.
    4. Go to Access > Login Methods > Add > SAML.
      Screen capture of Cloudflare Add a SAML identity provider section.
    5. Click Drop or select IdP metadata file to upload to upload the IdP metadata file and enter the Provider Name value.
      Screen capture of Cloudflare Add a SAML identity provider section with metadata uploaded.
    6. Click Save and close the Login Method page.
    7. On the Teams dashboard, go to Settings > Authentication.
    8. In the Login methods section, select SAML + Pingfed.
      Screen capture of Cloudflare for Teams Authentication page.

      The Cloudflare connection configuration is now complete.

    9. Click Test.
    10. After the Cloudflare application redirects to PingFederate, enter the credentials.
      Screen capture of PingFederate sign on page.Screen capture of Cloudflare Access successful connection page.
  3. Test the PingFederate SP-initiated SSO integration:
    1. Go to your Cloudflare Authentication Request URL (for example, https://pingfed.cloudflareaccess.com/) and click Login.
      Screen capture of Cloudflare login page.
    2. Click SAML– PingFed.