🎯 Purpose & Use Cases
Primary Purpose
Replace individual email-based authentication with centralized AWS IAM Identity Center SAML SSO, enabling enterprise-grade identity management across all Cloudflare Zero Trust applications.
Top 3 Use Cases
- Single Sign-On (SSO) Across Multiple Applications
Enable users to authenticate once and access all three Cloudflare Zero Trust applications seamlessly
- Enterprise Identity Management
Centralized user management, group memberships, and authentication policies from AWS console
- Enhanced Security and Compliance
SAML assertions signed by AWS, user enable/disable handled once in IAM Identity Center, and sign-in events logged on both the AWS and Cloudflare sides
Key Benefits
- Centralized identity management
- Eliminates email-based OTP codes (once the One-time PIN login method is removed from each application; leaving it enabled keeps OTP as a valid path)
- Enterprise-grade security controls
- Standardized authentication flow
- Better audit trails and compliance
📋 Prerequisites
Required Accounts & Services
- AWS Account with administrative access
- AWS IAM Identity Center enabled
- Cloudflare Account with Zero Trust subscription
- Domain registered with Cloudflare (ztn.*****.com)
- Existing Cloudflare Zero Trust applications
Tools Required
- AWS CLI (for programmatic access, optional)
- Web browser with access to AWS Console
- Cloudflare Zero Trust dashboard access
- SSH client (for testing SSH Infrastructure)
- WARP client (for SSH Infrastructure testing)
Setup Requirements
- Cloudflare Tunnels already configured and running
- Zero Trust Access applications already created
- SSH server configured with Cloudflare SSH certificates
- User email (ubuntu@*****.com) with access to AWS console
🏗️ Architecture Overview
SAML Authentication Flow
┌─────────────────────────────────────────────────────────────────────────────────┐
│ USER AUTHENTICATION FLOW │
└─────────────────────────────────────────────────────────────────────────────────┘
│
┌──────────────▼──────────────┐
│ User Access │
│ webapp.ztn.*****.com │
│ ssh.ztn.*****.com │
│ ssh ubuntu@172.31.***.*** │
└──────────────┬──────────────┘
│
┌─────────────────────────────────────▼─────────────────────────────────────┐
│ CLOUDFLARE ZERO TRUST │
│ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────────────────┐ │
│ │ Self-hosted │ │ Self-hosted │ │ Infrastructure │ │
│ │ Access App │ │ Access App │ │ Access App │ │
│ │ (Web App) │ │ (SSH Browser) │ │ (SSH Infrastructure) │ │
│ └─────────────────┘ └─────────────────┘ └─────────────────────────────┘ │
│ │ │ │ │
│ └─────────────────────┼───────────────────────────┘ │
│ │ │
│ ┌─────────────────────────────▼─────────────────────────────┐ │
│ │ SAML Identity Provider │ │
│ │ AWS IAM Identity Center │ │
│ │ SSO URL: /saml/assertion │ │
│ │ Entity ID: AWS Identity Center URL │ │
│ └─────────────────────────────┬─────────────────────────────┘ │
└─────────────────────────────────┼─────────────────────────────────────────────┘
│
┌─────────────────────────────────▼─────────────────────────────────────────────┐
│ AWS IAM IDENTITY CENTER │
│ ┌─────────────────────────────────────────────────────────────────────────┐ │
│ │ SAML Application: cf-tunnel │ │
│ │ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────────────┐ │ │
│ │ │ Application │ │ Attribute │ │ User Assignment │ │ │
│ │ │ Metadata │ │ Mappings │ │ │ │ │
│ │ │ ACS URL │ │ Subject: email │ │ User: ubuntu │ │ │
│ │ │ SAML Audience │ │ email: email │ │ Email: ubuntu@*****.com │ │ │
│ │ └─────────────────┘ └─────────────────┘ └─────────────────────────┘ │ │
│ └─────────────────────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────────────────────┘
SAML Authentication Components
| Component | Description | Status |
|---|---|---|
| AWS IAM Identity Center | SAML Identity Provider | Required |
| Cloudflare Zero Trust | SAML Service Provider | Required |
| SAML Application | cf-tunnel application in AWS | Active |
| Access Policies | Updated to use SAML authentication | Active |
🚦 Detailed SAML Authentication Flow
Complete SAML SSO Flow
Step 1: User Access Request
- User opens browser
- Navigates to https://webapp.ztn.*****.com
- DNS resolves to Cloudflare edge
Step 2: Cloudflare Access Policy Evaluation
- Cloudflare identifies self-hosted Access application
- Checks authentication requirements
- No valid session found
- Policy requires SAML authentication
Step 3: SAML Authentication Initiation
- Cloudflare generates SAML AuthnRequest
- Redirects user to AWS IAM Identity Center
- URL: https://portal.sso.region.amazonaws.com/saml/assertion
- Request includes RelayState and SAMLRequest parameters
Step 4: AWS IAM Identity Center Authentication
- User presented with AWS login page
- User enters credentials (ubuntu@*****.com)
- AWS validates user credentials
- AWS checks user assignment to cf-tunnel application
- Authentication successful
Step 5: SAML Response Generation
- AWS generates SAML assertion
- Assertion includes user email and attributes
- Digital signature with AWS certificate
- POST response to Cloudflare callback URL
Step 6: Cloudflare SAML Response Processing
- Cloudflare receives the SAML Response at the callback URL (/cdn-cgi/access/callback)
- Validates the assertion signature against the AWS signing certificate
- Checks that Audience and Recipient match the callback URL and that the assertion has not expired
- Extracts the user email from the email attribute
- Creates a Cloudflare Access session
- Issues a JWT (CF_Authorization cookie) for application access
Step 7: Application Access Grant
- User redirected to original application URL
- Cloudflare validates JWT token
- Request forwarded through tunnel to application
- User gains access to web application
Timeline: ~2-4 seconds for complete SAML flow
⚙️ AWS IAM Identity Center Configuration
SAML Application Configuration
Application Details:
Application Name: cf-tunnel
Application Type: Custom SAML 2.0 application
Application Metadata:
├── Application ACS URL: https://*****.cloudflareaccess.com/cdn-cgi/access/callback
├── Application SAML audience: https://*****.cloudflareaccess.com/cdn-cgi/access/callback
└── Name ID format: emailAddress
Attribute Mappings:
├── Subject: ${user:email} (Format: emailAddress)
└── email: ${user:email} (Format: unspecified)
User Configuration
User Details:
├── Username: ubuntu
├── Email: ubuntu@*****.com
├── First name: Ubuntu
├── Last name: User
├── Display name: Ubuntu User
└── Status: Enabled
User Assignment:
└── User: ubuntu (ubuntu@*****.com)
AWS Metadata Export
Generated URLs (from AWS):
├── SSO URL: https://portal.sso.region.amazonaws.com/saml/assertion/[unique-id]
├── Entity ID: https://portal.sso.region.amazonaws.com/saml/assertion/[unique-id]
└── X.509 Certificate: (PEM format certificate)
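The three values above are what the Cloudflare IdP form needs, and they are easiest to get right by reading them out of the metadata file rather than copying from the console. The following is an added example, not code from these notes or from AWS/Cloudflare: it parses a constructed stand-in for the IAM Identity Center metadata (placeholder region, assertion id and certificate body) and emits the SSO URL, Entity ID and a PEM-wrapped signing certificate with the BEGIN/END lines in place.

```python
"""Pull the three values Cloudflare's SAML IdP form asks for (SSO URL, Entity ID,
signing certificate) out of an IAM Identity Center metadata file and wrap the
certificate in the BEGIN/END lines Cloudflare expects.

Added example, not code from the original notes or from AWS/Cloudflare.
SAMPLE_METADATA is constructed: the region, assertion id and certificate body
are placeholders, not real AWS values.
"""
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
EXAMPLE_URL = "https://portal.sso.example-region.amazonaws.com/saml/assertion/EXAMPLEID"

# Constructed stand-in for the metadata IAM Identity Center exports for a
# custom SAML 2.0 application (sign-in URL and issuer are the same URL, as
# in the notes above; the certificate body is placeholder text, not base64 DER).
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="{EXAMPLE_URL}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{NS['ds']}"><ds:X509Data><ds:X509Certificate>
        MIIDNotARealCertificateBodyJustPlaceholderText0123456789ABCDEFGHIJKLMNOP
        QRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789PlaceholderEnd
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="{REDIRECT_BINDING}" Location="{EXAMPLE_URL}"/>
    <md:SingleSignOnService Binding="{POST_BINDING}" Location="{EXAMPLE_URL}"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def to_pem(b64_body: str) -> str:
    """Strip XML whitespace and wrap at 64 columns between PEM header/footer."""
    compact = "".join(b64_body.split())
    if not compact:
        raise ValueError("empty X509Certificate element")
    lines = textwrap.wrap(compact, 64)
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def parse_idp_metadata(xml_text: str) -> dict:
    """Return the fields to paste into Cloudflare's SAML identity provider form."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    # Prefer the HTTP-POST endpoint, fall back to HTTP-Redirect; the sample
    # publishes the same Location for both, as the notes above show.
    endpoints = {s.attrib.get("Binding"): s.attrib["Location"]
                 for s in idp.findall("md:SingleSignOnService", NS)}
    sso_url = endpoints.get(POST_BINDING) or endpoints.get(REDIRECT_BINDING)
    if sso_url is None:
        raise ValueError("no HTTP-POST or HTTP-Redirect SingleSignOnService endpoint")
    # A KeyDescriptor without a use attribute serves both signing and encryption.
    certs = [
        kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.attrib.get("use", "signing") == "signing"
    ]
    if not certs or not certs[0]:
        raise ValueError("no signing certificate in metadata")
    return {
        "entity_id": root.attrib["entityID"],          # IdP Entity ID / issuer
        "sso_url": sso_url,                             # Single Sign On URL
        "signing_certificate_pem": to_pem(certs[0]),    # Signing certificate
        "name_id_format": idp.findtext("md:NameIDFormat", default="", namespaces=NS),
    }


if __name__ == "__main__":
    for key, value in parse_idp_metadata(SAMPLE_METADATA).items():
        print(f"{key}:\n{value}\n")
```

Run it against the real metadata file downloaded from the cf-tunnel application page instead of SAMPLE_METADATA; if it raises on the KeyDescriptor, the export is SP metadata or is missing the signing key, which is the Issue 1 symptom described later in these notes.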
🔧 Cloudflare Zero Trust Configuration
SAML Identity Provider Settings
Provider Configuration:
├── Name: AWS-IAM-Identity-Center
├── Type: SAML
├── SSO Target URL: [AWS SSO URL from metadata]
├── IdP Entity ID: [AWS Entity ID from metadata]
├── Signing certificate: [AWS X.509 Certificate]
└── Email attribute name: email
SAML Attributes:
├── email: Mapped from SAML assertion
└── Custom attributes: (none for basic setup)
Access Policy Updates
Web Application Policy:
Policy Name: Web-App-SAML-Access
Authentication Requirements:
├── Include Rules:
│ ├── Login Method: AWS-IAM-Identity-Center
│ └── Email: ubuntu@*****.com (fallback)
├── Require Rules: (none for basic setup)
└── Exclude Rules: (none)
Note: Cloudflare evaluates Include rules with OR, Require rules with AND and Exclude rules with NOT. As written, every user assigned to cf-tunnel in AWS satisfies the Login Method rule, and ubuntu@*****.com still satisfies the Email rule through One-time PIN if that login method remains enabled on the application. To limit SAML logins to named users, keep Login Method in Include and move the Email condition to Require.
Session Configuration:
├── Session duration: Same as application
├── Idle timeout: 24 hours
└── Refresh frequency: Weekly
SSH Policies
SSH Browser Policy:
Policy Name: SSH-Browser-SAML-Access
Authentication Requirements:
├── Include Rules:
│ ├── Login Method: AWS-IAM-Identity-Center
│ └── Email: ubuntu@*****.com (fallback)
Connection Rules:
├── SSH users: [ubuntu]
├── SSH certificate: Browser SSH CA
└── Session recording: Enabled
📁 File Structure
Cloudflare Tunnel Files
/home/ubuntu/.cloudflared/ # Cloudflare Tunnel files
├── logs/
│ ├── web-app.log # Web application tunnel logs
│ ├── ssh-browser.log # SSH browser tunnel logs
│ └── ssh-infra.log # SSH infrastructure tunnel logs
├── tunnels/
│ ├── web-app/config.yml # Web tunnel configuration
│ ├── ssh-browser/config.yml # SSH browser tunnel configuration
│ └── ssh-infra/config.yml # SSH infrastructure tunnel configuration
└── *.json # Tunnel credential files
SSH Server Configuration
/etc/ssh/ # SSH server configuration
├── sshd_config # SSH daemon configuration (PubkeyAuthentication yes, TrustedUserCAKeys pointing at the CA files below); sshd itself has no SAML awareness, SAML ends at Cloudflare
├── ca.pub # Infrastructure SSH CA public key
└── ca-browser.pub # Browser SSH CA public key
Management Scripts
/home/ubuntu/ # Management scripts
├── test-saml-sso.sh # SAML testing script
├── check-auth-logs.sh # Authentication log checker
└── tunnel-system-status.sh # Overall system status
📈 Scaling & Management
Add Additional Users to SAML Authentication
Step 1: Create User in AWS IAM Identity Center
AWS Console Steps:
├── IAM Identity Center > Users > Add user
├── Enter user details (email, name)
├── Send email invitation
└── User completes registration
Step 2: Assign User to SAML Application
AWS Console Steps:
├── IAM Identity Center > Applications > cf-tunnel
├── Assigned users tab > Assign users
├── Select new user
└── Save assignment
Step 3: Update Cloudflare Access Policies
Zero Trust Dashboard:
├── Access > Applications > [Select Application]
├── Policies > Edit policy
├── Include rules > Add email condition
└── Add: Email = newuser@*****.com
Add Additional AWS SAML Applications
For Different Environments:
Application Configuration:
├── Name: cf-tunnel-staging
├── ACS URL: https://staging-team.cloudflareaccess.com/cdn-cgi/access/callback
├── SAML audience: https://staging-team.cloudflareaccess.com/cdn-cgi/access/callback
└── Same attribute mappings
IdP Configuration:
├── Name: AWS-IAM-Identity-Center-Staging
├── Use staging application metadata from AWS
└── Configure separate policies
🔧 Common Issues & Solutions
Issue 1: "Invalid login session" Error
Problem:
User successfully authenticates with AWS but receives "Invalid login session" error on Cloudflare callback.
Solution:
Fix AWS Application Metadata:
├── Ensure ACS URL matches: https://[team].cloudflareaccess.com/cdn-cgi/access/callback
├── Ensure SAML audience matches ACS URL exactly
├── Verify attribute mapping: Subject = ${user:email} (emailAddress format)
└── Add additional attribute: email = ${user:email}
Cloudflare IdP Configuration:
├── Use correct SSO Target URL from AWS metadata
├── Use correct Entity ID from AWS metadata
├── Import complete X.509 certificate with BEGIN/END lines
└── Set email attribute name: email
Issue 2: SAML Attribute Mapping Not Working
Problem:
User authenticates successfully but Cloudflare cannot extract email address from SAML assertion.
Solution:
AWS Attribute Mapping (Required):
├── Subject: ${user:email} with Format: emailAddress
└── email: ${user:email} with Format: unspecified
Cloudflare SAML IdP:
└── Email attribute name: email (matches AWS attribute name)
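Issues 1 and 2 are both rejected by the checks a service provider runs on the SAML Response after the signature verifies: the Audience must be the callback URL, and the attribute named in "Email attribute name" must be present. The block below is an added example, not code from these notes or from Cloudflare: it builds a constructed Response (placeholder team name, region and user) and runs those checks, so both failure modes can be reproduced on the bench. Signature verification is deliberately omitted because it needs the AWS certificate and an XML-DSig library such as xmlsec.

```python
"""Run the checks a SAML service provider applies to a Response after the
signature has verified, and reproduce the two failures above: an audience
that is not the Cloudflare callback URL (Issue 1) and an assertion with no
email attribute (Issue 2).

Added example, not code from the original notes or from Cloudflare. The
Response is constructed; signature verification is deliberately omitted (it
needs the AWS certificate and an XML-DSig library such as xmlsec), and the
team name, region and user are placeholders.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# What the Cloudflare side is configured with (placeholders, see docstring).
ACS_URL = "https://example-team.cloudflareaccess.com/cdn-cgi/access/callback"
IDP_ENTITY_ID = "https://portal.sso.example-region.amazonaws.com/saml/assertion/EXAMPLEID"
EMAIL_ATTRIBUTE = "email"


def build_response(audience=ACS_URL, email_attr=True, subject="ubuntu@example.com",
                   valid_minutes=5):
    """Constructed IdP Response; the parameters reproduce the failure modes."""
    expiry = (datetime.now(timezone.utc) + timedelta(minutes=valid_minutes)).strftime(TIME_FMT)
    attrs = ""
    if email_attr:
        attrs = (f'<saml:AttributeStatement><saml:Attribute Name="{EMAIL_ATTRIBUTE}">'
                 f'<saml:AttributeValue>{subject}</saml:AttributeValue>'
                 '</saml:Attribute></saml:AttributeStatement>')
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{EMAIL_NAMEID}">{subject}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="{expiry}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotOnOrAfter="{expiry}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    {attrs}
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, now=None):
    """Return (True, email) if every check passes, else (False, failing check)."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or not status.attrib.get("Value", "").endswith(":Success"):
        return False, "status is not Success"
    if root.attrib.get("Destination") != ACS_URL:
        return False, "Destination is not the callback URL"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no plaintext Assertion (encrypted assertions not handled)"
    if assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        return False, "Issuer is not the configured IdP Entity ID"
    # Cloudflare advertises the callback URL as its SP entity id, so the
    # assertion's Audience must be exactly that URL (the Issue 1 mismatch).
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if ACS_URL not in audiences:
        return False, f"audience {audiences} does not contain the callback URL"
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    conditions = assertion.find("saml:Conditions", NS)
    if scd is None or scd.attrib.get("Recipient") != ACS_URL:
        return False, "Recipient is not the callback URL"
    if conditions is None:
        return False, "no Conditions element"
    for element in (scd, conditions):
        expiry = datetime.strptime(element.attrib["NotOnOrAfter"], TIME_FMT).replace(tzinfo=timezone.utc)
        if now >= expiry:
            return False, "assertion expired (NotOnOrAfter in the past)"
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.attrib.get("Format") != EMAIL_NAMEID:
        return False, "NameID missing or not emailAddress format"
    # The attribute named in Cloudflare's "Email attribute name" field (Issue 2).
    email = assertion.findtext(
        f"saml:AttributeStatement/saml:Attribute[@Name='{EMAIL_ATTRIBUTE}']/saml:AttributeValue",
        namespaces=NS)
    if not email or not email.strip():
        return False, f"no '{EMAIL_ATTRIBUTE}' attribute in the assertion"
    if email.strip().lower() != name_id.text.strip().lower():
        return False, "email attribute and NameID disagree"
    return True, email.strip().lower()
```

To test against a real login, capture the base64 SAMLResponse the browser posts to /cdn-cgi/access/callback, decode it and pass the XML to check_response; the detail string names the first check that failed, which maps directly onto the AWS metadata or attribute-mapping fix above.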
Issue 3: Access Policy Not Recognizing SAML
Problem:
User completes SAML authentication but Access policy denies access.
Solution:
Update Access Policy Include Rules:
├── Add: Login Method = AWS-IAM-Identity-Center
├── Keep: Email = ubuntu@*****.com (as fallback)
└── Remove: Any email-only authentication rules
Policy Logic:
├── Include rules are OR'd: (Login Method = AWS-IAM-Identity-Center) OR (Email = ubuntu@*****.com), so any AWS-assigned user passes, and so does ubuntu@*****.com through any login method still enabled on the application
└── To require both, keep only Login Method in Include and put Email = ubuntu@*****.com under Require (Require rules are AND'd); remove One-time PIN from the application's login methods if OTP is meant to be retired
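The Access policy above and the Web-App-SAML-Access policy earlier in these notes both rely on how Cloudflare combines rule groups, and the difference between Include and Require is easy to get backwards. The following is an added example, not Cloudflare's evaluator or the page's own configuration: it models the Include = any / Require = all / Exclude = none combination over three constructed identities (placeholder domain) and compares the policy as written with a tightened one.

```python
"""Model how Cloudflare Access combines policy rule groups (Include = any rule
matches, Require = all rules match, Exclude = no rule matches) and compare the
policy as written in these notes with a tightened version.

Added example, not Cloudflare code or the page's own configuration. The
identities are constructed and the email domain is a placeholder.
"""
from dataclasses import dataclass, field

AWS_IDP = "AWS-IAM-Identity-Center"   # the SAML login method name used above
OTP = "One-time PIN"                  # Cloudflare's email OTP login method


@dataclass(frozen=True)
class Identity:
    email: str
    login_method: str   # which Access login method produced the session


@dataclass
class Policy:
    name: str
    include: list = field(default_factory=list)   # any must match
    require: list = field(default_factory=list)   # all must match
    exclude: list = field(default_factory=list)   # none may match


def rule_matches(rule, ident):
    """A rule is (selector, value); only the selectors used in the notes are modelled."""
    kind, value = rule
    if kind == "email":
        return ident.email.lower() == value.lower()
    if kind == "email_domain":
        return ident.email.lower().endswith("@" + value.lower())
    if kind == "login_method":
        return ident.login_method == value
    raise ValueError(f"unknown selector {kind}")


def allowed(policy, ident):
    """Access grants only when Include (OR), Require (AND) and Exclude (NOT) all agree."""
    if not any(rule_matches(r, ident) for r in policy.include):
        return False
    if not all(rule_matches(r, ident) for r in policy.require):
        return False
    return not any(rule_matches(r, ident) for r in policy.exclude)


# As written in the notes: both selectors sit in Include, so they are OR'd.
AS_WRITTEN = Policy("Web-App-SAML-Access",
                    include=[("login_method", AWS_IDP), ("email", "ubuntu@example.com")])

# Tightened: SAML login is the gate, the named user is a Require (AND), and
# OTP is excluded as defence in depth should that login method be re-enabled.
TIGHTENED = Policy("Web-App-SAML-Access",
                   include=[("login_method", AWS_IDP)],
                   require=[("email", "ubuntu@example.com")],
                   exclude=[("login_method", OTP)])

# Constructed sessions: the intended user via SAML, the same user via a
# leftover OTP login, and another AWS user who is assigned to cf-tunnel.
IDENTITIES = {
    "ubuntu-via-saml": Identity("ubuntu@example.com", AWS_IDP),
    "ubuntu-via-otp": Identity("ubuntu@example.com", OTP),
    "other-aws-user": Identity("someone-else@example.com", AWS_IDP),
}


def decisions(policy):
    """Map each constructed identity to the policy's allow/deny decision."""
    return {name: allowed(policy, ident) for name, ident in IDENTITIES.items()}


if __name__ == "__main__":
    for policy in (AS_WRITTEN, TIGHTENED):
        print(policy.name, policy.include, policy.require, policy.exclude)
        for name, verdict in decisions(policy).items():
            print(f"  {name:16} {'allow' if verdict else 'deny'}")
```

The as-written policy admits all three sessions; the tightened one admits only the intended user through SAML. The Exclude on OTP is belt and braces: the real fix for retiring email codes is removing One-time PIN from the application's login methods, since an Include rule on the SAML method already makes OTP sessions unreachable.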
🚀 Future Plans
Phase 1: Enhanced SAML Features
Group-Based Access Control
Implement centralized group management in AWS with dynamic access based on group membership.
Implementation Plan
- AWS Groups: Create IAM Identity Center groups (Administrators, Developers, Support)
- SAML Mapping: Configure SAML group attribute mapping
- Policy Updates: Update Cloudflare policies to use SAML groups
- SSH Permissions: Implement role-based SSH user permissions
Timeline: 6 weeks with centralized group management
Phase 2: Multi-Environment SAML Integration
Development/Staging/Production Separation
Create separate AWS SAML applications per environment with environment-specific access controls.
Implementation Plan
- Environment Isolation: Separate AWS SAML applications per environment
- Team Domains: Environment-specific Cloudflare team domains
- User Groups: Different user groups per environment
- Automated Deployment: Automated deployment across environments
Timeline: 8 weeks with environment isolation
Phase 3: Advanced Security Features
Risk-Based Authentication
Implement dynamic security based on context with device posture checking and behavioral analytics.
Features to Implement
- Device Posture: Device posture checking and compliance
- Location-Based: Location-based access policies
- Behavioral Analytics: Anomaly detection and risk scoring
- Adaptive Authentication: Dynamic security based on risk score