Cloudflare Docs
Cloudflare Zero Trust
Edit this page
Give us feedback
Set theme to dark (⇧+D)

Connect to AWS through Access

This guide covers how to configure AWS SSO with Access for SaaS. Cloudflare Access for SaaS allows you to layer additional network and device posture policies on top of existing identity authentication from your identity provider.

​​ Prerequisites

  • Admin access to an AWS account

​​ 1. Get AWS URLs

  1. In the AWS admin panel, search for IAM Identity Center.
  2. Go to IAM Identity Center > Settings.
  3. In the Identity source tab, select the Actions dropdown and select Change identity source.
  4. Change the identity source to External identity provider.
  5. Copy the values shown in Service provider metadata. You will need these values when configuring the SaaS application in Zero Trust.

Next, we will obtain Identity provider metadata from Zero Trust.

​​ 2. Add a SaaS application to Cloudflare Zero Trust

  1. In a separate tab or window, open Zero Trust and go to Access > Applications.
  2. Select SaaS.
  3. For Application, select Amazon AWS.
  4. For the authentication protocol, select SAML.
  5. Select Add application.
  6. Fill in the following fields:
    • Entity ID: IAM Identity Center issuer URL
    • Assertion Consumer Service URL: IAM Identity Center Assertion Consumer Service (ACS) URL
    • Name ID format: Email
  7. (Optional) Additional SAML attribute statements can be passed from your IdP to AWS SSO. To learn more about AWS Attribute mapping, refer to Attribute mappings - AWS Single Sign-On.
  8. AWS supports uploading a metadata XML file. To download your SAML metadata from Access:
    1. Copy the SAML Metadata endpoint.
    2. In a separate browser window, go to the SAML Metadata endpoint (https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/sso/saml/xxx/saml-metadata).
    3. Save the page as access_saml_metadata.xml.
  9. Save your SaaS application configuration.
  10. Configure Access policies for the application.
  11. Select Done.

​​ 3. Complete AWS configuration

  1. Return to the IAM Identity Center > Settings > Change identity source tab.

  2. Under IdP SAML metadata, upload your access_saml_metadata.xml file.

  3. Select Next to review settings, type ACCEPT and select Change identity source to confirm changes.

  4. Confirm that Provisioning is set to Manual.

​​ 4. Test the integration

To test the connection, go to your AWS access portal URL. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider.