
Identity-based policies

With Cloudflare Zero Trust, you can create Secure Web Gateway policies that filter outbound traffic down to the user identity level. To do that, you can build DNS, HTTP or Network policies using a set of identity-based selectors. These selectors require you to deploy the Zero Trust WARP client in Gateway with WARP mode.

You may also filter outbound traffic based on additional signals from device posture checks.

Gateway identity checks

Gateway checks identity when a user logs in or re-authenticates. To check your users’ identities and require re-authentication at regular intervals, you can enforce a WARP client session duration.

If you add or remove a user from a group in your IdP, Gateway will not detect these changes until the user re-authenticates to your Zero Trust instance. There are two ways a user can re-authenticate:

  • Log out from an Access-protected application and log back in.
  • In their WARP client settings, select Preferences > Account > Re-Authenticate Session. This will open a browser window and prompt the user to log in.

View a user’s identity

To view the identity that Gateway will use when evaluating policies:

  1. In Zero Trust, go to My Team > Users. This page lists the users who have authenticated to the WARP client.
  2. Select a user.
  3. Under User Registry identity, select the user name.

This page shows the information reported by the IdP when the user registered the WARP client.

Extended email addresses

Extended email addresses (also known as plus addresses) are variants of an existing email address with + or . modifiers. Many email providers, such as Gmail and Outlook, deliver emails intended for an extended address to its original address. For example, providers will deliver emails sent to contact+123@example.com or con.tact@example.com to contact@example.com.

By default, Gateway will either filter only exact matches or all extended variants depending on the type of policy and action used:

DNS policies

| Action | Behavior |
| --- | --- |
| Allow | Match exact address only |
| Block | Match exact address and all variants |
| Override | Match exact address and all variants |
| Safe Search | Match exact address and all variants |
| YouTube Restricted | Match exact address and all variants |

Network policies

| Action | Behavior |
| --- | --- |
| Allow | Match exact address only |
| Audit SSH | Match exact address and all variants |
| Block | Match exact address and all variants |
| Network Override | Match exact address only |

HTTP policies

| Action | Behavior |
| --- | --- |
| Allow | Match exact address only |
| Block | Match exact address and all variants |
| Do Not Inspect | Match exact address only |
| Do Not Isolate | Match exact address only |
| Do Not Scan | Match exact address only |
| Isolate | Match exact address and all variants |

Other policies

| Policy type | Behavior |
| --- | --- |
| Egress policy | Match exact address only |
| Resolver policy | Match exact address only |

To force Gateway to match all email address variants, go to Settings > Network > Firewall and turn on Match extended email addresses. This setting applies to all firewall, egress, and resolver policies.
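
The default behavior in the tables above and the effect of the Match extended email addresses setting, modeled as an added Python example (not Cloudflare's code). The canonical() normalization and the sample rule dictionaries are assumptions constructed for illustration; Gateway's own matching logic is not shown on this page.

```python
# Added example: a model of the default matching tables on this page.
# canonical() is an assumed normalization, not Gateway's implementation.

# Actions that match extended variants by default, per policy type.
VARIANT_ACTIONS = {
    "dns": {"block", "override", "safe search", "youtube restricted"},
    "network": {"audit ssh", "block"},
    "http": {"block", "isolate"},
    "egress": set(),    # exact address only
    "resolver": set(),  # exact address only
}

def canonical(address):
    """Strip the '+tag' suffix and '.' modifiers from the local part."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return local.split("+", 1)[0].replace(".", "") + "@" + domain

def rule_applies(policy_type, action, rule_email, user_email, match_extended=False):
    """True if a rule written for rule_email applies to the identity user_email."""
    if rule_email == user_email:
        return True
    variants = match_extended or action.lower() in VARIANT_ACTIONS[policy_type.lower()]
    return variants and canonical(rule_email) == canonical(user_email)

def applicable_rules(rules, user_email, match_extended=False):
    """Names of the rules (hypothetical dicts) that apply to user_email."""
    return [r["name"] for r in rules
            if rule_applies(r["type"], r["action"], r["email"], user_email, match_extended)]

# Constructed sample rules, all written for the same base address.
SAMPLE_RULES = [
    {"name": "allow-finance-app", "type": "http", "action": "Allow", "email": "contact@example.com"},
    {"name": "block-file-sharing", "type": "http", "action": "Block", "email": "contact@example.com"},
    {"name": "skip-inspection", "type": "http", "action": "Do Not Inspect", "email": "contact@example.com"},
    {"name": "dedicated-egress", "type": "egress", "action": "Egress", "email": "contact@example.com"},
]

if __name__ == "__main__":
    for user in ("contact@example.com", "contact+123@example.com", "con.tact@example.com"):
        print(user, "| default:", applicable_rules(SAMPLE_RULES, user))
        print(user, "| setting on:", applicable_rules(SAMPLE_RULES, user, match_extended=True))
```

With the setting off, an identity reported as an extended variant still hits the Block rule but no longer receives the Allow, Do Not Inspect, or egress rules written for the base address.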

Identity-based selectors

SAML Attributes

Specify a value from the SAML Attribute Assertion.

| UI name | API example |
| --- | --- |
| SAML Attributes | identity.saml_attributes == "\"group=finance\"" |

User Email

Use this selector to create identity-based Gateway rules based on a user’s email.

| UI name | API example value |
| --- | --- |
| User Email | identity.email == "user-name@company.com" |

User Group IDs

Use this selector to create identity-based Gateway rules based on the ID of an IdP group that the user is a member of.

| UI name | API example |
| --- | --- |
| User Group IDs | identity.groups.id == "12jf495bhjd7893ml09o" |

User Group Email

Use this selector to create identity-based Gateway rules based on the email address of an IdP group that the user is a member of.

| UI name | API example |
| --- | --- |
| User Group Email | identity.groups.email == "contractors@company.com" |

User Group Names

Use this selector to create identity-based Gateway rules based on the name of an IdP group that the user is a member of.

| UI name | API example |
| --- | --- |
| User Group Names | identity.groups.name == "\"finance\"" |

User Name

Use this selector to create identity-based Gateway rules based on a user’s IdP username.

| UI name | API example |
| --- | --- |
| User Name | identity.name == "user-name" |

IdP groups in Gateway

Cloudflare Gateway can integrate with your organization’s identity providers (IdPs). Before building a Gateway policy for IdP users or groups, be sure to add the IdP as an authentication method.

Because IdPs expose user groups in different formats, refer to the list below to choose the appropriate identity-based selector.

Azure AD

| Selector | Value |
| --- | --- |
| User Group IDs | 61503835-b6fe-4630-af88-de551dd59a2 |

Value is the Object Id for an Azure group.

If you enabled user and group synchronization with SCIM, the synchronized groups will appear under User Group Names:

| Selector | Value |
| --- | --- |
| User Group Names | SCIM group |

GitHub

| Selector | Value |
| --- | --- |
| User Group Names | Marketing |

Google

| Selector | Value |
| --- | --- |
| User Group Names | Marketing |

Okta (OIDC)

If you added Okta as an OIDC provider, use the User Group Names selector:

| Selector | Value |
| --- | --- |
| User Group Names | Marketing |

The Okta OIDC integration supports user and group synchronization with SCIM.

Okta (SAML)

If you added Okta as a SAML provider, use the SAML Attributes selector:

| Selector | Attribute name | Attribute value |
| --- | --- | --- |
| SAML Attributes | groups | Marketing |

Generic SAML IdP

For a generic SAML provider, use the SAML Attributes selector:

| Selector | Attribute name | Attribute value |
| --- | --- | --- |
| SAML Attributes | department | Marketing |

Generic OIDC IdP

Custom OIDC claims are not supported in Gateway policies.