Cloudflare Zero Trust SSO Implementation

This article contains Cloudflare Zero Trust-specific help for configuring login with SSO. Cloudflare Zero Trust is a cloud-based identity and access management platform that can integrate with multiple identity providers (IdPs). You can also configure gateways and tunneling for secure access to the platform.

note

Cloudflare Zero Trust can be configured with any IdP that operates using SAML 2.0 or OIDC SSO configurations. If you are not familiar with these configurations, refer to these articles:

Why use Cloudflare Zero Trust with SSO?

Cloudflare Zero Trust is a cloud-based proxy identity and access management platform that can integrate with multiple identity providers (IdPs). The benefit of using Cloudflare Zero Trust in addition to your standard IdP is its ability to configure multiple IdPs for login. Cloudflare Zero Trust can provide SSO access to Bitwarden from multiple separate organizations, or sets of users within an organization.

Open SSO in the web vault

Navigate to your organization's Settings Single Sign-On screen:

SAML 2.0 Configuration  |
SAML 2.0 Configuration

If you haven't already, create a unique SSO Identifier for your organization. Otherwise, you don't need to edit anything on this screen yet, but keep it open for easy reference.

tip

If you are self-hosting Bitwarden, you can use alternative Member Decryption Options. This feature is disabled by default, so continue with Master Password decryption for now and learn how to get started using Key Connector once your configuration is complete and successfully working.

Create a Cloudflare Zero Trust login method

To create a Cloufdlare Zero Trust login method:

  1. Navigate to Cloudflare Zero Trust and log in or create an account.

  2. Configure a domain, which will act as the URL used by your users to access your applications or App Launcher, for example https://my-business.cloudflareaccess.com/. From the Cloudflare Zero Trust menu , select Settings General Team domain:

    Team domain setting |
    Team domain setting
  3. Begin configuring the first login method by navigating to Settings Authentication Add new.

  4. Select the login method to connect to Cloudflare Zero Trust. If the IdP you are using is not present on the IdP list, use the SAML or OIDC generic options. In this article, Okta will be used as an example:

    Cloudflare Zero Trust IdP list  |
    Cloudflare Zero Trust IdP list

  5. After selecting your chosen IdP login method, follow the in-product guide provided by Cloudflare for integrating your IdP.

Create a Cloudflare Zero Trust application

After an IdP has been configured, you'll have to create a Cloudflare Zero Trust application for Bitwarden. In this example we'll create a SAML application:

1. Navigate to Access Applications Add an application.

CFZT add an application |
CFZT add an application

2. Select the type SaaS.

3. In the Bitwarden web vault, open your organization and navigate to the Settings Single Sign-On screen. Use information from the web vault to fill-in information on the Configure app screen:

Key

Description

Application

Enter Bitwarden.

Entity ID

Copy the SP entity ID from the Bitwarden Single Sign-On page into this field.

Assertion Consumer Service URL

Copy the Assertion consumer service (ACS) URL from the Bitwarden Single Sign-On page into this field.

Name ID Format

Select Email from the dropdown menu.

4. Scroll down to the Identity providers menu. Select the IdP(s) that you configured in the previous section, scroll back to the top, and select Next.

5. Next, create access policies for user access to the application. Complete the Policy name, Action, and Session duration fields for each policy.

6. You can choose to assign a group policy (Access Groups) or explicit user policy rules (such as emails, "emails ending in", "country", or "everyone"). In the following example, the group "Anon Users" has been included in the policy. An additional rule has been added as well to include emails ending in the chosen domain:

CFZT app policy |
CFZT app policy
note

You can also apply user access through the App Launcher for access to the Bitwarden login with SSO shortcut. This can be managed by navigating to Authentication App Launcher Manage. The application policies in the above example can be duplicated or generated here.

7. Once access policies have been configured, scroll to the top and select Next.

8. While on the Setup screen, copy the following values and input them into their respective fields on the Bitwarden Single Sign-On page:

Key

Description

SSO endpoint

The SSO endpoint directs where your SaaS application will send login requests.

This value will be entered into the Single Sign On Service URL field in Bitwarden.

Access Entity ID or Issuer

The Access Entity ID or Issuer is the unique identifier of your SaaS application.

This will value will be entered into the Entity ID field on Bitwarden.

Public key

The Public key is the access public certificate that will be used to verify your identity.

This value will be entered into the X509 Public Certificate field on Bitwarden.

9. After the values have been entered into Bitwarden, select Save on the Bitwarden Single Sign-On screen and select Done on the Cloudflare page to save the application.

10. To create a bookmark to the Bitwarden login with SSO screen, select Add an application Bookmark. Check that the Bookmark is visible in the App launcher.

Test the configuration

Once your configuration is complete, test it by navigating to https://vault.bitwarden.com, entering your email address, selecting Continue and selecting the Enterprise single sign-on button.

Enterprise single sign on and master password  |
Enterprise single sign on and master password

Enter the configured organization identifier and select Log In. If your implementation is successfully configured, you will be redirected to a Cloudflare Access screen, where you can select the IdP to login with:

Cloudflare IdP selection |
Cloudflare IdP selection

After selecting your IdP, you will be directed to your IdP login page. Enter in the information used to login via your IdP:

CFZT IdP login |
CFZT IdP login

After you authenticate with your IdP credentials, enter your Bitwarden master password to decrypt your vault!


Language
© 2023 Bitwarden, Inc.
TermsPrivacySitemap