Cloudflare Zero Trust SSO Implementation
This article contains Cloudflare Zero Trust-specific help for configuring login with SSO. Cloudflare Zero Trust is a cloud-based identity and access management platform that can integrate with multiple identity providers (IdPs). You can also configure gateways and tunneling for secure access to the platform.
Cloudflare Zero Trust can be configured with any IdP that operates using SAML 2.0 or OIDC SSO configurations. If you are not familiar with these configurations, refer to these articles:
Cloudflare Zero Trust is a cloud-based proxy identity and access management platform that can integrate with multiple identity providers (IdPs). The benefit of using Cloudflare Zero Trust in addition to your standard IdP is its ability to configure multiple IdPs for login. Cloudflare Zero Trust can provide SSO access to Bitwarden from multiple separate organizations, or sets of users within an organization.
Navigate to your organization's Settings → Single sign-on screen:
Cloudflare will only support SAML via the Access Application Gateway. This means that the SAML 2.0 must be selected in the Bitwarden configuration. OIDC authentication this can still be configured from the IdP and Cloudflare.
If you haven't already, create a unique SSO identifier for your organization. Otherwise, you don't need to edit anything on this screen yet, but keep it open for easy reference.
To create a Cloufdlare Zero Trust login method:
Navigate to Cloudflare Zero Trust and log in or create an account.
Configure a domain, which will act as the URL used by your users to access your applications or App Launcher, for example
https://my-business.cloudflareaccess.com/. From the Cloudflare Zero Trust menu , select Settings → General → Team domain:
Begin configuring the first login method by navigating to Settings → Authentication → Add new.
Select the login method to connect to Cloudflare Zero Trust. If the IdP you are using is not present on the IdP list, use the SAML or OIDC generic options. In this article, Okta will be used as an example:
After selecting your chosen IdP login method, follow the in-product guide provided by Cloudflare for integrating your IdP.
If the IdP you are using has a support groups feature, this option must be disabled. Bitwarden does not support group based claims, enabling this option will result in an XML element error on the Bitwarden end.
After an IdP has been configured, you'll have to create a Cloudflare Zero Trust application for Bitwarden. In this example we'll create a SAML application:
1. Navigate to Access → Applications → Add an application.
2. Select the type SaaS.
3. In the Bitwarden web vault, open your organization and navigate to the Settings → Single Sign-On screen. Use information from the web vault to fill-in information on the Configure app screen:
Copy the SP entity ID from the Bitwarden Single Sign-On page into this field.
Assertion Consumer Service URL
Copy the Assertion consumer service (ACS) URL from the Bitwarden Single Sign-On page into this field.
Name ID Format
Select Email from the dropdown menu.
For the generic OIDC configuration, the Auth URL, Token URL, and Certificate URL can be located with the well-known URL.
4. Scroll down to the Identity providers menu. Select the IdP(s) that you configured in the previous section, scroll back to the top, and select Next.
5. Next, create access policies for user access to the application. Complete the Policy name, Action, and Session duration fields for each policy.
6. You can choose to assign a group policy (Access → Groups) or explicit user policy rules (such as emails, "emails ending in", "country", or "everyone"). In the following example, the group "Anon Users" has been included in the policy. An additional rule has been added as well to include emails ending in the chosen domain:
You can also apply user access through the App Launcher for access to the Bitwarden login with SSO shortcut. This can be managed by navigating to Authentication → App Launcher → Manage. The application policies in the above example can be duplicated or generated here.
7. Once access policies have been configured, scroll to the top and select Next.
8. While on the Setup screen, copy the following values and input them into their respective fields on the Bitwarden Single Sign-On page:
The SSO endpoint directs where your SaaS application will send login requests.
This value will be entered into the Single Sign On Service URL field in Bitwarden.
Access Entity ID or Issuer
The Access Entity ID or Issuer is the unique identifier of your SaaS application.
This will value will be entered into the Entity ID field on Bitwarden.
The Public key is the access public certificate that will be used to verify your identity.
This value will be entered into the X509 Public Certificate field on Bitwarden.
9. After the values have been entered into Bitwarden, select Save on the Bitwarden Single Sign-On screen and select Done on the Cloudflare page to save the application.
10. To create a bookmark to the Bitwarden login with SSO screen, select Add an application → Bookmark. Check that the Bookmark is visible in the App launcher.
Once your configuration is complete, test it by navigating to https://vault.bitwarden.com, entering your email address, selecting Continue and selecting the Enterprise single sign-on button.
Enter the configured organization identifier and select Log In. If your implementation is successfully configured, you will be redirected to a Cloudflare Access screen, where you can select the IdP to login with:
After selecting your IdP, you will be directed to your IdP login page. Enter in the information used to login via your IdP:
After you authenticate with your IdP credentials, enter your Bitwarden master password to decrypt your vault!