From 1369e581cb24493cef994130118ae6b4c2311d03 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Mon, 3 Mar 2025 19:32:29 -0500 Subject: [PATCH 1/7] SAML attribute features --- .../saas-apps/generic-saml-saas.mdx | 158 +++++++++++++++++- .../configure-apps/saas-apps/index.mdx | 2 + 2 files changed, 158 insertions(+), 2 deletions(-) diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx index 5a207f5178194f7..16fb31b2510e0f9 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx @@ -39,9 +39,9 @@ Obtain the following URLs from your SaaS application account: 8. Select the **Name ID Format** expected by your SaaS application (usually _Email_). -9. Copy the **SSO endpoint**, **Access Entity ID or Issuer**, and **Public key**. +9. (Optional) Configure any additional [SAML attribute statements](#saml-attributes) required by your SaaS application. -10. If your SaaS application requires additional **SAML attribute statements**, add the mapping of your IdP's attributes you would like to include in the SAML statement sent to the SaaS application. +10. Copy the **SSO endpoint**, **Access Entity ID or Issuer**, and **Public key**. :::note[IdP groups] 
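Review bot: step 9 links to `#saml-attributes`, but the fields it tells the reader to configure are documented under the `#saml-attribute-statements` subsection that this same patch adds, and the link text itself says "SAML attribute statements"; point the link at the more specific anchor so it lands on the field list rather than the section intro.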
@@ -77,3 +77,157 @@ When acting as a SAML identity provider, Cloudflare will sign both the SAML Resp ## 4. Test the integration Open an incognito browser window and go to the SaaS application's login URL. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider. + +## SAML attributes + +[SAML attributes](/cloudflare-one/identity/idp-integration/generic-saml/#saml-headers-and-attributes) refer to the user identity characteristics that Cloudflare Access shares with your SAML SaaS application upon successful authentication. By default, Cloudflare Access passes the following attributes (if available) to the SaaS application: +- `id` - UUID of the user's Access identity +- `name` - Full name of the user (for example, `John Doe`) +- `email` - User's email address +- `groups` - Identity provider group membership + +In Access for SaaS, you can add additional SAML attributes and customize the SAML statement sent to the SaaS application. This allows you to integrate SaaS applications which have specific SAML attribute requirements. + +### SAML attribute statements + +To send additional SAML attributes to your SaaS application, configure the following fields for each attribute: + + - **Name**: SAML attribute name + - **SAML friendly name**: (Optional) A human readable name for the SAML attribute + - **Name format**: Specify the **Name** format expected by the SaaS application: + - `Unspecified`: (default) No specific format required. + - `URI`: Name is in a format such as `urn:ietf:params:scim:schemas:core:2.0:User:userName` or `urn:oid:2.5.4.42`. + - `Basic`: Name is a normal string such as `userName`. + - **IdP claim**: The identity provider value that should map to this SAML attribute. 
You can select any [SAML attribute](/cloudflare-one/identity/idp-integration/generic-saml/#saml-headers-and-attributes) or [OIDC claim](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that was configured in a Zero Trust IdP integration. + - **Required**: If a claim is marked as required but is not provided by an IdP, Cloudflare will fail the authentication request and show an error page. + - **Add per IdP claim**: (Optional) If you turned on multiple identity providers for the SaaS application, you can choose different attribute mappings for each IdP. These values will override the parent **IdP claim**. + +### Transformation + +In **Advanced settings** > **Transformation**, you can enter a [JSONata](https://jsonata.org/) script that modifies SAML attributes before they are sent to the SaaS application. This is useful for setting defaults, excluding email addresses, or ensuring usernames meet arbitrary criteria. + +For example, the following JSONata script modifies the `groups` attribute: + +```jsonata title="JSONata expression" +{ + "account_id": account_id, + "amr": amr, + "auth_status": auth_status, + "common_name": common_name, + "devicePosture": devicePosture, + "device_id": device_id, + "device_sessions": device_sessions, + "email": email, + "gateway_account_id": gateway_account_id, + "geo": geo, + "groups": $map($.groups, function($group) { + {"group_name": $group.name, "id": $group.id} + }), + "iat": iat, + "id": id, + "idp": idp +} +``` + +Here is an example of an Access for SaaS payload before applying the transform: + +```json title= "Before JSONata transform" collapse={2-25, 40-45} +{ + "account_id": "699d98642c564d2e855e9661899b7252", + "amr": [ + "pwd" + ], + "auth_status": "NONE", + "common_name": "", + "device_id": "c1744f8b-faa1-48a4-9e5c-02ac921467fa", + "device_sessions": { + "49e653db-991e-11ee-af26-2243bf8c3428": { + "last_authenticated": 1703004275 + } + }, + "devicePosture": { + "8534a230-e85e-4183-8964-a4b7dcf72986": { + 
"rule_name": "Warp", + "success": true, + "type": "warp" + } + }, + "email": "jdoe@company.com", + "gateway_account_id": "bTSquyUGwLQjYJn8cI8S1h6M6wU", + "geo": { + "country": "US" + }, + "groups": [ + { + "id": "12fdf91a-fb23-41b3-995a-de2f72c61d0e", + "name": "IdentityProtection-RiskyUser-RiskLevel-low" + }, + { + "id": "12348f47-8234-4860-a03f-c2a1513f267b", + "name": "Global Administrator" + }, + { + "id": "11235980-87d7-4917-b0aa-74c01914c40e", + "name": "Application Administrator" + } + ], + "iat": 1659474397, + "id": "OidHvkPt-I-13IBSnd77UJ8cHgsrUpjs3W6_4t6ES7M", + "idp": { + "id": "b08e8c0c-a75d-4b3f-8e7b-cd427b7c7b47", + "type": "azureAD" + } +``` + +Here is the payload after applying the example JSONata transform: + +```json title="After JSONata transform" collapse={2-25, 40-45} +{ + "account_id": "699d98642c564d2e855e9661899b7252", + "amr": [ + "pwd" + ], + "auth_status": "NONE", + "common_name": "", + "devicePosture": { + "8534a230-e85e-4183-8964-a4b7dcf72986": { + "rule_name": "Warp", + "success": true, + "type": "warp" + } + }, + "device_id": "c1744f8b-faa1-48a4-9e5c-02ac921467fa", + "device_sessions": { + "49e653db-991e-11ee-af26-2210bf8c3428": { + "last_authenticated": 1703004275 + } + }, + "email": "jdoe@company.com", + "gateway_account_id": "bTSquyUGwLQjYJn8cI8S1h6M6wU", + "geo": { + "country": "US" + }, + "groups": [ + { + "group_name": "IdentityProtection-RiskyUser-RiskLevel-low", + "id": "62fdf91a-fb4f-41b3-995a-de2f72c61d0e" + }, + { + "group_name": "Global Administrator", + "id": "25928f47-8465-4860-a03f-c2a1513f267b" + }, + { + "group_name": "Application Administrator", + "id": "55225980-87d7-4917-b0aa-74c01914c40e" + } + ], + "iat": 1659474397, + "id": "OidHvkPt-I-13IBSnd77UJ8cHgsrUpjs3W6_4t6ES7M", + "idp": { + "id": "b08e8c0c-a75d-4b3f-8e7b-cd427b7c7b47", + "type": "azureAD" + } +} +``` + +In this example, the JSONata transform changed the `group.name` field from `name` to `group_name`. 
Additionally, we changed the value of `group.id` from ___ to ____. \ No newline at end of file diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/index.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/index.mdx index 20650a400321561..aa5b95329cee985 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/index.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/index.mdx @@ -10,4 +10,6 @@ import { DirectoryListing } from "~/components" Cloudflare Access allows you to add an additional authentication layer to your SaaS applications. When you integrate a SaaS application with Access, users log in to the application with Cloudflare as the Single Sign-On provider. The user is then redirected to the configured identity providers for that application and are only granted access if they pass your Access policies. +Cloudflare integrates with the majority of SaaS applications that support the SAML or OIDC authentication protocol. If you do not see your application listed below, refer to our generic SAML or generic OIDC guide and consult your SaaS application's documentation. + From c1af3ace5c9e93d8ca2791d7aba93ac233a776b4 Mon Sep 17 00:00:00 2001 From: ranbel <101146722+ranbel@users.noreply.github.com> Date: Tue, 4 Mar 2025 17:14:49 -0500 Subject: [PATCH 2/7] Update src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx Co-authored-by: Alex Holland --- .../applications/configure-apps/saas-apps/generic-saml-saas.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx index 16fb31b2510e0f9..807f63034a268ec 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx 
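Review bot: the "After JSONata transform" block in the `@@ -77,3 +77,157 @@` hunk does not match what the expression produces, and the closing sentence still contains placeholder blanks ("from ___ to ____"). The script copies `$group.id` and `device_sessions` through unchanged, yet the after-block shows different group IDs (`12fdf91a-...` becomes `62fdf91a-...`) and a different `device_sessions` key (`...2243bf8c3428` becomes `...2210bf8c3428`); the before-block is also missing its closing `}`. Generate the after-block by running the expression over the before-block instead of editing it by hand, and finish the sentence. Two smaller points in the same hunk: the default attribute list describes `id` as the UUID of the Access identity, but the sample identity's `id` (`OidHvkPt-I-13IBSnd77UJ8cHgsrUpjs3W6_4t6ES7M`) is not a UUID, so either the description or the sample needs correcting; and the fence attribute `title= "Before JSONata transform"` has a stray space after `=` while the `jsonata` fence above it uses `title="..."`.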
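Review bot: "refer to our generic SAML or generic OIDC guide" in the `index.mdx` hunk should link both guides, otherwise the reader has to locate them in the directory listing below; the links are only added in PATCH 7/7, so squash that fix into this commit rather than shipping the unlinked text in between.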
+++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx @@ -129,7 +129,7 @@ For example, the following JSONata script modifies the `groups` attribute: } ``` -Here is an example of an Access for SaaS payload before applying the transform: +Here is an example of a user identity before applying the transform: ```json title= "Before JSONata transform" collapse={2-25, 40-45} { From a6b5e1f089b8cf2d750b74df64ca0db842561be3 Mon Sep 17 00:00:00 2001 From: ranbel <101146722+ranbel@users.noreply.github.com> Date: Tue, 4 Mar 2025 17:14:56 -0500 Subject: [PATCH 3/7] Update src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx Co-authored-by: Alex Holland --- .../configure-apps/saas-apps/generic-saml-saas.mdx | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx index 807f63034a268ec..316d69d83b24f2f 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx 
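Review bot: this hunk renames only the "Before" lead-in to "user identity" while the sentence introducing the after-block, "Here is the payload after applying the example JSONata transform:", still says "payload"; change both in the same commit so the two blocks use one term.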
@@ -104,7 +104,9 @@ To send additional SAML attributes to your SaaS application, configure the follo ### Transformation -In **Advanced settings** > **Transformation**, you can enter a [JSONata](https://jsonata.org/) script that modifies SAML attributes before they are sent to the SaaS application. This is useful for setting defaults, excluding email addresses, or ensuring usernames meet arbitrary criteria. +In **Advanced settings** > **Transformation**, you can enter a [JSONata](https://jsonata.org/) script that modifies a copy of the user identity before creating SAML attributes to be sent to the SaaS application. This is useful for setting defaults, excluding email addresses, or ensuring usernames meet arbitrary criteria. + +Note that JSONata Transformations are not compatible with SAML attribute statements. JSONata transformations will override any specified SAML attributes. For example, the following JSONata script modifies the `groups` attribute: From 88c44a349feb0b4d1371d266eccb735b68969b7e Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Tue, 4 Mar 2025 17:15:50 -0500 Subject: [PATCH 4/7] update groups example --- .../saas-apps/generic-saml-saas.mdx | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx index 16fb31b2510e0f9..266d5ccc7506100 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx 
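Review bot: "JSONata transformations will override any specified SAML attributes" needs to say what happens to the **Required** flag and the per-IdP mappings from the SAML attribute statements section when a transform is configured. If they are silently ignored, an attribute an operator believes is enforced as required is no longer checked once someone adds a transform, and that deserves an explicit sentence rather than the generic "not compatible". Also lower-case "Transformations" to match the heading, and consider a callout rather than a "Note that" sentence so it is not missed.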
@@ -120,9 +120,8 @@ For example, the following JSONata script modifies the `groups` attribute: "email": email, "gateway_account_id": gateway_account_id, "geo": geo, - "groups": $map($.groups, function($group) { - {"group_name": $group.name, "id": $group.id} - }), + "groups": $map($.groups, function($group) { + {"group_name": $group.name}}), "iat": iat, "id": id, "idp": idp @@ -177,6 +176,7 @@ Here is an example of an Access for SaaS payload before applying the transform: "id": "b08e8c0c-a75d-4b3f-8e7b-cd427b7c7b47", "type": "azureAD" } +} ``` Here is the payload after applying the example JSONata transform: @@ -209,16 +209,13 @@ Here is the payload after applying the example JSONata transform: }, "groups": [ { - "group_name": "IdentityProtection-RiskyUser-RiskLevel-low", - "id": "62fdf91a-fb4f-41b3-995a-de2f72c61d0e" + "group_name": "IdentityProtection-RiskyUser-RiskLevel-low" }, { - "group_name": "Global Administrator", - "id": "25928f47-8465-4860-a03f-c2a1513f267b" + "group_name": "Global Administrator" }, { - "group_name": "Application Administrator", - "id": "55225980-87d7-4917-b0aa-74c01914c40e" + "group_name": "Application Administrator" } ], "iat": 1659474397, @@ -230,4 +227,4 @@ Here is the payload after applying the example JSONata transform: } ``` -In this example, the JSONata transform changed the `group.name` field from `name` to `group_name`. Additionally, we changed the value of `group.id` from ___ to ____. \ No newline at end of file +In this example, the JSONata transform changed the `group.name` field from `name` to `group_name` and removed the `group.id` field. \ No newline at end of file From c913375dc6df4acb504c64faeaad05874597c1fc Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Tue, 4 Mar 2025 18:12:44 -0500 Subject: [PATCH 5/7] add more JSONata examples --- .../saas-apps/generic-saml-saas.mdx | 216 +++++++++++++++--- 1 file changed, 187 insertions(+), 29 deletions(-) 
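Review bot: this patch was generated against the PATCH 1/7 version of the file, not the PATCH 3/7 output: the index line is `16fb31b2510e0f9..266d5ccc7506100` rather than starting from `316d69d83b24f2f`, and the context of the second hunk still reads "Here is an example of an Access for SaaS payload", which PATCH 2/7 already changed. Applying the series in order will conflict there, so rebase before merging. On the expression in the first hunk, `function($group) { {"group_name": $group.name}}),` is valid JSONata, but folding the inner object constructor and the function's closing brace onto one line makes the nesting hard to read; keep the object on its own line as it was.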
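Review bot: the `@@ -209,16 +209,13 @@` hunk fixes the group IDs but the after-block still disagrees with the before-block elsewhere: in the unchanged lines above, `device_sessions` is keyed `49e653db-991e-11ee-af26-2210bf8c3428` in the after-block and `...2243bf8c3428` in the before-block, while the script copies `device_sessions` through unchanged. Regenerate the after-block from the before-block rather than patching individual values.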
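Review bot: in the `@@ -230,4 +227,4 @@` hunk, `group.name` and `group.id` name fields that do not exist at the top level of the identity; the attribute is `groups`, an array of objects, so say that `groups[].name` was renamed to `group_name` and `groups[].id` was removed. The file also still ends without a trailing newline (`\ No newline at end of file`), which every later patch has to carry; add it here.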
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx index d52c6f0a82744bb..3807154db4e62a8 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx @@ -5,7 +5,7 @@ sidebar: order: 1 --- -import { Render } from "~/components"; +import { Render, Details } from "~/components"; This page provides generic instructions for setting up a SaaS application in Cloudflare Access using the SAML authentication protocol. @@ -86,7 +86,7 @@ Open an incognito browser window and go to the SaaS application's login URL. You - `email` - User's email address - `groups` - Identity provider group membership -In Access for SaaS, you can add additional SAML attributes and customize the SAML statement sent to the SaaS application. This allows you to integrate SaaS applications which have specific SAML attribute requirements. +In Access for SaaS, you can add additional SAML attributes or customize the SAML statement sent to the SaaS application. This allows you to integrate SaaS applications which have specific SAML attribute requirements. ### SAML attribute statements 
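Review bot: `Details` is added to the import in the first hunk, but no `<Details>` / `</Details>` usage is visible in this patch as rendered; the positions where those tags would sit, after "refer to the following examples." and between the example blocks, come through as bare `+` lines. Confirm the component is actually used with a header for each example, otherwise the import is dead and the three examples render as one flat section.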
@@ -102,37 +102,23 @@ To send additional SAML attributes to your SaaS application, configure the follo - **Required**: If a claim is marked as required but is not provided by an IdP, Cloudflare will fail the authentication request and show an error page. - **Add per IdP claim**: (Optional) If you turned on multiple identity providers for the SaaS application, you can choose different attribute mappings for each IdP. These values will override the parent **IdP claim**. -### Transformation +### JSONata transforms -In **Advanced settings** > **Transformation**, you can enter a [JSONata](https://jsonata.org/) script that modifies a copy of the user identity before creating SAML attributes to be sent to the SaaS application. This is useful for setting defaults, excluding email addresses, or ensuring usernames meet arbitrary criteria. +In **Advanced settings** > **Transformation**, you can enter a [JSONata](https://jsonata.org/) script that modifies a copy of the [User Registry identity](/cloudflare-one/insights/logs/users/). This is useful for setting default values, excluding email addresses, or ensuring usernames meet arbitrary criteria. Access will send the modified user identity to the SaaS application as SAML attributes. -Note that JSONata Transformations are not compatible with SAML attribute statements. JSONata transformations will override any specified SAML attributes. +:::note +JSONata transformations are not compatible with [SAML attribute statements](#saml-attribute-statements). JSONata transformations will override any specified SAML attributes. +::: -For example, the following JSONata script modifies the `groups` attribute: +For example, the following JSONata script merges group names into a list and adds an `eduPersonPrincipalName` field which maps to the user email. 
-```jsonata title="JSONata expression" -{ - "account_id": account_id, - "amr": amr, - "auth_status": auth_status, - "common_name": common_name, - "devicePosture": devicePosture, - "device_id": device_id, - "device_sessions": device_sessions, - "email": email, - "gateway_account_id": gateway_account_id, - "geo": geo, - "groups": $map($.groups, function($group) { - {"group_name": $group.name}}), - "iat": iat, - "id": id, - "idp": idp -} +```jsonata title = "JSONata expression" +$merge([$, {"groups": groups.name, 'eduPersonPrincipalName': email}]) ``` -Here is an example of a user identity before applying the transform: +Here is an example of a user identity before applying the JSONata transform: -```json title= "Before JSONata transform" collapse={2-25, 40-45} +```json title= "User identity before JSONata transform" { "account_id": "699d98642c564d2e855e9661899b7252", "amr": [ 
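Review bot: `$merge([$, {"groups": groups.name, 'eduPersonPrincipalName': email}])` misbehaves for a user with exactly one group. JSONata collapses a one-item result sequence to the item itself, so `groups.name` yields the string `"Global Administrator"` rather than `["Global Administrator"]`, and a SaaS application expecting a multi-valued attribute receives a different type depending on the user; write it as `"groups": [groups.name]` so the result is always an array. Second, because the expression starts from `$`, every field of the identity, including `device_sessions`, `devicePosture`, `gateway_account_id` and `geo`, is forwarded to the SaaS application as SAML attributes; after "Access will send the modified user identity to the SaaS application as SAML attributes", add a sentence advising readers to construct only the attributes the application needs, which is also the mechanism the "excluding email addresses" use case relies on. Minor: the fence uses `title = "JSONata expression"` with spaces around `=`, unlike every other fence on the page, and the object literal mixes `"` and `'` string quoting.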
@@ -181,9 +167,123 @@ Here is an example of a user identity before applying the transform: } ``` -Here is the payload after applying the example JSONata transform: +Result after applying the example JSONata script: + +```json output +{ + "account_id": "699d98642c564d2e855e9661899b7252", + "amr": [ + "pwd" + ], + "auth_status": "NONE", + "common_name": "", + "device_id": "c1744f8b-faa1-48a4-9e5c-02ac921467fa", + "device_sessions": { + "49e653db-991e-11ee-af26-2243bf8c3428": { + "last_authenticated": 1703004275 + } + }, + "devicePosture": { + "8534a230-e85e-4183-8964-a4b7dcf72986": { + "rule_name": "Warp", + "success": true, + "type": "warp" + } + }, + "email": "jdoe@company.com", + "gateway_account_id": "bTSquyUGwLQjYJn8cI8S1h6M6wU", + "geo": { + "country": "US" + }, + "groups": [ + "IdentityProtection-RiskyUser-RiskLevel-low", + "Global Administrator", + "Application Administrator" + ], + "iat": 1659474397, + "id": "OidHvkPt-I-13IBSnd77UJ8cHgsrUpjs3W6_4t6ES7M", + "idp": { + "id": "b08e8c0c-a75d-4b3f-8e7b-cd427b7c7b47", + "type": "azureAD" + }, + "eduPersonPrincipalName": "jdoe@company.com" +} +``` + +For more JSONata transform use cases, refer to the following examples. + +
+ +The following JSONata script removes the `groups` SAML attribute. This can be useful if your SaaS application does not need to receive user group information. + +```jsonata title="JSONata expression" +$ ~> |$|{}, ['groups']| +``` + +Result after applying the JSONata transform: +```json output +{ + "account_id": "699d98642c564d2e855e9661899b7252", + "amr": [ + "pwd" + ], + "auth_status": "NONE", + "common_name": "", + "device_id": "c1744f8b-faa1-48a4-9e5c-02ac921467fa", + "device_sessions": { + "49e653db-991e-11ee-af26-2243bf8c3428": { + "last_authenticated": 1703004275 + } + }, + "devicePosture": { + "8534a230-e85e-4183-8964-a4b7dcf72986": { + "rule_name": "Warp", + "success": true, + "type": "warp" + } + }, + "email": "jdoe@company.com", + "gateway_account_id": "bTSquyUGwLQjYJn8cI8S1h6M6wU", + "geo": { + "country": "US" + }, + "iat": 1659474397, + "id": "OidHvkPt-I-13IBSnd77UJ8cHgsrUpjs3W6_4t6ES7M", + "idp": { + "id": "b08e8c0c-a75d-4b3f-8e7b-cd427b7c7b47", + "type": "azureAD" + } +} +``` +
+ +
-```json title="After JSONata transform" collapse={2-25, 40-45} +The following JSONata script changes the `groups.name` field from `name` to `group_name` and removes the `groups.id` field: + +```jsonata title="JSONata expression" +{ + "account_id": account_id, + "amr": amr, + "auth_status": auth_status, + "common_name": common_name, + "devicePosture": devicePosture, + "device_id": device_id, + "device_sessions": device_sessions, + "email": email, + "gateway_account_id": gateway_account_id, + "geo": geo, + "groups": $map($.groups, function($group) { + {"group_name": $group.name}}), + "iat": iat, + "id": id, + "idp": idp +} +``` + +Result after applying the JSONata transform: + +```json output { "account_id": "699d98642c564d2e855e9661899b7252", "amr": [ @@ -229,4 +329,62 @@ Here is the payload after applying the example JSONata transform: } ``` -In this example, the JSONata transform changed the `group.name` field from `name` to `group_name` and removed the `group.id` field. \ No newline at end of file +
+ +
+ +The following JSONata script filters groups to those that match a regular expression. + +```jsonata title="JSONata expression" +$merge([$, { "groups": $filter(groups, function($v) { $contains($v.name, /Administrator/) }) }]) +``` + +Result after applying the JSONata transform: + +```json output +{ + "account_id": "699d98642c564d2e855e9661899b7252", + "amr": [ + "pwd" + ], + "auth_status": "NONE", + "common_name": "", + "device_id": "c1744f8b-faa1-48a4-9e5c-02ac921467fa", + "device_sessions": { + "49e653db-991e-11ee-af26-2243bf8c3428": { + "last_authenticated": 1703004275 + } + }, + "devicePosture": { + "8534a230-e85e-4183-8964-a4b7dcf72986": { + "rule_name": "Warp", + "success": true, + "type": "warp" + } + }, + "email": "jdoe@company.com", + "gateway_account_id": "bTSquyUGwLQjYJn8cI8S1h6M6wU", + "geo": { + "country": "US" + }, + "groups": [ + { + "id": "12348f47-8234-4860-a03f-c2a1513f267b", + "name": "Global Administrator" + }, + { + "id": "11235980-87d7-4917-b0aa-74c01914c40e", + "name": "Application Administrator" + } + ], + "iat": 1659474397, + "id": "OidHvkPt-I-13IBSnd77UJ8cHgsrUpjs3W6_4t6ES7M", + "idp": { + "id": "b08e8c0c-a75d-4b3f-8e7b-cd427b7c7b47", + "type": "azureAD" + } +} +``` +
+ + From 542b121d72a3fc386abdee914093ee52bd429e74 Mon Sep 17 00:00:00 2001 From: ranbel <101146722+ranbel@users.noreply.github.com> Date: Tue, 4 Mar 2025 18:41:27 -0500 Subject: [PATCH 6/7] Update src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx Co-authored-by: Patricia Santa Ana <103445940+patriciasantaana@users.noreply.github.com> --- .../applications/configure-apps/saas-apps/generic-saml-saas.mdx | 1 + 1 file changed, 1 insertion(+) diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx index 3807154db4e62a8..0026ec2ebf14a95 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx @@ -81,6 +81,7 @@ Open an incognito browser window and go to the SaaS application's login URL. You ## SAML attributes [SAML attributes](/cloudflare-one/identity/idp-integration/generic-saml/#saml-headers-and-attributes) refer to the user identity characteristics that Cloudflare Access shares with your SAML SaaS application upon successful authentication. By default, Cloudflare Access passes the following attributes (if available) to the SaaS application: + - `id` - UUID of the user's Access identity - `name` - Full name of the user (for example, `John Doe`) - `email` - User's email address From 9b7eab5b490eb9a55f765c636670cdd119cea50a Mon Sep 17 00:00:00 2001 From: ranbel <101146722+ranbel@users.noreply.github.com> Date: Tue, 4 Mar 2025 18:42:12 -0500 Subject: [PATCH 7/7] Update src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/index.mdx Co-authored-by: Patricia Santa Ana <103445940+patriciasantaana@users.noreply.github.com> --- .../applications/configure-apps/saas-apps/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
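Review bot: the regular-expression filter example in the `@@ -181,9 +167,123 @@` hunk is fail-open. When no group matches, `$filter(groups, ...)` returns an empty sequence, a JSONata object constructor omits a key whose value is undefined, and `$merge([$, {}])` then returns the identity unchanged, so a user with no `Administrator` group is sent all of their groups instead of none. Wrap the filter in an array constructor, `{"groups": [$filter(groups, function($v) { $contains($v.name, /Administrator/) })]}`, which yields `[]` for no matches and also keeps a single match as a one-element array instead of a bare object. Two smaller points in the same hunk: the remove-groups example should state whether dropping `groups` from the emitted attributes affects Access policy evaluation (the section says the transform works on a copy of the identity, so presumably not, but readers removing groups for least-privilege reasons will ask); and the rename example enumerates every identity field by hand, so any field added to the identity later is silently dropped by that transform, which is worth a sentence or a rewrite using `$merge` like the other two examples.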
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/index.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/index.mdx index aa5b95329cee985..33ec70d537cd3fd 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/index.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/index.mdx @@ -10,6 +10,6 @@ import { DirectoryListing } from "~/components" Cloudflare Access allows you to add an additional authentication layer to your SaaS applications. When you integrate a SaaS application with Access, users log in to the application with Cloudflare as the Single Sign-On provider. The user is then redirected to the configured identity providers for that application and are only granted access if they pass your Access policies. -Cloudflare integrates with the majority of SaaS applications that support the SAML or OIDC authentication protocol. If you do not see your application listed below, refer to our generic SAML or generic OIDC guide and consult your SaaS application's documentation. +Cloudflare integrates with the majority of SaaS applications that support the SAML or OIDC authentication protocol. If you do not see your application listed below, refer to our [generic SAML](/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas/) or [generic OIDC](/cloudflare-one/applications/configure-apps/saas-apps/generic-oidc-saas/) guide and consult your SaaS application's documentation.