Use Cloudflare as a SAML identity provider

If you use Cloudflare to centralize authentication and authorization in your business, you can integrate Kinde as a service provider for these processes. This gives you the benefits of Kinde’s robust auth capabilities, while keeping the familiar Cloudflare structure.

You need to set up an enterprise connection in Kinde for this, and add a Cloudflare application. We recommend setting up and testing the connection in a non-production environment before making available to users.

Step 1: Add the connection in Kinde

Link to this section

You can make a connection available only to a specific organization, or you can create it so it can be used across any organization in your business.

Add a connection for a specific organization

Link to this section

1. Go to Organizations and open the organization.
2. In the menu, select Authentication, then select Add connection.
3. In the Add connection window, select New enterprise connection, then click Next.
4. Select the Cloudflare connection and then select Next.
5. Next: ‘Step 2: Configure the connection’.

Add a connection that can be shared across multiple organizations

Link to this section

1. Go to Settings > Environment > Authentication.
2. Scroll to the Enterprise connection section and select Add connection. The Add connection window opens.
3. Select the Cloudflare connection and then select Save.
4. On the tile for the new connection, select Configure.
5. Next: ‘Step 2: Configure the connection’.

Step 2: Configure the connection

Link to this section

1. Enter a random string value for Entity ID, for e.g. 870sa9fbasfasdas23aghkhc12zasfnasd.
2. Complete any optional fields you want, including key attributes. You’ll add the IdP Metadata URL later.
3. Add Home realm domains. We recommend adding these to speed up the sign in process for users of those domains. Note that all home realm domains must be unique across all connections in an environment. For more information, see Home realm domains or IdP discovery.
4. If you use home realm domains, the sign in button is hidden on the auth screen by default. To show the SSO button, select the Always show sign-in button option.
5. Copy the Assertion Customer Service (ACS) URL and the Entity ID somewhere you can access it later. You’ll need this to set up your Cloudflare application.
6. Select provisioning options.
7. Add a signed certificate and key if you have it. You can also do this later.
8. Select Save.

Step 3: Add and configure your Cloudflare application

Link to this section

1. Sign in to your Cloudflare account.
2. In the menu, select Zero trust.
3. Go to Access > Applications, then select Add an application.
4. Select SaaS as the type of application. The Add application window opens.

5. Enter an application name or select an application.
6. Choose Select SAML for the authentication protocol.
7. Select Add Application. The Configure application page opens.

6. Add the Entity ID and ACS URL from Kinde.
7. Copy the SAML Metadata endpoint to your clipboard. You’ll need to enter this back in Kinde.
8. Scroll through the other sections and then select Save configuration. The Add policies page opens.
9. Add a policy to define who can access your application. You might do this via an allowlist and groups, or other strategy.
10. Complete any other relevant sections of the window, and then select Done.

Step 4: Finish setting up your Cloudflare connection

Link to this section

1. Open the connection in Kinde. Via Organization > Authentication or via Settings > Authentication.
2. Scroll to the IdP metadata URL field and paste the Metadata URL you copied from your Cloudflare app.
3. Switch on the connection. This will make it instantly available to users if this is your production environment.
   1. For environment-level connections, scroll down and select the apps that will use the auth method.
   2. For organization-level connections, scroll down and select if you want to switch this on for the org.
4. Select Save.