Integrate SSO to Cloudflare Access Applications

In a previous article, I detailed how to SSH to any of your machines without port forwarding, using a Cloudflare Tunnel to do the job instead. It would be convenient to integrate your Office 365 or Google account so that you authenticate with it and SSH in as the user you want. Cloudflare Access then takes care of the SSH authentication, so you do not have to enter the password or key every time you log in after the tokens expire.

Scenario

I open the URL(s) I configured in a web browser and get a terminal to the corresponding machine(s) rendered in the browser. The login workflow is simple yet secure, and it leverages the SSO integration with AAD or Google to authenticate to the machines.

Details

Check out the previous article, set up the apps in the Cloudflare Zero Trust dashboard and create the required tunnels.

An extra step here would be to edit the Authentication methods for the apps and select the AAD and Google providers:

Screenshot: Authentication providers

Let’s see in detail how to add the AAD and Google providers in the first place.

Google

  • On the Google Cloud project home page, go to APIs & Services on the sidebar.
  • Select OAuth Consent Screen on the left sidebar and create a consent screen. Choose External as the User Type. Enter the App name, add a User support email and fill in the contact fields. Google Cloud Platform requires an email in your account.
  • On the APIs & Services page, in the Credentials section of the sidebar, select Create Credentials > OAuth client ID. Select Web Application as the application type and give it a Name.
  • For the Authorized JavaScript origins, in the URIs field, enter your team domain. Your team domain can be found in the Cloudflare Zero Trust dashboard, under Settings > General.
  • For Authorized redirect URIs, in the URIs field, enter your team domain with the path as follows:
    https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback
  • Once the credentials are created, Google will provide the OAuth Client ID and Secret for you to add in the Cloudflare Zero Trust dashboard.
  • Navigate to the Zero Trust dashboard and go to Settings > Authentication.
  • Find the Login methods section, select Add new and choose Google under Select an identity provider.
  • Enter the Client ID and Secret that you obtained in the previous steps.
  • Click Save.
  • Verify the connection using Test; you should get a success message from Cloudflare:

Screenshot: Identity provider added successfully

AAD

  • Navigate to App registrations on the AAD portal.
  • Select New registration, give it a Name and choose Accounts in this organizational directory only (Single tenant).
  • For the Redirect URI (optional), select Web as the platform and add your team domain with the path as follows (your team domain can be found in the Cloudflare Zero Trust dashboard, under Settings > General):
    https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback
  • Click Register.
  • Copy the Application (client) ID and Directory (tenant) ID. You will need to input these values into the Cloudflare dashboard.
  • From the sidebar, select Certificates & secrets and create a New client secret. Select the expiration according to your policies, or select the maximum of 24 months.
  • Copy the client secret Value provided by Microsoft. The portal displays it only once.
  • From the sidebar, select API permissions, then Add a permission. Under the Microsoft APIs tab, select Microsoft Graph, opt for Delegated permissions and choose the following scopes:
    • email
    • openid
    • profile
    • offline_access
    • User.Read
    • Directory.Read.All
    • Group.Read.All
  • If the Grant admin consent button is greyed out, contact your administrator, as your org may be restricting it; otherwise click Grant admin consent for <org>.
  • Navigate to the Zero Trust dashboard and go to Settings > Authentication.
  • Find the Login methods section, select Add new and choose Azure AD under Select an identity provider.
  • Enter the Application ID, secret and Directory ID that you noted in the previous steps.
  • Click Save.

Local usernames and SSO identities

A user's Unix username should match their email address prefix: the short-lived certificates issued by Cloudflare carry the user's email address prefix as the principal. If the user's email is [email protected], they would log in to the SSH server as nevin. However, you can configure the SSH server daemon to accept principals that do not match the local username. So, for the email [email protected] to authenticate as the Linux user nj, edit the SSH server configuration, sshd_config, and add the following:

# Map the certificate principal "nevin" to the local account "nj".
# AuthorizedPrincipalsCommand requires an absolute path, hence /bin/echo.
Match User nj
    AuthorizedPrincipalsCommand /bin/echo nevin
    AuthorizedPrincipalsCommandUser nobody

Public key

  • Navigate to the Zero Trust dashboard.
  • From the sidebar, select Access > Service Auth. On the SSH tab, choose from the dropdown the application that represents the secured server/service.
  • Click Generate certificate and Cloudflare will provide the public key to be saved in the SSH configuration on your origin server.
  • On the origin server, create a key file, for example:
    $ sudo nano /etc/ssh/cf-access.pub
  • Paste the public key that you got from Cloudflare into cf-access.pub and save the file.
  • Edit the SSH server config:
    $ sudo nano /etc/ssh/sshd_config
  • Uncomment the line PubkeyAuthentication yes (remove the leading #).
  • Add the line TrustedUserCAKeys /etc/ssh/cf-access.pub. Place it before any Match block, otherwise it only applies inside that block.
  • Restart the SSH server (sudo sshd -t first reports any syntax error in the config):
    $ sudo systemctl restart ssh

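As an added example (not code from the original post), here are the sshd edits from this section and the principal mapping from the previous one scripted so they are idempotent and keep the global directives ahead of any Match block. The file paths, the CF_APPLY switch and the nj/nevin mapping are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Applies the sshd settings from
# this post idempotently. Assumed: paths, the CF_APPLY switch, nj/nevin.
set -eu

# Put "KEY VALUE" at the top of the config (so it stays global, ahead of
# any Match block) and drop earlier global copies, active or commented.
ensure_directive() {
    cfg=$1 key=$2 val=$3
    tmp=$(mktemp)
    printf '%s %s\n' "$key" "$val" > "$tmp"
    awk -v key="$key" '
        tolower($0) ~ /^[ \t]*match[ \t]/ { inmatch = 1 }
        !inmatch && tolower($0) ~ ("^[ \t]*#?[ \t]*" tolower(key) "([ \t=]|$)") { next }
        { print }' "$cfg" >> "$tmp"
    cat "$tmp" > "$cfg"   # rewrite in place, keeping owner and mode
    rm -f "$tmp"
}

# Map a certificate principal (email prefix) to a different local user.
# sshd needs an absolute path for AuthorizedPrincipalsCommand, hence /bin/echo.
add_principal_mapping() {
    cfg=$1 local_user=$2 principal=$3
    if grep -q "^Match[[:space:]]\{1,\}User[[:space:]]\{1,\}$local_user\$" "$cfg"; then
        echo "mapping for $local_user already present, skipping" >&2
        return 0
    fi
    printf '\nMatch User %s\n    AuthorizedPrincipalsCommand /bin/echo %s\n    AuthorizedPrincipalsCommandUser nobody\n' \
        "$local_user" "$principal" >> "$cfg"
}

# Syntax-check the result before restarting; sshd -t is the safety net.
check_config() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not found, skipping syntax check" >&2
    fi
}

# Driver: only touches the live config when CF_APPLY=1 is set.
if [ "${CF_APPLY:-0}" = 1 ]; then
    cfg=${SSHD_CONFIG:-/etc/ssh/sshd_config}
    ensure_directive "$cfg" PubkeyAuthentication yes
    ensure_directive "$cfg" TrustedUserCAKeys /etc/ssh/cf-access.pub
    add_principal_mapping "$cfg" "${LOCAL_USER:-nj}" "${PRINCIPAL:-nevin}"
    check_config "$cfg" && systemctl restart ssh
fi
```

Run it as root with CF_APPLY=1 after cf-access.pub is in place, or point SSHD_CONFIG at a copy of the config to review the result first.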
End Result

Screenshot: SSO identity providers on the login prompt

This post is licensed under CC BY 4.0 by the author.