Configuring Curity Identity Server as an Identity Provider in Cloudflare


Cloudflare is a company that provides content delivery network services; its products operate in a reverse-proxy architecture in front of websites, sitting between a website's visitor and the hosting provider of the targeted service. As part of its offering, Cloudflare provides an authentication service called Access, which can leverage external Identity Providers (IdPs) to control access to protected applications and services.

This article serves as a guide on how to configure a Cloudflare Access environment to use the Curity Identity Server as its IdP, using the Generic OpenID configuration option that is available to Cloudflare Enterprise customers.

Curity Setup

Create a client or use an existing one. Follow these instructions to configure a client that enables the Code Flow.

Important configurations

* Make sure that the `openid` and `email` scopes are provided by the client.
* The callback URL will have to be aligned with the configuration in Cloudflare (see Callback URL below).

Configuring Cloudflare Access

Configuring the Login Method

In Cloudflare for Teams, click Access -> Authentication -> Add in the Login methods section and select OpenID Connect.

Parameter Name      Example value
Name                Curity
Client ID           www
Client Secret       Secr3t!
Auth URL            https://idsvr.example.com/oauth/v2/oauth-authorize (the default URL for a host named idsvr.example.com)
Token URL           https://idsvr.example.com/oauth/v2/oauth-token (the default URL for a host named idsvr.example.com)
Certificate URL     https://idsvr.example.com/oauth/v2/jwks (the default URL for a host named idsvr.example.com)

Callback URL

The Callback URL depends on the configuration in Cloudflare: the Auth Domain determines the complete Callback URL. If the Auth Domain is example.cloudflareaccess.com, the Callback URL is https://example.cloudflareaccess.com/cdn-cgi/access/callback, and this exact URL must be registered as a redirect URI on the Curity client.
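The three URLs in the table, the two required scopes and the Callback URL are the points where this setup usually goes wrong, so the following added example (not part of the Curity tutorial or either product) cross-checks them before you click Test. It assumes you have already retrieved the Curity OpenID discovery document (here a constructed sample is embedded so the script runs offline) and it compares the values you intend to enter into Cloudflare against it, the client's granted scopes and its registered redirect URIs.

```python
"""Consistency check for a Cloudflare Access OpenID Connect login method backed by Curity.
Added example; SAMPLE_DISCOVERY is a constructed document, not fetched from any live server."""

# Cloudflare login-method field -> OpenID discovery key it must agree with
FIELD_TO_DISCOVERY_KEY = {
    "Auth URL": "authorization_endpoint",
    "Token URL": "token_endpoint",
    "Certificate URL": "jwks_uri",
}
# Scopes the tutorial requires the Curity client to grant for Cloudflare Access
REQUIRED_SCOPES = frozenset({"openid", "email"})


def default_cloudflare_values(host: str) -> dict:
    """Default Curity endpoints for a host, as listed in the tutorial's table."""
    base = f"https://{host}/oauth/v2"
    return {"Auth URL": f"{base}/oauth-authorize",
            "Token URL": f"{base}/oauth-token",
            "Certificate URL": f"{base}/jwks"}


def callback_url(auth_domain: str) -> str:
    """Redirect URI that must be registered on the Curity client for this Auth Domain."""
    return f"https://{auth_domain}/cdn-cgi/access/callback"


def check_config(cloudflare_values, auth_domain, discovery, client_scopes, client_redirect_uris):
    """Return a list of mismatches; an empty list means the values are consistent."""
    problems = []
    for field, key in FIELD_TO_DISCOVERY_KEY.items():
        advertised = discovery.get(key)
        if advertised != cloudflare_values.get(field):
            problems.append(f"{field}: Cloudflare has {cloudflare_values.get(field)!r}, "
                            f"discovery advertises {advertised!r}")
    missing = REQUIRED_SCOPES - set(client_scopes)
    if missing:
        problems.append(f"client does not grant scopes: {sorted(missing)}")
    # Cloudflare redirects back to exactly this URL; redirect URIs are matched exactly,
    # so a trailing slash or an http scheme on the client side breaks the flow
    cb = callback_url(auth_domain)
    if cb not in client_redirect_uris:
        problems.append(f"client lacks redirect URI {cb}")
    return problems


# Constructed sample with the shape of a real discovery document
SAMPLE_DISCOVERY = {
    "issuer": "https://idsvr.example.com/oauth/v2/oauth-anonymous",
    "authorization_endpoint": "https://idsvr.example.com/oauth/v2/oauth-authorize",
    "token_endpoint": "https://idsvr.example.com/oauth/v2/oauth-token",
    "jwks_uri": "https://idsvr.example.com/oauth/v2/jwks",
    "scopes_supported": ["openid", "email", "profile"],
}
```

Run it with the values you entered in Cloudflare and the client's scopes and redirect URIs as configured in Curity; any line of output is something to fix before testing the login method.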

Test the configuration

When the configuration has been saved, click Test. A new tab should open in the browser showing the authentication flow configured for the client above. Provided everything is correctly configured and a successful authentication is performed, a confirmation message is displayed.

Testing the Login Method

The Login Method should now be saved and available to use throughout the Cloudflare Access configuration.

Configure Access App Launch

One place where the Login Method can be used is the App Launch page. To configure it to use the newly created Login Method backed by the Curity Identity Server:

  1. Go to Access -> Authentication -> App launcher
  2. Click Set up Access App Launcher
  3. Add rules appropriate to your environment, e.g. Emails Ending in: @example.com, then click Save
  4. Go to the App Launch page, i.e. https://example.cloudflareaccess.com/
  5. A login page should be presented, click Login
  6. The created Login Method above (Curity) should be available as an option. Click Curity
  7. This redirects to the Curity Identity Server, which authenticates the user with the authentication method configured for the client, and then grants access to the App Launch page

Login with Curity

Note

The user might not have access to any Applications even though Authentication works.

Conclusion

Cloudflare Access with an Enterprise account can leverage an external IdP out of the box. With a few simple configuration steps, it is possible to make full use of the capabilities that the Curity Identity Server has to offer for authentication and authorization. The Curity Identity Server can enhance the authentication to Cloudflare-protected applications by:

  • Providing many more authentication mechanisms, for example Duo, WebAuthn, SMS, various government eIDs, social login and more
  • Allowing for Multi-Factor and Conditional Multi-Factor Authentication scenarios
  • Applying advanced post-authentication workflows without user interactions
