JumpCloud SSO x CloudFlare Access Policies (Zero Trust)
09-17-2024 01:53 AM - edited 09-17-2024 08:19 AM
Hi folks,
Hope everyone is sailing smoothly through the last month of Q3 and gearing up for the final stretch of 2024. Time flies, doesn't it?
Recently, I encountered a unique use case that got my creative gears turning right from the start. The task? We needed to add an authentication layer to a web application's gateway, ideally with an SSO IdP that supports SAML.
So, fast forward a bit: I mapped out a strategy that combines CloudFlare Access Policies and JumpCloud's CloudFlare SAML connector together to achieve this goal. And to validate the concept, I even built a sample Flask app (which, if you're interested, you can check out here).
The architecture looks something like this:
As usual, let's dive into the How-To.
Step 0 - Make sure the DNS record of your app is managed by CloudFlare.
Step 1 - Integrate CloudFlare with JumpCloud (SAML)
- Integrate with Cloudflare - JumpCloud
- Generic SAML 2.0 | Cloudflare Zero Trust docs
- Create the respective user groups on JumpCloud for role-based access to your app, and bind the CloudFlare SAML application you created above to each user group:
Step 2 - Create the access policies on CloudFlare
- Access policies
- You can create multiple "self-hosted applications"; in our case we have two application paths representing two different roles:
- The settings of one of the applications look like this.
- At Overview section:
- At the Policy section - make sure the policy checks group membership in JumpCloud:
- At the Authentication section - select the SAML integration with JumpCloud you created above.
- I have left the rest of the settings / configurations untouched; feel free to tweak them based on your application environment.
- Repeat the same steps for the /IT path if needed.
- At Overview section:
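The same per-path setup expressed as configuration, as an added example that is not part of the original post or of JumpCloud's or Cloudflare's own material. It uses the Cloudflare Terraform provider to create one self-hosted Access application per role path and one Allow policy per application that matches on the JumpCloud group carried in the SAML assertion. The zone, the hostname `app.example.com`, the group names, the variable `jumpcloud_idp_id` (the ID of the JumpCloud SAML identity provider already configured in Zero Trust) and the SAML attribute name `memberOf` are assumptions; check the attribute name against what your JumpCloud connector actually sends.

```hcl
# Added example (not from the original post): two self-hosted Access
# applications, one per path, each allowing only the matching JumpCloud group.
# Assumptions: app.example.com sits on a Cloudflare-managed zone, the JumpCloud
# SAML IdP already exists in Zero Trust, and JumpCloud sends group membership
# in a SAML attribute named "memberOf" (adjust to your connector's attribute).

variable "zone_id" {
  description = "Cloudflare zone that holds the app's DNS record (placeholder)"
}

variable "jumpcloud_idp_id" {
  description = "ID of the JumpCloud SAML identity provider in Cloudflare Zero Trust (placeholder)"
}

locals {
  # path -> JumpCloud group allowed to reach it (constructed sample values)
  roles = {
    HR = "cf-app-hr"
    IT = "cf-app-it"
  }
}

# One Access application per protected path; Cloudflare evaluates the
# application whose domain+path matches the request most specifically.
resource "cloudflare_access_application" "role_path" {
  for_each = local.roles

  zone_id                   = var.zone_id
  name                      = "sample-app /${each.key}"
  domain                    = "app.example.com/${each.key}"
  type                      = "self_hosted"
  session_duration          = "8h"
  allowed_idps              = [var.jumpcloud_idp_id] # JumpCloud SAML only, no one-time PIN fallback
  auto_redirect_to_identity = true                   # skip the IdP picker, go straight to JumpCloud
}

# Allow policy: the user must have authenticated through JumpCloud AND the
# assertion must carry the group for this path. Anyone else is denied by default.
resource "cloudflare_access_policy" "require_group" {
  for_each = local.roles

  application_id = cloudflare_access_application.role_path[each.key].id
  zone_id        = var.zone_id
  name           = "allow ${each.value} only"
  precedence     = 1
  decision       = "allow"

  include {
    saml {
      identity_provider_id = var.jumpcloud_idp_id
      attribute_name       = "memberOf"
      attribute_value      = each.value
    }
  }
}
```

Restricting `allowed_idps` to the JumpCloud integration matters: if the application also allows the default one-time PIN method, a user who is not in JumpCloud at all could still reach the login page and satisfy a less strict policy, so keeping a single IdP plus a group-scoped Allow rule is what makes the policy actually role-based.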
Now, it's time for a test run
The main use case I can think of is protecting your application, often internal corporate ones where adding an authentication layer within the application (via auth SDKs) isn't feasible, especially for just a handful of users. Implementing a modern security solution like SAML for SSO can solve this without needing extensive changes.
Of course, there are plenty of other use cases out there, as long as those DNS records are in your hands.
Thanks for reading! Catch you folks in the next one!