Cloudflare Docs
Cloudflare Zero Trust
Visit Cloudflare Zero Trust on GitHub
Set theme to dark (⇧+D)

Configure Salesforce with Access for SaaS

This guide covers how to:

  • Configure Salesforce as a SaaS application in Cloudflare Zero Trust
  • Force logins to Salesforce through Cloudflare’s Zero Trust rules

​​ Prerequisites

  • Admin access to a Salesforce account

​​ 1. Set up Salesforce as a SaaS application in Cloudflare Zero Trust

  1. In Zero Trust, go to Access > Applications.
  2. Select the SaaS application type.
  3. From the Application drop-down menu, select Salesforce.
  4. Fill the remaining fields as follows:
    • Entity ID: https://[YOUR_SFDC_DOMAIN].my.salesforce.com
    • Assertion consumer service URL: https://[YOUR_SFDC_DOMAIN].my.salesforce.com
    • Name ID format: Email
  5. Select Next.
  6. Set the desired policy configuration for user access.
  7. Select Add application.
  8. Next, take note of the SSO endpoint, the Access Entity ID or Issuer, and the Public Key.

​​ 2. Create a certificate file

  1. Paste the Public key in VIM or another code editor.
  2. Wrap the certificate in -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
  3. Set the file extension as .crt and save.

​​ 3. Enable Single Sign-On in Salesforce

  1. In Salesforce, ensure your users have Federation IDs.

  2. Go to Security Controls > Single Sign-On Settings.

  3. Set the following global settings:

    • SAML Enabled: true
    • Make federation ID case-insensitive: true

​​ 4. Create a new SAML Single-Sign On configuration

  1. Create a new SAML Single-Sign On configuration:
    • Name: (this is what you want your users to see on sign in)
    • API name: (this will pre-populate)
    • Issuer: https://<your-team-name>.cloudflareaccess.com, where your-team-name is your team name.
    • Identity Provider Certificate: upload the .crt certificate file you’ve created in the previous step.
    • EntityID: https://[YOUR_SFDC_DOMAIN].my.salesforce.com
    • SAML Identity type: If the user’s Salesforce username is their email address, select Assertion contains the User’s Salesforce username. Otherwise, select Assertion contains the Federation ID from the User object and make sure the user’s Federation ID matches their email address.
    • Identity Provider Login URL: This is the SSO endpoint provided in Zero Trust for that application.
  2. Select Save.
  3. From the navigation panel on the left, select Domain Management > My Domain and select your domain.
  4. At the bottom, find Authentication Configuration. Select Edit and select your Authentication Service you created.
  5. (Optional) To force all users to sign in through Cloudflare Access:
    1. Select Security Controls > Single Sign-On Settings > Edit.
    2. Select Disable login with Salesforce credentials.