Cloudflare Docs
Area 1 Email Security
Area 1 Email Security
Visit Area 1 Email Security on GitHub
Set theme to dark (⇧+D)

Azure integration guide

This tutorial will walk you through the steps for configuring a non-gallery enterprise application within Azure Active Directory to establish a SAML SSO connection with Area 1.

​​ 1. Azure Active Directory configuration

  1. Log in to Azure portal and open Enterprise Applications.

  2. Select New Application.

    Create a new application

  3. Select Create your own application.

    Select create your own application

  4. Input a descriptive name for your app and select Integrate any other application you don’t find in the gallery (Non-gallery) > Create.

    Give your application a descriptive name

  5. On the application Overview page that opens, select 2. Set up single sign on.

    Select single sign-on as the type of app

  6. Select SAML as your single sign-on method.

    Select SAML as the sign-on method

  7. Select the pencil icon to edit the Basic SAML Configuration.

    Select the pencil icon to edit Basic SAML Configuration

  8. Enter the following configuration settings:

    Identifier (Entity ID)
    Reply URL (Assertion Consumer Service URL)
    Sign-On URL Leave blank
    Relay State Leave blank
    Logout URL Leave blank
  9. Select Save and the cross button to exit Basic SAML Configuration.

  10. Select the pencil icon to edit SAML Certificates and make the following changes:

    • Signing Option: Select Sign SAML response from the drop-down menu.
    • Signing Algorithm: Select SHA-1 from the drop-down menu.

    Select Sign SAML response and SHA-1 from the menu

  11. Select Save and the cross button to exit SAML Certificates.

  12. Still in the SAML Certificates section, find Federation Metadata XML and select Download. You will need this information for the SSO Configuration in the Area 1 dashboard.

    Download the Metadata XML information

Your Azure configuration is now complete. It should look similar to this:

Your Azure configuration should be similar to this one

​​ 2. Configure Area 1 to connect to Azure

  1. Log in to the Area 1 dashboard.

  2. Go to Settings (the gear icon).

  3. In Users and Actions > Users and Permissions add the email addresses of all your authorized administrators.

    Fill out your authorized administrators

  4. Go to SSO Settings, and enable Single Sign On.

    Enable SSO

  5. In SSO Enforcement, choose one of the settings according to your specific needs:

    • None: This setting allows each user to choose SSO, or username and password plus 2FA (this is the recommended setting while testing SSO).
    • Admin: This setting will force only the administrator account to use SSO. The user that enables this setting will still be able to log in using username and password plus 2FA. This is a backup, so that your organization does not get locked out of the portal in emergencies.
    • Non-Admin Only: This option will require that all Read only and Read & Write users use SSO to access the portal. Admins will still have the option to use either SSO or username and password plus 2FA.

  6. For SAML SSO Domain, enter

  7. In Metadata XML paste the XML metadata you downloaded in the previous step 11. You can open the downloaded file with a text editor to copy all the text. Make sure there are no leading carriage returns or spaces when you copy the text. Your copied text should begin with:

    <?xml version="1.0" encoding="utf-8"?><EntityDescriptor ID="_<YOUR_DESCRIPTIOR_ID>" entityID="https://<YOUR_ENTITY_ID> " xmlns="urn:oasis:names:tc:SAML:2.0:metadata">...
  8. Select Update Settings to save your configuration.

​​ 3. Test SSO configuration

After completing both the Azure and Area 1 set ups, you can test your SSO access. In this example, the logo for Area 1 has been updated.

  1. Log in to your Office 365 portal.

  2. Select All Apps.

  3. Go to Settings > SSO.

  4. Locate the Area 1 Horizon application (or whichever name you gave your application), and select it to initiate your SSO login with Area 1.

  5. If you configured everything correctly, you should be signed in to the Area 1 Portal and redirected to the dashboard.

​​ Troubleshooting

If you have trouble connecting your Azure account to Area 1, make sure that:

If all else fails, enable Chrome browser debug logs. Then, log your activity when SSO is initiated, and contact Cloudflare support.