Cloudflare Docs
Learning Paths

User authentication


Finally, decide how users will authenticate to your Zero Trust organization. There are two options: manual enrollment via an identity provider (IdP), or automatic enrollment with a service token.

| Authentication method | Pros | Cons |
| --- | --- | --- |
| Identity provider (most common) | Can build policies based on specific users and groups. DNS logs show who made the request. | Users must manually click on the WARP client and authenticate. |
| Service token | No user authentication required. Immediate enforcement of policies. | Cannot use identity selectors in policies. DNS logs only show device-level information, not user identity. |

    Configure IdP authentication

    To allow users to authenticate with an identity provider:

    1. In Zero Trust, go to Settings > Authentication.

    2. In the Login methods card, select Add new.

    3. Select the identity provider you want to add.

      If you do not see your identity provider listed, these providers can typically still be enabled. If they support OIDC or OAuth, select the generic OIDC option. If they support SAML, select the generic SAML option. Cloudflare supports all SAML and OIDC providers and can integrate with the majority of OAuth providers. If your provider supports both SAML and OIDC, we recommend OIDC for ease of configuration.

    4. Fill in the necessary fields to set up your identity provider.

      Each identity provider will have different required fields for you to fill in. Step-by-step instructions are shown in the dashboard side panel.

    5. Once you have filled in the necessary fields, select Save.

    6. In your device enrollment permissions, verify that the IdP is selected as an authentication option.

    Users will now be able to select this IdP when they are prompted to authenticate. To learn more about IdP configuration, refer to SSO integration.

    Configure service token authentication

    To enroll devices with a service token:

    1. Create a service token.

    2. Copy the token’s Client ID and Client Secret.

    3. In your device enrollment permissions, create the following policy:

      | Selector | Operator | Value | Action |
      | --- | --- | --- | --- |
      | Service Token | is | <TOKEN-NAME> | Service Auth |

    4. In your MDM deployment parameters, add the following fields:

      • auth_client_id: The Client ID of your service token.
      • auth_client_secret: The Client Secret of your service token.

    When you deploy the WARP client with your MDM provider, WARP will automatically connect the device to your Zero Trust organization.
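    The following is an added example of what the MDM deployment parameters from step 4 look like in practice; it is not taken from the page. It is written as a WARP `mdm.xml` file for a Windows client, which is one of the formats the WARP client reads its MDM parameters from. The `organization` key (your Zero Trust team name) and the file format are assumptions based on WARP's documented MDM parameters rather than anything stated on this page, and every value is a placeholder.

```xml
<!-- Added example (not from the Cloudflare page): WARP MDM deployment file
     for a Windows client. The "organization" key and the file layout are
     assumptions based on WARP's MDM parameters; all values are placeholders. -->
<dict>
  <!-- Zero Trust team name, i.e. the name in front of .cloudflareaccess.com -->
  <key>organization</key>
  <string>PLACEHOLDER-TEAM-NAME</string>

  <!-- Client ID of the service token that the "Service Auth" enrollment
       policy matches on (step 3) -->
  <key>auth_client_id</key>
  <string>PLACEHOLDER-CLIENT-ID</string>

  <!-- Client Secret of the same service token. Anyone holding this value can
       enroll a device, so this file is a credential, not just configuration. -->
  <key>auth_client_secret</key>
  <string>PLACEHOLDER-CLIENT-SECRET</string>
</dict>
```

    Because the Client Secret is embedded in the file, distribute it only through the MDM channel and restrict who can read the deployment profile. If the secret is exposed, create a new service token, update the Service Auth enrollment policy to reference the new token name, and push the updated parameters through your MDM provider.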