
DOCS: Cloudflare Zero Trust OIDC Setup Guide #70

@jason-riddle

Description


Follow up from https://discord.com/channels/1379528469859532931/1405948286090743829/1422317884767604837.

Warning

I do not claim to be a security expert nor do I claim to be an expert in configuring OIDC.

Therefore, it is YOUR responsibility to review each step carefully and verify the security of your own OIDC configuration.

Summary

This is an example of how to configure TSIDP to work with Cloudflare Zero Trust.

Prerequisites

You need to have the following already set up and configured.

Prerequisites for Cloudflare

Prerequisites for Tailscale

Prerequisites for tsidp

  • tsidp needs to be running with Tailscale Funnel enabled. During login, Cloudflare's own servers (not a device on your tailnet) fetch the Token URL and the Certificate (JWKS) URL, so those endpoints must be reachable from the public internet; Funnel is what provides that. Keep in mind that this also makes the IdP's endpoints publicly reachable.

Steps

TSIDP Steps

  • Go to https://idp.<magicdns>.ts.net
  • Click on "Add New Client"
  • Set the following:
    • Client Name: Cloudflare Zero Trust (can be anything)
    • Redirect URLs: https://<team>.cloudflareaccess.com/cdn-cgi/access/callback (replace <team> with your Zero Trust team name; this must match the callback Cloudflare sends exactly)
    • Click "Create Client"
  • Copy the "Client ID" and "Client Secret" and keep them for the Cloudflare steps. The secret is a credential and should be handled like one.

We are done with tsidp.

Cloudflare Steps

  • Log in to Zero Trust at https://one.dash.cloudflare.com
  • In the left sidebar, scroll down and click on "Settings".
  • Click on "Authentication".
  • Scroll down to "Login methods", click on "Add new".
  • Click on "OpenID Connect".
  • Set the following:
    • Name: Tailscale SSO (can be anything)
    • App ID: <the "Client ID" value copied from tsidp>
    • Client secret: <the "Client Secret" value copied from tsidp>
    • Auth URL: https://idp.<magicdns>.ts.net/authorize
    • Token URL: https://idp.<magicdns>.ts.net/token
    • Certificate URL: https://idp.<magicdns>.ts.net/.well-known/jwks.json
    • Proof Key for Code Exchange (PKCE): Leave off (this guide was written with PKCE off; if your tsidp version supports it, enabling it is a worthwhile hardening, but re-run the "Test" step afterwards)
    • Enable SCIM: Leave off
    • Email claim: email
    • OIDC scopes: openid, email, profile
  • Click "Save".

Now on the authentication settings page, you should see "OpenID Connect • Tailscale SSO". Click on "Test".

If everything was successful, you should see a "Your connection works" page.

Final Steps

We are almost finished; a couple more things are needed.

  • Go to Access > Policies. Click "Add a policy".
  • Set the following:
    • Name: Allow OIDC Claims (can be anything)
    • Under "Add rules", under "Include", choose which emails are allowed, depending on your desired setup. In the example below, anyone who authenticates with the email [email protected], or whose email address ends in @example.com, is allowed in. Note that this rule matches on the email claim regardless of which login method asserted it; if you have more than one login method configured and want this policy to apply only to Tailscale logins, add a "Login Methods" rule under "Require" as well.
  • Scroll down, click "Save".
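The two Cloudflare forms above (the OpenID Connect login method and the "Allow OIDC Claims" policy) are easier to reason about once you see what the relying party does with the values you typed in. The following Go program is an added example written for this guide, not code from tsidp or from Cloudflare: it publishes one RSA key in the JWKS shape served at the Certificate URL, mints an RS256 ID token the way a provider does in its /token response, verifies that token the way Cloudflare must (key lookup by kid, signature check, iss against the provider base URL, aud against the App ID, exp), and then evaluates the email claim against rules shaped like the policy's "Emails" and "Emails ending in" includes. The issuer https://idp.example.ts.net, the client ID client-abc, the kid k1 and the address alice@example.com are assumed values, and aud is treated as a plain string.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

type jwk struct { // one published RSA signing key, in the shape served at the Certificate URL
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

func b64(b []byte) string   { return base64.RawURLEncoding.EncodeToString(b) }
func unb64(s string) []byte { b, _ := base64.RawURLEncoding.DecodeString(s); return b }

// jwksJSON builds the /.well-known/jwks.json document for a single key identified by kid.
func jwksJSON(pub *rsa.PublicKey, kid string) []byte {
	e := big.NewInt(int64(pub.E)).Bytes()
	out, _ := json.Marshal(map[string][]jwk{"keys": {{Kty: "RSA", Kid: kid, N: b64(pub.N.Bytes()), E: b64(e)}}})
	return out
}

// mintIDToken signs claims as an RS256 JWT, as the provider does in its /token response.
func mintIDToken(priv *rsa.PrivateKey, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64(hdr) + "." + b64(body)
	h := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return input + "." + b64(sig)
}

// verifyIDToken is the relying party's side: select the key by kid from the JWKS, verify the RS256
// signature, then check iss (provider base URL), aud (must equal the App ID, treated as a string) and exp.
func verifyIDToken(tok string, jwksDoc []byte, issuer, clientID string, now time.Time) (map[string]any, error) {
	parts := strings.Split(tok, ".")
	var hdr struct{ Alg, Kid string }
	if len(parts) != 3 || json.Unmarshal(unb64(parts[0]), &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("malformed token or unsupported alg (only RS256 is accepted, never \"none\")")
	}
	var keys struct{ Keys []jwk `json:"keys"` }
	json.Unmarshal(jwksDoc, &keys)
	var pub *rsa.PublicKey
	for _, k := range keys.Keys {
		if k.Kid == hdr.Kid && k.Kty == "RSA" {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(unb64(k.N)), E: int(new(big.Int).SetBytes(unb64(k.E)).Int64())}
		}
	}
	if pub == nil {
		return nil, errors.New("no RSA key with matching kid in JWKS")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], unb64(parts[2])) != nil {
		return nil, errors.New("signature check failed")
	}
	var claims map[string]any
	json.Unmarshal(unb64(parts[1]), &claims)
	if claims["iss"] != issuer || claims["aud"] != clientID {
		return nil, errors.New("iss or aud does not match the configured provider and App ID")
	}
	if exp, _ := claims["exp"].(float64); !now.Before(time.Unix(int64(exp), 0)) {
		return nil, errors.New("token expired")
	}
	return claims, nil
}

// allowOIDCClaims mirrors the guide's Access policy Include rules: a rule beginning with "@" is an
// "Emails ending in" rule, any other rule is an exact "Emails" match. Matching is case-insensitive.
func allowOIDCClaims(claims map[string]any, rules []string) bool {
	email, _ := claims["email"].(string)
	email = strings.ToLower(email)
	for _, r := range rules {
		r = strings.ToLower(r)
		if email != "" && (email == r || (strings.HasPrefix(r, "@") && strings.HasSuffix(email, r))) {
			return true
		}
	}
	return false
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	issuer, clientID := "https://idp.example.ts.net", "client-abc" // assumed values, not a real tailnet
	tok := mintIDToken(priv, "k1", map[string]any{"iss": issuer, "aud": clientID,
		"exp": time.Now().Add(5 * time.Minute).Unix(), "email": "alice@example.com"})
	claims, err := verifyIDToken(tok, jwksJSON(&priv.PublicKey, "k1"), issuer, clientID, time.Now())
	fmt.Println("verify error:", err, "| policy allows:", allowOIDCClaims(claims, []string{"@example.com"}))
}
```

The order of checks matters: the signature is verified before any claim is read, and a token whose aud is another client's ID is rejected even though it carries a perfectly valid signature from the same provider, which is why the App ID field must be exactly the Client ID tsidp issued to you. The policy function only ever sees claims that passed those checks.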

  • Go to Settings > Authentication > App Launcher > click on "Manage".
  • Click on "Select existing policies".
  • Select the policy you just created and click "Confirm".

Dashboard Login

  • Go to https://<team>.cloudflareaccess.com, click "Login".
  • In my account, I have 2 login methods configured. However, this time I want to sign in with Tailscale, so I click on "OIDC • Tailscale SSO".

The OIDC flow with tsidp will occur; afterwards I'll be on the dashboard page where I can see all of my apps.

Done

That concludes this guide. As a follow-up, for each application you want to allow Tailscale SSO login to, make sure it uses the "Allow OIDC Claims" policy.

Apps and their policies can be viewed and managed under Access > Applications > click on the app name > Configure > Policies.

    Labels

    documentation (Improvements or additions to documentation)