Connect to Salesforce through Access (OIDC)
This guide covers how to configure Salesforce as an OpenID Connect (OIDC) application in Cloudflare Zero Trust.
Prerequisites
- Admin access to a Salesforce account
1. Add a SaaS application to Cloudflare Zero Trust
- In Zero Trust, go to Access > Applications.
- Select SaaS.
- For Application, select Salesforce.
- For the authentication protocol, select OIDC.
- Select Add application.
- In Scopes, select the attributes that you want Access to send in the ID token.
- In Redirect URLs, enter the callback URL obtained from Salesforce (https://<your-domain>.my.salesforce.com/services/authcallback/<URL Suffix>). Refer to Add a SAML SSO provider to Salesforce for instructions on obtaining this value.
- (Optional) Enable Proof Key for Code Exchange (PKCE) if the protocol is supported by your IdP. PKCE will be performed on all login attempts.
- Copy the following values:
  - Client ID
  - Client Secret
  - Authorization endpoint
  - Token endpoint
  - User info endpoint
- Select Save configuration.
- Configure Access policies for the application.
- Select Done.
2. Add a SAML SSO provider to Salesforce
- In Salesforce, go to Setup.
- In the Quick Find box, enter auth and select Auth providers.
- Select New.
- For the provider type, select OpenID Connect.
- Enter a name for the SSO provider (for example, Cloudflare Access).
- Fill in the following fields with values obtained from Cloudflare Access:
  - Consumer Key: Client ID
  - Consumer Secret: Client Secret
  - Authorize Endpoint URL: Authorization endpoint
  - Token endpoint URL: Token endpoint
  - User Info Endpoint URL: User info endpoint
  - Token Issuer: Issuer
- (Optional) Enable Use Proof Key for Code Exchange if you enabled it in Access.
- In Default Scopes, enter a space-separated list of the scopes you configured in Access (for example, openid email profile groups).
- Select Save.
- Copy the Callback URL: https://<your-domain>.my.salesforce.com/services/authcallback/<URL Suffix>
- In Zero Trust, paste the Callback URL into the Redirect URL field.
To test the integration, open an incognito browser window and go to the Test-Only Initialization URL (https://<your-domain>.my.salesforce.com/services/auth/test/<URL Suffix>).
3. Enable Single Sign-On in Salesforce
Enable Cloudflare Access as an identity provider on your Salesforce domain:
- In the Quick Find box, enter domain and select My Domain.
- In Authentication Configuration, select Edit.
- In Authentication Service, turn on the Cloudflare Access provider.
- (Optional) To require users to log in with Cloudflare Access:
  - In the Quick Find box, enter single sign-on and select Single Sign-On Settings.
  - Turn on Disable login with Salesforce credentials.
To test, open an incognito browser window and go to your Salesforce domain (https://<your-domain>.my.salesforce.com).
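The following Python example is added here to show what the configuration above sets in motion: the PKCE code challenge Salesforce generates when Use Proof Key for Code Exchange is enabled, the authorization request it sends to the Access Authorization endpoint with the configured Default Scopes and Callback URL, and the claim checks (Token Issuer, Consumer Key, nonce, expiry, email from the selected Scopes) that a sound relying party applies to the returned ID token. It is not Cloudflare or Salesforce code; the endpoint, client ID and issuer values are constructed placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed placeholders for the values the guide has you copy between Access and Salesforce.
ACCESS_AUTHORIZATION_ENDPOINT = "https://access-authorization-endpoint.invalid/authorize"
ACCESS_CLIENT_ID = "example-client-id"            # entered in Salesforce as Consumer Key
ACCESS_ISSUER = "https://access-issuer.invalid"    # entered in Salesforce as Token Issuer
SALESFORCE_CALLBACK = "https://<your-domain>.my.salesforce.com/services/authcallback/<URL Suffix>"
DEFAULT_SCOPES = ["openid", "email", "profile", "groups"]


def pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) for the S256 PKCE method."""
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_authorization_url(state, nonce, code_challenge, scopes=DEFAULT_SCOPES):
    """Authorization request the browser is sent to when PKCE is enabled on both sides."""
    params = {
        "response_type": "code",
        "client_id": ACCESS_CLIENT_ID,
        "redirect_uri": SALESFORCE_CALLBACK,  # must match Redirect URLs in Access exactly
        "scope": " ".join(scopes),            # the Default Scopes entered in Salesforce
        "state": state,                       # CSRF protection, checked on the callback
        "nonce": nonce,                       # bound into the ID token, checked below
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return ACCESS_AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def check_id_token_claims(claims, nonce, now):
    """Return the list of problems with an ID token's claims (empty means it passes)."""
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    problems = []
    if claims.get("iss") != ACCESS_ISSUER:
        problems.append("iss does not match the Token Issuer configured in Salesforce")
    if ACCESS_CLIENT_ID not in aud:
        problems.append("aud does not contain the Consumer Key")
    if claims.get("nonce") != nonce:
        problems.append("nonce does not match the authorization request")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    if "email" not in claims:
        problems.append("email claim missing: check the Scopes selected in Access")
    return problems
```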