# Protect Public Site
Project: Arlyn Labs — all applications
Date: April 2026
Use this runbook each time you want to put employee-only authentication in front of a new application or subdomain. It covers both the JumpCloud and Cloudflare steps needed for each app.
This assumes the one-time account setup has already been completed.
## Prerequisites
- The application is publicly reachable at a hostname you control (e.g. app.arlyn.io)
- The JumpCloud SAML IdP and "Allow JumpCloud Users" policy are already configured (see account setup)
- Admin access to Cloudflare Zero Trust
- Admin access to JumpCloud Admin Console
## Part 1: JumpCloud — Create an SSO Application for This App
Each protected application gets its own JumpCloud SSO application. This gives employees a dedicated portal tile, allows you to control which users can access each app independently, and sets the correct Login URL so the authentication flow works.
### 1.1 Add a new SSO application
- Log into the JumpCloud Admin Console
- Navigate to SSO Applications in the left sidebar
- Click + Add New Application
- Search for Cloudflare Access and select the native connector
- Give it a name matching the application, e.g. Arlyn Labs Docs
- Click Next: SSO
### 1.2 Configure SAML settings
On the SSO configuration tab, enter the following. These values are shared across all applications — they point to the Cloudflare Access account-level endpoints, not any specific app.
| Field | Value |
|---|---|
| SP Entity ID | https://arlynlabs.cloudflareaccess.com/cdn-cgi/access/saml-metadata |
| ACS URL | https://arlynlabs.cloudflareaccess.com/cdn-cgi/access/callback |
| SAMLSubject NameID | email |
| SAMLSubject NameID Format | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
Leave the Sign Assertion checkbox enabled (default).
### 1.3 Set the Login URL
Scroll down to the Login URL field and enter the application's public URL (scheme and hostname), for example: https://docs.arlyn.io
**This step is required — do not skip it.**
Without a Login URL, JumpCloud performs an IdP-initiated SAML POST when a user clicks the portal tile. Cloudflare Access rejects these with an "Invalid Login Session" error because it didn't initiate the request.
Setting the Login URL causes JumpCloud to redirect the user's browser to the application first. Cloudflare Access intercepts that, initiates its own SAML request back to JumpCloud (SP-initiated flow), and authentication completes correctly.
Click Save.
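To make the SP-initiated versus IdP-initiated distinction in 1.3 concrete, here is an added Python example (not part of this runbook, and not JumpCloud's or Cloudflare's tooling) that decodes a base64 `SAMLResponse` form value and reports the properties Cloudflare Access depends on: an `InResponseTo` attribute tying the response to an AuthnRequest the SP issued, a `Destination` equal to the ACS URL from the 1.2 table, and the email-address NameID format. The two sample responses are constructed and unsigned, the request ID `_cfaccess_req_123` and the subject `alice@arlyn.io` are placeholders, and the script does not verify signatures.

```python
import base64
import xml.etree.ElementTree as ET
from typing import List, Optional

# SAML 2.0 namespaces for the Response envelope and the Assertion inside it.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Values from the 1.2 table.
ACS_URL = "https://arlynlabs.cloudflareaccess.com/cdn-cgi/access/callback"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def inspect_saml_response(b64_response: str) -> dict:
    """Decode the base64 SAMLResponse form value and extract the fields
    that decide whether Cloudflare Access will accept it. Signature
    verification is not performed here."""
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a SAML 2.0 Response element")
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    return {
        "destination": root.get("Destination"),
        # Only present when the IdP is answering an AuthnRequest the SP sent.
        "in_response_to": root.get("InResponseTo"),
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
    }


def diagnose(info: dict) -> List[str]:
    """List the reasons an Access SP configured per 1.2 would reject the response."""
    problems = []
    if not info["in_response_to"]:
        problems.append(
            "IdP-initiated (unsolicited) response: no InResponseTo, "
            "so Access has no login session to match; set the Login URL (1.3)"
        )
    if info["destination"] != ACS_URL:
        problems.append(f"Destination {info['destination']!r} is not the ACS URL")
    if info["name_id_format"] != EMAIL_FORMAT:
        problems.append(f"NameID Format {info['name_id_format']!r} is not emailAddress")
    return problems


def make_sample(in_response_to: Optional[str]) -> str:
    """Build a constructed, unsigned response for exercising the checks.
    Real JumpCloud responses are signed and carry more elements."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    xml = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="_resp1" Version="2.0" IssueInstant="2026-04-01T00:00:00Z" '
        f'Destination="{ACS_URL}"{irt}>'
        '<saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2026-04-01T00:00:00Z">'
        f'<saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">alice@arlyn.io</saml:NameID></saml:Subject>'
        "</saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


# "_cfaccess_req_123" is a placeholder for the ID Access put in its AuthnRequest.
SP_INITIATED = make_sample("_cfaccess_req_123")
IDP_INITIATED = make_sample(None)

if __name__ == "__main__":
    for label, sample in (("SP-initiated", SP_INITIATED), ("IdP-initiated", IDP_INITIATED)):
        print(label, diagnose(inspect_saml_response(sample)) or ["accepted"])
```

When troubleshooting an "Invalid Login Session" error, the presence or absence of `InResponseTo` tells you at once whether the browser reached Access through the Login URL redirect (SP-initiated) or came straight from the portal tile (IdP-initiated).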
### 1.4 Set a display name and logo
On the General Info tab:
- Set the Display Label to the application name (e.g. Arlyn Labs Docs)
- Upload a logo that represents the application in the User Portal Image section
This is what employees will see in their JumpCloud user portal.
### 1.5 Assign users or groups
On the User Groups tab, add the groups (or individual users) that should have access to this application.
**Warning:** If you skip this step, employees will reach the JumpCloud login page but receive an access denied error after authenticating. Always confirm group membership is set before testing.
## Part 2: Cloudflare — Add an Access Application Record

### 2.1 Add the application
- Log into Cloudflare Zero Trust
- In the left sidebar, go to Access controls → Applications
- Click Add an application
- Select Self-hosted
### 2.2 Configure basic details
| Field | Value |
|---|---|
| Application name | Match the name used in JumpCloud, e.g. Arlyn Labs Docs |
| Session duration | 24 hours (or adjust to your policy) |
| Application domain | The hostname being protected, e.g. docs.arlyn.io |
Leave all other fields at their defaults and click Next.
### 2.3 Attach the reusable policy
On the Policies step:
- Click Select existing policies
- Choose Allow JumpCloud Users from the list
- Click Next
**Tip:** Do not create a new policy here. The shared "Allow JumpCloud Users" policy keeps access management centralised.
### 2.4 Configure login settings
On the Login methods tab (accessible after saving, via Configure):
- Ensure only SAML • JumpCloud is checked
- Enable Apply instant authentication — this skips the identity provider selection screen and redirects employees directly to JumpCloud
Click Save application.
## Part 3: Verify
- Open an incognito browser window and navigate to the application's URL
- You should be immediately redirected to arlynlabs.cloudflareaccess.com, then straight to the JumpCloud login page
- Log in with a JumpCloud account that is authorised for this application
- You should land on the application
If login fails, check:
- The hostname in the Cloudflare Access Application exactly matches the application URL
- The Login URL in the JumpCloud SSO application is set to that same hostname
- The user's JumpCloud account is assigned to the JumpCloud SSO application for this app
- The Cloudflare Access Application has the "Allow JumpCloud Users" policy attached
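The first redirect in Part 3 can be checked from a terminal without a browser. The following Python script is an added example, not part of this runbook or of Cloudflare's tooling: it requests the protected hostname once without following redirects and classifies the reply by whether the `Location` header's hostname is exactly the team domain `arlynlabs.cloudflareaccess.com`. The hostname argument, the `access-runbook-check` User-Agent string and the verdict labels are assumptions of this example.

```python
import sys
import urllib.error
import urllib.request
from typing import Optional
from urllib.parse import urlparse

# Cloudflare Access team domain named in Part 3 of the runbook.
TEAM_DOMAIN = "arlynlabs.cloudflareaccess.com"
REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the first hop can be inspected.
    urllib then surfaces the 3xx as an HTTPError that carries the headers."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status: int, location: Optional[str], team_domain: str = TEAM_DOMAIN) -> str:
    """Map the unauthenticated first response to a verdict:
    - 'protected'           : redirected to the Access team domain
    - 'redirected-elsewhere': a redirect, but not to Access (hostname mismatch, app-level redirect)
    - 'unprotected'         : content served with no Access redirect at all
    - 'unexpected'          : anything else (e.g. 4xx/5xx without a redirect)
    The hostname is compared after parsing, so a look-alike such as
    arlynlabs.cloudflareaccess.com.example does not pass."""
    if status in REDIRECT_CODES and location:
        if urlparse(location).hostname == team_domain:
            return "protected"
        return "redirected-elsewhere"
    if status == 200:
        return "unprotected"
    return "unexpected"


def probe(hostname: str, team_domain: str = TEAM_DOMAIN, timeout: float = 10.0) -> str:
    """Issue one GET to https://<hostname>/ and classify the first response."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(
        f"https://{hostname}/",
        headers={"User-Agent": "access-runbook-check"},  # assumed identifier for the probe
    )
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status, resp.headers.get("Location"), team_domain)
    except urllib.error.HTTPError as err:
        # A 3xx lands here because _NoRedirect declined to follow it.
        return classify(err.code, err.headers.get("Location"), team_domain)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "docs.arlyn.io"
    print(f"{host}: {probe(host)}")
```

Run it with the protected hostname as the only argument. A verdict of `unprotected` means the Application domain in 2.2 does not match the hostname being served, and `redirected-elsewhere` usually means the application itself redirected (for example to a `www.` variant) before Access saw the request.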
## Reference: Configured Applications
| Application | Hostname | JumpCloud App | Cloudflare App ID |
|---|---|---|---|
| Arlyn Labs Docs | docs.arlyn.io | Arlyn Labs Docs | 37d728b3-d565-47cc-89f8-31ea4fc7f397 |
Add new rows to this table as additional applications are protected.