# Cloudflare SSO Setup
Project: Arlyn Labs — all applications
Date: April 2026
This is a one-time configuration performed at the Cloudflare Zero Trust account level. It connects JumpCloud as the SAML identity provider and creates the shared policy that all protected applications reuse. You never need to repeat these steps — each new application you protect only requires the per-application runbook.
## Prerequisites
- Admin access to the JumpCloud Admin Console
- Admin access to Cloudflare Zero Trust
- Cloudflare team domain: arlynlabs.cloudflareaccess.com
## Part 1: Add JumpCloud as an Identity Provider in Cloudflare Zero Trust
### 1.1 Open the identity providers screen
- Log into Cloudflare Zero Trust and select your account
- In the left sidebar, go to Integrations → Identity providers
- Click Add an identity provider
- Select SAML
### 1.2 Fill in the SAML provider details
| Field | Value |
|---|---|
| Name | JumpCloud |
| Single Sign-On URL | https://sso.jumpcloud.com/saml2/cloudflareaccess |
| IdP Entity ID / Issuer | https://sso.jumpcloud.com/saml2/cloudflareaccess |
### 1.3 Add the X.509 signing certificate
Cloudflare requires the raw base64 certificate from JumpCloud's SAML metadata. To retrieve it:
- In the JumpCloud Admin Console, open the Cloudflare Access SSO application
- On the SSO tab, click Copy Metadata URL; it takes the form https://sso.jumpcloud.com/saml2/metadata/<app-id>
- Open that URL in a browser and locate the <ds:X509Certificate> element in the XML
- Copy the certificate content (the long base64 string between the tags, without the tags themselves)
- Paste it into the Signing certificate field in Cloudflare
**Warning:** Do not include the -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- header/footer lines. Cloudflare expects the raw base64 body only.

**Tip:** The Arlyn Labs JumpCloud metadata URL is https://sso.jumpcloud.com/saml2/metadata/69d572705a008aff02d3c0a2.
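Steps 1.2 and 1.3 are the error-prone part of this runbook: the three values Cloudflare asks for all live in the IdP metadata XML, and the certificate is published wrapped across lines (sometimes with PEM armour) even though Cloudflare wants one unbroken base64 body. The script below is an added example, not part of the original runbook or of any Cloudflare or JumpCloud tooling. It parses a constructed sample metadata document (the certificate inside it is a stand-in DER blob, not a real certificate) and returns the entity ID, SSO URL and normalized signing certificate, rejecting input that is not strict base64 or does not decode to a DER SEQUENCE, which is what you get when the wrong element or a truncated string is copied.

```python
import base64
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed stand-in for a DER certificate (a bare SEQUENCE, not a real cert).
# Real metadata carries a full X.509 certificate here; only the framing matters below.
_BODY = bytes([0x02, 0x01, 0x01]) + bytes(25)
SAMPLE_CERT_B64 = base64.b64encode(bytes([0x30, len(_BODY)]) + _BODY).decode()

# Constructed sample metadata in the shape IdPs publish: the base64 is wrapped
# across lines and surrounded by whitespace, which is exactly what must not be
# pasted into Cloudflare as-is.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="https://sso.jumpcloud.com/saml2/cloudflareaccess">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
            {SAMPLE_CERT_B64[:20]}
            {SAMPLE_CERT_B64[20:]}
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sso.jumpcloud.com/saml2/cloudflareaccess"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def normalize_cert_b64(raw: str) -> str:
    """Turn the text inside <ds:X509Certificate> (or a pasted PEM block) into the
    single-line raw base64 body that Cloudflare's Signing certificate field expects."""
    lines = [ln.strip() for ln in raw.strip().splitlines()]
    # Drop PEM armour if the IdP (or a human) included it.
    lines = [ln for ln in lines if ln and not ln.startswith("-----")]
    compact = "".join(lines)
    # validate=True raises (a ValueError subclass) on stray characters, so a
    # mangled copy is caught here rather than at Cloudflare's "Test" button.
    der = base64.b64decode(compact, validate=True)
    # Every DER certificate starts with a SEQUENCE tag (0x30); anything else means
    # the wrong element (e.g. a SignatureValue) or a truncated string was copied.
    if not der or der[0] != 0x30:
        raise ValueError("decoded bytes are not a DER SEQUENCE; wrong element copied?")
    return compact


def parse_idp_metadata(metadata_xml: str) -> dict:
    """Pull the three values Cloudflare's SAML form asks for out of IdP metadata."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    sso = root.find(f".//{{{MD_NS}}}SingleSignOnService")
    # Prefer a key marked for signing; a KeyDescriptor with no 'use' attribute is
    # valid for both signing and encryption, so it is an acceptable fallback.
    signing = [kd for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor")
               if kd.get("use") in (None, "signing")]
    certs = [c.text for kd in signing
             for c in kd.iter(f"{{{DS_NS}}}X509Certificate") if c.text]
    if entity_id is None or sso is None or not certs:
        raise ValueError("metadata lacks entityID, SingleSignOnService or a signing certificate")
    return {
        "entity_id": entity_id,
        "sso_url": sso.get("Location"),
        "signing_cert": normalize_cert_b64(certs[0]),
    }


if __name__ == "__main__":
    # Run against the metadata URL from the Tip above by fetching it and passing
    # the body in; here the constructed sample is used so the script runs offline.
    for key, value in parse_idp_metadata(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

Compare the printed entity_id and sso_url against the table in 1.2 before saving; if the metadata advertises several SingleSignOnService bindings, the first one is returned, so check the Binding attribute if you need a specific one.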
### 1.4 Save and test
Click Save. Cloudflare will prompt you to test the connection — click Test to verify the SAML handshake completes successfully before proceeding.
## Part 2: Create the Reusable Allow Policy
Rather than defining an access rule on every individual application, create one reusable policy that can be attached to any application you protect.
- In Cloudflare Zero Trust, go to Access controls → Policies
- Click Add a policy
- Configure:
| Field | Value |
|---|---|
| Policy name | Allow JumpCloud Users |
| Action | Allow |
| Include rule | Selector: Everyone |
- Click Save policy
**Why "Everyone"?**

The login method is restricted to JumpCloud only at the application level (and account-wide in Part 3). Any user who authenticates successfully has therefore gone through JumpCloud SAML, so "Everyone" effectively means "everyone who passes the JumpCloud gate", which is exactly what we want. The policy is only as strong as that restriction: if another identity provider or One-time PIN were ever re-enabled, "Everyone" would admit those users too, so keep the Part 3 settings in place.
## Part 3: Restrict Login Methods Account-Wide
To prevent employees from being offered a one-time PIN or any other login method instead of JumpCloud:
- In Cloudflare Zero Trust, go to Integrations → Identity providers
- Ensure only SAML • JumpCloud is enabled
- Uncheck One-time PIN if it appears in the list
- Turn OFF the Accept all available identity providers toggle
This setting applies account-wide — all Access applications will only offer JumpCloud login.
## What This Unlocks
Once this setup is complete, the following are shared automatically with every new application you protect:
| Component | Shared? |
|---|---|
| JumpCloud SAML identity provider | ✅ Yes — configured once at account level |
| X.509 certificate / SSO URLs | ✅ Yes — part of the IdP record |
| "Allow JumpCloud Users" reusable policy | ✅ Yes — attach to any application |
| Login method restriction (JumpCloud only) | ✅ Yes — account-wide setting |
To protect a new application, follow the per-application runbook, which covers both the JumpCloud and Cloudflare steps needed for each app.