
Authentik: Single Sign-On Configuration for Cloudflare Zero Trust


Hello!

Today I’ll walk you through the steps of configuring single sign-on (SSO) between Cloudflare Zero Trust and Authentik.

Introduction

What is Cloudflare Zero Trust?

Cloudflare Zero Trust is an offering from Cloudflare, which provides network security and performance services. It is part of the larger Cloudflare One platform, which is designed to provide a comprehensive, deeply integrated Zero Trust solution that protects devices, applications and entire networks and accelerates their performance.

Zero Trust, also known as the “don’t trust, verify” model, is an approach to network security that assumes that no device, user or network service is trusted by default, regardless of whether it is inside or outside the corporate network.

It is a powerful tool for granting secure access to network resources. By integrating with identity providers (IdPs) such as Authentik, Cloudflare Zero Trust lets users reach those resources through single sign-on.

What is Authentik?

Authentik is open-source software that serves as an identity provider, managing user authentication and authorization. As an alternative to commercial services such as Okta or OneLogin, Authentik offers similar functionality in an open-source model. Other open-source tools with a similar purpose include Keycloak and Authelia, which also allow central management of user identities across applications and web services.

It stands out for its configuration flexibility and broad support for various authentication protocols, making it an excellent choice for organizations looking for an advanced but accessible open-source identity management solution.

Preparation

For the purpose of preparing the tutorial, we will adopt the domain names and identifiers described below. During setup, adjust the settings according to your needs.

  • Fully qualified domain name (FQDN) of the Authentik instance: https://auth.xyz.com

What is OpenID Connect?

The OpenID Connect (OIDC) protocol is an authentication layer based on the OAuth 2.0 protocol that enables secure authentication and acquisition of user identity information in web applications. Below are the key elements that describe how OpenID Connect works:

  • OAuth 2.0 as the foundation: OpenID Connect builds on the OAuth 2.0 protocol. OAuth 2.0 allows applications to access resources on behalf of the user, and OpenID Connect extends it with an authentication layer.
  • Issuing Tokens: Once a user is successfully authenticated, the application receives tokens that carry identity information. These are typically:
    • ID Token: Contains basic information about the user, such as their identifier, first name, last name, etc.
    • Access Token: Allows access to protected resources on behalf of the user.
    • Refresh Token: Used to obtain new tokens after the others expire.
  • JSON Web Tokens (JWT): The information carried in the tokens is usually encoded as JSON Web Tokens, which keeps them compact and, once signed, lets the receiver verify that they were not altered.
  • End-User Authentication: OpenID Connect supports various methods of user authentication, such as password login, multi-factor authentication or even third-party identity providers.
  • Configuration Information: The identifiers and endpoints needed to authorize and obtain tokens come from the provider’s configuration document, which is usually available at a fixed URL (by convention /.well-known/openid-configuration under the issuer URL).
  • Security over TLS: Communication between the client and the identity provider, as well as between the provider and the resource server, should take place over a secure TLS (HTTPS) connection.

In summary, OpenID Connect facilitates secure and efficient authentication of users in web applications, while allowing users to acquire their identity information through tokens.

Operation of OpenID Connect

The process of the OpenID Connect (OIDC) protocol can be divided into several steps. Below you will find a general description of the steps involved in this process:

  • Initiate Authorization Request:
    • The user wants to log into the application, supporting OpenID Connect.
    • The application directs it to the identity provider (IdP) with an authorization request.
    • This request contains the scopes the application wants and information about what should happen after authorization completes.
  • User Authentication (Authentication):
    • The identity provider authenticates the user.
    • If the user is not logged in, they may be asked for their credentials.
  • Redirection Back:
    • Once the user is successfully authenticated, the identity provider redirects the user back to the application while providing an authorization code.
  • Code-to-Token Exchange (Token Exchange):
    • The application sends the received authorization code back to the identity provider.
    • In return, it receives a set of tokens, such as an ID Token, Access Token and possibly a Refresh Token.
  • Use of Tokens (Access Resources):
    • The application uses the received Access Token to access protected resources on behalf of the user.
    • Access to resources can be limited by the access range specified in the token.
  • Token Verification:
    • The application verifies the validity of the received tokens, especially the ID Token, which contains information about the user’s identity.
    • Verification may include checking the token’s signature, its validity and compliance with authorization requests.
  • Token Refresh:
    • If Refresh Token is used, the application can refresh its tokens without having to re-authenticate the user.
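The steps above, run end to end as an added example (Python; not code from Authentik or Cloudflare). It plays both sides offline: a demo-sized RSA key stands in for Authentik's signing key, jwks_for() produces the document Cloudflare would fetch from the Certificate URL, sign_jwt_rs256() issues the ID token, and verify_id_token() performs the relying party's Token Verification step: pin the algorithm, select the key by kid, check the RS256 signature, then check iss, aud, exp and nonce. The issuer URL is assumed to follow Authentik's per-provider layout (the FQDN from the tutorial plus the provider slug); the client id and the team name are constructed placeholders.

```python
# Added example (not Authentik's or Cloudflare's code): the OIDC authorization-code flow run offline,
# with the signing key, JWKS document and ID token generated in-process. ISSUER and AUTH_URL follow the
# tutorial's FQDN and provider slug (assumed layout); the client id and team name are constructed placeholders.
import base64
import hashlib
import json
import secrets
import time
from urllib.parse import urlencode

ISSUER = "https://auth.xyz.com/application/o/cloudflare-zerotrust/"
AUTH_URL = "https://auth.xyz.com/application/o/authorize/"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://example-team.cloudflareaccess.com/cdn-cgi/access/callback"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test; fine for a demo key, not a production key generator."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    r = ((n - 1) & (1 - n)).bit_length() - 1  # n - 1 = d * 2**r with d odd
    d = (n - 1) >> r
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x == 1:
            continue
        for _ in range(r):  # one of a**d, a**2d, ..., a**(2**(r-1) d) must be -1 mod n
            if x == n - 1:
                break
            x = pow(x, 2, n)
        else:
            return False
    return True

def make_rsa_key(bits: int = 1024) -> dict:
    """Demo-sized RSA key pair (real signing keys are 2048 bits or more)."""
    def prime(b):  # draw random odd b-bit candidates until Miller-Rabin accepts one
        return next(c for c in iter(lambda: secrets.randbits(b) | (1 << (b - 1)) | 1, None)
                    if is_probable_prime(c))
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e must be invertible modulo phi
            return {"n": p * q, "e": e, "d": pow(e, -1, phi), "kid": "demo-key-1"}

def emsa_pkcs1_v15(msg: bytes, k: int) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg), the value RS256 really signs (RFC 8017)."""
    t = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def sign_jwt_rs256(claims: dict, key: dict) -> str:
    """IdP side: issue the ID token as a compact JWS (header.payload.signature)."""
    header = {"alg": "RS256", "typ": "JWT", "kid": key["kid"]}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    k = (key["n"].bit_length() + 7) // 8
    sig = pow(emsa_pkcs1_v15(signing_input.encode(), k), key["d"], key["n"])
    return signing_input + "." + b64url(sig.to_bytes(k, "big"))

def jwks_for(key: dict) -> dict:
    """What the Certificate URL (.../jwks/) serves: the public parameters only."""
    enc = lambda i: b64url(i.to_bytes((i.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": key["kid"],
                      "n": enc(key["n"]), "e": enc(key["e"])}]}

def verify_id_token(token: str, jwks: dict, expected_nonce: str, now=None) -> dict:
    """Token Verification: signature against the JWKS, then iss, aud, exp and nonce; ValueError on failure."""
    now = time.time() if now is None else now
    h64, p64, s64 = token.split(".")  # anything but three segments raises ValueError
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "RS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    jwk = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if jwk is None:
        raise ValueError("unknown kid")
    n, e, sig = (int.from_bytes(b64url_decode(v), "big") for v in (jwk["n"], jwk["e"], s64))
    if pow(sig, e, n) != emsa_pkcs1_v15(f"{h64}.{p64}".encode(), (n.bit_length() + 7) // 8):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))
    for ok, msg in ((claims.get("iss") == ISSUER, "wrong issuer"), (claims.get("aud") == CLIENT_ID, "wrong audience"),
                    (claims.get("exp", 0) > now, "expired"), (claims.get("nonce") == expected_nonce, "nonce mismatch")):
        if not ok:
            raise ValueError(msg)
    return claims

def demo() -> dict:
    """The whole exchange in-process; returns the artefacts so they can be inspected."""
    key, state, nonce = make_rsa_key(), secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    # Initiate Authorization Request: the browser is sent to the Auth URL with a state (CSRF) and a nonce (replay) value
    url = AUTH_URL + "?" + urlencode({"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                                      "scope": "openid email profile", "state": state, "nonce": nonce})
    now = int(time.time())  # ...the user logs in, the code comes back and is posted to the Token URL; the IdP answers:
    id_token = sign_jwt_rs256({"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID, "nonce": nonce,
                               "iat": now, "exp": now + 300}, key)
    jwks = jwks_for(key)  # what Cloudflare fetches from the Certificate URL
    return {"url": url, "id_token": id_token, "jwks": jwks, "nonce": nonce, "claims": verify_id_token(id_token, jwks, nonce)}
```

Call demo() to see the verified claims. The nonce ties the ID token to the authorization request that produced it, so a token replayed into a different session fails the last check, and a token whose payload was altered after issuance fails the signature check before any claim is even read.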

Step 1 – Configuration in Authentik

  • Log in to your account and go to the administration interface,
  • After successfully logging into the administrative interface, go to the Applications tab on the left side of the screen, and then select Providers.

(Screenshot: Authentik)

  • Click Create and select the OAuth2/OpenID Provider type. Then move on by clicking Next.
  • Fill the provider with the following values:
    • Name: cloudflare-zerotrust
    • Authentication flow: choose your configured flow or keep the default (default-authentication-flow)
    • Authorization flow: choose your configured flow, or the default explicit or implicit consent flow. (This setting determines what happens during authorization for this application: whether Authentik shows a button that lets you proceed to the application after logging in, or simply redirects you without asking.)
    • Protocol settings:
      • Client type: We leave Confidential
      • Client ID: Copy and save for later
      • Client Secret: Copy and save for later
      • Redirect URIs/Origins (RegEx): https://<TEAM_NAME>.cloudflareaccess.com/cdn-cgi/access/callback (replace <TEAM_NAME> with your team’s existing name in Cloudflare Zero Trust)
    • Signing Key: authentik Self-signed Certificate
  • Leave the other values unchanged and click Finish.
  • On the left side of the screen, select Applications, and then Applications again.
  • Click Create and fill the application with the following values:
    • Name: Cloudflare Zero Trust
    • Slug: cloudflare-zerotrust
    • Provider: cloudflare-zerotrust
    • UI settings, which you may or may not want to fill in:
      • Icon: download the Cloudflare icon from the Internet and upload it.
      • Publisher: e.g. Cloudflare Inc.
      • Description: e.g. Zero Trust Network Access
    • Confirm the creation of the application with the Create button.

On the identity provider side, we have already completed the necessary steps. Now it’s time for Cloudflare Zero Trust configuration.

Step 2 – Configuration in Cloudflare

Create a new configuration based on OpenID Connect

  • To use Cloudflare Zero Trust, first log into the administration panel of your Cloudflare account. Then, from the menu on the left, select Zero Trust.

(Screenshot: Cloudflare, Zero Trust menu)

  • After selecting Zero Trust from the menu on the left, the Zero Trust configuration menu opens. Click on the Settings tab to access the settings.

(Screenshot: Cloudflare Zero Trust, menu)

  • Go to the Authentication section,

(Screenshot: Cloudflare Zero Trust, Settings menu)

  • Inside the Login methods section, click on Add new,
  • Click on OpenID Connect,

(Screenshot: Cloudflare Zero Trust, Add a login method)

  • Fill in the fields with the following values:
    • Name: Authentik
    • App ID: Paste Client ID from Authentik
    • Client secret: Paste Client secret from Authentik
    • Auth URL: https://auth.xyz.com/application/o/authorize/
    • Token URL: https://auth.xyz.com/application/o/token/
    • Certificate URL: https://auth.xyz.com/application/o/cloudflare-zerotrust/jwks/
  • Confirm the configuration by clicking Save. You can test the connection by clicking Test. If everything is configured correctly, you should see the message Your connection works!

(Screenshot: Cloudflare Zero Trust, successful connection test)
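A pre-flight check for the form above, as an added example (Python; not Cloudflare's or Authentik's code). It compares the three URLs entered in Cloudflare with the authorization_endpoint, token_endpoint and jwks_uri fields of the OpenID Provider metadata, checks that App ID and Client secret are not blank, and confirms that the callback URL Cloudflare will send the browser to is matched by the Redirect URIs regex configured in Step 1. The DISCOVERY dictionary is constructed to mirror what Authentik publishes for the tutorial's FQDN and slug (assumed location: the issuer URL followed by /.well-known/openid-configuration); a live check would fetch it from there instead.

```python
# Added example (not Authentik's or Cloudflare's code): checks the values typed into the Cloudflare
# "OpenID Connect" login method against the OpenID Provider metadata Authentik publishes and against
# the Redirect URIs pattern configured in Step 1. DISCOVERY is constructed for the tutorial's FQDN and
# slug; a live check would fetch it from <issuer>/.well-known/openid-configuration (assumed location).
import re
from urllib.parse import urlparse

DISCOVERY = {
    "issuer": "https://auth.xyz.com/application/o/cloudflare-zerotrust/",
    "authorization_endpoint": "https://auth.xyz.com/application/o/authorize/",
    "token_endpoint": "https://auth.xyz.com/application/o/token/",
    "jwks_uri": "https://auth.xyz.com/application/o/cloudflare-zerotrust/jwks/",
}

def check_login_method(cloudflare: dict, metadata: dict, redirect_patterns: list, team_name: str) -> list:
    """Return a list of problems; an empty list means the Cloudflare form matches the Authentik provider."""
    problems = []
    # Cloudflare form field -> metadata field it must agree with
    for field, key in (("Auth URL", "authorization_endpoint"), ("Token URL", "token_endpoint"),
                       ("Certificate URL", "jwks_uri")):
        entered = cloudflare.get(field, "")
        if urlparse(entered).scheme != "https":
            problems.append(f"{field}: {entered!r} is not an https URL")
        elif entered != metadata[key]:
            problems.append(f"{field}: entered {entered!r} but Authentik publishes {metadata[key]!r}")
    for field in ("App ID", "Client secret"):
        if not cloudflare.get(field):
            problems.append(f"{field}: empty (copy it from the Authentik provider)")
    # Cloudflare sends the browser back to this callback; Authentik matches it against its RegEx list.
    callback = f"https://{team_name}.cloudflareaccess.com/cdn-cgi/access/callback"
    if not any(re.fullmatch(pattern, callback) for pattern in redirect_patterns):
        problems.append(f"redirect URI {callback} matches none of the configured patterns")
    return problems
```

A frequent slip this catches is a Certificate URL without the provider slug, which does not match jwks_uri and leaves Cloudflare unable to find the key that signed the ID token. Because Authentik treats the redirect entry as a regular expression, escape the dots in the host name so the pattern cannot match a look-alike host.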

Edit basic settings in Cloudflare Zero Trust authentication

  • Return to the Authentication section and edit Global session timeout. Set it to Same as application session timeout,
  • App Launcher: we will configure the basic option, without fine-grained rules for who may access the App Launcher in Zero Trust. You can customize it later according to your needs.
  • Click Manage,
  • In the Rules / Policies section, click Add a rule and set the following values:
    • Rule name: Access,
    • Rule action: Allow,
    • Include:
      • Selector: Login Methods,
      • Value: OpenID Connect * Authentik,
    • Assign a group: leave default group
  • Save your settings with the Save button.

If you have additional questions about the setup, go ahead and leave a comment under this article or contact me directly. I will be happy to answer any concerns and help solve any problems. Your questions can help improve this guide for other users.

Additional Sources and information

For further exploration and more information, I recommend checking out the links below. They are valuable sources that were used in the development of this guide:


Filip Chochół

Filip Chochol runs two blogs: personal “chochol.io” and together with his girlfriend “Warsaw Travelers” about travel. He specializes in IT resource management and technical support, and has been active in the field of cyber security awareness for almost two years. A proponent of open-source technologies, he previously worked in the film and television industry in the camera division (2013-2021). After hours, he develops interests in smart homes and networking.
