How to connect GSuite to Cloudflare

Note: you must be an admin of the GSuite organization you are connecting to Cloudflare.

1. Log in to the Google Cloud console. Create a new project for your Cloudflare connection or choose an existing project, and click ‘Enable’ for the Admin SDK.

https://console.cloud.google.com/apis/api/admin.googleapis.com/overview


2. Then on the left-hand side, click on Credentials.

3. Click Create Credentials, and from the list select OAuth Client ID.


4. Click on the button that says ‘Configure Consent Screen’.


5. Fill out the Product Name field and click Save. (This name is displayed to users during the sign-in flow.)


6. Select the Application Type ‘Web Application’. In the Name field, enter a name of your choice. In Authorized Javascript Origins, put your account’s authorization domain, found in the authorization domain section of the Cloudflare Access dashboard. It is likely https://something.cloudflareaccess.com. In the Authorized redirect URIs section, put your authorization domain followed by /cdn-cgi/access/callback. Click Create.


7. Copy your client ID and secret and paste them in the Cloudflare dashboard. You will need the client ID again in a minute.


8. The next step is to connect your GSuite account and provision Cloudflare read-only access. Log in to your GSuite admin account at https://admin.google.com/ and go to Security > Advanced settings > Authentication > Manage API client access.

9. In the Client Name field, paste the Client ID you copied from the Google Cloud console. In the field called ‘One or More API Scopes’, paste: https://www.googleapis.com/auth/admin.directory.group.member.readonly, https://www.googleapis.com/auth/admin.directory.group.readonly and click Authorize.


10. You are done - you have created a key for Cloudflare to use to authenticate your GSuite users, have given that key read-only access to your GSuite organization, and have given Cloudflare the key.

Troubleshooting

If you log in to Cloudflare Access and see a 400 error from Google:

This is so easy to fix. Have no fears. It takes just a minute. Ready?

Go back to the Google Cloud Console: https://console.cloud.google.com/apis/credentials and click on the pencil next to the Cloudflare Access credentials.


Then in the field for Authorized redirect URIs add the domain Google complains about in the 400 error. It will look something like https://dani.cloudflareaccess.com/cdn-cgi/access/callback.


Click Save.
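To catch this mismatch before users hit the 400 error, you can compare the OAuth client's settings with the values from step 6. The script below is an added example, not Cloudflare's or Google's own tooling; it assumes you downloaded the client's JSON file from the Credentials page (the layout with a "web" object holding "redirect_uris" and "javascript_origins"), and the sample data and function names are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

CALLBACK_PATH = "/cdn-cgi/access/callback"  # path given in step 6

def expected_values(auth_domain):
    """Return (origin, redirect_uri) for an authorization domain."""
    url = auth_domain if "://" in auth_domain else "https://" + auth_domain
    origin = "https://" + urlsplit(url).netloc.lower()
    return origin, origin + CALLBACK_PATH

def check_client(client_json, auth_domain):
    """Compare a downloaded OAuth client file with what step 6 asks for."""
    web = json.loads(client_json).get("web", {})
    origin, redirect = expected_values(auth_domain)
    redirects = web.get("redirect_uris", [])
    findings = []
    if redirect not in redirects:
        findings.append("missing redirect URI: " + redirect)
    if origin not in web.get("javascript_origins", []):
        findings.append("missing JavaScript origin: " + origin)
    # Google compares redirect URIs exactly, so a trailing slash or a
    # different scheme is a different URI. Anything else listed here is a
    # place sign-in responses may be sent, so report it for review.
    for uri in redirects:
        if uri != redirect:
            findings.append("unexpected redirect URI: " + uri)
    return findings

# Constructed sample: the redirect URI was saved with a trailing slash.
SAMPLE_BAD = json.dumps({"web": {
    "client_id": "CONSTRUCTED-ID.apps.googleusercontent.com",
    "javascript_origins": ["https://something.cloudflareaccess.com"],
    "redirect_uris": [
        "https://something.cloudflareaccess.com/cdn-cgi/access/callback/"],
}})

# Constructed sample: matches step 6 exactly.
SAMPLE_GOOD = json.dumps({"web": {
    "client_id": "CONSTRUCTED-ID.apps.googleusercontent.com",
    "javascript_origins": ["https://something.cloudflareaccess.com"],
    "redirect_uris": [
        "https://something.cloudflareaccess.com/cdn-cgi/access/callback"],
}})

if __name__ == "__main__":
    for finding in check_client(SAMPLE_BAD, "something.cloudflareaccess.com"):
        print(finding)
```

An empty result means the client matches step 6; the downloaded file also contains the client secret, so delete it after checking.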

 
