Shine a light on shadow apps

ConductorOne Docs

Cloudflare Zero Trust integration

ConductorOne provides identity governance for Cloudflare Zero Trust. Integrate your Cloudflare Zero Trust instance with ConductorOne to run user access reviews (UARs) and enable just-in-time access requests.

Availability

General availability. The Cloudflare Zero Trust integration is available to all ConductorOne users.

Capabilities

  • Sync user identities from Cloudflare Zero Trust to ConductorOne

  • Resources supported:

    • Access groups
    • Roles
  • Provisioning supported:

    • Group membership
    • Role assignment

Set up the Cloudflare Zero Trust integration

This task requires either the Integration Administrator or Super Administrator role in ConductorOne.

  1. In ConductorOne, open Admin and click Integrations > Cloudflare Zero Trust.

  2. If this is your first Cloudflare Zero Trust integration, the integration form opens automatically. Otherwise, click Add connector.

  3. Choose whether to add the new Cloudflare Zero Trust connector as a data source to an existing application (and select the app of your choice) or to create a new application.

    Do you SSO into Cloudflare Zero Trust using your identity provider (IdP)? If so, make sure to add the connector to the Cloudflare Zero Trust app that was created automatically when you integrated your IdP with ConductorOne, rather than creating a new app.

  1. Set the integration owner for this connector. You can manage the integration yourself, or choose someone else from the list of ConductorOne users. Setting multiple integration owners is allowed.

    A Cloudflare Zero Trust integration owner must have the following permissions:

    • Integration Administrator or Super Administrator role in ConductorOne
    • Super Administrator access in Cloudflare Zero Trust
  1. Click Create and add details.

Next steps

  • If you are the integration owner, proceed to Integrate your Cloudflare Zero Trust instance for instructions on integrating Cloudflare Zero Trust with ConductorOne.

  • If someone else is the integration owner, ConductorOne will notify them by email that their help is needed to complete the integration.

Integrate your Cloudflare Zero Trust instance

A user with the Integration Administrator or Super Administrator role in ConductorOne and Super Administrator access in Cloudflare Zero Trust must perform this task.

Step 1: Locate your Cloudflare Account ID

  1. Log into your Cloudflare Super Administrator account and select Workers from the left nav.

  2. On the Workers page, find your Account ID on the right side of the page.

  3. Copy and save the Account ID. We’ll use it in Step 3.

Step 2: Create an API Token

Alternative credential option: If you do not want to generate and use an API token for the integration, Cloudflare Zero Trust also accepts authentication via an API key and the corresponding account’s email address. Find your API keys by navigating to My Profile > API Tokens.

  1. Click the user icon and select My Profile.

  2. Click API Tokens on the left side, then click Create Token.

  3. At the bottom of the page, in the Custom Token area, click Get started.

  4. Fill out the Create Custom Token page as follows:

    1. Give the API token a name, such as ConductorOne

    2. Set the appropriate permissions for the API token:

    If you want to use ConductorOne to provision Cloudflare Zero Trust group memberships, set:

    • Account -> Account Settings -> Read
    • Account -> Access: Organizations, Identity Providers, and Groups -> Edit
    • Account -> Access: Apps and Policies -> Read

    Otherwise, set:

    • Account -> Account Settings -> Read
    • Account -> Access: Organizations, Identity Providers, and Groups -> Read
    • Account -> Access: Apps and Policies -> Read
    1. Click Continue to summary
  5. Click Create Token and copy the token generated for you. We’ll use it in Step 3.

Step 3: Add your Cloudflare Zero Trust credentials to ConductorOne

  1. In ConductorOne, open Admin and click Integrations > Cloudflare Zero Trust.

  2. In the list of connectors, locate and click on the name of the connector with the Not connected label.

  3. Find the Settings area of the page and click Edit.

  4. Enter the account ID you looked up in Step 1 into the Account ID field.

  5. Paste the API token you generated in Step 2 into the API token field.

    If you’re using an API key and email to authenticate: Leave the API token field blank and instead enter the API key and associated account email into the corresponding fields.

  1. Click Save.

  2. The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.

That’s it! Your Cloudflare Zero Trust instance is now integrated with ConductorOne.

Configure the Cloudflare Zero Trust integration using Terraform

As an alternative to the integration process described above, you can use Terraform to configure the integration between Cloudflare Zero Trust and ConductorOne.

See the ConductorOne Cloudflare Zero Trust integration resource page in the ConductorOne Terraform registry for example usage and the full list of required and optional parameters.