Connect to Google Cloud through Access
This guide covers how to configure Google Cloud as a SAML application in Cloudflare Zero Trust.
Prerequisites
- A SAML identity provider configured in Cloudflare Zero Trust
- Admin access to a Google Workspace account
- Cloud Identity Free or Premium set up in your organization’s Google Cloud account
1. Add a SaaS application to Cloudflare Zero Trust
- In Zero Trust, go to Access > Applications.
- Select Add an application > SaaS > Select.
- For Application, select Google Cloud.
- For the authentication protocol, select SAML.
- Select Add application.
- Fill in the following fields:
  - Entity ID: google.com
  - Assertion Consumer Service URL: https://www.google.com/a/<your_domain.com>/acs, where <your_domain.com> is your Google Workspace domain
  - Name ID format: Email
- Copy the SSO endpoint, Access Entity ID or Issuer, and Public key.
- Select Save configuration.
- Configure Access policies for the application.
- Select Done.
2. Create an X.509 certificate
- Paste the Public key from the application configuration in Cloudflare Zero Trust into a text editor.
- Wrap the key in a -----BEGIN CERTIFICATE----- line above it and an -----END CERTIFICATE----- line below it.
- Save the file with the .crt extension.
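The following POSIX shell script is an added example and is not part of the original page or of Cloudflare's or Google's tooling. It does the wrapping described in step 2 from the command line, which avoids the usual copy-and-paste problems (stray spaces, a trailing carriage return, lines broken at the wrong width), checks that the result has the exact PEM framing Google expects, and, when openssl is installed, parses the file as an X.509 certificate and prints its SHA-256 fingerprint so you can confirm you uploaded the right key if Google later rejects the login. The file names cloudflare-public-key.txt and cloudflare-access.crt are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: build the PEM .crt file that
# step 2 describes from the base64 Public key copied out of Cloudflare Zero
# Trust, and verify it before uploading it to the Google Admin console.
# Assumed file names (cloudflare-public-key.txt, cloudflare-access.crt) are
# illustrative; openssl is optional and only used for the final check.

# wrap_cert INPUT OUTPUT
#   Reads the pasted key from INPUT, drops any PEM armour lines and all
#   whitespace (a paste often carries line breaks or a trailing CR), re-folds
#   the base64 body to the 64-column PEM width and writes OUTPUT.
wrap_cert() {
    in_file="$1"; out_file="$2"
    body=$(grep -v -- '-----' "$in_file" | tr -d ' \t\r\n')
    if [ -z "$body" ]; then
        echo "wrap_cert: no key material found in $in_file" >&2
        return 1
    fi
    {
        echo '-----BEGIN CERTIFICATE-----'
        printf '%s\n' "$body" | fold -w 64
        echo '-----END CERTIFICATE-----'
    } > "$out_file"
}

# check_pem_framing FILE
#   Succeeds only if FILE starts and ends with the exact armour lines Google
#   expects and every body line is base64 text at most 64 characters wide.
check_pem_framing() {
    f="$1"
    [ "$(head -n 1 "$f")" = '-----BEGIN CERTIFICATE-----' ] || return 1
    [ "$(tail -n 1 "$f")" = '-----END CERTIFICATE-----' ] || return 1
    # Any body line that is empty, too long, or not base64 fails the check.
    sed '1d;$d' "$f" | grep -Ev '^[A-Za-z0-9+/]{1,64}={0,2}$' >/dev/null && return 1
    return 0
}

# show_cert FILE
#   When openssl is available, parses FILE as an X.509 certificate and prints
#   its subject, validity window and SHA-256 fingerprint. A parse failure here
#   means the wrapped text is not a certificate Google can use; the fingerprint
#   is what to compare against the key shown in Cloudflare if Google rejects
#   the login with a "credentials could not be verified" error.
show_cert() {
    if command -v openssl >/dev/null 2>&1; then
        openssl x509 -in "$1" -noout -subject -dates -fingerprint -sha256
    else
        echo "openssl not found; skipping certificate parse" >&2
    fi
}

# Usage: sh wrap-cert.sh cloudflare-public-key.txt cloudflare-access.crt
if [ "$#" -eq 2 ]; then
    wrap_cert "$1" "$2" && check_pem_framing "$2" && show_cert "$2"
fi
```

Run it with the pasted key as the first argument and the desired .crt path as the second; the script exits non-zero if the input is empty, if the framing is wrong, or if openssl cannot parse the result, so a bad file never reaches the Google upload step.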
3. Create an SSO provider in Google Cloud
- In your Google Admin console, go to Security > Authentication > SSO with third party IdP.
- Select Third-party SSO profile for your organization > Add SSO Profile.
- Turn on Set up SSO with third-party identity provider.
- Fill in the following information:
  - Sign-in page URL: the SSO endpoint from the application configuration in Cloudflare Zero Trust.
  - Sign-out page URL: https://<team-name>.cloudflareaccess.com/cdn-cgi/access/logout, where <team-name> is your Zero Trust team name.
  - Verification certificate: upload the .crt file from step 2, Create an X.509 certificate.
- (Optional) Turn on Use a domain specific issuer. If you select this option, Google sends an issuer specific to your Google Cloud domain (google.com/a/<your_domain.com>) instead of the standard google.com. The issuer Google sends must match the Entity ID configured for the application in Cloudflare Zero Trust, so change that value accordingly if you enable this option.
4. Test the integration
Open an incognito browser window and go to your Google Cloud URL (https://console.cloud.google.com/a/<your_domain.com>). Sign in using credentials that do not belong to a super admin account: Google always authenticates super admins with their Google password and never redirects them to a third-party identity provider, so a super admin login does not exercise the SSO flow.
Troubleshooting
Error: “G Suite - This account cannot be accessed because the login credentials could not be verified.”
If you see this error, Google could not validate the signature on the SAML assertion, which usually means the verification certificate uploaded to Google does not match the key Cloudflare Access signs with. Confirm that your .crt file contains the exact Public key shown in the application configuration in Cloudflare Zero Trust, re-create the file if the key has been regenerated, and upload it again.