Cloudflare Docs
Cloudflare Zero Trust

Connect to Google Cloud through Access

This guide covers how to configure Google Cloud as a SAML application in Cloudflare Zero Trust.

​​ Prerequisites

​​ 1. Add a SaaS application to Cloudflare Zero Trust

  1. In Zero Trust, go to Access > Applications.
  2. Select Add an application > SaaS > Select.
  3. For Application, select Google Cloud.
  4. For the authentication protocol, select SAML.
  5. Select Add application.
  6. Fill in the following fields:
    • Entity ID: google.com
    • Assertion Consumer Service URL: https://www.google.com/a/<your_domain.com>/acs
    • Name ID format: Email
  7. Copy the SSO endpoint, Access Entity ID or Issuer, and Public key.
  8. Select Save configuration.
  9. Configure Access policies for the application.
  10. Select Done.

​​ 2. Create an X.509 certificate

  1. Paste the Public key from application configuration in Cloudflare Zero Trust into a text editor.
  2. Wrap the certificate in -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
  3. Set the file extension as .crt and save.
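The script below is an added example, not part of the original Cloudflare guide. It performs the wrapping from the steps above and rejects a truncated or mis-pasted value before it reaches Google Admin. It assumes the copied Public key is the base64-encoded DER of the certificate; the function names and the sample value are illustrative.

```python
import base64
import binascii
import hashlib
import re
import sys

HEADER = "-----BEGIN CERTIFICATE-----"
FOOTER = "-----END CERTIFICATE-----"


def der_total_length(der: bytes) -> int:
    """Return the total size declared by the outer DER SEQUENCE header."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE; was the wrong field pasted?")
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def build_crt(pasted: str) -> tuple[str, str]:
    """Return (PEM text, SHA-256 hex digest of the DER) for the pasted value."""
    # Accept the value with or without PEM armor and with stray whitespace.
    body = pasted.replace(HEADER, "").replace(FOOTER, "")
    body = re.sub(r"\s+", "", body)
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    if der_total_length(der) != len(der):
        raise ValueError("length mismatch: paste is truncated or has extra data")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]  # 64-column PEM body
    return "\n".join([HEADER, *lines, FOOTER]) + "\n", hashlib.sha256(der).hexdigest()


if __name__ == "__main__":
    # Constructed placeholder (a bare DER SEQUENCE, not a real certificate),
    # used only when no input file is given.
    sample = base64.b64encode(b"\x30\x82\x01\x00" + bytes(256)).decode()
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else sample
    pem, fingerprint = build_crt(text)
    sys.stdout.write(pem)                 # redirect stdout to the .crt file
    print("SHA-256 of DER:", fingerprint, file=sys.stderr)
```

The check only confirms that the pasted value is structurally complete. To confirm it is the certificate for this application, copy the Public key from Zero Trust again, run it through the script, and compare the two digests.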

​​ 3. Create an SSO provider in Google Cloud

  1. In your Google Admin console, go to Security > Authentication > SSO with third party IdP.
  2. Select Third-party SSO profile for your organization > Add SSO Profile.
  3. Turn on Set up SSO with third-party identity provider.
  4. Fill in the following information:
    • Sign-in page URL: SSO endpoint from application configuration in Cloudflare Zero Trust.
    • Sign-out page URL: https://<team-name>.cloudflareaccess.com/cdn-cgi/access/logout, where <team-name> is your Zero Trust team name.
    • Verification certificate: Upload the .crt certificate file from step 2 (Create an X.509 certificate).
  5. (Optional) Turn on Use a domain specific issuer. If you select this option, Google will send an issuer specific to your Google Cloud domain (google.com/a/<your_domain.com> instead of the standard google.com).

​​ 4. Test the integration

Open an incognito browser window and go to your Google Cloud URL (https://console.cloud.google.com/a/<your_domain.com>). Sign in using credentials that do not belong to a super admin account.

​​ Troubleshooting

Error: “G Suite - This account cannot be accessed because the login credentials could not be verified.”

If you see this error, it is likely that the public key and private key do not match. Confirm that your certificate file includes the correct public key.