Set up dashboard SSO
Cloudflare offers single sign-on (SSO) for all customers who log in with a custom email domain. By creating a Cloudflare SSO connector, you can enforce SSO to the Cloudflare dashboard with the identity provider (IdP) of your choice. SSO will be enforced for every user in your email domain.
Cloudflare Dashboard SSO is available for free to all plans.
| | Free | Pro | Business | Enterprise |
|---|---|---|---|---|
| Availability | Yes | Yes | Yes | Yes |
- You must control your email domain and be able to add a TXT record to verify this.
  - Public email providers such as @gmail.com are not allowed.
  - Every user with that email domain must be an employee in your organization. For example, university domains such as @harvard.edu are not allowed because they include student emails.
- You must be a super administrator and be able to access the Cloudflare API.
- A Cloudflare Zero Trust organization with any subscription tier (including Free) must be created. To set up a Cloudflare Zero Trust organization, refer to Create a Cloudflare Zero Trust organization.
Add an IdP to Cloudflare Zero Trust by following our detailed instructions.
Once you configure your IdP, make sure you also test your IdP.
- Once you have configured an IdP in Zero Trust, go to the Members page to manage SSO connectors.
- If step 1 was successful, a button to add a new SSO domain will be present. Select the button to begin the process of adding a new SSO domain.

- Enter your email domain and select Create to move to the verification step.
Using a command line terminal where you have already set the environment variable CLOUDFLARE_API_TOKEN to a user or account API token which has the SSO Connector Edit permission, run the following command to create an SSO connector. Replace {account_id} with your account ID, and {domain} with your email domain.

```sh
curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/sso_connectors" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{"email_domain":"{domain}"}'
```

Example response:

```json
{
  "success": true,
  "errors": [],
  "messages": [],
  "result": {
    "id": "c3ebcba5c20b42f73e111110d0be67d",
    "enabled": false,
    "email_domain": "cool.cats",
    "verification": {
      "code": "cloudflare_dashboard_sso=111111111",
      "status": "pending"
    },
    "created_on": "2025-09-05T20:35:34Z"
  }
}
```

If you are unable to change your DNS records right away, the option to verify later is available. The verification process can be manually triggered from the actions menu for that connector in the list.

Copy the verification code and create a TXT record in your DNS configuration with that value. The record must include all of the text including the cloudflare_dashboard_sso= prefix.
Cloudflare will automatically poll this DNS record until it is found or a timeout is reached within two days.
If the verification process fails due to timeout, you can manually reinitiate the polling by selecting Begin verification in the actions menu for that connector in the list.
Copy the verification code (for example cloudflare_dashboard_sso=1111111) and create a TXT record in your DNS configuration with that value. To test that the DNS record was correctly configured, you can use the dig command to query your email domain:

```sh
dig cool.cats TXT +short
```

```
"cloudflare_dashboard_sso=111111111"
```

The TXT record must include the cloudflare_dashboard_sso= prefix along with the numerical code.
Cloudflare will automatically poll this DNS record until it is found or a timeout is reached within two days. If verification fails due to timeout, you may manually reinitiate the polling by running the following command:

```sh
curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/sso_connectors/{sso_connector_id}/begin_verification" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

Once the verification process has completed or timed out, you will receive an email notification with the verification result.
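The TXT-record check that both the dashboard and API verification steps above depend on, as an added Python example (not Cloudflare's own code): it pulls the verification code out of the create-connector response and classifies what `dig +short` actually returns, so the common mistake of publishing the number without the cloudflare_dashboard_sso= prefix is caught before waiting on the two-day poll. The response JSON and dig output are constructed samples mirroring the page's values.

```python
import json
import re

PREFIX = "cloudflare_dashboard_sso="

# Constructed sample of the JSON returned by POST /accounts/{account_id}/sso_connectors
# (values mirror the page's example; they are not a real connector).
CREATE_RESPONSE = json.loads("""{
  "success": true, "errors": [], "messages": [],
  "result": {"id": "c3ebcba5c20b42f73e111110d0be67d", "enabled": false,
             "email_domain": "cool.cats",
             "verification": {"code": "cloudflare_dashboard_sso=111111111", "status": "pending"},
             "created_on": "2025-09-05T20:35:34Z"}
}""")

# Constructed `dig cool.cats TXT +short` output: the SSO record plus an unrelated SPF record.
SAMPLE_DIG = '"cloudflare_dashboard_sso=111111111"\n"v=spf1 -all"\n'

def verification_code(response: dict) -> str:
    """Return the exact TXT value to publish, or raise if the create call failed."""
    if not response.get("success"):
        raise RuntimeError(f"API call failed: {response.get('errors')}")
    code = response["result"]["verification"]["code"]
    if not code.startswith(PREFIX):
        raise ValueError(f"unexpected verification code format: {code!r}")
    return code

def txt_records(dig_output: str) -> list:
    """Parse `dig ... TXT +short` output into one string per record. A record over
    255 bytes is printed as several quoted chunks ("abc" "def"), so join them."""
    records = []
    for line in dig_output.splitlines():
        chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if chunks:
            records.append("".join(chunks))
    return records

def check_txt(dig_output: str, code: str) -> str:
    """Classify what is published: 'ok', 'missing_prefix', 'wrong_code' or 'absent'."""
    records = txt_records(dig_output)
    if code in records:
        return "ok"
    if code[len(PREFIX):] in records:
        return "missing_prefix"   # only the number was published; it will not match
    if any(r.startswith(PREFIX) for r in records):
        return "wrong_code"       # a prefixed record exists but carries another code
    return "absent"

if __name__ == "__main__":
    print(check_txt(SAMPLE_DIG, verification_code(CREATE_RESPONSE)))
```

Feed it the real `dig <domain> TXT +short` output once the record is published; anything other than `ok` means Cloudflare's poller will not find the record either.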
Once the verification process has completed and successfully verified domain ownership, you may enable the connector.
Domains that are associated with an already enabled connector belonging to a different account may not be enabled on a new account until disabled on the old account.
Enable the connector by selecting Enable in the Actions menu for that connector in the list.

Enable the connector by running the following, again replacing the {account_id} value with your account ID, and additionally replacing {sso_connector_id} with the value you obtained from the id field in the response to the previous call.

```sh
curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/sso_connectors/{sso_connector_id}" \
  --request PATCH \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{"enabled": true}'
```

Cloudflare dashboard SSO does not support:
- Users with plus-addressed emails, such as example+2@domain.com. If you have users like this added to your Cloudflare organization, they will be unable to log in with SSO.
- Adding a separate email-based policy to the Zero Trust SSO application that does not match your SSO domain policy.
- Multiple Zero Trust domain policies. If another domain policy is required, you can create another SSO connector. This will create a second policy for that new domain in your SSO application.
- Deleting the auto-generated Zero Trust allow email domain policy. If this policy is deleted, your organization's administrators cannot access the Cloudflare dashboard.
IdP-initiated login is supported for Cloudflare dashboard SSO, with configuration available via your identity provider (IdP).
A step-by-step guide is currently available for Okta, and similar configurations are possible with other identity providers that support custom SSO endpoints.
Configure an identity provider (IdP)-initiated single sign-on (SSO) session using Cloudflare Zero Trust and Okta.
- In Zero Trust, go to Access > Applications > select your SSO App.
- Select Configure to access the application settings.
- In the Basic Information section, copy the SSO Endpoint URL and Access Entity ID or Issuer. You will need these values for your IdP setup.
- Log in to your Okta Admin Dashboard and go to Applications > Applications.
- Select Create App Integration to start a new SAML integration to handle the IdP-initiated SSO flow.
- In the pop-up, select SAML 2.0 and select Next.
- Enter a name for the app and select Next.
- In the Single Sign-On URL field, paste the SSO Endpoint URL you copied earlier.
- In the Audience URI (SP Entity ID) field, paste the Access Entity ID or Issuer you copied earlier.
- Set the Name ID Format to EmailAddress.
- Set the Application Username to Email.
- Select Next > Finish to save the integration.
- Test the integration by going to your Okta User Dashboard, locating the new app tile, and selecting it to verify the SSO flow.
(Optional) Enforce single IdP login with Instant Auth
If you use only one IdP (for example, Okta) for Cloudflare SSO and want users to skip the identity provider selection prompt:
- In Zero Trust, go to Access > Applications > select your SSO App.
- Go to Login methods.
- Disable Accept all available identity providers and ensure only Okta is selected as the login method.
- Enable Instant Auth to allow users to skip identity provider selection.
This section describes how to restore access to the Cloudflare dashboard in case you are unable to log in with SSO.
If there is an issue with your SSO IdP, you can add an alternate IdP using the API. The following example shows how to add Cloudflare One-time PIN as a login method:
- Add one-time PIN login. At least one of the following token permissions is required: Access: Organizations, Identity Providers, and Groups Write.

  ```sh
  curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/identity_providers" \
    --request POST \
    --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    --json '{"type": "onetimepin","config": {}}'
  ```

- Get the id of the dash_sso Access application. You can use jq to quickly find the correct application:

  ```sh
  curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps" \
    --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    | jq '.result[] | select(.type == "dash_sso")'
  ```

  ```json
  {
    "id": "3537a672-e4d8-4d89-aab9-26cb622918a1",
    "uid": "3537a672-e4d8-4d89-aab9-26cb622918a1",
    "type": "dash_sso",
    "name": "SSO App"
    // ...
  }
  ```

- Using the id obtained above, update SSO App to accept all identity providers. To avoid overwriting your existing configuration, the PUT request body should contain all fields returned by the previous GET request. At least one of the following token permissions is required: Access: Apps and Policies Write.

  ```sh
  curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps/3537a672-e4d8-4d89-aab9-26cb622918a1" \
    --request PUT \
    --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    --json '{"id": "3537a672-e4d8-4d89-aab9-26cb622918a1","uid": "3537a672-e4d8-4d89-aab9-26cb622918a1","type": "dash_sso","name": "SSO App","allowed_idps": []}'
  ```
Users will now have the option to log in using a one-time PIN.
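The three recovery calls above, as an added Python example (not Cloudflare's own code) that shows the point the page makes about the PUT: the whole object from GET is copied and only allowed_idps is cleared, so other settings survive. The HTTP client is injected as a callable so the sequence runs offline; APPS_RESPONSE, FakeApi, the session_duration field and the <okta-idp-id> placeholder are constructed for the example.

```python
from typing import Callable, Optional

# Constructed sample of GET /accounts/$ACCOUNT_ID/access/apps: an ordinary Access app
# next to the dashboard SSO app from the page (the IdP id is a placeholder).
APPS_RESPONSE = {
    "success": True, "errors": [], "messages": [],
    "result": [
        {"id": "11111111-1111-1111-1111-111111111111", "type": "self_hosted", "name": "Intranet"},
        {"id": "3537a672-e4d8-4d89-aab9-26cb622918a1", "uid": "3537a672-e4d8-4d89-aab9-26cb622918a1",
         "type": "dash_sso", "name": "SSO App", "session_duration": "24h",
         "allowed_idps": ["<okta-idp-id>"]},
    ],
}

# The HTTP client is injected as (method, path, json_body) -> parsed JSON so the flow
# can run offline; a real client would send the request with the bearer token.
ApiCall = Callable[[str, str, Optional[dict]], dict]

def unwrap(resp: dict) -> object:
    """Return result from a Cloudflare API envelope or raise on success=false."""
    if not resp.get("success"):
        raise RuntimeError(f"API error: {resp.get('errors')}")
    return resp["result"]

def find_dash_sso_app(apps: list) -> dict:
    """Pick the single Access app of type dash_sso (the jq filter on the page)."""
    matches = [a for a in apps if a.get("type") == "dash_sso"]
    if len(matches) != 1:
        raise LookupError(f"expected one dash_sso app, found {len(matches)}")
    return matches[0]

def recover_dashboard_access(account_id: str, call: ApiCall) -> dict:
    """Add one-time PIN as a login method and let SSO App accept every IdP."""
    base = f"/accounts/{account_id}/access"
    unwrap(call("POST", f"{base}/identity_providers", {"type": "onetimepin", "config": {}}))
    app = find_dash_sso_app(unwrap(call("GET", f"{base}/apps", None)))
    # PUT replaces the whole object: copy every field from GET and only clear
    # allowed_idps (an empty list = accept all identity providers).
    body = dict(app, allowed_idps=[])
    return unwrap(call("PUT", f"{base}/apps/{app['id']}", body))

class FakeApi:
    """Offline stand-in for the API that records calls and echoes request bodies."""
    def __init__(self) -> None:
        self.calls = []
    def __call__(self, method: str, path: str, body: Optional[dict]) -> dict:
        self.calls.append((method, path, body))
        result = APPS_RESPONSE["result"] if method == "GET" else body
        return {"success": True, "errors": [], "messages": [], "result": result}
```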
- Navigate to the Members page.
- Select the actions menu for the SSO connector in the list and select Disable.
- Type the domain of the connector and click confirm to complete the disable action.
The following API calls will disable SSO enforcement for an account. This action can only be performed by API tokens with the SSO connectors edit role or Super Administrators.

- Get your SSO connector id:

  ```sh
  curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/sso_connectors" \
    --request GET \
    --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
  ```

  ```json
  {
    "result": [
      {
        "id": "d616ac82cc7f87153112d75a711c5c3c",
        "email_domain": "cool.cats",
        "enabled": true
        // ...
      }
    ],
    "success": true,
    "errors": [],
    "messages": []
  }
  ```

- Disable the SSO connector:

  ```sh
  curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/sso_connectors/{connector_id}" \
    --request PATCH \
    --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    --json '{"enabled": false}'
  ```

  ```json
  {
    "result": [
      {
        "id": "d616ac82cc7f87153112d75a711c5c3c",
        "email_domain": "cool.cats",
        "enabled": false
        // ...
      }
    ],
    "success": true,
    "errors": [],
    "messages": []
  }
  ```
Users can now log in using their Cloudflare account email and password. If a user does not have a password, they can use the forgot password method on the login page to create one.
Cloudflare does not allow you to change your team name while an SSO connector exists. To change your team name, you must disable and delete your SSO connector(s).
- Navigate to the Members page.
- Disable all SSO connectors.
- Delete all SSO connectors.
- Get all SSO connectors for your account.

  ```sh
  curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/sso_connectors" \
    --request GET \
    --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
  ```

- Disable any active SSO connectors using the id of each connector from the previous step.

  ```sh
  curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/sso_connectors/{connector_id}" \
    --request PATCH \
    --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    --json '{"enabled": false}'
  ```

- Delete all SSO connectors using the id of each connector from the previous step.

  ```sh
  curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/sso_connectors/{connector_id}" \
    --request DELETE \
    --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
  ```
- In Zero Trust, go to Settings > Custom Pages.
- Under Team domain, select Edit to enter the new team name. Select Save.
- In your identity provider, update your Cloudflare integration with the new team name. For example, if you are using a SAML IdP, you will need to update the Single Sign-on URL and Entity ID to https://<new-team-name>.cloudflareaccess.com/cdn-cgi/access/callback.
- Recreate any deleted SSO connectors using the steps in Register your domain with Cloudflare for SSO.
- Follow the verification and enable steps after recreating the SSO connectors.