Replace Your Complicated VPN with Cloudflare Access and Okta

I wrote this post for Okta back in March; you can see it on their blog here.

“I love connecting to the corporate VPN!” said no one ever. If you work from an office or a remote location far away from the VPN server, you will practice patience waiting for internal applications to load. If you want to browse something on your phone, you’re going to jump through a few hoops before you connect. And anytime VPN hardware goes down, no one can get online.

However, with Okta’s identity management features and Cloudflare’s edge network, you can replace your VPN entirely. You just connect Okta to Cloudflare, and every request to your applications behind Cloudflare will be authenticated by Okta.

In this post, we’re going to review how to use Okta with Cloudflare Access to allow users to connect to different internal tools depending on their permission levels. It takes 5-10 minutes to set up, and then you can immediately begin to gate access to internal applications without the use of a VPN.

We’ll do this by:

  1. Setting up Cloudflare Access
  2. Creating an Okta Application
  3. Connecting Okta and Cloudflare Access

Prerequisites:

  • Okta Account (Create one here: okta.com/free-trial)
  • Cloudflare Account (Create one here: cloudflare.com/a/signup)

Let's begin.

Set up Cloudflare Access

Log in to the Cloudflare dashboard. You will see an app in the nav bar called Access. This is where Cloudflare Access lives. Click on it and claim an authentication domain (this is what your visitors see as the URL when they log in via Cloudflare Access). This domain is shared by all the domains across your account. You cannot change it later.

Now that we have an authentication domain, let’s put this section on hold and move over to our Okta account.

Create an Okta Application

We need to create an application inside of Okta so that we can configure how Cloudflare Access and Okta are going to work together.

In your Okta account, create a new Application. Go to Applications, and click Add Application, and then click Create New App. Select OpenID Connect as the application integration type. Name the application, and in the field Login redirect URIs, put your authentication domain plus /cdn-cgi/access/callback. Click Save.

Okta will show you your Application's details.

Configure Okta and Cloudflare Access

We need to configure Okta to let Cloudflare know who is attempting to access the page behind Cloudflare Access, so let’s set that up. Scroll down to the OpenID Connect Token section and click Edit.

In the groups claim field, change the filter type from Starts With to Regex and set the pattern to .*. Then, click Save. This causes Okta to put all of the user's groups into the ID token that is passed back to Cloudflare.

Cloudflare needs a way to tell Okta which configuration to use, so we’ll have Cloudflare send Okta the application-specific Client ID and Client Secret with its OAuth request. Go to the Application's General settings and scroll down to copy your Client ID and Client Secret from the Okta Application details.

Create a new EdgeAuth connection in the Cloudflare Access dashboard and paste in the Client ID and Client Secret from Okta.

In the Okta dashboard, click on the Assign dropdown for the Application. Select Assign to Groups and assign the Everyone group to the Application. We’ll lock down access through the Cloudflare Access dashboard.

Now go to the Cloudflare dashboard and specify which Okta groups and users should be allowed or denied access.

After that, you’re done configuring Okta for Cloudflare Access.
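The following is an added example, not code from the post or from Okta or Cloudflare: it models the two settings the walkthrough relies on, the Okta groups-claim filter (Starts With versus the Regex .* chosen above) and the allow/deny rules entered in the Access dashboard, to show why the claim filter decides whether a deny rule can ever fire. The group names, the filter semantics and the deny-wins ordering are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample (not from the post): groups the Okta directory holds for one user.
USER_GROUPS = ["Everyone", "Engineering", "Engineering-Oncall", "Finance"]


def okta_groups_claim(user_groups, filter_type, pattern):
    """Mimic the Okta groups-claim filter from the post: only group names that
    pass the filter are written into the ID token handed back to Cloudflare.
    Assumption: 'Starts With' is a plain prefix test, 'Regex' is re.fullmatch."""
    if filter_type == "Starts With":
        return [g for g in user_groups if g.startswith(pattern)]
    if filter_type == "Regex":
        return [g for g in user_groups if re.fullmatch(pattern, g)]
    raise ValueError(f"unsupported filter type: {filter_type}")


def build_id_token(email, groups):
    """Constructed stand-in for the ID-token claims Okta would return."""
    return {"email": email, "groups": list(groups)}


@dataclass
class AccessPolicy:
    """Hypothetical model of the allow/deny rules set in the Access dashboard."""
    allow_groups: set = field(default_factory=set)
    deny_groups: set = field(default_factory=set)
    deny_users: set = field(default_factory=set)


def evaluate(policy, id_token):
    """Return (decision, reason). Assumption: deny rules win over allow rules,
    and a token with no group matching an allow rule is denied by default."""
    email = id_token.get("email")
    groups = set(id_token.get("groups", []))
    if not email:
        return "deny", "missing email claim"
    if email in policy.deny_users:
        return "deny", f"user {email} is explicitly denied"
    blocked = groups & policy.deny_groups
    if blocked:
        return "deny", f"member of denied group {sorted(blocked)[0]}"
    allowed = groups & policy.allow_groups
    if allowed:
        return "allow", f"member of allowed group {sorted(allowed)[0]}"
    return "deny", "no group matches an allow rule"


if __name__ == "__main__":
    # With the post's '.*' regex every group reaches Cloudflare, so the Finance
    # deny rule fires; with a 'Starts With Eng' filter it silently never can.
    policy = AccessPolicy(allow_groups={"Engineering"}, deny_groups={"Finance"})
    for ftype, pat in (("Regex", ".*"), ("Starts With", "Eng")):
        token = build_id_token("alice@example.com", okta_groups_claim(USER_GROUPS, ftype, pat))
        print(ftype, pat, token["groups"], evaluate(policy, token))
```

Running it shows the same user denied under the .* filter and allowed under the prefix filter, because the Finance membership never makes it into the token in the second case.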

Using Cloudflare Access and Okta together is a great way to handle access to internal tools and simplify everyone’s work life. Okta’s Identity Management keeps access control easy, and Cloudflare Access makes sure your private tools are both quick and secure.

Learn more about Cloudflare Access here.