
Google Workspace

You can integrate a Google Workspace (formerly Google Suite) account with Cloudflare Access. Unlike the instructions for generic Google authentication, the steps below will allow you to pull group membership information from your Google Workspace account.

Once integrated, users will log in with their Google Workspace credentials to reach resources protected by Cloudflare Access or to enroll their device into Cloudflare Gateway.

Please note that you don’t need to be a Google Cloud Platform user to integrate Google Workspace as an identity provider with Cloudflare Zero Trust. You will only need to open the Google Cloud Platform to access settings for your OIDC identity provider.

  1. Log in to the Google Cloud Platform console. This is separate from your Google Workspace console.


  2. Click Create Project to create a new project. Name the project and click Create. You should now see a Dashboard for your project.


  3. On the left-hand side, select APIs & Services and click Dashboard.

  4. In the screen that loads, click + Enable APIs and Services in the top toolbar.

  5. The API Library will load. Search for admin in the search bar.


  6. Select Admin SDK API by Google.

  7. Click Enable on the Admin SDK API page. The Admin SDK will be added to your project.


  8. Return to the APIs & Services page. Click Credentials in the navigation bar. You will see a warning that you need to configure a consent screen. Click Configure Consent Screen.


  9. Cloudflare Access will gather information about users in your Google Workspace account, but not other accounts. Toggle Internal to limit this to members in your account.


  10. Input information about the application.

    In this case, you are making an application available to your users and can add your team’s contact information.

    You will not need to configure scopes in this screen and can leave these fields blank.

    The summary page will load and you can save and exit.

  11. Return to the Credentials page. Click + Create Credentials.

  12. Select OAuth client ID.

  13. Select Web application as the Application type.

  14. Under Authorized JavaScript origins, in the URIs field, enter your team domain.

  15. Under Authorized redirect URIs, in the URIs field, enter your team domain followed by this callback at the end of the path: /cdn-cgi/access/callback. For example:

    https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback

    Click **Create**.

  16. Google will present the OAuth Client ID and Secret values. The secret field functions like a password and should be stored securely and not shared. For the purposes of this tutorial, the secret field is kept visible. Copy both values.

    The Client ID will now appear in the APIs & Services page.

  17. On the Zero Trust dashboard, navigate to Settings > Authentication.

  18. Under Login methods, click Add new.

  19. Select Google Workspace.

  20. Input the Client ID and Client Secret fields generated previously. Additionally, input the domain of your Google Workspace account. Click Save.

  21. To complete setup, you must scroll down and visit the generated link. If you are not the Google Workspace administrator, share the link with the administrator.

  22. The generated link will prompt you to log in to your Google account and to authorize Cloudflare Access to view group information.

    A success page will then load from Cloudflare Access.

  23. You can now return to the list of identity providers in the Authentication page of the Cloudflare Zero Trust dashboard. Select Google Workspace and click Test.

    Your user identity and group membership should return.

Example API Configuration

    {
      "config": {
        "client_id": "<your client id>",
        "client_secret": "<your client secret>",
        "apps_domain": "mycompany.com"
      },
      "type": "google-apps",
      "name": "my example idp"
    }
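
The following Python is an added example, not Cloudflare's own code. It builds the payload above with the client secret read from the environment instead of written into a file, checks that a redirect URI registered in Google matches the callback from the steps above exactly, and produces a redacted copy for logs. The environment variable names, function names and validation patterns are assumptions.

```python
import json
import os
import re
from urllib.parse import urlsplit

CALLBACK_PATH = "/cdn-cgi/access/callback"  # callback path from the steps above
# Assumed validation patterns: team name is one DNS label, apps_domain a bare domain.
TEAM_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def expected_redirect_uri(team_name):
    """Redirect URI to register in Google for the given team name."""
    if not TEAM_RE.fullmatch(team_name):
        raise ValueError(f"team name is not a single DNS label: {team_name!r}")
    return f"https://{team_name}.cloudflareaccess.com{CALLBACK_PATH}"


def redirect_uri_matches(registered, team_name):
    """Exact match on scheme, host and path, with no query or fragment."""
    u = urlsplit(registered)
    e = urlsplit(expected_redirect_uri(team_name))
    return ((u.scheme, u.netloc, u.path) == (e.scheme, e.netloc, e.path)
            and not u.query and not u.fragment)


def build_idp_config(name, apps_domain, env=os.environ):
    """Build the google-apps payload; credentials come from the environment."""
    domain = apps_domain.strip().lower()
    if not DOMAIN_RE.fullmatch(domain):
        raise ValueError(f"apps_domain must be a bare domain: {apps_domain!r}")
    # GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET are assumed variable names.
    missing = [k for k in ("GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_SECRET") if not env.get(k)]
    if missing:
        raise ValueError("missing environment variables: " + ", ".join(missing))
    return {
        "config": {
            "client_id": env["GOOGLE_CLIENT_ID"],
            "client_secret": env["GOOGLE_CLIENT_SECRET"],
            "apps_domain": domain,
        },
        "type": "google-apps",
        "name": name,
    }


def redacted(payload):
    """JSON copy that is safe to log: the client secret is masked."""
    config = dict(payload["config"], client_secret="***redacted***")
    return json.dumps(dict(payload, config=config), indent=2)
```

Log or review only the output of `redacted()`; the unredacted payload should go straight to the API request and nowhere else.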