Get the Guide to Modern IGA

ConductorOne Docs

Set up a Cloudflare Zero Trust connector

ConductorOne provides identity governance for Cloudflare Zero Trust. Integrate your Cloudflare Zero Trust instance with ConductorOne to run user access reviews (UARs) and enable just-in-time access requests.

Availability

General availability. The Cloudflare Zero Trust connector is available to all ConductorOne users.

Capabilities

  • Sync user identities from Cloudflare Zero Trust to ConductorOne

  • Resources supported:

    • Access groups
    • Roles
  • Provisioning supported:

    • Group membership
    • Role assignment

Add a new Cloudflare Zero Trust connector

This task requires either the Connector Administrator or Super Administrator role in ConductorOne.

  1. In ConductorOne, open Admin and click Connectors > Add connector.

  2. Search for Cloudflare Zero Trust and click Add.

  3. Choose whether to add the new Cloudflare Zero Trust connector as a data source to an existing application (and select the app of your choice) or to create a new application.

    Do you SSO into Cloudflare Zero Trust using your identity provider (IdP)? If so, make sure to add the connector to the Cloudflare Zero Trust app that was created automatically when you integrated your IdP with ConductorOne, rather than creating a new app.

  1. Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed.

    A Cloudflare Zero Trust connector owner must have the following permissions:

    • Connector Administrator or Super Administrator role in ConductorOne
    • Super Administrator access in Cloudflare Zero Trust
  1. Click Next.

Next steps

  • If you are the connector owner, proceed to Configure your Cloudflare Zero Trust connector for instructions on integrating Cloudflare Zero Trust with ConductorOne.

  • If someone else is the connector owner, ConductorOne will notify them by email that their help is needed to complete the setup process.

Configure your Cloudflare Zero Trust connector

A user with the Connector Administrator or Super Administrator role in ConductorOne and Super Administrator access in Cloudflare Zero Trust must perform this task.

Step 1: Locate your Cloudflare Account ID

  1. Log into your Cloudflare Super Administrator account and select Workers from the left nav.

  2. On the Workers page, find your Account ID on the right side of the page.

  3. Copy and save the Account ID. We’ll use it in Step 3.

Step 2: Create an API Token

Alternative credential option: If you do not want to generate and use an API token for the integration, Cloudflare Zero Trust also accepts authentication via an API key and the corresponding account’s email address. Find your API keys by navigating to My Profile > API Tokens.

  1. Click the user icon and select My Profile.

  2. Click API Tokens on the left side, then click Create Token.

  3. At the bottom of the page, in the Custom Token area, click Get started.

  4. Fill out the Create Custom Token page as follows:

    1. Give the API token a name, such as ConductorOne

    2. Set the appropriate permissions for the API token:

      If you want to use ConductorOne to provision Cloudflare Zero Trust group memberships, set:

      • Account -> Account Settings -> Read
      • Account -> Access: Organizations, Identity Providers, and Groups -> Edit
      • Account -> Access: Apps and Policies -> Read
      • Account -> Access: Audit Logs -> Read

      Otherwise, set:

      • Account -> Account Settings -> Read
      • Account -> Access: Organizations, Identity Providers, and Groups -> Read
      • Account -> Access: Apps and Policies -> Read
      • Account -> Access: Audit Logs -> Read
    3. Click Continue to summary

  5. Click Create Token and copy the token generated for you. We’ll use it in Step 3.

Step 3: Add your Cloudflare Zero Trust credentials to ConductorOne

  1. In ConductorOne, navigate to the Cloudflare Zero Trust connector by either:

    • Clicking the Set up connector link in the email you received about configuring the connector.

    • Navigate to Admin > Connectors > Cloudflare Zero Trust (if there is more than one Cloudflare Zero Trust listed, click the one with your name listed as owner and the status Not connected).

  2. Find the Settings area of the page and click Edit.

  3. Enter the account ID you looked up in Step 1 into the Account ID field.

  4. Paste the API token you generated in Step 2 into the API token field.

    If you’re using an API key and email to authenticate: Leave the API token field blank and instead enter the API key and associated account email into the corresponding fields.

  1. Click Save.

  2. The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.

That’s it! Your Cloudflare Zero Trust connector is now pulling access data into ConductorOne.

Configure the Cloudflare Zero Trust integration using Terraform

As an alternative to the integration process described above, you can use Terraform to configure the integration between Cloudflare Zero Trust and ConductorOne.

See the ConductorOne Cloudflare Zero Trust integration resource page in the ConductorOne Terraform registry for example usage and the full list of required and optional parameters.