I have been using JumpCloud’s LDAP implementation as the central directory for a few things: vCenter, QNAP and CloudFlare Access. I have also configured DUO directory sync to retrieve user information and send out MFA activations automatically. You can enable and configure any TOTP service for the JumpCloud user portal; however, DUO makes it easy with push notifications.

I will talk about CloudFlare Access and Teams in a different post, but in a nutshell, Access is one of many cloud solutions that replace the need for a typical VPN. For example, I use it to provide access to internal resources via a publicly accessible portal.

Now when I think about creating a public portal, it’s a scary task to take on. No matter how much experience and confidence one has, opening inbound firewall ports to allow access from the Internet is a big undertaking: the exposed service, and everything reachable behind it, is visible to every scanner and brute-force bot on the Internet, and it is only as safe as its patch level and its weakest credential. It’s also a very unnecessary risk for smaller teams and organizations. Instead, I can leave the public-facing side to CloudFlare, with its massive network, capacity and properly configured and secured infrastructure; every request is authenticated at CloudFlare’s edge before it is forwarded to the origin. CloudFlare Access integrates with a directory or authentication service via SAML (or OIDC), so logins are handled by your existing identity provider rather than by the exposed application. In addition, MFA enforced by that identity provider (here DUO, via JumpCloud) adds a second layer of security and peace of mind.

CloudFlare Access does not magically find and connect to your on-premises (web-based) services, of course! There still needs to be some form of connection from the internal network. This is where Argo Tunnel and cloudflared come into play. cloudflared can be downloaded as a binary for Linux, Windows and Mac, and configured to establish a secure tunnel from your server(s) to the CloudFlare network. The important detail is the direction: cloudflared opens outbound, TLS-encrypted connections to CloudFlare’s edge and CloudFlare relays requests back down them, so no inbound port is opened on your firewall and the origin never needs to be reachable from the Internet. Put an Access policy in front of the tunnelled hostname and requests are only forwarded once the user has authenticated.

Argo Tunnel can also be used with the CloudFlare load balancer. A good example of this combination is when you do not want to allow direct public access to your web servers but obviously still need to serve the website and its content. Argo Tunnel establishes the secure connection from each server and attaches it to the load balancer behind a proxied DNS record for the website, so the web servers themselves need no public address at all.

Now that we know what Access can do, the first step is to configure CloudFlare and JumpCloud to talk to each other for authentication.

Prerequisites:

  • A reason or interest to do this!
  • JumpCloud account (free)
  • CloudFlare account (free) that serves DNS for your domain
  • CloudFlare Access (free)
  • CloudFlare Argo ($5 USD monthly subscription; the first gigabyte of traffic is free, after that it costs $0.10 per GB)

Resources:

  • Check out my JumpCloud - Directory as a Service post to learn about JumpCloud services and how to set up a new account
  • I don’t have a detailed post about CloudFlare, but I do go over account creation and moving DNS to CloudFlare in my From Github to Gitlab post
  • Official CloudFlare documentation for setting up Access
  • Enable/subscribe to Argo in the CloudFlare portal

The plan:

  • Export SAML metadata from Access
  • Create SSO application on JumpCloud and import CloudFlare’s SAML metadata
  • Export SAML metadata from JumpCloud’s SSO application
  • Import JumpCloud’s SAML metadata into Access

Sounds easy enough, right? I will list out the steps and some screenshots below just in case 😜

CloudFlare (Part 1):

  • Login to CloudFlare dashboard
  • Select your site and then Access
  • Change Page Login Domain to something that makes sense to you
  • Click on add button under Login Method and select SAML
  • Download SAML metadata file from the link provided in the instruction section on Step 6

JumpCloud:

  • Login to the JumpCloud admin console https://console.jumpcloud.com
  • Select SSO and add a new application
  • Search for CloudFlare and select configure
  • Type in a name for this SSO configuration
  • In the IdP Entity ID box, type in your CloudFlare Access login domain (the same value you set as the Login Page Domain in Part 1)
  • Scroll down, click on the Upload Metadata button and select the XML/SAML file downloaded from CloudFlare
  • Scroll down and change any pre-defined attribute if required
  • Enable the group attributes option and type in memberOf - Access can be configured to allow or deny based on group membership. The name you type here must match the attribute name you later add in Access exactly; SAML attribute names are case-sensitive, so memberof and memberOf are different attributes
  • Now scroll back up and click on the User Groups tab
  • Select the groups that you would like to allow application access - This determines whether users see this SSO application on their portal, and JumpCloud only issues a SAML assertion for users in the bound groups, so anyone outside them is refused at the identity provider before any Access policy is evaluated
  • Finally click on the activate button
  • Open up the newly created SSO application and expand SAML settings, then download the metadata file

CloudFlare (Part 2):

  • Click on add button under Login Method and select SAML
  • Upload SAML file from JumpCloud
  • Type in a provider name, this can be anything, then click Save and Close
  • Click on the SAML provider we just created, scroll down to add a second attribute and type memberOf in the box (spelled exactly as in the JumpCloud attribute), then Save and Close
  • Click on the Launch Teams button to launch the CloudFlare Teams console
  • Expand Access, click on Authentication and then Test under Login Methods
  • This should open a new page redirecting to the JumpCloud login page
  • After successful authentication you’ll be presented with a confirmation that the login method works end to end. This only proves authentication; a user is still only admitted to an application by an Access policy, and that policy is where the memberOf attribute is actually used
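The two things that silently break this setup are a metadata file that does not say what you expect (wrong entity ID, no signing certificate) and a group attribute whose name differs between JumpCloud and Access. As an added example that is not part of the original post and not code from JumpCloud or CloudFlare, the Python below performs the sanity checks a practitioner would run on the metadata exchanged in the plan above and on the memberOf attribute configured in the JumpCloud and CloudFlare (Part 2) steps. The metadata, assertion, hostnames and group names are constructed stand-ins, and the certificate is a placeholder DER header rather than a real X.509 certificate. It deliberately does not verify XML signatures; CloudFlare Access does that on the real assertion, and attribute values from an unverified assertion must never drive an allow decision.

```python
"""Sanity-check the SAML artefacts exchanged between an IdP and Cloudflare Access.

Added example for this post, not code from JumpCloud or Cloudflare. Checks:
  * IdP metadata: entityID, SSO endpoint scheme, presence of a signing cert
  * assertion attributes: exact (case-sensitive) names and multi-valued memberOf
No signature verification is done here; Access verifies the real assertion.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed stand-in for a DER certificate (SEQUENCE tag plus filler);
# NOT a real X.509 certificate. JumpCloud's metadata carries the real one.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"\x30\x82\x00\x10" + b"\xab" * 16).decode()

# Constructed IdP metadata in the shape JumpCloud exports. The entityID is the
# value typed into the "IdP Entity ID" box; all hostnames are assumptions.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://example.cloudflareaccess.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{PLACEHOLDER_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sso.jumpcloud.com/saml2/cloudflare-example"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed, unsigned assertion fragment with a multi-valued memberOf.
ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_c1" Version="2.0"
    IssueInstant="2021-01-01T00:00:00Z">
  <saml:Issuer>https://example.cloudflareaccess.com</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>vcenter-admins</saml:AttributeValue>
      <saml:AttributeValue>qnap-users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def check_idp_metadata(xml_text, expected_entity_id):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    if entity_id != expected_entity_id:
        findings.append(f"entityID {entity_id!r} != expected {expected_entity_id!r}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return findings + ["no IDPSSODescriptor: this is not IdP metadata"]
    # Access redirects the browser here; a plain-http endpoint exposes the request.
    sso = [e.get("Location", "") for e in idp.findall("md:SingleSignOnService", NS)]
    if not sso:
        findings.append("no SingleSignOnService endpoint")
    findings += [f"non-https SSO endpoint {u}" for u in sso if not u.startswith("https://")]
    # Without a signing certificate Access has nothing to verify assertions against.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' means signing + encryption
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join((c.text or "").split()))
    if not certs:
        findings.append("no signing certificate in metadata")
    for c in certs:
        try:
            der = base64.b64decode(c, validate=True)
        except ValueError:
            findings.append("signing certificate is not valid base64")
            continue
        if not der.startswith(b"\x30"):  # DER SEQUENCE tag; anything else is not a cert
            findings.append("signing certificate does not decode to DER")
    return findings


def extract_attributes(assertion_xml):
    """Map each SAML attribute Name (case-sensitive) to its list of values."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def group_allowed(attrs, attribute_name, required_group):
    """Mirror an Access SAML-group rule: allow if any value of the named attribute
    equals the group. A misspelled or differently-cased name yields False."""
    return required_group in attrs.get(attribute_name, [])


if __name__ == "__main__":
    print("metadata findings:", check_idp_metadata(IDP_METADATA, "https://example.cloudflareaccess.com") or "none")
    attrs = extract_attributes(ASSERTION)
    print("attributes:", attrs)
    print("vcenter-admins via memberOf:", group_allowed(attrs, "memberOf", "vcenter-admins"))
    print("vcenter-admins via memberof:", group_allowed(attrs, "memberof", "vcenter-admins"))
```

Run it against the metadata file you actually downloaded from JumpCloud by passing the file contents and your login domain to check_idp_metadata. The placeholder certificate only proves the field decodes; with the third-party cryptography package you could additionally load the real certificate and flag an expiry date close to today, which is the usual cause of a login method that worked last year and fails now.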