{"id":28549991,"url":"https://github.com/bendwyer/sso","last_synced_at":"2025-07-02T22:32:51.363Z","repository":{"id":296629143,"uuid":"993842657","full_name":"bendwyer/sso","owner":"bendwyer","description":"Single sign-on for various accounts.","archived":false,"fork":false,"pushed_at":"2025-06-01T07:11:48.000Z","size":18785,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-06-10T03:01:36.740Z","etag":null,"topics":["auth0","cloudflare-access","sso"],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bendwyer.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-05-31T16:34:23.000Z","updated_at":"2025-06-01T07:11:51.000Z","dependencies_parsed_at":"2025-06-01T11:09:58.974Z","dependency_job_id":"b24dc6ec-cbd1-4779-b089-46098a1d1962","html_url":"https://github.com/bendwyer/sso","commit_stats":null,"previous_names":["bendwyer/sso"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/bendwyer/sso","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bendwyer%2Fsso","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bendwyer%2Fsso/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bendwyer%2Fsso/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bendwyer%2Fsso/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bendwyer","download_url"
:"https://codeload.github.com/bendwyer/sso/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bendwyer%2Fsso/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":263226544,"owners_count":23433731,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["auth0","cloudflare-access","sso"],"created_at":"2025-06-10T03:00:24.074Z","updated_at":"2025-07-02T22:32:51.312Z","avatar_url":"https://github.com/bendwyer.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"SSO\n===\n\n[Auth0](https://auth0.com) is the **Identity Provider (IdP)** and [Cloudflare Access](https://www.cloudflare.com/zero-trust/products/access/) is the primary **Service Provider (SP)**. If possible, SSO applications should be added to the [App Launcher](https://developers.cloudflare.com/cloudflare-one/applications/app-launcher/) in Cloudflare Access.\n\nWhen an application is added to App Launcher, for the purposes of documentation Cloudflare Access is the **IdP** and the application being added is the **SP**. Regardless, when login is initiated from App Launcher or the application's login page, Auth0 is still the \"real\" IdP and will handle user credentials.\n\nRequirements\n------------\n\n- Auth0 (free)\n- Cloudflare Access (free)\n- Terraform CLI\n- HCP Terraform (free)\n- SaaS application(s) supporting SSO\n\nSetup - Main\n------------\n\n\u003e [!CAUTION]\n\u003e Deployment from zero without modification will almost certainly fail since many SPs need to be manually configured. 
That said, the \"foundational\" parts are the [auth0](./terraform//modules/auth0) and [cloudflare-access](./terraform/modules/cloudflare-access) modules, which _should_ \"just work\" from zero. Once those are set up, additional SaaS apps can be layered on.\n\n\u003e [!IMPORTANT]\n\u003e Anywhere you have to provision a user account manually, the username and email must be the same, and it needs to match the user information in Auth0.\n\nWhen connecting Cloudflare Access with a SP, it may be necessary to create the application in Cloudflare Access with blank fields first so that the correct information can be generated for adding to the SP. Once the SP setup is complete, the application config in Cloudflare Access can be updated with the correct information.\n\n### Auth0\n\nPerform the following manual tasks:\n\n- Create a Machine to Machine application for Terraform and permit access to the Auth0 Management API. We need the client secret for authenticating Terraform with Auth0.\n- Create a user account. Username and email must be the same. This will be the SSO user that is created in the SP application.\n\n#### Links\n\n- [Create a custom SAML SSO integration](https://developer.auth0.com/resources/labs/authentication/create-a-custom-saml-sso-integration#introduction)\n\n### Cloudflare Access\n\nNo manual tasks.\n\nThe following API token permissions are required for Terraform:\n\n- Zero Trust:Edit\n- Access: Organizations, Identity Providers, and Groups:Edit\n- Access: Apps and Policies:Edit\n- All zones - DNS:Edit\n\nIf you're struggling to find reference IDs for Cloudflare objects to import, sometimes the information can be found by inspecting the page using the \"Network\" tab in your browser's developer tools. Filter by \"XHR/Fetch\" (Safari) and you should find a corresponding item that contains the relevant ID. 
You may need to navigate to different pages for the correct info to show up though.\n\nThe v4.x provider is preferred for the moment since 5.x has a lot of problems.\n\n#### Links\n\n- [IdP Integration - Generic OIDC](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/generic-oidc/)\n\nSetup - SaaS\n------------\n\n### AWS IAM Identity Center\n\nThe settings in AWS IAM Identity Center need to be manually configured. The [hashicorp/aws](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) provider does not (yet) support this operation (AWS SSO).\n\n#### Links\n\n- [SaaS Apps - AWS SSO](https://developers.cloudflare.com/cloudflare-one/applications/configure-apps/saas-apps/aws-sso-saas/)\n\n### HCP (HashiCorp Cloud Platform)\n\nThe settings in HCP need to be manually configured. The [hashicorp/hcp](https://registry.terraform.io/providers/hashicorp/hcp/latest/docs) provider does not (yet) support this operation. Once SSO is enabled, users can no longer be invited to the organization and should instead be provisioned in the IdP (Auth0).\n\n#### Links\n\n- [Invalid request: IdP initiated login is not enabled](https://support.hashicorp.com/hc/en-us/articles/4404712863379--invalid-request-IdP-Initiated-login-is-not-enabled-error-logging-into-HCP-via-SSO)\n- [Cloudflare SAML SSO in HCP configuration](https://support.hashicorp.com/hc/en-us/articles/36026580143635-Cloudflare-SAML-SSO-in-HCP-Configuration)\n- [Invite Users](https://developer.hashicorp.com/hcp/docs/hcp/iam/users#invite-users)\n\n### HCP Terraform\n\nThe settings in HCP Terraform need to be manually configured. 
The [hashicorp/tfe](https://registry.terraform.io/providers/hashicorp/tfe/latest/docs) provider does not (yet) support this operation.\n\n#### Links\n\n- [Support for configuring SSO on Terraform Cloud](https://github.com/hashicorp/terraform-provider-tfe/issues/975)\n\n### Tailscale\n\nIf you need to migrate to an OIDC IdP, open a [support request](https://tailscale.com/contact/support) (bottom of the page) and provide the following information:\n\n- Type of request: Identity provider configuration or change\n- Domain name you will use to log in to Tailscale (Webfinger needs to be configured to respond on this domain).\n- Change SSO identity provider\n- Old and new providers\n- Client ID from Cloudflare Access\n- Client Secret from Cloudflare Access\n- Prompts (leave default)\n\n#### Links\n\n- [SSO Custom OIDC: Identity Provider Setup](https://tailscale.com/kb/1240/sso-custom-oidc#identity-provider-setup)\n- [Auth using auth0 identity](https://github.com/tailscale/tailscale/issues/1222#issuecomment-1992731979)\n- [Using Auth0 with Headscale and Tailscale](https://codingkoi.com/garden/tips-and-tricks/using-auth0-with-headscale-and-tailscale.html)\n\nSetup - Bookmarks\n-----------------\n\nNo real action is needed here; a Bookmark simply creates a shortcut in the App Launcher to a website. One thing to note is that Bookmarks cannot have policies applied, so if you plan to share this App Launcher dashboard with others, they will also be able to see and access your Bookmarks.\n\n`required-providers` module\n---------------------------\n\nInstead of versioning each child module individually, the `required-providers` module handles provider versions for the entire deployment. 
Inspired by Martin Atkins' [comment](https://github.com/hashicorp/terraform/issues/35479#issuecomment-2239828829).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbendwyer%2Fsso","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbendwyer%2Fsso","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbendwyer%2Fsso/lists"}