In HCP, I configured the following:
SAML IDP Single Sign-On URL: SSO endpoint from Cloudflare (https://company.cloudflareaccess.com/cdn-cgi/access/sso/saml/XXXX)
SAML IDP Certificate: Public key from Cloudflare
In Cloudflare, I configured the following:
Entity ID: Entity ID from HCP (urn:hashicorp:HCP-SSO-XXXX-samlp)
Assertion Consumer Service URL: SSO Sign-On URL from HCP (https://auth.hashicorp.com/login/callback?connection=HCP-XXXX-samlp)
Name ID Format: email
When I attempt to log into HCP, I get the following error: invalid_request : IdP-Initiated login is not enabled for connection “HCP-SSO-XXXXX-samlp”.
Thanks for the link, that makes sense for logging in via the IdP. However, I am still not able to use Cloudflare as my IdP for SSO when logging in from the SP (HashiCorp Cloud Portal).
I am getting this error from Cloudflare Access, when attempting to sign in from HCP:
Failed to validate your SAML Request
The SAML Request consumer service url does not match the expected value
I also tried to set up SAML SSO with Azure AD and I was able to log in successfully. If I use a SAML debugger and sniff the SAML requests for both Azure AD and Cloudflare Access, the requests are identical, except for the Destination URL and the ID. Not sure why it’s not working with Cloudflare.
@jsilva1 The problem is that HCP does not include the AssertionConsumerServiceURL attribute in the AuthnRequest sent to Cloudflare. After working with support over the last week, they were able to enable that attribute. Not sure if it’s on a per-account basis or across all HCP users, but if you’re still having this issue, contact support and ask them to add that attribute for your organization.
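The failure in this thread comes down to one attribute on the SP-initiated AuthnRequest. The Python below is an added illustration, not code from HashiCorp or Cloudflare: it builds a minimal (unsigned) AuthnRequest with or without AssertionConsumerServiceURL and runs the IdP-side check that rejects a request whose ACS URL is absent or differs from the one registered for the SP. The REGISTERED_SP values are constructed from the placeholders quoted above, and the function and field names are this example's own.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Hypothetical IdP-side record of what the SP registered. Values are constructed
# from the placeholders in the thread (Entity ID, ACS URL, IdP SSO URL).
REGISTERED_SP = {
    "entity_id": "urn:hashicorp:HCP-SSO-XXXX-samlp",
    "acs_url": "https://auth.hashicorp.com/login/callback?connection=HCP-XXXX-samlp",
    "sso_url": "https://company.cloudflareaccess.com/cdn-cgi/access/sso/saml/XXXX",
}


def build_authn_request(issuer, destination, acs_url=None, request_id="_req1"):
    """Constructed sample AuthnRequest (unsigned, no signature handling).

    acs_url=None reproduces the request shape described in the thread, where the
    SP omitted AssertionConsumerServiceURL and relied on the IdP's registered value.
    """
    attrs = [
        f'xmlns:samlp="{SAMLP}"',
        f'xmlns:saml="{SAML}"',
        f'ID="{request_id}"',
        'Version="2.0"',
        'IssueInstant="2024-01-01T00:00:00Z"',
        f'Destination="{escape(destination, {chr(34): "&quot;"})}"',
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"',
    ]
    if acs_url is not None:
        attrs.append(f'AssertionConsumerServiceURL="{escape(acs_url, {chr(34): "&quot;"})}"')
    name_id_format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    return (
        f'<samlp:AuthnRequest {" ".join(attrs)}>'
        f"<saml:Issuer>{escape(issuer)}</saml:Issuer>"
        f'<samlp:NameIDPolicy Format="{name_id_format}" AllowCreate="true"/>'
        "</samlp:AuthnRequest>"
    )


def validate_authn_request(xml_text, sp=REGISTERED_SP):
    """IdP-side check run before any assertion is issued. Returns (accepted, reason).

    Exact string comparison is deliberate: the ACS URL is where the signed
    assertion will be POSTed, so a lenient match would let an assertion be
    delivered somewhere the SP never registered.
    """
    root = ET.fromstring(xml_text)  # a hardened parser (e.g. defusedxml) belongs here in production
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return False, "not an AuthnRequest"

    issuer_el = root.find(f"{{{SAML}}}Issuer")
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    if issuer != sp["entity_id"]:
        return False, f"unknown issuer {issuer!r}"

    if root.get("Destination") != sp["sso_url"]:
        return False, "Destination does not match this IdP's SSO endpoint"

    acs = root.get("AssertionConsumerServiceURL")
    if acs is None:
        # The situation in the thread: attribute absent, strict IdP refuses.
        return False, "AssertionConsumerServiceURL attribute missing from AuthnRequest"
    if acs != sp["acs_url"]:
        return False, "The SAML Request consumer service url does not match the expected value"
    return True, "ok"


if __name__ == "__main__":
    sp = REGISTERED_SP
    scenarios = {
        "attribute omitted (HCP before the support change)": build_authn_request(sp["entity_id"], sp["sso_url"]),
        "attribute present and correct": build_authn_request(sp["entity_id"], sp["sso_url"], sp["acs_url"]),
        "attribute points elsewhere": build_authn_request(sp["entity_id"], sp["sso_url"], "https://example.invalid/cb"),
    }
    for label, req in scenarios.items():
        print(f"{label}: {validate_authn_request(req)}")
```

The first scenario is the one the thread describes: the request is well-formed, the Issuer and Destination line up, and the only defect is the missing ACS attribute. An IdP that falls back to its registered ACS URL when the attribute is absent would accept that same request, which is consistent with the Azure AD login succeeding while Cloudflare Access rejected it, and with the SAML debugger showing the two requests differing only in Destination and ID.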