HCP SSO with Cloudflare

Hey everyone,

I am trying to add HCP as a SaaS app in Cloudflare Access: SaaS applications · Cloudflare Zero Trust docs

In HCP, I configured the following:
SAML IDP Single Sign-On URL: SSO endpoint from Cloudflare (https://company.cloudflareaccess.com/cdn-cgi/access/sso/saml/XXXX)
SAML IDP Certificate: Public key from Cloudflare

In Cloudflare, I configured the following:
Entity ID: Entity ID from HCP (urn:hashicorp:HCP-SSO-XXXX-samlp)
Assertion Consumer Service URL: SSO Sign-On URL from HCP (https://auth.hashicorp.com/login/callback?connection=HCP-XXXX-samlp)
Name ID Format: email

When I attempt to log into HCP, I get the following error:
invalid_request : IdP-Initiated login is not enabled for connection “HCP-SSO-XXXXX-samlp”.

Any help appreciated!


I just got the same response configuring Google Workspace SAML with HCP.
This article explains why: "invalid_request: IdP-Initiated login is not enabled" error logging into HCP via SSO – HashiCorp Help Center

Thanks for the link, that makes sense for logging in via the IdP. However, I am still not able to use Cloudflare as my IdP for SSO when logging in from the SP (HashiCorp Cloud Portal).

I am getting this error from Cloudflare Access, when attempting to sign in from HCP:

Failed to validate your SAML Request
The SAML Request consumer service url does not match the expected value

I also tried to set up SAML SSO with Azure AD and I was able to log in successfully. If I use a SAML debugger and sniff the SAML requests for both Azure AD and Cloudflare Access, the requests are identical, except for the Destination URL and the ID. Not sure why it’s not working with Cloudflare.

Same problem here… :melting_face:

@jsilva1 The problem is that HCP does not include the AssertionConsumerServiceURL attribute in the AuthnRequest sent to Cloudflare. After working with support over the last week, they were able to enable that attribute. Not sure if it’s on a per-account basis or across all HCP users, but if you’re still having this issue, contact support and ask them to add that attribute for your organization.

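The SP-initiated flow discussed in this thread, as an added example that is not HCP's or Cloudflare's code: an IdP-side check that the AuthnRequest's AssertionConsumerServiceURL is present and equals the ACS URL registered for the SP, run against a constructed request that omits the attribute, as HCP's did. The XXXX placeholder values are the thread's; the request builder, the IDs and the rejection reasons are assumptions made for illustration.

```python
"""Validate a SAML AuthnRequest the way an IdP does before issuing an assertion:
the AssertionConsumerServiceURL it carries must be present and equal to the ACS
URL registered for that SP. Added example; XXXX placeholders come from the thread."""
from typing import Optional, Tuple
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
EXPECTED_ISSUER = "urn:hashicorp:HCP-SSO-XXXX-samlp"
EXPECTED_ACS = "https://auth.hashicorp.com/login/callback?connection=HCP-XXXX-samlp"
IDP_SSO_URL = "https://company.cloudflareaccess.com/cdn-cgi/access/sso/saml/XXXX"

def build_authn_request(acs_url: Optional[str]) -> str:
    """Constructed SP-initiated AuthnRequest (not captured from HCP); the ID is made up.
    acs_url=None reproduces the case in this thread: no ACS attribute at all."""
    acs_attr = f'\n  AssertionConsumerServiceURL="{acs_url}"' if acs_url else ""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"\n'
        f'  ID="_constructed-id-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"\n'
        f'  Destination="{IDP_SSO_URL}"{acs_attr}\n'
        f'  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">\n'
        f"  <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>\n"
        f"</samlp:AuthnRequest>"
    )

def validate_authn_request(xml_text: str, expected_issuer: str, expected_acs: str) -> Tuple[bool, str]:
    """Return (accepted, reason). Rejecting a missing or differing ACS URL is what keeps
    an assertion from being posted to an endpoint the SP never registered; Cloudflare
    Access reports both cases with the single mismatch error quoted in this thread."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        return False, "not a samlp:AuthnRequest"
    issuer = (root.findtext(f"{{{SAML_NS}}}Issuer") or "").strip()
    if issuer != expected_issuer:
        return False, f"issuer {issuer!r} is not the registered entity ID"
    acs_url = root.get("AssertionConsumerServiceURL")
    if acs_url is None:
        return False, "AssertionConsumerServiceURL attribute is missing"
    if acs_url != expected_acs:  # exact match; no prefix or host-only comparison
        return False, "consumer service url does not match the expected value"
    return True, "ok"

if __name__ == "__main__":
    for acs in (EXPECTED_ACS, None, "https://other.example/callback"):
        print(acs, "->", validate_authn_request(build_authn_request(acs), EXPECTED_ISSUER, EXPECTED_ACS))
```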