AWS
Last reviewed: 12 months ago

This guide covers how to configure AWS as a SAML application in Cloudflare Zero Trust.

Prerequisites:
- An identity provider configured in Cloudflare Zero Trust
- Admin access to an AWS account

First, obtain the service provider metadata from AWS:
- In the AWS admin panel, search for IAM Identity Center.
- Go to IAM Identity Center > Settings.
- In the Identity source tab, select the Actions dropdown and select Change identity source.
- Change the identity source to External identity provider.
- Copy the values shown in Service provider metadata. You will need these values when configuring the SaaS application in Zero Trust.
Next, we will obtain Identity provider metadata from Zero Trust.
- In a separate tab or window, open Zero Trust and go to Access > Applications.
- Select SaaS.
- For Application, select Amazon AWS.
- For the authentication protocol, select SAML.
- Select Add application.
- Fill in the following fields:
  - Entity ID: IAM Identity Center issuer URL
  - Assertion Consumer Service URL: IAM Identity Center Assertion Consumer Service (ACS) URL
  - Name ID format: Email
- (Optional) Additional SAML attribute statements can be passed from your IdP to AWS SSO. To learn more about AWS attribute mapping, refer to Attribute mappings - AWS Single Sign-On.
- AWS supports uploading a metadata XML file. To download your SAML metadata from Access:
  - Copy the SAML Metadata endpoint.
  - In a separate browser window, go to the SAML Metadata endpoint (https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/sso/saml/xxx/saml-metadata).
  - Save the page as access_saml_metadata.xml.
- Configure Access policies for the application.
- Save the application.
- Return to the IAM Identity Center > Settings > Change identity source tab.
- Under IdP SAML metadata, upload your access_saml_metadata.xml file.
- Select Next to review settings, type ACCEPT and select Change identity source to confirm changes.
- Confirm that Provisioning is set to Manual.
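As an added example (not part of the Cloudflare documentation), the following Python script inspects a downloaded access_saml_metadata.xml before you upload it to IAM Identity Center: it confirms that the entity ID and SSO endpoints point at your own team domain over HTTPS, that a signing certificate is present, and that the emailAddress Name ID format is advertised, matching the Name ID format chosen above. The embedded metadata is a constructed sample with a placeholder certificate, and example-team is an assumed team name.

```python
"""Sanity-check Cloudflare Access IdP SAML metadata before uploading it to IAM Identity Center."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample standing in for access_saml_metadata.xml (not real Cloudflare output).
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://example-team.cloudflareaccess.com/cdn-cgi/access/sso/saml/xxx">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-team.cloudflareaccess.com/cdn-cgi/access/sso/saml/xxx"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def inspect_metadata(xml_text: str, team_domain: str) -> dict:
    """Parse IdP metadata and return the fields AWS will rely on, plus a list of problems found."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    problems = []
    entity_id = root.get("entityID", "")
    if idp is None:
        return {"entity_id": entity_id, "problems": ["no IDPSSODescriptor: this is not IdP metadata"]}
    sso = [(s.get("Binding"), s.get("Location")) for s in idp.findall("md:SingleSignOnService", NS)]
    certs = [c.text.strip() for c in idp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) if c.text]
    formats = [f.text for f in idp.findall("md:NameIDFormat", NS)]
    # Every SSO endpoint must be HTTPS and live on your own Zero Trust team domain.
    for binding, location in sso:
        u = urlparse(location or "")
        if u.scheme != "https" or u.hostname != team_domain:
            problems.append(f"unexpected SSO endpoint for {binding}: {location}")
    if urlparse(entity_id).hostname != team_domain:
        problems.append(f"entityID host is not {team_domain}: {entity_id}")
    if not certs:
        problems.append("no signing certificate: AWS cannot verify assertion signatures")
    if EMAIL_FORMAT not in formats:
        problems.append("emailAddress NameIDFormat missing; the app was configured with Name ID format Email")
    return {"entity_id": entity_id, "sso": sso, "cert_count": len(certs), "name_id_formats": formats, "problems": problems}
```

Run it against the real file with `inspect_metadata(open("access_saml_metadata.xml").read(), "<your-team-name>.cloudflareaccess.com")` and upload only when the returned problems list is empty.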
To test the connection, go to your AWS access portal URL. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider.