Globally disable email auth

Hey team I have all of my users logging in through sso - they each have their own because they have their own idps - how can I disable email verification? see below for an explaination of my use case

Federation Broker is a technology that enables users to access resources using credentials at their own identity provider. Furthermore, it enables users to provide access to other users without creating individual federation connections to each and every user.

Here’s the typical setup. Users make or verify the setup of their own identity provider - it can be Okta, Microsoft Entra/Azure AD, Authentik, or anything else. They then connect their own IdP to their personal Cloudflare Zero Trust account. Next, a SaaS application is added to their Cloudflare Zero Trust application which is added as a IdP source within the Federation Broker Cloudflare Zero Trust account. Finally, the Federation Broker Cloudflare Zero Trust account is set as an IdP for resources and other destinations.

So, the flow is User’s Own IdP → User’s Personal Cloudflare Access Account → Federation Broker Cloudflare Access Account → Destination Application. This has some distinct advantages. For starters, since the end user connects their IdP to their own Cloudflare Access account and then that Cloudflare account is connected to federation broker, updates to the end user’s IdP, such as changing to a new IdP or certs expiring, do not require the intervention of Federation Broker administrators.

Federation Broker is a technology that enables users to access resources using credentials at their own identity provider. Furthermore, it enables users to provide access to other users without creating individual federation connections to each and every user.

Here’s the typical setup. Users make or verify the setup of their own identity provider - it can be Okta, Microsoft Entra/Azure AD, Authentik, or anything else. They then connect their own IdP to their personal Cloudflare Zero Trust account. Next, a SaaS application is added to their Cloudflare Zero Trust application which is added as a IdP source within the Federation Broker Cloudflare Zero Trust account. Finally, the Federation Broker Cloudflare Zero Trust account is set as an IdP for resources and other destinations.

So, the flow is User’s Own IdP → User’s Personal Cloudflare Access Account → Federation Broker Cloudflare Access Account → Destination Application. This has some distinct advantages. For starters, since the end user connects their IdP to their own Cloudflare Access account and then that Cloudflare account is connected to federation broker, updates to the end user’s IdP, such as changing to a new IdP or certs expiring, do not require the intervention of Federation Broker administrators.

mermaid
flowchart LR
subgraph User_Side["User-Managed Side"]
IdP["User's IdP<br/>(Okta, Azure AD, Authentik, etc.)"]
CloudflarePersonal["User's Personal<br/>Cloudflare Zero Trust Account"]
end

subgraph Federation_Broker["Federation Broker Side"]
CF_Federation["Federation Broker<br/>Cloudflare Access Account"]
App["Destination Application or Resource"]
end

IdP --> CloudflarePersonal
CloudflarePersonal --> CF_Federation
CF_Federation --> App

classDef light fill:#f9f,stroke:#333,stroke-width:1px;
classDef blue fill:#ccf,stroke:#333,stroke-width:1px;
classDef green fill:#cfc,stroke:#333,stroke-width:1px;

class IdP light
class CloudflarePersonal blue
class CF_Federation blue
class App green

``````

Hey team I have all of my users logging in through sso - they each have their own because they have their own idps - how can I disable email verification? see below for an explaination of my use case

Federation Broker is a technology that enables users to access resources using credentials at their own identity provider. Furthermore, it enables users to provide access to other users without creating individual federation connections to each and every user.

Here’s the typical setup. Users make or verify the setup of their own identity provider - it can be Okta, Microsoft Entra/Azure AD, Authentik, or anything else. They then connect their own IdP to their personal Cloudflare Zero Trust account. Next, a SaaS application is added to their Cloudflare Zero Trust application which is added as a IdP source within the Federation Broker Cloudflare Zero Trust account. Finally, the Federation Broker Cloudflare Zero Trust account is set as an IdP for resources and other destinations.

So, the flow is User’s Own IdP → User’s Personal Cloudflare Access Account → Federation Broker Cloudflare Access Account → Destination Application. This has some distinct advantages. For starters, since the end user connects their IdP to their own Cloudflare Access account and then that Cloudflare account is connected to federation broker, updates to the end user’s IdP, such as changing to a new IdP or certs expiring, do not require the intervention of Federation Broker administrators.

Federation Broker is a technology that enables users to access resources using credentials at their own identity provider. Furthermore, it enables users to provide access to other users without creating individual federation connections to each and every user.

Here’s the typical setup. Users make or verify the setup of their own identity provider - it can be Okta, Microsoft Entra/Azure AD, Authentik, or anything else. They then connect their own IdP to their personal Cloudflare Zero Trust account. Next, a SaaS application is added to their Cloudflare Zero Trust application which is added as a IdP source within the Federation Broker Cloudflare Zero Trust account. Finally, the Federation Broker Cloudflare Zero Trust account is set as an IdP for resources and other destinations.

So, the flow is User’s Own IdP → User’s Personal Cloudflare Access Account → Federation Broker Cloudflare Access Account → Destination Application. This has some distinct advantages. For starters, since the end user connects their IdP to their own Cloudflare Access account and then that Cloudflare account is connected to federation broker, updates to the end user’s IdP, such as changing to a new IdP or certs expiring, do not require the intervention of Federation Broker administrators.

Globally disable email auth

Globally disable email auth

Continue the conversation

ZITADEL

Continue the conversation

ZITADEL

Similar Threads