What you need
A domain in Cloudflare, active Google Workspace, and a site on Cloudflare Pages. Free Zero Trust supports up to 50 users.
Step 1: Activate Zero Trust
Go to one.dash.cloudflare.com. Set a Team name, select Free plan. Once in: Access controls.
Step 2: Create the Access app
Access controls → Applications → Self-hosted. Name, 24h session, hostname: subdomain + domain.
Step 3: Access policy
“Add a policy” → Allow → Include: Emails → add each authorized email.
Step 4: Google Workspace as IdP
In Access controls → Overview → “Integrate your identity providers” → Google Workspace. It asks: Client ID, Client Secret, Workspace domain.
Step 5: Google Cloud Console
Go to console.cloud.google.com, new project, OAuth consent screen. Then Clients → Create Client → Web application. Redirect URI:
https://YOUR-TEAM.cloudflareaccess.com/cdn-cgi/access/callback💡 Tip: If you click Create too fast, you only see Client ID. Click the client name to see the Secret.
Step 6: Admin SDK API
I forgot this the first time. In Google Cloud: APIs & Services → Enable APIs → “Admin SDK API” → Enable.
Step 7: Finish Setup
Paste Client ID, Secret, domain in Cloudflare. Save → “Finish setup” → authorize in Google Admin. “Success” = done.
⚠️ Common mistake: If you close the tab before Save, the Google integration is already saved. Just recreate the app in Access (2 min).