ADR — Cloudflare Access for docs.adventive.dev binds to JumpCloud

  • Date: 2026-04-27
  • Status: Accepted
  • Project: engineering-docs-site

Decision

Authentication for docs.adventive.dev is handled by Cloudflare Access, with JumpCloud as the identity provider. Access is granted to members of the JumpCloud group engineering-docs-readers (group name to be finalized at provisioning time).

Context

Adventive maintains identity in JumpCloud. Cloudflare Access supports JumpCloud as a SAML/OIDC IdP, so the integration is first-class. The Admin Dashboard Cloudflare Migration project also targets Access (per project_admin_dashboard_migration.md); aligning the docs site on the same IdP keeps Adventive's auth model consistent across internal surfaces.

Google Workspace was the alternative — also viable as a SAML IdP — but Adventive's source-of-truth for engineering identity is JumpCloud, and routing through Workspace would add a translation layer.

Consequences

Positive:

  • Single identity store for engineering access across the docs site, the new admin dashboard, and any future Cloudflare Access surfaces.
  • Group membership in JumpCloud is the single lever to grant or revoke read access.
  • Off-boarding a colleague is a one-step removal from the JumpCloud group; Access picks it up on next session refresh (or immediately if the session is revoked from the Cloudflare dashboard).

Negative / accepted trade-offs:

  • Hard dependency on JumpCloud availability for site access. Mitigated by Cloudflare Access caching and 24h session lifetime — a brief JumpCloud outage doesn't immediately log everyone out.

Implementation

In Cloudflare Zero Trust:

  1. Settings → Authentication → Login methods → Add JumpCloud (SAML or OIDC; SAML is the standard JumpCloud path).
  2. Test login flow with one engineer.
  3. Access → Applications → Add a Self-hosted application:
     • Application domain: docs.adventive.dev
     • Identity providers: JumpCloud (only)
     • Session duration: 24 hours
     • Policy: Allow if Email ends with @adventive.com AND Group is engineering-docs-readers
  4. Verify denial path: an Adventive employee NOT in the group is rejected.
  5. Verify allow path: a group member can read.

Operational notes

  • The JumpCloud group engineering-docs-readers is provisioned at Access setup time. Membership is managed in JumpCloud, not in Cloudflare.
  • Service-token policy is added as a fallback for CI/automation that needs to fetch the site (e.g. uptime checks) — bound to a token, not a person, so a misconfigured human policy doesn't lock automation out.
  • Preview deployments inherit the same Access app via wildcard subdomain coverage; if Cloudflare Pages preview URLs land on *.pages.dev and not on *.docs.adventive.dev, a second Access app is configured for the preview pattern.
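The Access application, the reader policy from the Implementation steps, and the service-token fallback from the operational notes, expressed as Terraform for the Cloudflare provider (v4 resource schema). This is an added example, not configuration from the ADR or the project: the zone id, the JumpCloud login-method id, the service-token name and the SAML group attribute name `groups` are assumptions to confirm at provisioning time.

```hcl
# Added example, not the project's own config. Cloudflare Terraform provider, v4 schema.
# Zone id, IdP id and the SAML group attribute name are placeholders / assumptions.
variable "zone_id"          { type = string } # zone hosting adventive.dev
variable "jumpcloud_idp_id" { type = string } # id of the JumpCloud login method

resource "cloudflare_access_application" "docs" {
  zone_id                   = var.zone_id
  name                      = "Engineering docs"
  domain                    = "docs.adventive.dev"
  type                      = "self_hosted"
  session_duration          = "24h"
  allowed_idps              = [var.jumpcloud_idp_id] # JumpCloud only
  auto_redirect_to_identity = true                   # single IdP, skip the chooser
}
# Human readers: email domain AND group membership must both hold.
resource "cloudflare_access_policy" "readers" {
  zone_id        = var.zone_id
  application_id = cloudflare_access_application.docs.id
  name           = "engineering-docs-readers"
  precedence     = 1
  decision       = "allow"
  include {
    email_domain = ["adventive.com"]
  }
  # require narrows include: an @adventive.com login outside the group is denied.
  require {
    saml {
      identity_provider_id = var.jumpcloud_idp_id
      attribute_name       = "groups" # assumed name of the JumpCloud group attribute
      attribute_value      = "engineering-docs-readers"
    }
  }
}
# CI/uptime fallback: bound to a service token, not a person.
resource "cloudflare_access_service_token" "uptime" {
  zone_id = var.zone_id
  name    = "docs-uptime-check" # assumed name
}
resource "cloudflare_access_policy" "automation" {
  zone_id        = var.zone_id
  application_id = cloudflare_access_application.docs.id
  name           = "automation-service-token"
  precedence     = 2
  decision       = "non_identity" # service-token auth, no IdP login
  include {
    service_token = [cloudflare_access_service_token.uptime.id]
  }
}
```

The denial check from the Implementation steps then maps to a login with an @adventive.com account that is not in the group: the include rule matches but the require rule fails, so Access refuses it.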