This is not currently recommended on production as it has not yet been properly security audited.
The Problem: Using Cloudflare Access with WordPress out of the box requires one layer of authentication through Cloudflare (using 2FA), and then a second layer right after - using the vanilla WordPress login.
This is a major pain in the arse.
The same problem is present on logout, which is actually worse. It's easy to logout of WordPress OR Cloudflare Access - but it's another matter completely to log out of both simultaneously.
The Solution: A plugin to instantly enable SSO when using Cloudflare Access of course! This plugin reads the email header sent from Cloudflare Access and attempts to pair the session up with an existing user in WordPress. It also force redirects the user to the Cloudflare Access logout page AFTER terminating the session in WordPress.
It is VERY IMPORTANT that you ensure only requests from Cloudflare IPs (and your server itself) are allowed connect to your WordPress site when this plugin is activated. You can find the list of Cloudflare IP Ranges here. Also, see our own guide on HOW TO: Block non-Cloudflare requests to your site with a Worker.
Another important step is to Enable Binding Cookie in Cloudflare Access (Cloudflare for Teams -> Access -> Applications -> Settings -> Enable Binding Cookie) to protect against stolen authorization cookies within your org.
If an email is whitelisted in Cloudflare Access but does not exist in the WordPress database, the user will be prompted with:
User not found in site database. Please contact your site administrator for access.
You can grab the plugin code here.