SSO with Okta

CloudZero supports single sign-on (SSO) with Okta as your identity provider (IdP). This enables users to log in to CloudZero from an Okta tile without needing to enter a CloudZero username and password. This guide covers the OIDC integration method. CloudZero also supports SAML with Okta.

What you need

  • Administrator access to your Okta account
  • Permission to manage SSO integrations in CloudZero

Overview

To set up a new SSO integration for CloudZero using Okta, complete the following steps:

  1. Create a new Okta application
  2. Configure the Okta SSO integration in CloudZero
  3. Complete the configuration in Okta

Step 1: Create a new Okta application

For general guidance on creating app integrations in Okta, see Okta's app integration documentation.

  1. Log in to Okta and navigate to Admin Console > Applications > Applications.

  2. Select Create App Integration.

  3. Select OIDC - OpenID Connect as the Sign-in method.

  4. Select Single-Page Application.

  5. Select Next.

  6. Enter a name in the App integration name field, such as CloudZero.

  7. Optionally, upload a logo to the Logo field. Download the CloudZero logo here.

  8. In the Grant type field, select Advanced, and then check the box for Implicit (hybrid).

  9. In the Sign-in redirect URIs field, enter https://auth.cloudzero.com/login/callback

  10. Select Save to create the app integration, then select Edit to configure additional options.

  11. In the General tab, ensure the Proof Key for Code Exchange (PKCE) box is checked in the Client Credentials section.

  12. Copy the Client ID.

  13. Keep the Okta settings page open so you can finish configuring it in a later step.

Step 2: Configure the Okta SSO integration in CloudZero

  1. Log in to CloudZero and navigate to Settings > SSO Integrations.

  2. Select Create New Integration.

  3. On the Select Your Identity Provider page, select Okta. CloudZero displays the Connect Okta to CloudZero form:

  4. Enter the Email Domain. Users with an email address from this domain will be forwarded to your Okta integration to log in to CloudZero.

  5. Enter the Issuer. This is the URL for your Okta authorization server's discovery endpoint (for example, https://example.okta.com/.well-known/openid-configuration). See Okta's OIDC documentation for details on finding this URL.

  6. Paste the client ID you copied from Okta into the Client ID field.

  7. Select Create Integration. CloudZero creates the integration and shows its details.

  8. Select the Open Test Window button to open a new browser tab to test the integration by logging in to your IdP:

  9. In the new tab, authorize CloudZero's request to connect to your account.

  10. When the test is successful, the tab closes and CloudZero shows a Connection test successful! message. Select Close. If the test fails, verify the values you entered in the previous steps and try again.

  11. In the SSO Connection Status and Controls section, check the Enable log-ins with my SSO box.

  12. Optionally, check the Enable SSO for Groups box to allow your IdP to manage your roles. See Manage Roles with SSO for more information.

  13. Select Enable.

    ⚠️ Selecting Enable immediately activates the SSO integration. If you need to disable this integration, contact your account manager or email [email protected].

  14. Scroll back up to the General Configuration section and copy the Bookmark URL. This is the URL your users will use to access CloudZero from Okta. It follows this format: https://app.cloudzero.com/?connection=<your-connection-name>


Step 3: Complete the configuration in Okta

  1. In Okta, return to the application settings page and paste the bookmark URL you copied into the Initiate login URI field, which is in the LOGIN section of the General tab.

  2. Select Save in Okta.
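
If the connection test in Step 2 fails, the values entered across the three steps can be cross-checked before retrying. The following is an added example, not CloudZero's or Okta's code: the function name check_sso_values, the sample discovery document, and the connection name used in the test are constructed for illustration.

```python
import json
from urllib.parse import urlsplit, parse_qs

REDIRECT_URI = "https://auth.cloudzero.com/login/callback"  # Step 1, item 9
SUFFIX = "/.well-known/openid-configuration"                # Step 2, item 5

# Constructed sample discovery document for the page's example.okta.com tenant.
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://example.okta.com",
  "authorization_endpoint": "https://example.okta.com/oauth2/v1/authorize",
  "jwks_uri": "https://example.okta.com/oauth2/v1/keys",
  "grant_types_supported": ["authorization_code", "implicit"]
}""")

def check_sso_values(issuer_url, discovery, redirect_uris, bookmark_url):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    if not (issuer_url.startswith("https://") and issuer_url.endswith(SUFFIX)):
        problems.append("Issuer is not an https discovery URL")
    # OpenID Connect Discovery: the document's "issuer" must equal the
    # discovery URL with the well-known suffix removed.
    elif discovery.get("issuer") != issuer_url[: -len(SUFFIX)]:
        problems.append("discovery 'issuer' does not match the Issuer URL")
    for key in ("authorization_endpoint", "jwks_uri"):
        if urlsplit(discovery.get(key, "")).scheme != "https":
            problems.append(f"discovery document has no https {key}")
    # The spec default applies when the server omits grant_types_supported.
    grants = discovery.get("grant_types_supported", ["authorization_code", "implicit"])
    if "implicit" not in grants:
        problems.append("authorization server does not list the implicit grant")
    # Redirect URIs are compared as exact strings, so flag anything that differs,
    # including a trailing slash or an extra URI left on the app.
    if REDIRECT_URI not in redirect_uris:
        problems.append("sign-in redirect URI from Step 1 is missing")
    problems += [f"unexpected redirect URI: {u}" for u in redirect_uris if u != REDIRECT_URI]
    # Bookmark URL format: https://app.cloudzero.com/?connection=<your-connection-name>
    b = urlsplit(bookmark_url)
    names = parse_qs(b.query).get("connection", [])
    if (b.scheme, b.netloc, b.path) != ("https", "app.cloudzero.com", "/") or len(names) != 1:
        problems.append("Bookmark URL does not match the documented format")
    return problems
```

Pass the discovery document as the parsed JSON you retrieved from the Issuer URL, and the redirect URIs as they appear in the Okta app's General tab.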

What to expect

Users can now log in to CloudZero by selecting the CloudZero tile in their Okta dashboard. CloudZero uses Just-in-Time provisioning, so any user granted access in Okta receives a CloudZero account automatically on first login.

ℹ️ Have questions or feedback? Reach out to your account manager.