How to Connect Any Other OIDC Application with CloudZero
CloudZero supports single sign-on (SSO) for any OpenID Connect (OIDC) application, including GCP. This lets users log in to CloudZero directly from their IdP without entering a CloudZero username and password.
Set Up a New SSO Integration with an OIDC Application
To set up a new SSO integration for CloudZero using an OIDC application, complete the following steps:
- Create a new OIDC application.
- Configure the OIDC SSO integration in CloudZero.
- Complete the OIDC configuration in your IdP.
Step 1: Create OIDC Application in Your IdP
- Create a new OIDC Single-Page Application in your identity provider (IdP).
- Select the following application settings:
  - Implicit (Hybrid)
  - PKCE Required
  - Redirect URI: https://auth.cloudzero.com/login/callback
- Assign at least these scopes: openid, email, profile.
- Ensure that the email_verified attribute is mapped. Note that this is the default for many IdPs, but not for all.
- Copy the Client ID your IdP generates for you.
- Keep the OIDC application settings page open so you can finish configuring it in a later step.
Step 2: Configure OIDC SSO Integration in CloudZero
- Navigate to the SSO Integrations page.
- In the Select Your Identity Provider section, select Other from the Identity Provider Type drop-down menu.
- Enter the Email Domain. Users with an email address from this domain will be forwarded to your SSO integration to log in to CloudZero.
- Enter the Issuer. This is your OIDC Discovery Endpoint (for example, https://your-idp/.well-known/openid-configuration).
- Paste the client ID you copied from your IdP into the Client ID field.
- Select Save.
- Select the Open SSO Test Window button to open a new browser tab, log into your IdP, and confirm a successful round trip with CloudZero. A successful round trip redirects you to https://jwt.io/ with a valid token. After you see a decoded token, you can close this browser tab.
- When the test is successful, CloudZero's SSO Integration page automatically displays the message Testing Complete. If this does not happen within one minute, refresh the page.
- Check the Enable log-ins with my SSO box. This immediately switches the specified email domain over to the configured SSO. If you need to roll back this configuration, contact your CloudZero support representative.
- Copy the Bookmark URL at the bottom of the page.
Step 3: Complete OIDC Configuration
- Return to your IdP's OIDC application settings and paste the bookmark URL you copied into the Bookmark URL field, which may also be called the Initiate Login URL field or the Website URL field, depending on your IdP.
- Save your IdP settings.
Users can now log into CloudZero through your IdP.
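As an added pre-flight check for the steps above (this is example code written for this page, not CloudZero's or any IdP's own tooling), the following Python script validates an OIDC discovery document against the Step 1 settings (hybrid flow, PKCE, the openid/email/profile scopes and the email_verified claim) and then inspects a decoded ID token the way the jwt.io step does, confirming the issuer, audience, expiry, boolean email_verified and email domain. The discovery document, the token, the issuer https://your-idp, the client ID and the email domain are constructed sample values; the token decode is signature-free inspection, not verification.

```python
import base64
import json
from typing import Any, Dict, List

# Constructed sample values for this example; substitute your own IdP's data.
ISSUER = "https://your-idp"          # assumption: the "issuer" field of your discovery document
CLIENT_ID = "example-client-id"      # assumption: the Client ID your IdP generated in Step 1
EMAIL_DOMAIN = "example.com"         # assumption: the Email Domain entered in Step 2
REQUIRED_SCOPES = {"openid", "email", "profile"}

# Constructed discovery document shaped like the response from
# https://your-idp/.well-known/openid-configuration (the Issuer value in Step 2).
SAMPLE_DISCOVERY: Dict[str, Any] = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/authorize",
    "token_endpoint": ISSUER + "/token",
    "jwks_uri": ISSUER + "/.well-known/jwks.json",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "code_challenge_methods_supported": ["S256"],
    "scopes_supported": ["openid", "email", "profile"],
    "claims_supported": ["sub", "email", "email_verified", "name"],
}


def check_discovery(doc: Dict[str, Any]) -> List[str]:
    """Return the problems found in an OIDC discovery document; empty means it looks ready."""
    problems: List[str] = []
    issuer = doc.get("issuer", "")
    if not isinstance(issuer, str) or not issuer.startswith("https://"):
        problems.append("issuer missing or not served over https")
    if not doc.get("jwks_uri"):
        problems.append("jwks_uri missing: ID token signatures cannot be verified")
    # Step 1 selects the hybrid flow and requires PKCE; a compliant IdP advertises both.
    if "code id_token" not in doc.get("response_types_supported", []):
        problems.append("hybrid response_type 'code id_token' not advertised")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("PKCE (S256 code challenge) not advertised")
    # scopes_supported and claims_supported are optional metadata, so check them only when present.
    scopes = doc.get("scopes_supported")
    if scopes is not None:
        missing = sorted(REQUIRED_SCOPES - set(scopes))
        if missing:
            problems.append(f"required scopes not advertised: {missing}")
    claims = doc.get("claims_supported")
    if claims is not None and "email_verified" not in claims:
        problems.append("email_verified claim not advertised: check the attribute mapping")
    return problems


def decode_jwt_payload(token: str) -> Dict[str, Any]:
    """Decode a compact JWT's payload WITHOUT verifying the signature (inspection only, like jwt.io)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def check_id_token_claims(claims: Dict[str, Any], issuer: str, client_id: str,
                          email_domain: str, now: int) -> List[str]:
    """Return the problems in decoded ID token claims relative to the configured integration."""
    problems: List[str] = []
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} does not match configured issuer {issuer!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if client_id not in aud:
        problems.append("aud does not contain the configured Client ID")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        problems.append("token is expired or has no exp claim")
    # Some IdPs emit the string "true" instead of a JSON boolean; treat that as an unmapped attribute.
    if claims.get("email_verified") is not True:
        problems.append(f"email_verified is not boolean true (got {claims.get('email_verified')!r})")
    email = claims.get("email", "")
    if "@" not in email or email.rsplit("@", 1)[1].lower() != email_domain.lower():
        problems.append(f"email {email!r} is not in the configured domain {email_domain!r}")
    return problems


def make_unsigned_token(payload: Dict[str, Any]) -> str:
    """Build a constructed, unsigned sample JWT purely as input for the checks above."""
    def b64(obj: Dict[str, Any]) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return b64({"alg": "none", "typ": "JWT"}) + "." + b64(payload) + "."


# Constructed claims such as the SSO test window would show for a user in EMAIL_DOMAIN.
SAMPLE_TOKEN = make_unsigned_token({
    "iss": ISSUER,
    "aud": CLIENT_ID,
    "sub": "user-123",
    "email": "alice@example.com",
    "email_verified": True,
    "exp": 4102444800,  # 2100-01-01, so the sample stays unexpired
})
```

Run `check_discovery` on the JSON your Issuer URL actually returns before saving the integration, and `check_id_token_claims` on the payload shown in the test window; an empty list from both is the signal that Step 1's settings and the email_verified mapping are in place. A string "true" in email_verified is reported deliberately, since that is the most common symptom of a missing attribute mapping.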