SSO with OpenID Connect

CloudZero supports single sign-on (SSO) with any OpenID Connect (OIDC) identity provider (IdP), including GCP. This enables users to log in to CloudZero from their IdP without needing to enter a CloudZero username and password. CloudZero also supports SAML.

What you need

  • Administrator access to your OIDC identity provider
  • Permission to manage SSO integrations in CloudZero

Overview

To set up a new SSO integration for CloudZero using OIDC, complete the following steps:

  1. Create a new OIDC application in your IdP
  2. Configure the OIDC SSO integration in CloudZero
  3. Complete the OIDC configuration in your IdP

Step 1: Create a new OIDC application in your IdP

Create a new OIDC Single-Page Application in your IdP with the following configuration. For GCP, see Google's OpenID Connect documentation. Refer to your IdP's documentation for other providers.

  Setting           Value
  Application type  Single-Page Application
  Grant type        Implicit (Hybrid)
  PKCE              Required
  Redirect URI      https://auth.cloudzero.com/login/callback
  Scopes            openid, email, profile

Register the Redirect URI exactly as shown, without a wildcard. The provider compares the redirect URI in each authorization request against the registered value, and a different scheme, host, path or trailing slash causes the request to be rejected.

Ensure that your IdP sets the email_verified claim to true in the ID tokens it issues for your users. This is the default for many IdPs, but not all; check the setting rather than assuming it.

After creating the application:

  1. Copy the Client ID your IdP generates.

  2. Keep the OIDC application settings page open so you can finish configuring it in a later step.

Step 2: Configure the OIDC SSO integration in CloudZero

  1. Log in to CloudZero and navigate to Settings > SSO Integrations.

  2. Select Create New Integration.

  3. On the Select Your Identity Provider page, select Other. CloudZero displays the Connect Other to CloudZero form.

  4. Enter the Email Domain. Users with an email address from this domain will be forwarded to your SSO integration to log in to CloudZero.

  5. Enter the Issuer. This is the URL of your IdP's OIDC discovery endpoint, which is the IdP's issuer URL with /.well-known/openid-configuration appended (for example, https://your-idp/.well-known/openid-configuration). The issuer URL is the value your IdP places in the iss claim of its ID tokens; for GCP it is https://accounts.google.com, so the discovery endpoint is https://accounts.google.com/.well-known/openid-configuration. Copy the value exactly, including the https:// scheme.

  6. Paste the client ID you copied from your IdP into the Client ID field.

  7. Select Create Integration. CloudZero creates the integration and shows its details.

  8. Select the Open Test Window button. CloudZero opens a new browser tab in which you test the integration by logging in to your IdP.

  9. In the new tab, authorize CloudZero's request to connect to your account.

  10. When the test is successful, the tab closes and CloudZero shows a Connection test successful! message. Select Close. If the test fails, verify the values you entered in the previous steps and try again.

  11. In the SSO Connection Status and Controls section, check the Enable log-ins with my SSO box.

  12. Optionally, check the Enable SSO for Groups box to allow your IdP to manage your roles. See Manage Roles with SSO for more information.

  13. Select Enable.

    ⚠️

    Selecting Enable immediately activates the SSO integration. If you need to disable this integration, contact your account manager or email [email protected].

  14. Scroll back up to the General Configuration section and copy the Bookmark URL. This is the URL your users will use to access CloudZero from their IdP. It follows this format: https://app.cloudzero.com/?connection=<your-connection-name>

Step 3: Complete the OIDC configuration in your IdP

  1. Return to your IdP's OIDC application settings and paste the bookmark URL you copied into the Bookmark URL field. Depending on your IdP, this field may be called Initiate Login URL or Website URL.

  2. Save your IdP settings.
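Before entering values into the CloudZero form, it is worth checking that the IdP actually advertises what Steps 1 and 2 require and that its ID tokens carry the claims the integration keys on. The following Python script is an added example written for this page; it is not CloudZero's or any IdP's code. It derives the discovery URL from an issuer (or the issuer from a discovery URL, since the two are easy to mix up), checks a discovery document for a matching issuer, the hybrid "code id_token" response type, PKCE S256, the openid/email/profile scopes and HTTPS endpoints, and checks a decoded ID token payload for iss, aud against the client ID, an email in the configured domain and email_verified set to true. The discovery document is modelled on the one Google publishes for https://accounts.google.com; the client ID, email addresses and email domain are constructed sample values.

```python
"""Pre-flight checks for an OIDC IdP before entering its values into an SSO form.

Constructed example written for this documentation page; it is not CloudZero's
or any IdP's code. SAMPLE_DISCOVERY is modelled on the document Google serves
for https://accounts.google.com; CLIENT_ID and the claim dicts are invented.
"""
from __future__ import annotations

from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED_SCOPES = {"openid", "email", "profile"}


def discovery_url(issuer_or_discovery: str) -> str:
    """Accept an issuer URL or a discovery URL; return the discovery URL."""
    url = issuer_or_discovery.rstrip("/")
    return url if url.endswith(WELL_KNOWN) else url + WELL_KNOWN


def issuer_from(issuer_or_discovery: str) -> str:
    """Inverse of discovery_url: the bare issuer, without trailing slash."""
    url = issuer_or_discovery.rstrip("/")
    return url[: -len(WELL_KNOWN)] if url.endswith(WELL_KNOWN) else url


def check_discovery(doc: dict, configured_issuer: str) -> list[str]:
    """Return problems that would break the integration as configured.

    Empty list: the document's issuer equals what goes in the Issuer field,
    the hybrid response type and PKCE S256 are advertised, the required
    scopes are listed, and the endpoints are HTTPS.
    """
    problems: list[str] = []
    expected = issuer_from(configured_issuer)
    iss = doc.get("issuer", "").rstrip("/")
    if iss != expected:
        problems.append(f"issuer mismatch: document says {iss!r}, form has {expected!r}")
    if urlparse(iss).scheme != "https":
        problems.append("issuer is not an https URL")
    # Hybrid flow is 'code id_token'; token order inside the string is not significant.
    if not any(set(rt.split()) == {"code", "id_token"}
               for rt in doc.get("response_types_supported", [])):
        problems.append("response_types_supported lacks 'code id_token' (hybrid flow)")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("PKCE method S256 is not advertised")
    if "scopes_supported" in doc:  # optional in the spec; check only when published
        missing = REQUIRED_SCOPES - set(doc["scopes_supported"])
        if missing:
            problems.append(f"scopes not advertised: {sorted(missing)}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not doc.get(key, "").startswith("https://"):
            problems.append(f"{key} is missing or not https")
    return problems


def check_id_token_claims(claims: dict, *, issuer: str, client_id: str,
                          email_domain: str) -> list[str]:
    """Inspect the claims an email-domain based integration keys on.

    Assumes signature and expiry were already verified by a JWT library
    against the IdP's jwks_uri; this checks the decoded payload only.
    """
    problems: list[str] = []
    if claims.get("iss", "").rstrip("/") != issuer_from(issuer):
        problems.append("iss does not match the configured issuer")
    aud = claims.get("aud", [])  # a string for one audience, a list for several
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain the configured client ID")
    email = claims.get("email", "")
    if email.rpartition("@")[2].lower() != email_domain.lower():
        problems.append(f"email {email!r} is outside the configured domain {email_domain!r}")
    if claims.get("email_verified") is not True:
        problems.append("email_verified is not true; the IdP must assert the address is verified")
    return problems


# Constructed sample inputs (see module docstring).
SAMPLE_DISCOVERY = {
    "issuer": "https://accounts.google.com",
    "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_endpoint": "https://oauth2.googleapis.com/token",
    "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
    "response_types_supported": ["code", "token", "id_token", "code token",
                                 "code id_token", "token id_token", "none"],
    "scopes_supported": ["openid", "email", "profile"],
    "code_challenge_methods_supported": ["plain", "S256"],
}
CLIENT_ID = "1234567890-example.apps.googleusercontent.com"  # invented
GOOD_CLAIMS = {"iss": "https://accounts.google.com", "aud": CLIENT_ID,
               "email": "alice@example.com", "email_verified": True}
BAD_CLAIMS = {"iss": "https://accounts.google.com", "aud": CLIENT_ID,
              "email": "alice@contractor.example", "email_verified": False}

if __name__ == "__main__":
    opts = dict(issuer="https://accounts.google.com", client_id=CLIENT_ID,
                email_domain="example.com")
    for label, found in (("discovery", check_discovery(SAMPLE_DISCOVERY, opts["issuer"])),
                         ("good token", check_id_token_claims(GOOD_CLAIMS, **opts)),
                         ("bad token", check_id_token_claims(BAD_CLAIMS, **opts))):
        print(f"{label}: {'OK' if not found else found}")
```

Run as-is, the constructed "bad token" case is flagged for an email outside the configured domain and for email_verified not being true, which are the two conditions Steps 1 and 2 above depend on. To check a real IdP, fetch discovery_url(issuer) over HTTPS and pass the parsed JSON to check_discovery, then decode an ID token from a test login with a JWT library (which also verifies the signature and expiry) and pass its payload to check_id_token_claims.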

What to expect

Users can now log in to CloudZero through your IdP. CloudZero uses Just-in-Time (JIT) provisioning: any user your IdP authenticates to this application receives a CloudZero account automatically on first login. Because the IdP decides who gets an account, control access to CloudZero by assigning the OIDC application only to the intended users or groups in your IdP.

ℹ️

Have questions or feedback? Reach out to your account manager.