SSO with OpenID Connect

How to Set Up SSO with Any Other OIDC Application (Including GCP)

CloudZero supports single sign-on (SSO) for any OpenID Connect (OIDC) application, including GCP. This enables users to seamlessly log in to CloudZero from their IdP, without needing to enter a CloudZero username and password.

To set up a new SSO integration for CloudZero using an OIDC application, complete the following steps:

  1. Create a new OIDC application.
  2. Configure the OIDC SSO integration in CloudZero.
  3. Complete the OIDC configuration in your IdP.

Step 1: Create OIDC Application in Your IdP

  1. Create a new OIDC Single-Page Application in your identity provider (IdP).

  2. Select the following settings:

    • Implicit (Hybrid)
    • PKCE Required
    • Redirect URI:
      • https://auth.cloudzero.com/login/callback
  3. Assign at least these Scopes:

    • openid
    • email
    • profile
  4. Ensure that the email_verified attribute is mapped. Note that this is the default for many IdPs, but not for all.

  5. Copy the Client ID your IdP generates for you.

  6. Keep the OIDC application settings page open so you can finish configuring it in a later step.

Step 2: Configure OIDC SSO Integration in CloudZero

  1. Log in to CloudZero and navigate to Settings > SSO Integrations.

  2. Select the Create New Integration button:

    Select the Create New Integration button from the SSO Integrations page

  3. On the Select Your Identity Provider page, select Other:

    Select Other to set up an SSO integration in CloudZero
  4. CloudZero displays the Connect Other to CloudZero form:

    The Connect Other to CloudZero form

  5. The IdP Callback URL field displays the callback URL. Because you entered this URL into your OIDC application's Redirect URI field in a previous step, you can proceed to the next field.

  6. Enter the Email Domain. Users with an email address from this domain will be forwarded to your SSO integration to log in to CloudZero.

  7. Enter the Issuer. This is your OIDC Discovery Endpoint (for example, https://your-idp/.well-known/openid-configuration).

  8. Paste the client ID you copied from your IdP into the Client ID field.

  9. Select Create Integration. CloudZero creates the SSO integration and reloads the page to display the integration details.

    Your new OIDC integration's details page

  10. Select the Open Test Window button to open a new browser tab and test the integration by logging in to your IdP:

    Select the Open Test Window button to test your SSO integration

  11. In the new tab, authorize CloudZero's request to connect to your account.

  12. When the test is successful, the tab closes, and the integration details page in CloudZero displays a modal with the message Connection test successful! Select Close to close the modal.

  13. In the SSO Connection Status and Controls section, check the Enable log-ins with my SSO box.

  14. Optionally, check the Enable SSO for Groups box to allow your IdP to manage your groups. See Manage Groups with SSO for more information.

    Check the necessary boxes before activating your SSO integration

  15. Select Enable.

    ⚠️ WARNING: Selecting Enable will immediately activate the SSO integration. If you need to disable this integration, contact your CloudZero support representative.

  16. Scroll back up to the General Configuration section and copy the Bookmark URL. It will follow this format: https://app.cloudzero.com?connection=<your-connection-name>

    Copy the Bookmark URL from the CloudZero UI

Step 3: Complete OIDC Configuration

  1. Return to your IdP's OIDC application settings and paste the bookmark URL you copied into the Bookmark URL field, which may also be called the Initiate Login URL field or the Website URL field, depending on your IdP.

  2. Save your IdP settings.

Users can now log in to CloudZero through your IdP.
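A pre-flight check for the IdP side of this setup, as an added example (not CloudZero's code): it inspects the discovery document behind the Issuer URL for the scopes, the email_verified claim, and the PKCE support that Step 1 requires. The host idp.example.com and both sample documents are constructed, and the use of the S256 PKCE method is an assumption.

```python
import json

# Requirements taken from Step 1 of this page.
REQUIRED_SCOPES = {"openid", "email", "profile"}
REQUIRED_CLAIM = "email_verified"
SUFFIX = "/.well-known/openid-configuration"

def check_discovery(discovery_url, raw_json):
    """Return a list of problems found in an IdP's OIDC discovery document."""
    doc = json.loads(raw_json)
    problems = []
    if not (discovery_url.startswith("https://") and discovery_url.endswith(SUFFIX)):
        return ["discovery URL must be https and end with " + SUFFIX]
    # OIDC Discovery: the issuer in the document must match the URL prefix it
    # was served from, otherwise the metadata cannot be trusted for that issuer.
    expected = discovery_url[: -len(SUFFIX)]
    if doc.get("issuer", "").rstrip("/") != expected.rstrip("/"):
        problems.append(f"issuer {doc.get('issuer')!r} does not match {expected!r}")
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    if REQUIRED_CLAIM not in doc.get("claims_supported", []):
        problems.append("email_verified claim not advertised; check attribute mapping")
    # Assumption: PKCE uses S256, the method RFC 7636 requires servers to implement.
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("PKCE method S256 not advertised")
    return problems

# Constructed sample documents (idp.example.com is a placeholder IdP).
URL = "https://idp.example.com" + SUFFIX
GOOD = json.dumps({
    "issuer": "https://idp.example.com",
    "scopes_supported": ["openid", "email", "profile", "groups"],
    "claims_supported": ["sub", "email", "email_verified", "name"],
    "code_challenge_methods_supported": ["S256"],
})
BAD = json.dumps({
    "issuer": "https://login.example.net",
    "scopes_supported": ["openid", "profile"],
    "claims_supported": ["sub", "email"],
})

if __name__ == "__main__":
    for name, raw in (("good", GOOD), ("bad", BAD)):
        print(name, check_discovery(URL, raw) or "OK")
```

Fields such as scopes_supported are optional in discovery metadata, so a "not advertised" result means the setting should be confirmed in the IdP console, not that it is unsupported.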