CloudZero Academy
Guides
CloudZero Status
  1. Settings & Administration
  2. Security Overview
  3. Single Sign-On

SSO with SAML

CloudZero supports single sign-on (SSO) using SAML 2.0 with any identity provider (IdP) that supports SAML, including Okta. This enables users to log in to CloudZero from their IdP without needing to enter a CloudZero username and password. For OIDC, see the Okta or OpenID Connect setup guides.

What you need

  • Administrator access to your SAML identity provider
  • Permission to manage SSO integrations in CloudZero

Overview

To set up a new SSO integration for CloudZero using SAML, complete the following steps:

  1. Open the SAML SSO setup page
  2. Configure CloudZero as a SAML application in your IdP
  3. Complete configuration in CloudZero
  4. Test your SAML configuration
  5. Enable seamless login

Step 1: Open the SAML SSO setup page

  1. Log in to CloudZero and navigate to Settings > SSO Integrations.
  2. Select Create New Integration.
  3. Select SAML from the list of options.

CloudZero displays the Connect SAML to CloudZero screen with the values you will need to configure your IdP:

Connect SAML to CloudZero configuration screen
FieldDescription
Single Sign on URLThe Assertion Consumer Service (ACS) endpoint where your IdP sends the SAML response after authentication
Audience URI (SP Entity ID)A unique identifier for CloudZero as the SAML service provider
Email DomainThe allowed email domain(s) for users authenticating through this SAML connection
Sign In URLThe login URL of your IdP, where CloudZero redirects users to authenticate
Certificate UploadThe X.509 certificate from your IdP, used to validate the digital signature on SAML assertions
Attribute MappingConfirms your IdP includes an email attribute in the SAML assertion payload

Step 2: Configure CloudZero as a SAML application in your IdP

Set up CloudZero as a SAML application in your IdP. For IdP-specific guidance, see the documentation for Okta or Microsoft Entra ID.

  1. Copy the Single Sign-on URL and the Audience URI (SP Entity ID) from the CloudZero screen.
  2. Register CloudZero as a SAML application in your IdP using the values you copied. Enter the entire Audience URI string.
  3. Download an X.509 certificate from your IdP (.pem or .cert file).
  4. Configure a SAML attribute named email (for example, <saml:Attribute Name="email" ...>) mapped to the CloudZero application.

Step 3: Complete configuration in CloudZero

  1. Return to the Connect SAML to CloudZero screen in CloudZero.
  2. Enter your company's email domain into the Email Domain field.
  3. Paste the SAML Sign-On URL from your IdP into the Sign In URL field.
  4. Select Upload File next to the Certificate Upload field and upload the signing certificate from your IdP.
  5. Check the Attribute Mapping checkbox to confirm you have configured the email attribute in your IdP.
  6. Select Create Integration.
  7. If the integration succeeds, CloudZero returns you to the SSO Integrations page. If it fails, verify your configuration details and try again. If the problem persists, contact your account manager or email [email protected].

Step 4: Test your SAML configuration

  1. Do not close or log out of your current CloudZero session.
  2. Open a private browser or incognito window and navigate to https://app.cloudzero.com/.
  3. Enter your email address. If your SSO connection is configured correctly, you will be redirected to your IdP.
  4. Enter your login credentials. If you can complete the login, your configuration is correct.

Step 5: Enable seamless login

After your SAML integration is working, configure your IdP so users can log in to CloudZero directly from their SSO dashboard. The steps differ by IdP:

  • Okta requires updating two separate applications (a SAML app and a bookmark app). See Option A.
  • All other IdPs require updating the callback URL and bookmark URL in a single application. See Option B.

Both options start by copying the Bookmark URL from CloudZero:

  1. In CloudZero, navigate to Settings > SSO Integrations and select your SAML integration.

  2. Copy the Bookmark URL in the General Configuration section. This is the URL your users will use to access CloudZero. It follows this format: https://app.cloudzero.com/?connection=<your-connection-name>

    Copy the Bookmark URL from the CloudZero UI

Option A: Okta

Okta SAML integrations use two separate applications: a SAML app for authentication and a bookmark app for the login tile. Update both:

  1. In Okta, navigate to Admin Console > Applications > Applications.
  2. Select your CloudZero SAML application (not the bookmark app).
  3. In the General tab, scroll down to SAML Settings and select Edit.
  4. Verify the Single Sign On URL is set to https://auth.cloudzero.com/login/callback.
  5. If the Recipient URL and Destination URL fields are filled out, verify they also use https://auth.cloudzero.com/login/callback. Otherwise, leave them blank.
  6. Select Save.
  7. Navigate to Admin Console > Applications > Applications and select your CloudZero bookmark app.
  8. In the General tab, scroll down to App Settings and select Edit.
  9. Set the URL field to the bookmark URL you copied from CloudZero.
  10. Select Save.

Option B: Other IdPs

⚠️

You must update the callback URL and bookmark URL at the same time. If you save the callback URL before adding the bookmark URL, your users will not be able to log in to CloudZero until the bookmark URL is also saved. Contact your account manager to restore access.

  1. Log in to your SAML IdP and select the CloudZero SSO application.
  2. Verify the Redirect URI is set to https://auth.cloudzero.com/login/callback.
  3. Set the Bookmark URL field to the bookmark URL you copied from CloudZero. This field may be labeled Initiate Login URL or Website URL depending on your IdP.
  4. Save your IdP settings.

What to expect

Users can now log in to CloudZero through their IdP. CloudZero uses Just-in-Time provisioning, so any user granted access in your IdP receives a CloudZero account automatically on first login.

ℹ️

Have questions or feedback? Reach out to your account manager.

Updated 17 days ago