How to Manage Groups via SSO

Automatically manage your CloudZero User Groups by enabling SSO management to ensure users are always in the correct group(s). Once you set up your identity provider to send groups to CloudZero, CloudZero will look for existing User Groups with a matching name and sync the appropriate users to those groups. Note: any groups without a matching name will be ignored.


The groups claim is often a new scope in OpenIDConnect. None of our existing OpenIDConnect integrations in Auth0 currently ask for this claim.

In order for customers to send us this claim:

  1. Customer needs to:

    • Add groups to their OpenIDConnect Application integration with CloudZero. Depending on the IdP, this may be a checkbox, textbox, etc.
  2. CloudZero needs to add the groups scope in our Auth0 Connection:


Okta with Authorization Servers

While in the Authorization Servers settings:

  1. Select default

  2. Select Claims

  3. Add a claim for groups




  1. Customer needs to

    • Do nothing

  2. CloudZero needs to check the “Get user groups” option in our Auth0 Connection:


  1. Customer needs to

    • Add groups attribute to SAML Application for CloudZero. The setup varies depending on the IdP.
  2. CloudZero needs to

    • Do nothing