Manage your CloudZero user groups by enabling your single-sign on (SSO) identity provider (IdP) to automatically assign users to existing, manually-created groups.

After creating one or more user groups and setting up your SSO integration in CloudZero, you can enable the SSO for Groups setting. CloudZero will look for existing user groups with a matching name and then sync the appropriate users to those groups. Any groups without a matching name will be ignored.

How to Enable SSO for Groups

You can enable SSO for groups by following the steps for your IdP:

• Okta
• Microsoft Entra ID (Azure AD)
• OpenID Connect (including GCP)

Okta

Note that you must manually create one or more user groups in CloudZero before you can enable SSO for groups.

To enable SSO for groups using an Okta integration, you must take the following steps:

1. Add a claim to the Okta Authorization Server.
2. Add a claim to the CloudZero-specific application in Okta.
3. Enable SSO for groups in CloudZero.

Step 1: Add Claim to Okta Authorization Server

1. In Okta, navigate to Security > API > Authorization Servers and select the appropriate authorization server. This is usually the default server.

2. Select Claims > Add Claim.

3. Enter a Name (for example, groups).

4. In the Include in token type field, select ID Token, and in the second dropdown, select Userinfo/id_token request.

5. Set Value type to Groups.

6. In the Filter field, set the filter predicate drop-down menu to your choice of predicate (for example, Matches regex).

7. Set the filter value to your choice of value (for example, .* to match all CloudZero groups). Ensure this matches the name of the groups your users are in.

8. Set the Include in field to Any scope.

9. Select Save.

   

You should then see the claim in the claims table for your authorization server:

Step 2: Add Claim to CloudZero Application in Okta

1. In Okta, navigate to Admin Console > Applications > Applications.

2. Select your CloudZero application.

3. In the Sign On tab, scroll down to the OpenID Connect ID Token and select Edit.

   

4. In the Groups claim filter section, set the first drop-down menu to groups.

5. Set the second drop-down menu to your choice of filter predicate (for example, Matches regex).

6. Set the filter value field to your choice of value (for example, .* to match all CloudZero groups). Ensure this matches the name of the groups your users are in.

   

7. Select Save.

Step 3: Enable SSO for Groups in CloudZero

1. In CloudZero, navigate to Settings > SSO Integrations and select your Okta integration:

   

2. Scroll down to the SSO Connection Status and Controls section and check the Enable SSO for Groups box:

   

3. Select the Enable button.

Microsoft Entra ID (Azure AD)

Note that you must manually create one or more user groups in CloudZero before you can enable SSO for groups.

To enable SSO for groups using a Microsoft Entra ID (Azure Active Directory) integration:

1. In CloudZero, navigate to Settings > SSO Integrations and select your Microsoft Entra ID (Azure AD) integration:

   

2. Scroll down to the SSO Connection Status and Controls section and check the Enable SSO for Groups box:

   

3. Select the Enable button.

OpenID Connect (including GCP)

The groups claim is often a new scope in your OpenID Connect (OIDC) IdP. Currently, none of CloudZero's existing OIDC integrations ask for this claim.

Note that you must manually create one or more user groups in CloudZero before you can enable SSO for groups.

In order to send CloudZero the groups claim and enable your OIDC IdP to manage your existing groups in CloudZero:

1. In CloudZero, navigate to Settings > SSO Integrations and select your OIDC integration.

   

2. Scroll down to the SSO Connection Status and Controls section and check the Enable SSO for Groups box.

   

3. Select the Enable button.