Manage Roles with SSO

Automate Role assignment by enabling your single sign-on (SSO) identity provider (IdP) to assign users to CloudZero Roles. For an overview of Roles, see Users & Permissions.

After you create one or more Roles and set up your SSO integration, you can enable SSO for Roles.

When your IdP sends group claims (for example, Finance team, IT team, Product team), CloudZero matches them to existing Roles by name and syncs users to those Roles. Roles without a matching group claim are ignored.

To enable SSO for Roles, follow the steps for your IdP:

Manage Roles with Okta

To enable SSO for Roles using an Okta integration, follow these steps:

  1. Add a claim to the Okta Authorization Server.
  2. Add a claim to the CloudZero-specific application in Okta.
  3. Enable SSO for Roles in CloudZero.

Step 1: Add Claim to Okta Authorization Server

  1. In Okta, navigate to Security > API > Authorization Servers and select the appropriate authorization server. This is usually the default server.
  2. Select Claims > Add Claim.
  3. Enter a Name for the Okta claim.
  4. In the Include in token type field, select ID Token, and in the second drop-down selector, choose Userinfo/id_token request.
  5. Set Value type to Groups.
  6. In the Filter field, set the filter predicate drop-down menu to your choice of predicate, for example, Matches regex.
  7. Set the filter value to your choice of value, for example, .* to match all CloudZero Roles. Make sure the filter matches the names of the Roles your users belong to.
  8. Set the Include in field to Any scope.
  9. Select Save.
     [Image: Edit claim form in Okta Authorization Server]

The claim appears in the claims table for your authorization server:

[Image: Claims table]

Step 2: Add Claim to CloudZero application in Okta

  1. In Okta, navigate to Admin Console > Applications > Applications.

  2. Select your CloudZero application.

  3. On the Sign On tab, scroll down to the OpenID Connect ID Token section and select Edit.

     [Image: Edit OpenID Connect ID Token]
  4. In the Groups claim filter section, set the first drop-down menu to groups.

  5. Set the second drop-down menu to your choice of filter predicate, for example, Matches regex.

  6. Set the filter value field to your choice of value, for example, .* to match all CloudZero Roles. In the example shown in the image, the filter instead passes only the groups whose names start with app-clou.

     [Image: Choose filter value]
  7. Select Save.

If your organization uses Active Directory (Entra ID) groups in Okta, the standard regex filter does not retrieve both AD and Okta groups. See Okta's documentation on retrieving AD and Okta groups in OIDC claims for the correct filter configuration.

Step 3: Enable SSO for Roles in CloudZero

  1. In CloudZero, navigate to Settings > SSO Integrations and select your Okta integration:
     [Image: SSO Integrations page with Okta integration selected]
  2. Scroll down to the SSO Connection Status and Controls section and check the Enable SSO for Roles (called Groups in the image) box:
     [Image: Enable SSO for Roles checkbox in SSO Connection Status and Controls]
  3. Select Update.
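The two mechanisms the Okta steps above rely on, the groups claim filter and CloudZero's name matching of claims to Roles, as an added Python example that is not part of the CloudZero docs or product: the user's Okta groups, the Role names and the filter values are constructed sample data, and the regex branch only approximates Okta's matching.

```python
import re

# Constructed sample data (not from CloudZero or Okta): the Okta groups one
# user belongs to, and the Roles that currently exist in CloudZero.
USER_GROUPS = ["app-cloudzero-finance", "app-cloudzero-it", "Everyone", "HR team"]
CLOUDZERO_ROLES = ["app-cloudzero-finance", "app-cloudzero-it", "app-cloudzero-product"]


def filter_groups(groups, predicate, value):
    """Apply a groups claim filter of the kind configured in Okta.

    predicate is one of the filter predicates Okta offers for a groups claim
    ('Starts with', 'Equals', 'Contains', 'Matches regex'); value is the
    filter value. Only the groups that pass end up in the ID token's groups
    claim. The regex branch is an approximation of Okta's matching.
    """
    checks = {
        "Starts with": lambda g: g.startswith(value),
        "Equals": lambda g: g == value,
        "Contains": lambda g: value in g,
        "Matches regex": lambda g: re.fullmatch(value, g) is not None,
    }
    return [g for g in groups if checks[predicate](g)]


def sync_roles(group_claims, roles):
    """Match the group claims to Roles by name, as the page describes.

    Returns (synced, ignored): Roles whose name appears in the claims, and
    Roles that are ignored because no claim matched them.
    """
    claimed = set(group_claims)
    synced = [r for r in roles if r in claimed]
    ignored = [r for r in roles if r not in claimed]
    return synced, ignored


if __name__ == "__main__":
    # '.*' passes every group into the token, including ones CloudZero never uses.
    broad = filter_groups(USER_GROUPS, "Matches regex", ".*")
    # A narrower filter discloses only the groups that name CloudZero Roles.
    narrow = filter_groups(USER_GROUPS, "Starts with", "app-clou")
    for label, claims in (("broad", broad), ("narrow", narrow)):
        synced, ignored = sync_roles(claims, CLOUDZERO_ROLES)
        print(f"{label}: claims={claims} synced={synced} ignored={ignored}")
```

Both filters sync the same two Roles, but the broad one also places unrelated group memberships in the ID token; a filter that matches none of the Role names syncs nothing.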

Manage Roles with Microsoft Entra ID (Azure AD)

To enable SSO for Roles using a Microsoft Entra ID (Azure Active Directory) integration:

  1. In CloudZero, navigate to Settings > SSO Integrations and select your Microsoft Entra ID (Azure AD) integration.
  2. Scroll down to the SSO Connection Status and Controls section and check the Enable SSO for Roles box.
  3. Select Update.

Manage Roles with OpenID Connect (including GCP)

Your OIDC identity provider needs to send CloudZero the list of groups each user belongs to. This is typically done by adding a groups claim to the ID token. Refer to your IdP's documentation for how to configure claims.

After configuring your IdP, enable SSO for Roles in CloudZero:

  1. In CloudZero, navigate to Settings > SSO Integrations and select your OIDC integration.
  2. Scroll down to the SSO Connection Status and Controls section and check the Enable SSO for Roles box.
  3. Select Update.

Have questions or feedback? Reach out to your account manager.