Manage Roles with SSO

You can manage your CloudZero Roles by enabling your single-sign on (SSO) identity provider (IdP) to automatically assign users to existing, manually-created Roles.

After you create one or more Roles and set up your SSO integration in CloudZero, you can enable the SSO for Roles setting.

To do this, navigate to Settings > SSO Integrations, select an SSO integration you have configured from the list, and check Enable SSO for Groups (this is the SSO for Roles setting).

If you pass in group claims using your IdP (for example, Finance team, IT team, Product team), CloudZero will look for existing Roles with a name matching the group claims passed in and then sync the appropriate users to those Roles. Any Roles without a matching name will be ignored.

To enable SSO for Roles, follow the steps for your IdP:

Manage Roles with Okta

ℹ️ You must manually create one or more Roles in CloudZero before you can enable SSO for Roles.

To enable SSO for Roles using an Okta integration, follow these steps:

  1. Add a claim to the Okta Authorization Server.
  2. Add a claim to the CloudZero-specific application in Okta.
  3. Enable SSO for Roles in CloudZero.

Step 1: Add Claim to Okta Authorization Server

  1. In Okta, navigate to Security > API > Authorization > Servers and select the appropriate authorization server. This is usually the default server.
  2. Select Claims > Add Claim.
  3. Enter a Name for the Okta claim.
  4. In the Include in token type field, select ID Token, and in the second drop-down selector, choose Userinfo/id_token request.
  5. Set Value type to Groups.
  6. In the Filter field, set the filter predicate drop-down menu to your choice of predicate, for example, Matches regex.
  7. Set the filter value to your choice of value, for example, .* to match all CloudZero Roles. Ensure this matches the name of the Roles your users are in.
  8. Set the Include in field to Any scope.
  9. Click Save.

These Okta settings are illustrated in the Edit Claim form:

Edit claim form

You should then see the claim in the claims table for your authorization server:

Claims table

Step 2: Add Claim to CloudZero application in Okta

  1. In Okta, navigate to Admin Console > Applications > Applications.

  2. Select your CloudZero application.

  3. On the Sign On tab, scroll down to the OpenID Connect ID Token section and click Edit.

    Edit OpenID Connect ID Token
  4. In the Groups claim filter section, set the first drop-down menu to groups.

  5. Set the second drop-down menu to your choice of filter predicate, for example, Matches regex.

  6. Set the filter value field to your choice of value, for example, .* to match all CloudZero Roles. In the example below we want to pass all groups that start with app-clou.

    Choose filter value
  7. Click Save.

Step 3: Enable SSO for Roles in CloudZero

  1. In CloudZero, navigate to Settings > SSO Integrations and select your Okta integration:

    Connect your SSO integration
  2. Scroll down to the SSO Connection Status and Controls section and check the Enable SSO for Roles (called Groups in the image) box:

    Enable SSO for Roles called Groups
  3. Click Enable.
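As an added illustration (not CloudZero's or Okta's code), the following Python models the two halves of the Okta procedure above: the IdP-side groups claim filter from Step 2 (here the Matches regex predicate) and CloudZero's matching of group claim names to existing Roles. The group names, Role names, the unsigned sample token, unanchored regex matching and exact case-sensitive comparison are all assumptions of this model.

```python
import base64
import json
import re

# Constructed sample values (not real tokens, groups or Role names).
SAMPLE_GROUPS = ["app-cloudzero-finance", "app-cloudzero-it", "Engineering", "all-staff"]
# Roles created by hand in CloudZero before enabling SSO for Roles (constructed).
EXISTING_ROLES = {"app-cloudzero-finance", "app-cloudzero-it", "Product"}


def b64url(data: bytes) -> str:
    """base64url-encode without the '=' padding, as JWT segments are written."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_id_token(groups) -> str:
    """Build an UNSIGNED, constructed ID token carrying a groups claim (dummy signature)."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"sub": "user-123", "groups": groups}).encode())
    return f"{header}.{payload}.dummysig"


def groups_from_id_token(id_token: str) -> list:
    """Read the groups claim out of the payload segment. This does NOT verify the
    signature; a real relying party must verify it before trusting any claim."""
    _header, payload, _sig = id_token.split(".")
    padded = payload + "=" * (-len(payload) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    return list(claims.get("groups", []))


def idp_groups_filter(groups, regex: str) -> list:
    """Model the IdP-side 'Matches regex' groups filter: only matching groups are
    emitted in the claim. Assumes an unanchored match, so '.*' passes every group
    and '^app-clou' passes only groups starting with that prefix."""
    pattern = re.compile(regex)
    return [g for g in groups if pattern.search(g)]


def sync_roles(group_claims, existing_roles) -> dict:
    """CloudZero-side rule from the page: a group claim whose name matches an existing
    Role assigns the user to that Role; claims with no matching Role are ignored, and
    Roles with no matching claim stay untouched. Exact comparison is an assumption."""
    assigned = [g for g in group_claims if g in existing_roles]
    ignored = [g for g in group_claims if g not in existing_roles]
    untouched = sorted(r for r in existing_roles if r not in group_claims)
    return {"assigned": assigned, "ignored": ignored, "roles_without_claim": untouched}
```

Narrowing the Step 2 filter (for example, ^app-clou instead of .*) keeps unrelated directory groups out of the token that CloudZero receives, while still matching the Role names created in Step 3.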

Microsoft Entra ID (Azure AD)

ℹ️ You must manually create one or more Roles in CloudZero before you can enable SSO for Roles.

To enable SSO for Roles using a Microsoft Entra ID (Azure Active Directory) integration:

  1. In CloudZero, navigate to Settings > SSO Integrations and select your Microsoft Entra ID (Azure AD) integration:

    Connect your SSO integration
  2. Scroll down to the SSO Connection Status and Controls section and check the Enable SSO for Roles (called Groups in the image) box:

    Enable SSO for Roles called Groups
  3. Click Enable.

OpenID Connect including GCP

ℹ️ You must manually create one or more Roles in CloudZero before you can enable SSO for Roles.

The Roles claim is often a new scope in your OpenID Connect (OIDC) IdP. None of CloudZero's existing OIDC integrations ask for this claim.

Follow these steps to send CloudZero the Roles claim and enable your OIDC IdP to manage your existing Roles in CloudZero:

  1. In CloudZero, navigate to Settings > SSO Integrations and select your OIDC integration.

    Connect your SSO integration
  2. Scroll down to the SSO Connection Status and Controls section and check the Enable SSO for Roles (called Groups in the image) box.

    Enable SSO for Roles called Groups
  3. Click Enable.