Using Okta as an IdP

The following guide will help you set up Okta as an Identity Provider (IdP) for CloudZero.

Okta Setup - create new application

In Okta, add an application for CloudZero.

Next, create a new application connection since CloudZero is not available from the marketplace.

In the popup window, configure the application with:

  • Platform = Web
  • Sign on method = SAML 2.0

Okta Connection General Settings

For "Step 1 - General Settings," enter an app name that follows the pattern cloudzero- followed by your domain name (see the note below).

🚧 App Name

Only enter the domain name, not the domain extension. For example, if your company's emails are @acme.com, you would enter "cloudzero-acme" as the app name.

Optionally, set up the logo and app visibility settings.

Okta connection SAML configuration

For "Step 2 - Configure SAML," use the following settings:

  • Single sign on URL - https://cloudzero.auth0.com/login/callback
  • Audience URI (SP Entity ID) - urn:auth0:cloudzero:cloudzero- followed by the same domain name you used in the app name
    • For the example above this is urn:auth0:cloudzero:cloudzero-acme
  • Default RelayState –
  • Name ID format - Unspecified
  • Application username – Okta username
  • Update application username on – Create and Update
  • ATTRIBUTE STATEMENTS (these are required)
    • email
      • Name – email
      • Name format – Unspecified
      • Value – ${user.email}
    • email_verified
      • Name – email_verified
      • Name format – Unspecified
      • Value – true
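The settings above determine what the SAML assertion Okta sends to CloudZero's Auth0 callback looks like. The following check is an added example (not CloudZero's or Okta's code) that parses a SAML Response and confirms it carries the audience, Name ID format and the two required attribute statements from this section. The sample response is constructed, unsigned and uses the hypothetical "cloudzero-acme" app name from the guide; the check does not verify the XML signature, which is the service provider's job.

```python
"""Verify that a SAML Response matches the Okta app settings in this guide.

Added example. SAMPLE_RESPONSE is a constructed, unsigned response with
placeholder values; no signature verification is performed here.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
CALLBACK_URL = "https://cloudzero.auth0.com/login/callback"          # Single sign on URL
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample shaped like the assertion the settings above produce.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-1" Version="2.0"
    Destination="https://cloudzero.auth0.com/login/callback">
  <saml:Issuer>http://www.okta.com/exkPLACEHOLDER</saml:Issuer>
  <saml:Assertion ID="id-2" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jane@acme.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>urn:auth0:cloudzero:cloudzero-acme</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue>jane@acme.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="email_verified" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue>true</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def expected_audience(email_domain: str) -> str:
    """Audience URI the guide asks for: the domain name without its extension."""
    label = email_domain.split(".")[0]          # "acme.com" -> "acme"
    return f"urn:auth0:cloudzero:cloudzero-{label}"


def check_response(xml_text: str, email_domain: str) -> list:
    """Return a list of problems; an empty list means the response matches the guide."""
    problems = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element in response"]

    # Okta sets Destination to the app's Single sign on URL.
    dest = root.get("Destination")
    if dest != CALLBACK_URL:
        problems.append(f"unexpected Destination {dest!r}")

    want = expected_audience(email_domain)
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != want:
        problems.append(f"audience {audience!r} != expected {want!r}")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != NAMEID_UNSPECIFIED:
        problems.append("Name ID format is not Unspecified")

    # Collect attribute statements as name -> list of values.
    attrs = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]

    if not attrs.get("email"):
        problems.append("missing required attribute 'email'")
    if attrs.get("email_verified") != ["true"]:
        problems.append("attribute 'email_verified' must be exactly 'true'")
    return problems


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, "acme.com"))   # [] when everything matches
```

Run it against a captured response (for example one taken from the SAML tracer of a test login) with your own email domain; each problem string names the setting that does not match the guide.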

Okta connection Feedback

For "Step 3 - Feedback," use the following settings:

  • Are you a customer or partner? - I'm an Okta customer adding an internal app

Then click finish.

Email CloudZero the Okta Details

Once you have finished creating the CloudZero application within Okta, e-mail the connection details to [email protected] with the subject “ - Okta Setup”.

The connection details can be found on the application’s detail page and are made up of the following pieces of information:

  • General Tab -> Audience Restriction
  • Sign-On -> Identity Provider Single Sign-On URL
  • Sign-On Tab -> Identity Provider Issuer
  • Sign-On Tab -> X.509 Certificate

General Tab

When you first view the details for your application, you’ll be placed on the “General” tab. Scroll down to the SAML Settings section and copy the Audience Restriction value into the e-mail you’re drafting.

Sign-On Tab

When you click on the “Sign-On” tab, click “View Setup Instructions” to the right of the yellow box.

The connection details will load in a new tab. Download the certificate and attach it to the e-mail, along with the Identity Provider Single Sign-On URL and Identity Provider Issuer, addressed to [email protected].

Send the email with that information and we'll get back to you shortly.

Initiating logins from Okta

Due to security concerns, CloudZero does not currently support fully IdP-initiated logins. However, if you'd like your employees to see a CloudZero tile in their Okta screen, we suggest that you set up a bookmark app. For instructions on how to do that, please refer to this Okta help article: https://support.okta.com/help/s/article/How-do-you-create-a-bookmark-app?language=en_US