| title | excerpt | updated |
|---|---|---|
Enabling Okta SSO connections with your OVHcloud account |
Learn how to associate your Okta service with your OVHcloud account via SAML 2.0 |
2024-07-05 |
You can use Single Sign-On (SSO) to connect to your OVHcloud account. To enable these connections, your account and your Okta accounts have to be configured using SAML (Security Assertion Markup Language) authentications.
This guide explains how to associate your OVHcloud account with an external Okta service.
- Being an administrator of an Okta service
- An OVHcloud account
- Access to the OVHcloud Control Panel
[!primary]
In order for a service provider (i.e. your OVHcloud account) to establish an SSO connection with an identity provider (i.e. your Okta service), the key is to establish a mutual trust relationship by registering the SSO connection in both services.
Your Okta service acts as an identity provider. Requests to authenticate your OVHcloud account will only be accepted if you have first declared it as a trusted third party.
This means that it must be added to Applications.
Log in to the Okta administration interface with your administrator account.
Go to Applications{.action} then again Applications{.action}.
{.thumbnail}
Click Create App Integration{.action} and select SAML 2.0{.action}.
{.thumbnail}
In the "General Settings" step, add a name for this application, OVHcloud for example, and a logo if you want. Click Next{.action}.
{.thumbnail}
In the step "Configure SAML", complete the Single sign-on URL and Audience URI fields with the values for your region:
- EU region: Single sign-on URL:
https://www.ovhcloud.com/eu/auth/saml/acsand Audience URI:https://www.ovhcloud.com/eu/auth/ - CA region: Single sign-on URL:
https://www.ovhcloud.com/ca/auth/saml/acsand Audience URI:https://www.ovhcloud.com/ca/auth/
{.thumbnail}
Then set the following Attribute Statements:
- Name:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upnand Value:user.login - Name:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressand Value:user.email - Name:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameand Value:user.displayName
Set these Group Attribute Statements:
- Name:
groupsand Filter:Matches regex:.*(Adapt the filter if you want to be more specific)
Click Next{.action}.
{.thumbnail}
In the "Feedback" step, select the according option and click Finish{.action}.
Then open the application and go to the "Assignments" tab and assign users or groups to the application.
{.thumbnail}
Before going to the next section, go to the "Sign On" tab, and access to the Metadata URL and save the provided XML file.
{.thumbnail}
Your Okta service now trusts OVHcloud as a service provider. The next step is to ensure that the OVHcloud account trusts your Okta as an identity provider.
To add Okta as a trusted identity provider, you need to provide the identity provider metadata in the OVHcloud Control Panel.
Click your account name in the top-right corner, then on your name again in the sidebar.
{.thumbnail}
You can access the IAM menu via the dedicated entry in your Control Panel.
{.thumbnail}
Then click on the Identities{.action} tab to access local users management.
{.thumbnail}
Click the SSO connection{.action} button.
{.thumbnail}
Fill in the XML metadata of your Okta service. Enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn as the "User Attribute Name" and Group as the "Group Attribute Name". Click Confirm{.action}.
You can keep local users by ticking the Keep active OVHcloud users box.
{.thumbnail}
Now you need to retrieve your Okta as identity provider, as well as default groups.
{.thumbnail}
For more information, click on the link under “SSO Service URL”.
{.thumbnail}
The ...{.action} button allows you to update or delete the SSO, and view its details.
{.thumbnail}
Your Okta service is now considered a trusted identity provider. However, you still need to add groups to your OVHcloud account.
Warning
If you try to connect via SSO at this point, you will probably receive a Not in valid groups error message.
That is because your OVHcloud account checks whether the authenticating user belongs to an existing group on the account.
You must then assign roles to Okta user groups at OVHcloud. Otherwise, your OVHcloud account does not know what the user is allowed to do and, by default, no rights are assigned.
From the OVHcloud Control Panel, add a group by clicking the Declare a group{.action} button and filling in the fields:
- Group name: Group name within Okta
- Role: Level of rights granted to this group
{.thumbnail}
{.thumbnail}
You can then verify that the group is added to your OVHcloud account in the "Groups" section:
{.thumbnail}
When you later log in with a user from the Intern group, your OVHcloud account will recognise that the user has the role "UNPRIVILEGED" specified by his group.
Warning: if you give the NONE privilege, you will need to assign permissions to this group via the IAM policies.
You will then be able to log out of your account and log back in with your Okta as an identity provider.
On the OVHcloud login page, enter your login followed by /idp without a password and click the Login{.action} button.
{.thumbnail}
You are then redirected to your Okta login page. Enter the login and password for a user of your Okta, then click the Sign in{.action} button.
{.thumbnail}
You are now logged in with the same customer ID, but through your Okta user.
{.thumbnail}
Securing my OVHcloud account and managing my personal information
Setting and managing your account password
Securing your OVHcloud account with two-factor authentication
How to use IAM policies using the OVHcloud Control Panel.
Join our community of users.