Learn how to associate your OVHcloud account with an external Entra ID.
You can use Single Sign-On (SSO) to connect to your OVHcloud account. To enable these connections, your account and your Entra ID (formerly Azure Active Directory) have to be configured using SAML (Security Assertion Markup Language) authentications.
- belong to the Application Administrator and User Administrator roles of an Entra ID service
- an OVHcloud account
- access to the OVHcloud Control Panel
Entra ID Users and Groups
Your Entra ID acts as your identity provider. Authentication requests by your OVHcloud account will only be accepted if it is declared as a trusted party first.
Let's focus for a moment on the identities on the identity provider side.
Entra ID Users
To start, go to your Entra ID dashboard.
Then click on
Users from the left-hand menu.
Create as many users as you need, or you can just check your users by clicking on them.
For this example, the user John Smith will be used.
When an SSO authentication is performed, John Smith's identity will be provided by Entra ID to the OVHcloud account. However, it is necessary that this identity contains at least one group. If no group exists, let's look at how to create one to add John Smith to it.
Entra ID Groups
Groups from the left-hand menu.
New group in the top menu, and fill in all the necessary information.
For this example, the group manager@ovhcloudsaml will be used.
Click on the
Create button to display all information about this group.
Now, users who will be used for SSO authentication must be added to a group.
In this example, let's link the user John Smith with the group manager@ovhcloudsaml.
In the selected group interface, click on
Members from the left-hand menu, then click
Add members in the top menu.
Select the user to be added to this group, then click on the
Now we have a user assigned to a group.
In order to perform SSO authentications, an Entra ID application must be created.
SSO must be configured on this application.
Entra ID applications
First of all, it is necessary to create an application if one does not yet exist.
Create an Entra ID application
Enterprise applications from the left-hand menu.
New application in the top menu.
Create your own application in the top menu.
Integrate any other application you don't find in the gallery (Non-gallery) option, and click on the
The details of the application will then be displayed.
The Entra ID application is now created. Users who want to perform SSO authentications via this application must now be added to it.
Entra ID application - User assignment
However, it is better to add a user group instead of users if you have Entra ID Premium.
Users and groups from the left-hand menu, then click
Add user/group in the top menu.
Click then on the
Users section, select the user to add to the application, and click on the
The application is created, a user has been assigned, and all that remains is to set up the SSO via SAML.
Assign to add the user assignment.
Entra ID application SSO
Get back to the overview via the
Overview button from the left-hand menu, then click on the
Set up single sign on section.
Click on the
Upload metadata file in the top menu.
Click on the
Select a file icon button, select the OVHcloud Service Provider metadata file, and click on the
You can obtain the US region metadata file via the following link: https://us.ovhcloud.com/auth/sso/saml/sp/metadata.xml
The SAML configuration will be displayed. The Entity ID and URL are:
Save and close the window.
In the Attributes & Claims section, click on the
You now need to add a UPN (User Principal Name) attribute to SAML infos, in order to inform OVHcloud about the user's email. This step is mandatory.
Add a new claim in the top menu.
Fill in the Name field with
Fill in the Source attribute field with
Now let's declare the attribute for the user group.
Add a group claim in the top menu.
Group ID from the Source attribute, and click on the
The groups claim should now appear in the list.
Copy and save the Claim name value somewhere (i.e a notepad), it will be necessary later.
In the SAML Certificates section, copy the
App Federation Metadata Url field value.
Use this link to download the Entra ID application metadata file in order to use it later in the OVHcloud account.
Establishing OVHcloud account trust and configuring the connection
Adding your Entra ID application as a trusted identity provider is done in the OVHcloud Control Panel where you can provide the identity provider metadata.
Establish OVHcloud trust
Log in and click on your profile in the top-right corner.
Click on your name to access your profile management page.
User management tab.
Click on the
SSO connection button.
Fill in the Group attribute name field with the Entra ID application groups Claim name value saved before.
Fill in the XML metadata of your Entra ID application from the file saved before.
Click on the
The trust of your Entra ID application as identity provider is thus established but you still have to add groups to your OVHcloud account.
Not in valid groups error message.
That is because your OVHcloud account checks if the authenticating user belongs to a group that actually exists on the account.
To resolve this, check the "Group" attribute that your Entra ID application returns: the Object Id field.
OVHcloud groups declaration
Add it by clicking on the
Declare a group.
Fill in the fields, then click on the
The created group should appear on the list.
Connect via SSO
On the OVHcloud login page, enter your NIC handle followed by /idp without entering a password, and click the
You are then redirected to your Entra ID application login page. Select
Use another account.
Enter the Entra ID application user email and click on the
Enter the Entra ID application user password and click on the
Sign In button.
You are now logged in with the same NIC handle, but via your Active Directory user and using your Entra ID application SSO.
If your email does not appear below
Connected via SSO, this means you have not configured the UPN attribute properly, and some of the features will not work correctly.