Skip to main content

Enabling Okta SSO Connections with Your OVHcloud Account

Stephanie R.
Updated

Learn how to associate your OVHcloud account with an external Okta service.

You can use Single Sign-On (SSO) to connect to your OVHcloud account. To enable these connections, your account and your Okta accounts have to be configured using SAML (Security Assertion Markup Language) authentications.

 

Requirements

 

Instructions

For a service provider (i.e. your OVHcloud account) to establish an SSO connection with an identity provider (i.e. your Okta service), the key is to establish a mutual trust relationship by registering the SSO connection in both services.

Registering OVHcloud into Okta

Your Okta service acts as an identity provider. Requests to authenticate your OVHcloud account will only be accepted if you have first declared it as a trusted third party.

This means that it must be added to Applications.

Log in to the Okta administration interface with your administrator account.

Go to Applications then again Applications.

oktasso00.png

Click Create App Integration, select SAML 2.0, then select Next.

oktasso01.png

oktasso02.png

In the General Settings step, add a name for this application, such as "OVHcloud," and click Next.

oktasso03.png

In the SAML Settings step, complete the Single sign-on URL and Audience URI fields with the information below:

  • Single sign-on URL: https://us.ovhcloud.com/auth/ and
  • Audience URI: https://us.ovhcloud.com/auth/

oktasso04.png

Then set the following Attribute Statements:

  • Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn and Value: user.login
  • Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress and Value: user.email
  • Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name and Value: user.displayName

Set these Group Attribute Statements:

  • Name: groups and Filter: Matches regex:.* (Adapt the filter if you want to be more specific)

Click Next.

oktasso06*.png

In the Feedback step, select the appropriate option and click Finish.

oktasso6b.png

Then open the application, go to the Assignments tab, and assign users or groups to the application.

oktasso07B.png

Before going to the next section, go to the Sign On tab, access the Metadata URL, and save the provided XML file.

oktasso08.png

Your Okta service now trusts OVHcloud as a service provider. The next step is to ensure that the OVHcloud account trusts your Okta as an identity provider.

 

Registering Okta into the OVHcloud account and configuring the connection

To add Okta as a trusted identity provider, you must provide the identity provider metadata in the OVHcloud Control Panel.

  1. Click your name and then your initials.
  2. Select Identity and Access Management (IAM) from the left-hand menu.
  3. Click the Identities tab to access local users management.

local_identities.png

Click the SSO connection button.

oktasso12.png

Fill in the XML metadata of your Okta service. Enter groups as the Group Attribute Name. Click on Confirm.

You can keep local users by ticking the Keep active OVHcloud users box.

oktasso13*.png

Now you need to retrieve your Okta as the identity provider, as well as default groups.

oktasso14.png

For more information, click on the link under SSO service URL.

oktasso15.png

The more options ... button allows you to update or delete the SSO, and view its details.

oktasso16.png

Your Okta service is now considered a trusted identity provider. However, you still need to add groups to your OVHcloud account.

NOTE: If you try to connect via SSO at this point, you will probably receive a Not in valid groups error message.

That is because your OVHcloud account checks whether the authenticating user belongs to an existing group on the account.

You must then assign roles to Okta user groups at OVHcloud. Otherwise, your OVHcloud account does not know what the user is allowed to do and, by default, no rights are assigned.

From the OVHcloud Control Panel, add a group by clicking the Declare a group button and filling in the fields:

  • Group name: Group name within Okta
  • Role: Level of rights granted to this group

When finished, click Confirm.

oktasso17.png

oktasso18*.png

You can then verify that the group is added to your OVHcloud account in the "Groups" section:

oktasso19.png

When you later log in with a user from the Intern group, your OVHcloud account will recognize that the user has the role "UNPRIVILEGED" specified by his group.

NOTE: If you set the privileges to NONE, you will need to assign permissions to this group via the IAM policies.

You will then be able to log out of your account and log back in with your Okta as an identity provider.

 

Connecting via SSO

On the OVHcloud login page, enter your customer code followed by /idp without entering a password, and click the Login button.

local_login.png

You are then redirected to your Okta login page. Enter the login and password for a user of your Okta, then click the Sign in button.

oktasso21.png

You are now logged in with the same customer code but through your Okta user.

local_account.png

 

Go further

For more information and tutorials, please see our other User Management & Federation or Manage and Operate guides, or explore the guides for other OVHcloud products and services.

Related articles