You can use Single Sign-On (SSO) to connect to your OVHcloud account. To enable these connections, your OVHcloud account and your Okta accounts have to be configured to use SAML (Security Assertion Markup Language) authentication.
This guide explains how to associate your OVHcloud account with an external Okta service.
Registering OVHcloud into Okta
Your Okta service acts as an identity provider. Requests to authenticate your OVHcloud account will only be accepted if you have first declared it as a trusted third party.
This means that it must be added to Applications.
Log in to the Okta administration interface with your administrator account.
Applications then again
Create App Integration, select
SAML 2.0, then select
In the General Settings step, add a name for this application, such as "OVHcloud," and click
In the SAML Settings step, complete the Single sign-on URL and Audience URI fields with the information below:
- Single sign-on URL:
- Audience URI:
Then set the following Attribute Statements:
Set these Group Attribute Statements:
Matches regex: .* (adapt the filter if you want to be more specific)
In the Feedback step, select the appropriate option and click
Then open the application, go to the Assignments tab, and assign users or groups to the application.
Before going to the next section, go to the Sign On tab, access the Metadata URL, and save the provided XML file.
Your Okta service now trusts OVHcloud as a service provider. The next step is to ensure that the OVHcloud account trusts your Okta as an identity provider.
Registering Okta into the OVHcloud account and configuring the connection
To add Okta as a trusted identity provider, you need to provide the identity provider metadata in the OVHcloud Control Panel.
Once logged in, click your profile at the top right.
Click on your name to access your profile management page.
User Management tab.
SSO connection button.
Open the Metadata URL from Okta in an XML editor. Copy and paste the XML metadata of your Okta service into the XML metadata field. Enter groups as the Group Attribute Name. Click
You should now see your Okta service listed as the identity provider, along with the default groups.
For more information, click on the link under SSO service URL.
... button allows you to update or delete the SSO, and view its details.
Your Okta service is now considered a trusted identity provider. However, you still need to add groups to your OVHcloud account.
Not in valid groups error message.
That is because your OVHcloud account checks whether the authenticating user belongs to an existing group on the account.
You must then assign roles to Okta user groups at OVHcloud. Otherwise, your OVHcloud account does not know what the user is allowed to do and, by default, no rights are assigned.
From the OVHcloud Control Panel, add a group by clicking the Declare a group button and filling in the fields:
- Group name: Group name within Okta
- Role: Level of rights granted to this group
When finished, click
You can then verify that the group is added to your OVHcloud account in the "Groups" section:
When you later log in with a user from the Intern group, your OVHcloud account will recognize that the user has the role "UNPRIVILEGED" specified by their group.
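The group check described above can be reproduced offline against the attribute statement of a decoded SAML assertion, which helps when diagnosing a "Not in valid groups" error or deciding how far to narrow the Okta group filter. This is an added illustration, not OVHcloud or Okta code: the sample assertion is constructed, the function names are hypothetical, exact-match group comparison is an assumption, and no signature validation is performed.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: what Okta might send with the ".*" group filter.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Everyone</saml:AttributeValue>
      <saml:AttributeValue>Intern</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Groups declared on the OVHcloud account (group name -> role), as in the guide.
DECLARED_GROUPS = {"Intern": "UNPRIVILEGED"}


def asserted_groups(assertion_xml, attribute_name="groups"):
    """Return the values of the group attribute found in the assertion."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == attribute_name:
            for value in attr.iterfind("saml:AttributeValue", SAML_NS):
                values.append((value.text or "").strip())
    return [v for v in values if v]


def check_login(assertion_xml, declared=DECLARED_GROUPS):
    """Model the check: at least one asserted group must be declared."""
    sent = asserted_groups(assertion_xml)
    roles = {g: declared[g] for g in sent if g in declared}
    # Groups sent by the identity provider that the account has no use for;
    # a long list here suggests the Okta regex filter can be narrowed.
    unmapped = [g for g in sent if g not in declared]
    error = None if roles else "Not in valid groups"
    return {"ok": bool(roles), "error": error, "roles": roles, "unmapped": unmapped}


if __name__ == "__main__":
    print(check_login(SAMPLE_ASSERTION))
```

Any group reported under `unmapped` is a group name disclosed to the service provider without being needed there.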
You will then be able to log out of your account and log back in with your Okta as an identity provider.
Connecting via SSO
On the OVHcloud login page, enter your customer code followed by /idp without a password and click the
You are then redirected to your Okta login page. Enter the login and password for a user of your Okta, then click the Sign in button.
You are now logged in with the same customer ID but through your Okta user.