Single sign-on authentication
Allow single sign-on (SSO) for users on an Exoscale account, using an OpenID Connect identity provider. SSO Organization Connect for Exoscale is a paid feature.
Activation
Accessible to users with the Owner role, in menu section IAM, subsection SSO.
Configuration
Accessible to users with the Owner role, in menu section IAM, subsection SSO.
You need to provide 3 values:
- your OpenID Connect Client ID
- the OpenID Connect Issuer URL
- your OpenID Connect Client secret
This is the URL you need to authorize on the OIDC provider side: https://portal.exoscale.com/sso-authenticate/<sso-org-name>
Login
The URL for the SSO login page has the form: https://portal.exoscale.com/sso-login/<sso-org-name>
When a user logs in to an organisation using SSO, a new unique user is created inside this organization with the TECH role.
Its username will be a universally unique identifier (UUID), so that a standard non-SSO user with the same email can exist alongside it.
Authorization
Authorization can be achieved:
- using ID token introspection, thanks to a Common Expression Language (CEL) query
- by setting up your own proxy with a Dex server or equivalent.
Authorization with ID token introspection
You may provide two values to perform ID token payload introspection to authorize a user:
- OIDC additional claims, which contains claim names (space separated)
- a Common Expression Language expression, which will be evaluated at login time against the ID token payload.
OIDC additional claims
The standard claims which are always part of the ID token payload are openid, profile and email.
If you need to introspect additional claims, you need to provide their names in the OIDC additional claims field.
Common Expression Language expression
This Common Expression Language (CEL) expression will be evaluated at login time against the ID token payload.
If the CEL expression evaluation returns true, the user will be authorized to log in.
With any other return value the login will fail.
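The following is an added example, not Exoscale's code, illustrating the ID token introspection and fail-closed evaluation rule described above. Exoscale evaluates a CEL expression; here plain Python predicates stand in for the CEL engine, with the equivalent CEL expression given in a comment next to each one. The token payload, issuer, client ID and group names are constructed values, and the `groups` claim is shown as one that must be requested through "OIDC additional claims" before it can be introspected.

```python
"""Fail-closed ID token payload introspection, as an added example.

This is not Exoscale's code: the console evaluates a CEL expression, while
this script uses plain Python predicates in place of the CEL engine. What it
keeps is the rule from the text: only a strict boolean true authorizes the
login, every other result (false, a string, an absent claim, an evaluation
error) denies it. All payload values below are constructed.
"""
import base64
import json
from typing import Any, Callable

# Constructed ID token payload (what the base64url-encoded middle segment of
# the JWT decodes to). "groups" is not a standard claim: it is only present if
# it is listed in "OIDC additional claims" and released by the provider.
SAMPLE_PAYLOAD = {
    "iss": "https://idp.example.com",          # assumed issuer URL
    "sub": "24400320",
    "aud": "exoscale-sso-client",              # assumed client ID
    "exp": 1893456000,
    "iat": 1893452400,
    "email": "alice@example.com",
    "email_verified": True,
    "groups": ["cloud-admins", "developers"],
}


def encode_unsigned_token(payload: dict) -> str:
    """Build a three-segment token with an empty signature, for the demo only."""
    def b64url(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64url({'alg': 'none', 'typ': 'JWT'})}.{b64url(payload)}."


def decode_id_token_payload(id_token: str) -> dict:
    """Return the JWT payload as a dict; signature checks are out of scope here.

    In a real flow the OIDC client library validates the signature, issuer,
    audience and expiry before any claim is trusted; introspection runs after.
    """
    segments = id_token.split(".")
    if len(segments) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    payload_b64 = segments[1]
    padding = "=" * (-len(payload_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(payload_b64 + padding))


Policy = Callable[[dict], Any]

# Each predicate is paired with the CEL expression that does the same thing.
POLICIES: dict[str, Policy] = {
    # CEL: email_verified == true && email.endsWith("@example.com")
    "verified_company_email": lambda p: (
        p["email_verified"] is True and p["email"].endswith("@example.com")
    ),
    # CEL: "cloud-admins" in groups
    "member_of_cloud_admins": lambda p: "cloud-admins" in p["groups"],
    # CEL: email   (a string, not a boolean: must be denied)
    "returns_string": lambda p: p["email"],
    # CEL: department == "ops"   (claim not requested, so absent: must be denied)
    "needs_absent_claim": lambda p: p["department"] == "ops",
}


def authorize(payload: dict, policy: Policy) -> bool:
    """Only a strict True result allows the login; anything else fails closed."""
    try:
        result = policy(payload)
    except (KeyError, TypeError, AttributeError):
        # A missing claim or a type error is treated like any non-true result.
        return False
    return result is True


if __name__ == "__main__":
    token = encode_unsigned_token(SAMPLE_PAYLOAD)
    payload = decode_id_token_payload(token)
    for name, policy in POLICIES.items():
        print(f"{name:24s} -> {'allow' if authorize(payload, policy) else 'deny'}")
```

The `returns_string` and `needs_absent_claim` entries show the two ways an expression that "looks fine" still denies every login: the expression must produce a boolean, and every claim it references must actually be in the payload, which for non-standard claims means listing them in the OIDC additional claims field.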