Allow Single Sign-On for users on an Exoscale account, using an OpenID Connect (OIDC) identity provider. SSO Organization Connect for Exoscale is a paid feature.

Activation

Accessible to users with Owner role in menu section IAM, subsection SSO.

SSO activation

Configuration

Accessible to users with Owner role in menu section IAM, subsection SSO.

SSO configuration

You need to provide three values:

  • your OpenID Connect Client ID
  • the OpenID Connect Issuer URL
  • your OpenID Connect Client secret

This is the URL you need to authorize on the OIDC provider side: https://portal.exoscale.com/sso-authenticate/<sso-org-name>

SSO shareable endpoints

Login

The URL for the SSO login page has the form: https://portal.exoscale.com/sso-login/<sso-org-name>

SSO login

When a user logs in to an organization using SSO, a new unique user is created inside this organization with the TECH role.

Its username will be a universally unique identifier (UUID), so that a standard non-SSO user with the same email can exist alongside it.

Authorization

Authorization can be achieved with ID token introspection:

Authorization with ID token introspection

You may provide two values to perform ID token payload introspection and authorize a user:

  • OIDC additional claims, which contains claim names (space separated)
  • a Common Expression Language (CEL) expression, which will be evaluated at login time against the ID token payload.

SSO authorization

OIDC additional claims

The claims of the standard scopes openid, profile and email are always part of the ID token payload.

If you need to introspect additional claims, you need to provide their names in the OIDC additional claims field.

Common Expression Language expression

This Common Expression Language (CEL) expression will be evaluated at login time against the ID token payload.

If the CEL expression evaluates to true, the user is authorized to log in.

With any other return value (including a non-boolean value or an evaluation error, such as a claim that was not requested), the login fails.
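The following is an added example, not Exoscale's code: it simulates the login-time decision described above (and the additional-claims rule from the previous section) against a constructed ID token payload. The policies are Python predicates that mirror CEL expressions quoted in comments; Exoscale evaluates real CEL, and the issuer, e-mail domain, claim names and the scope-to-claim mapping below are assumptions.

```python
# Added example (not Exoscale's code): simulate "authorize only when the expression
# yields true" on a constructed ID token payload. Policies are Python stand-ins for
# the CEL expressions shown in their comments.
import base64
import json

# Assumed mapping of the standard scopes to the claims they make available.
SCOPE_CLAIMS = {
    "openid": {"iss", "sub", "aud", "exp", "iat"},
    "profile": {"name", "preferred_username"},
    "email": {"email", "email_verified"},
}

# Constructed payload as an IdP might issue it (assumed values, not a real token).
FULL_PAYLOAD = {
    "iss": "https://idp.example.com",
    "sub": "a1b2c3",
    "aud": "exoscale-client-id",
    "exp": 1700000000,
    "iat": 1699996400,
    "name": "Alice Example",
    "preferred_username": "alice",
    "email": "alice@example.com",
    "email_verified": True,
    "groups": ["developers", "cloud-admins"],  # non-standard claim
}


def id_token_payload(issued: dict, additional_claims: str = "") -> dict:
    """Keep only the claims that reach the CEL evaluation: those backed by the
    standard scopes plus the names listed (space separated) in 'OIDC additional claims'."""
    allowed = set().union(*SCOPE_CLAIMS.values())
    allowed |= set(additional_claims.split())
    return {k: v for k, v in issued.items() if k in allowed}


def authorize(payload: dict, policy) -> bool:
    """Documented rule: login succeeds only if the expression yields true; any
    other value, or an evaluation error (e.g. a missing claim), fails the login."""
    try:
        return policy(payload) is True
    except (KeyError, TypeError, AttributeError):
        return False


# CEL: email.endsWith("@example.com") && email_verified
def policy_verified_company_email(p):
    return p["email"].endswith("@example.com") and p["email_verified"]


# CEL: "cloud-admins" in groups   (requires 'groups' in OIDC additional claims)
def policy_cloud_admin_group(p):
    return "cloud-admins" in p["groups"]


# CEL: email   (evaluates to a string, never to true, so login always fails)
def policy_returns_string(p):
    return p["email"]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def encode_unsigned_token(payload: dict) -> str:
    """Build a constructed, unsigned (alg none) JWT purely as decoder input."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}."


def decode_unverified_payload(token: str) -> dict:
    """Decode a JWT payload segment for inspection only (useful when writing the
    CEL expression); the signature is NOT checked here, that is the OIDC client's job."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))


if __name__ == "__main__":
    standard = id_token_payload(FULL_PAYLOAD)
    with_groups = id_token_payload(FULL_PAYLOAD, "groups")
    print("company email:", authorize(standard, policy_verified_company_email))   # True
    print("group, not requested:", authorize(standard, policy_cloud_admin_group))  # False
    print("group, requested:", authorize(with_groups, policy_cloud_admin_group))   # True
    print("string result:", authorize(with_groups, policy_returns_string))         # False
    print(decode_unverified_payload(encode_unsigned_token(FULL_PAYLOAD))["email"])
```

The second and third calls show why the additional claims field matters: the same group check fails until `groups` is listed there, because the claim never reaches the expression. The last policy shows the non-boolean case from the text, which fails the login even though the claim exists.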

SSO Login failed

Common expression language documentation