There are two main ways to log into Cloud: using a login/password created in Cloud itself or using SSO. Where possible, using single sign-on (SSO) is recommended, as it has a number of benefits. SSO allows you to centrally manage accounts in a third-party system you're already using. This simplifies management tasks, eliminates the need for each user to have multiple login/password combinations and allows you to enforce your own security policies, among other things.
Cloud supports both OpenID Connect (OIDC) and SAML for setting up SSO. Any identity provider (IdP) that supports at least one of these options is a suitable candidate for use with Cloud. Azure Active Directory, Google and Okta are just a few examples of identity providers that you can log into Cloud with.
SSO can be set up quickly and easily, as explained in the below steps. Cloud SSO is marked as a preview feature for now, as further usability changes may be implemented at a later time.
1. Open SSO connection popup in Cloud
As the user setting up the SSO connection for a particular domain, you'll first need to log into Cloud using a regular Cloud-created login/password combination. Select a site and then click the Settings menu in the bottom-left corner of your screen. Select the Single Sign-On menu and then hit the Add SSO Connection button.
In the resulting popup, select the type of SSO connection you want to set up and hit Continue. Cloud supports two types of SSO connections, SAML (Security Assertion Markup Language) and OIDC (OpenID Connect). Which one you choose will depend on the identity provider you're using and the type(s) it supports. If you're using Azure AD as your IdP, for instance, SAML is a suitable SSO connection type.
2. Exchange SSO connection details between Cloud and IdP
Once you've selected your preferred SSO connection type, you are asked for a descriptive name for the connection, which you can freely choose, and several pieces of information regarding the connection. This is information you'll gather from your identity provider (IdP). Conversely, you'll also need to take some of the info provided in the Cloud popup and input it in your IdP configuration.
Exactly where in your IdP you can find and input the necessary info for the SSO connection depends on the IdP you're using. Below, instructions are linked for Azure AD and Okta, but there are many more identity providers you can use.
Sample SSO setup instructions for Azure AD and Okta:
3. Configure attributes of SSO connection on IdP side
Cloud's underlying SSO login process requires a user to have an email address and for that email address to be verified. In the attribute setup of your SSO connection on the IdP side, make sure your IdP is configured to send both the user's email and an email_verified attribute (with a value of "true") to Cloud. If either attribute is missing, the SSO login will not complete even though the IdP has authenticated the user. Our knowledge base contains more specific attribute setup instructions for Azure AD and Okta, but the process will be similar for other identity providers.
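To see what the requirement above means in practice, here is an added example (not code from Cloud or from any IdP) that inspects the claims an IdP would send and applies the same three checks the login depends on: an email claim is present, email_verified is true, and the email's domain is one that has been enabled for SSO. The token format, the enabled-domain set and the sample claims are all constructed for the example; an OIDC ID token is used because its claims are easy to decode, but the same checks apply to the attribute values in a SAML assertion (where every value, including email_verified, arrives as a string):

```python
import base64
import json
from typing import Any, Dict, Set, Tuple

# Constructed sample: domains that have been added, verified and enabled for SSO.
ENABLED_SSO_DOMAINS: Set[str] = {"example.com"}


def _b64url(obj: Any) -> str:
    """base64url-encode a JSON object without padding (JWT convention)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_token(claims: Dict[str, Any]) -> str:
    """Build a constructed, UNSIGNED token (alg=none) purely for feeding the checks
    below. A real IdP signs its tokens; never accept alg=none in production."""
    return f"{_b64url({'alg': 'none', 'typ': 'JWT'})}.{_b64url(claims)}."


def decode_jwt_payload(token: str) -> Dict[str, Any]:
    """Return the claims of a compact JWT WITHOUT verifying the signature.

    Signature checking is part of the real SSO exchange; here we only want to look
    at the attribute mapping, so nothing returned by this function may be trusted.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated parts")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))


def check_sso_claims(claims: Dict[str, Any],
                     enabled_domains: Set[str] = ENABLED_SSO_DOMAINS) -> Tuple[bool, str]:
    """Return (ok, reason) for the claims of one login attempt."""
    email = claims.get("email")
    if not isinstance(email, str) or "@" not in email:
        return False, "missing or malformed email attribute"

    verified = claims.get("email_verified")
    # Boolean true is what OIDC specifies; the string "true" covers IdPs (and all
    # SAML attribute mappings) that emit the value as text.
    if verified is not True and not (isinstance(verified, str) and verified.lower() == "true"):
        return False, "email_verified attribute absent or not true"

    domain = email.rsplit("@", 1)[1].lower()
    if domain not in enabled_domains:
        return False, f"domain {domain} is not verified and enabled for SSO"
    return True, "ok"


# Constructed sample logins.
GOOD_TOKEN = make_unsigned_token(
    {"sub": "u-1", "email": "alice@example.com", "email_verified": True})
UNVERIFIED_TOKEN = make_unsigned_token(
    {"sub": "u-2", "email": "bob@example.com"})  # IdP not mapping email_verified
FOREIGN_DOMAIN_TOKEN = make_unsigned_token(
    {"sub": "u-3", "email": "carol@other.org", "email_verified": True})

if __name__ == "__main__":
    for name, tok in [("good", GOOD_TOKEN), ("unverified", UNVERIFIED_TOKEN),
                      ("foreign", FOREIGN_DOMAIN_TOKEN)]:
        print(name, check_sso_claims(decode_jwt_payload(tok)))
```

The "unverified" case is the one most often hit in practice: the IdP authenticates the user and sends an email, but the email_verified mapping was never added, so the login stops at the last step.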
4. Add, verify, enable your domain
Once you've exchanged all of the necessary details between Cloud and your IdP, hit Continue in the Cloud popup. You are now asked to submit the domain(s) you want to configure the SSO connection for. Hit the Add Domain button and, in the resulting popup, submit your domain name in the format yourdomain.com.
Hit Add Domain and copy the code subsequently presented in the popup. You will need to add this code as a TXT record at your domain's DNS provider to verify the domain. If necessary, consult the website and documentation of your specific DNS provider for up-to-date instructions on how to set up the TXT record. Hit Got It in Cloud when done. You can then wait a few minutes for the DNS verification to happen automatically, or manually hit the Verify Domain button.
Once your domain is verified, make sure to actually enable it for SSO by hitting the Enable domain button.
5. Log in with SSO
At this point, once you've set up your SSO connection and have verified that it is working, new or existing Cloud users in your domain should be able to log into Cloud with the Log in with Single Sign-On button. They will be asked for their email address prior to starting the SSO login process.
- Users who already had a login/password created in Cloud, prior to SSO being enabled for their domain, are by default able to log into Cloud with either their old login details or SSO. When they log in with SSO for the first time, they will be asked to link their old Cloud account with their new SSO one. As part of this process, they are asked to log in with their old account once more.
- Users who did not already have a login/password created in Cloud will only be able to log in with SSO if SSO is configured for their domain. They will not be able to create another user account in Cloud itself.
Be aware that you can combine SSO with either Cloud-configured MFA (multi-factor authentication) or the MFA of your IdP, adding an extra layer of security to the login process. If you already have MFA set up or even enforced in your IdP, it will automatically be part of the Cloud SSO login process for your domain users, since the IdP performs the authentication.
6. Enforce SSO
Optionally, you can enforce the use of SSO by all users in your site. Go to the Configuration menu with the gear-shaped icon and then to Site settings. Here, you can enable the following switch: Force login with SSO to access this site. If a user subsequently tries to log into your site with a Cloud-created login/password, they will be denied site access. Before enabling the switch, confirm that the SSO login works for at least one site administrator, since Cloud-created credentials will no longer grant access to the site once it is on.
7. Add more SSO connection managers
Optionally, you can also add more managers to your SSO connection. Having multiple managers is ideal for redundancy and security purposes, so you are not dependent on a single person to manage the SSO connection.