
Single Sign-On

CloudBilling supports Single Sign-On (SSO) and Single Sign-Out through OpenID Connect (OIDC). Contact support to set up SSO for your environment.

Client Application

To set up SSO, we need some information from your identity provider (IdP). This is usually available through the configuration portal of your IdP when you register a new application.

  • Client Identifier: the authorization server issues the registered client a client identifier – a unique string representing the registration information provided by the client.
  • Issuer Identifier: a verifiable identifier for an issuer – a case-sensitive URL. Sometimes also referred to as the Authority.

When setting up the client application, you configure your IdP with the following parameters (we provide you with the value for [ID]):

  • Redirect URI: https://app.cloudbilling.nl/SSO/OIDC/[ID]/Callback
  • Logout URI: https://app.cloudbilling.nl/SSO/OIDC/[ID]/SignOut

We use the implicit flow and support tokens delivered either by form post or as query parameters. We request the scope openid profile email.

User permissions are defined through application roles. Within CloudBilling you create the User Groups as desired. Then using the roles claim, assign users to one or more user groups by passing the user group’s ID as the role. This allows for fine-grained permission control from within the IdP. These role assignments can be dynamic, as we apply the new roles on each subsequent sign in or token renewal.

After setting up SSO you can point your users to the URL specific to your tenant (e.g. https://app.cloudbilling.nl/AcmeCorp). If the user is not signed in, we will redirect them to the IdP.

Claims

In addition to the normal claims as part of the OIDC token, CloudBilling requires the following claims:

Name                 Format            Description
sub                  String            The principal about which the token asserts information: the user.
roles                Array of strings  A set of user groups assigned to the user. These are references to identifiers of user groups within CloudBilling.
email                String            E-mail address of the user.
name                 String            A human-readable value that identifies the subject of the token. Optional: if not provided, the preferred_username claim is used.
preferred_username   String            The primary username that represents the user. It could be an email address, phone number, or a generic username without a specified format. Optional: if not provided, the name claim is used.
given_name           String            The given / first name of the user. Optional: if not provided, the name claim is used.
family_name          String            The family / surname of the user. Optional: if not provided, the name claim is used.
locale               String            The user’s locale, e.g. en-GB for British English.
zoneinfo             String            The user’s time zone, e.g. Europe/Amsterdam.
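As an added example (not CloudBilling's own code), the following Python checks a decoded ID-token payload against the issuer, the client identifier and the claims listed above, applying the documented fallbacks between name, preferred_username, given_name and family_name. It assumes the OIDC library has already verified the token signature, nonce and expiry; the issuer URL, client identifier and payload values are constructed placeholders, and requiring at least one of name or preferred_username is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class CloudBillingUser:
    sub: str
    email: str
    groups: list                   # user group IDs carried in the roles claim
    name: str
    preferred_username: str
    given_name: str
    family_name: str
    locale: Optional[str] = None
    zoneinfo: Optional[str] = None
def validate_claims(payload: dict, issuer: str, client_id: str) -> CloudBillingUser:
    """Check issuer, audience and the claims this page requires; raise ValueError otherwise."""
    # The issuer identifier is a case-sensitive URL, so compare it exactly.
    if payload.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = payload.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        raise ValueError("audience does not include our client identifier")
    for claim in ("sub", "email"):
        if not isinstance(payload.get(claim), str) or not payload[claim]:
            raise ValueError(f"missing required claim: {claim}")
    roles = payload.get("roles")
    if not isinstance(roles, list) or not all(isinstance(r, str) for r in roles):
        raise ValueError("roles must be an array of strings (user group IDs)")
    # Documented fallbacks: name <-> preferred_username; given/family name -> name.
    name = payload.get("name") or payload.get("preferred_username")
    if not name:  # assumption: at least one of the two must be present
        raise ValueError("neither name nor preferred_username present")
    return CloudBillingUser(
        sub=payload["sub"], email=payload["email"], groups=roles, name=name,
        preferred_username=payload.get("preferred_username") or name,
        given_name=payload.get("given_name") or name,
        family_name=payload.get("family_name") or name,
        locale=payload.get("locale"), zoneinfo=payload.get("zoneinfo"))
def is_rejected(payload: dict, issuer: str, client_id: str) -> bool:
    """True if validate_claims refuses the payload; used for negative checks."""
    try:
        validate_claims(payload, issuer, client_id)
        return False
    except ValueError:
        return True
# Constructed sample ID-token payload; issuer and client identifier are placeholders.
SAMPLE = {"iss": "https://idp.example.test", "aud": "cb-client-id", "sub": "user-001",
          "roles": ["1001", "1042"], "email": "alice@example.test",
          "preferred_username": "alice", "locale": "en-GB", "zoneinfo": "Europe/Amsterdam"}
```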

Copyright Ⓒ 2023 CloudBilling (Inter8-NL B.V.)