Enabling Azure AD SSO connections with your OVHcloud account
Find out how to associate your Azure Active Directory to your OVHcloud account using SAML 2.0
Last updated 5th April 2023
Objective
You can use Single Sign-On (SSO) to connect to your OVHcloud account. To enable these connections, your account and your Azure AD have to be configured using SAML (Security Assertion Markup Language) authentications.
This guide explains how to associate your OVHcloud account with an external Azure AD.
Requirements
- Belong to the Application Administrator and User Administrator roles of an Azure AD service
- An OVHcloud account
- Access to the OVHcloud Control Panel
Instructions
In order for a service provider (i.e. your OVHcloud account) to establish an SSO connection with an identity provider (i.e. your Azure AD), the essential part is to establish a mutual trust relationship by registering the SSO connection in both services.
Azure AD Users and Groups
Your Azure AD acts as your identity provider. Authentication requests by your OVHcloud account will only be accepted if it is declared as a trusted party first.
Let's focus for a moment on the identities on the identity provider side.
Azure AD Users
To start, go to your Azure AD dashboard.
Then click on Users from the left-hand menu.
Create as many users as you need, or you can just check your users clicking on them.
For this example, the user John Smith will be used.
When an SSO authentication is performed, John Smith's identity will be provided by Azure AD to the OVHcloud account. However, it is necessary that this identity contains at least one group. If no group exists, let's look at how to create one to add John Smith to it.
Azure AD Groups
Click on Groups from the left-hand menu.
Click on New group in the top menu, and fill in all the necessary information.
For this example, the group manager@ovhcloudsaml will be used.
Click on the Create button to display all information about this group.
Now, users who will be used for SSO authentication must be added to a group.
In this example, let's link the user John Smith with the group manager@ovhcloudsaml.
In the selected group interface, click on Members from the left-hand menu, then click Add members in the top menu.
Select the user to be added to this group, then click on the Select button.
Now we have a user assigned to a group.
In order to perform SSO authentications, an Azure AD application must be created.
SSO must be configured on this application.
Azure AD applications
First of all, it is necessary to create an application if one does not yet exist.
Create an Azure AD application
Click on Enterprise applications from the left-hand menu.
Click on New application in the top menu.
Click on Create your own application in the top menu.
Select the Non-gallery from the left-hand menu, and click on the Create button.
The details of the application will then be displayed.
The Azure AD application is now created. Users who want to perform SSO authentications via this application must now be added to it.
Azure AD application - User assignment
In order for a user to perform an SSO authentication from an Azure AD application, it must be added to that application. It is therefore shown here how to add a user to an Azure AD application.
However, it is better to add a user group instead of users if you have Azure AD Premium.
Click on Users and groups from the left-hand menu, then click Add user/group in the top menu.
Click then on the Users section, select the user to add to the application, and click on the Select button.
The application is created, a user has been assigned, all that remains is to set up the SSO via SAML.
Azure AD application SSO
Get back to the overview via the Overview button from the left-hand menu, then click on the Set up single sign on section.
Click on the SAML section.
Click on Upload metadata file in the top menu.
Click on the Select a file icon button, select the OVHcloud Service Provider metadata file and click on the Add button.
You can obtain the appropriate metadata file via the following links:
Download the metadata file, it will be necessary later.
The SAML configuration will be displayed.
In the Attributes & Claims section, click on the Edit button.
Click on Add a group claim in the top menu.
Select Security groups, and Group ID from the Source attribute and click on the Save button.
The groups claim should now appear in the list.
Copy and save the Claim name value somewhere (i.e a notepad), it will be necessary later.
In the SAML certificates section, copy the App Federation Metadata Url field value.
Use this link to download the Azure AD application metadata file in order to use it later in the OVHcloud account.
Establishing OVHcloud account trust and configuring the connection
Adding your Azure AD application as a trusted identity provider is done in the OVHcloud Control Panel where you can provide the identity provider metadata.
Establish OVHcloud trust
Log in and click on your profile in the top-right corner.
Click on your name to access your profile management page.
Open the User management tab.
Click on the SSO connection button.
Fill in the Group Attribute Name field with the Azure AD application groups Claim name value saved before.
Fill in the XML metadata of your Azure AD application from the file saved before.
Click on the Confirm button.
The trust of your Azure AD application as identity provider is thus established but you still have to add groups to your OVHcloud account.
If you try to connect at this stage via SSO, you will probably receive a Not in valid groups error message.
That is because your OVHcloud account checks if the authenticating user belongs to a group that actually exists on the account.
To resolve this, check the "Group" attribute that your Azure AD application returns: the Object Id field.
OVHcloud groups declaration
Add it by clicking on the Declare a group.
Fill in the fields, then click on the Confirm button.
The created group should appear on the list.
Connect via SSO
On the OVHcloud login page, enter your NIC handle followed by /idp without entering a password, and click the Login button.
You are then redirected to your Azure AD application login page. Select Use another account.
Enter the Azure AD application user email and click on the Next button.
Enter the Azure AD application user password and click on the Sign In button.
You are now logged in with the same NIC handle, but via your Active Directory user and using your Azure AD application SSO.
Go further
Join our community of users on https://community.ovh.com/en/.
Did you find this guide useful?
Please feel free to give any suggestions in order to improve this documentation.
Whether your feedback is about images, content, or structure, please share it, so that we can improve it together.
Your support requests will not be processed via this form. To do this, please use the "Create a ticket" form.
Thank you. Your feedback has been received.