---
title: "Enabling Okta SSO connections with your OVHcloud account"
description: "Learn how to associate your Okta service with your OVHcloud account via SAML 2.0"
url: https://docs.ovhcloud.com/en/guides/account-and-service-management/account-information/ovhcloud-account-connect-saml-okta
lang: en
lastUpdated: 2025-05-15
---
# Enabling Okta SSO connections with your OVHcloud account

## Objective

You can use **Single Sign-On** (SSO) to connect to your OVHcloud account. To enable these connections, your OVHcloud account and your Okta service must both be configured for SAML (_Security Assertion Markup Language_) authentication.

**This guide explains how to associate your OVHcloud account with an external Okta service.**

## Requirements

- Being an administrator of an Okta service
- An [OVHcloud account](/en/guides/account-and-service-management/account-information/ovhcloud-account-creation.md)


***

### OVHcloud Control Panel Access

- **Direct link:** <ManagerLink to="/#/iam/identities/sso">SAML SSO</ManagerLink>
- **Navigation path:** <code className="action">Identity, Security & Operations</code> > <code className="action">Users</code> > <code className="action">SSO connection</code>

***


## Instructions

:::info
In order for a service provider (i.e. your OVHcloud account) to establish an SSO connection with an identity provider (i.e. your Okta service), the key is to establish a mutual trust relationship by registering the SSO connection in both services.

:::

### Registering OVHcloud into Okta

Your Okta service acts as an identity provider. Requests to authenticate your OVHcloud account will only be accepted if you have first declared it as a trusted third party.

This means that it must be added to `Applications`.

Log in to the Okta administration interface with your administrator account.

Go to `Applications` then again `Applications`.

![Add SAML Application, Step 1](/images/account-and-service-management/account-information/ovhcloud-account-connect-saml-okta/OKTA_add_application_step1.png)

Click `Create App Integration` and select `SAML 2.0`.

![Add SAML Application, Step 2](/images/account-and-service-management/account-information/ovhcloud-account-connect-saml-okta/OKTA_add_application_step2.png)

In the "General Settings" step, add a name for this application, **OVHcloud** for example, and a logo if you want. Click `Next`.

![Add SAML Application, Step 3](/images/account-and-service-management/account-information/ovhcloud-account-connect-saml-okta/OKTA_add_application_step3.png)

In the step "Configure SAML", complete the `Single sign-on URL` and `Audience URI` fields with the values for your region:

- EU region: **Single sign-on URL**: `https://www.ovhcloud.com/eu/auth/saml/acs` and **Audience URI**: `https://www.ovhcloud.com/eu/auth/`
- CA region: **Single sign-on URL**: `https://www.ovhcloud.com/ca/auth/saml/acs` and **Audience URI**: `https://www.ovhcloud.com/ca/auth/`

![Add SAML Application, Step 4](/images/account-and-service-management/account-information/ovhcloud-account-connect-saml-okta/OKTA_add_application_step4.png)

Then set the following `Attribute Statements`:

- **Name**: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn` and **Value**: `user.login`
- **Name**: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` and **Value**: `user.email`
- **Name**: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name` and **Value**: `user.displayName`

Set these `Group Attribute Statements`:

- **Name**: `groups` and **Filter**: `Matches regex:.*` (Adapt the filter if you want to be more specific)

Click `Next`.

![Add SAML application, step 5](/images/account-and-service-management/account-information/ovhcloud-account-connect-saml-okta/OKTA_add_application_step5.png)

In the "Feedback" step, select the appropriate option and click `Finish`.

Then open the application, go to the "Assignments" tab and assign users or groups to the application.

![Assign users](/images/account-and-service-management/account-information/ovhcloud-account-connect-saml-okta/OKTA_add_user.png)

Before going to the next section, go to the "Sign On" tab, open the **Metadata URL** and save the provided XML file.

![Retrieve metadata](/images/account-and-service-management/account-information/ovhcloud-account-connect-saml-okta/OKTA_retrieve_metadata.png)

Your Okta service now trusts OVHcloud as a service provider. The next step is to ensure that the OVHcloud account trusts your Okta as an identity provider.

### Registering Okta into the OVHcloud account and configuring the connection

To add Okta as a trusted identity provider, you need to provide the identity provider metadata. Open the SAML SSO page and click the `SSO connection` button.

![Access to the IAM menu](/images/account-and-service-management/account-information/ovhcloud-account-connect-saml-okta/access_to_the_IAM_menu_03.png)

Fill in the XML metadata of your Okta service. Enter `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn` as the "User Attribute Name" and `Group` as the "Group Attribute Name". Click on `Confirm`.

You can keep local users by ticking the `Keep active OVHcloud users` box.

![OVHcloud SSO connection step 2](/images/account-and-service-management/account-information/ovhcloud-account-connect-saml-okta/ovhcloud_add_federation.png)

You should now see your Okta listed as the identity provider, along with the default groups.

![OVHcloud SSO connection step 3](/images/account-and-service-management/account-information/ovhcloud-account-connect-saml-okta/ovhcloud_add_federation_success.png)

For more information, click on the link under "SSO Service URL".

![OVHcloud SSO connection step 4](/images/account-and-service-management/account-information/ovhcloud-account-connect-saml-okta/ovhcloud_idp_details.png)

The `...` button allows you to update or delete the SSO, and view its details.

![OVHcloud SSO connection step 5](/images/account-and-service-management/account-information/ovhcloud-account-connect-saml-okta/ovhcloud_user_management_connect_sso_5.png)

Your Okta service is now considered a trusted identity provider. However, you still need to add groups to your OVHcloud account.

:::warning
If you try to connect via SSO at this point, you will probably receive a `Not in valid groups` error message.

That is because your OVHcloud account checks whether the authenticating user belongs to an existing group on the account.

:::

You must then assign **roles** to Okta user groups at OVHcloud. Otherwise, your OVHcloud account does not know what the user is allowed to do and, by default, no rights are assigned.

In the `Identities` section, open the `User groups` tab. Then click the `Declare a group` button and fill in the fields:

- **Group name**: Group name within Okta
- **Role**: Level of rights granted to this group

![Okta User Management Groups](/images/account-and-service-management/account-information/ovhcloud-account-connect-saml-okta/ovhcloud_user_management_groups_1.png)
![Okta User Management Groups](/images/account-and-service-management/account-information/ovhcloud-account-connect-saml-okta/ovhcloud_user_management_groups_2.png)

You can then verify that the group is added to your OVHcloud account in the "Groups" section:

![Okta User Management Groups](/images/account-and-service-management/account-information/ovhcloud-account-connect-saml-okta/ovhcloud_user_management_groups_3.png)

When you later log in with a user from the **Intern** group, your OVHcloud account will recognise that the user has the role "UNPRIVILEGED" specified by their group.

Warning: if you give the `NONE` role, you will need to assign permissions to this group via the [IAM policies](/en/guides/account-and-service-management/account-information/iam-policy-ui.md).

You will then be able to log out of your account and log back in with your Okta as an identity provider.
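A pre-flight check for the values configured in this guide, as an added example (not OVHcloud or Okta code): it parses a decoded SAML assertion that you captured yourself and reports mismatches in the Audience, the Recipient, the `upn` attribute and the groups, including the case that produces `Not in valid groups`. The function names, the sample assertion, the user and the group names are constructed for illustration; it assumes groups arrive under the `groups` name set in the Okta Group Attribute Statement, and it does not verify the XML signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
REGIONS = {  # region -> (Single sign-on URL, Audience URI), values from this guide
    "eu": ("https://www.ovhcloud.com/eu/auth/saml/acs", "https://www.ovhcloud.com/eu/auth/"),
    "ca": ("https://www.ovhcloud.com/ca/auth/saml/acs", "https://www.ovhcloud.com/ca/auth/"),
}

def attr_values(root, name):
    """Text values of every SAML attribute called `name`."""
    return [(v.text or "").strip()
            for a in root.iterfind(".//saml:Attribute", NS) if a.get("Name") == name
            for v in a.iterfind("saml:AttributeValue", NS)]

def check_assertion(xml_text, region, declared_groups, group_attr="groups"):
    """List the problems found in a decoded assertion (empty list = consistent)."""
    acs, audience = REGIONS[region]
    root = ET.fromstring(xml_text)
    problems = []
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if audience not in audiences:
        problems.append(f"Audience {audiences} does not include {audience}")
    recipients = [c.get("Recipient") for c in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if acs not in recipients:
        problems.append(f"Recipient {recipients} does not include {acs}")
    if not any(attr_values(root, UPN)):
        problems.append("upn attribute missing or empty")
    groups = attr_values(root, group_attr)
    if not set(groups) & set(declared_groups):  # no group declared on the OVHcloud account
        problems.append(f"groups {groups} match no declared group: expect 'Not in valid groups'")
    return problems

# Constructed sample assertion (unsigned, illustration only).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:SubjectConfirmation>
  <saml:SubjectConfirmationData Recipient="https://www.ovhcloud.com/eu/auth/saml/acs"/>
 </saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>https://www.ovhcloud.com/eu/auth/</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
   <saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="groups"><saml:AttributeValue>Intern</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

print(check_assertion(SAMPLE, "eu", {"Intern"}))
```

Pass the set of group names you declared in the `User groups` tab as `declared_groups`; an empty result means the assertion is consistent with the values entered on both sides.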

### Connecting via SSO

On the OVHcloud login page, enter your [login](/en/guides/account-and-service-management/account-information/ovhcloud-account-creation.md#what-is-my-nic-handle) followed by **/idp** without a password and click the `Login` button.

![Connection to OVHcloud federation](/images/account-and-service-management/account-information/ovhcloud-account-connect-saml-okta/ovhcloud_federation_login_1.png)

You are then redirected to your Okta login page. Enter the login and password for a user of your Okta, then click the `Sign in` button.

![OVHcloud Federation login Redirection Okta](/images/account-and-service-management/account-information/ovhcloud-account-connect-saml-okta/OKTA_login.png)

You are now logged in with the same customer ID, but through your Okta user.

![OVHcloud User Info Federation](/images/account-and-service-management/account-information/ovhcloud-account-connect-saml-okta/ovhcloud_user_infos_federation.png)
## Go further

[Creating an OVHcloud account](/en/guides/account-and-service-management/account-information/ovhcloud-account-creation.md)

[Securing my OVHcloud account and managing my personal information](/en/guides/account-and-service-management/account-information/all-about-username.md)

[Setting and managing your account password](/en/guides/account-and-service-management/account-information/manage-ovh-password.md)

[Securing your OVHcloud account with two-factor authentication](/en/guides/account-and-service-management/account-information/secure-ovhcloud-account-with-2fa.md)

[How to use IAM policies using the OVHcloud Control Panel](/en/guides/account-and-service-management/account-information/iam-policy-ui.md).

Join our [community of users](https://community.ovhcloud.com/).
