Configure SAML or OIDC SSO with Google Workspace, Azure AD, AWS IAM Identity Center, Okta, and more
Single Sign-On lets your team authenticate to CloudThinker using your existing identity provider — no separate passwords, automatic user provisioning, and centralized deprovisioning when someone leaves.
SSO is available on Business and Enterprise plans. To get started, navigate to Organization Settings → Security → SSO and click Add Connection.
In the Azure Portal, go to Microsoft Entra ID → Enterprise applications → New application → Create your own application. Name it CloudThinker, select Integrate any other application you don’t find in the gallery, and click Create.
2. Set Up Single Sign-On
Open the new application → Single sign-on → SAML.
3. Enter Basic SAML Configuration
Click Edit on Basic SAML Configuration and fill in from CloudThinker’s SP Metadata:
Azure Field → CloudThinker Value
Identifier (Entity ID) → Paste the SP Entity ID
Reply URL (ACS URL) → Paste the ACS URL
Sign on URL → Same as ACS URL
Save.
4. Configure Attributes & Claims
In Attributes & Claims, confirm the emailaddress claim maps to user.mail. Optionally add:
firstName → user.givenname
lastName → user.surname
5. Download the Federation Metadata
In SAML Signing Certificate, download the Federation Metadata XML or copy:
App Federation Metadata URL (recommended — use this to auto-import into CloudThinker)
Certificate (Base64)
Login URL (SSO URL)
Azure AD Identifier (Entity ID)
6. Assign Users and Groups
Go to Users and groups → Add user/group and assign who should have access to CloudThinker.
7. Complete Setup in CloudThinker
In CloudThinker’s IdP Configuration step, use the Import field to paste the App Federation Metadata URL — this auto-fills all fields. Or enter the values manually, using the IdP Configuration field table below.
In the Okta Admin Console, go to Applications → Applications → Create App Integration → SAML 2.0.
2. General Settings
Name the app CloudThinker and click Next.
3. Configure SAML Settings
Fill in from CloudThinker’s SP Metadata:
Okta Field → CloudThinker Value
Single sign-on URL → Paste the ACS URL
Audience URI (SP Entity ID) → Paste the SP Entity ID
Name ID format → EmailAddress
Application username → Email
4. Add Attribute Statements
In Attribute Statements, add:
Name → Value
email → user.email
firstName → user.firstName
lastName → user.lastName
5. Get IdP Metadata
After saving, go to the app’s Sign On tab → SAML Signing Certificates section → click Actions → View IdP metadata to get the metadata XML URL. Or copy directly:
Identity Provider Single Sign-On URL
Identity Provider Issuer
X.509 Certificate
6. Assign People or Groups
Go to the Assignments tab and assign users or groups who should have access.
7. Complete Setup in CloudThinker
In CloudThinker’s IdP Configuration step, paste the Okta metadata URL into the Import field, or enter the values manually using the IdP Configuration field table below.
After creating the SAML app in your IdP, return to CloudThinker and complete the IdP Configuration step:
Field → Where to find it
Display Name → Choose any label (e.g., “Okta SAML”)
Entity ID → Your IdP’s entity identifier (sometimes called “Issuer”)
SSO URL → Your IdP’s single sign-on endpoint URL
Certificate → The X.509 signing certificate from your IdP (base64-encoded)
SLO URL → (Optional) Single logout endpoint — only needed if you want users logged out of the IdP when they sign out of CloudThinker
NameID Format → Leave as “Email Address” unless your IdP requires a different format
If your IdP provides a metadata URL or XML file, use the Import field at the top to auto-fill Entity ID, SSO URL, and Certificate — this saves time and avoids copy-paste errors.
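The import step above is, in effect, a parse of the IdP’s federation metadata XML. The following Python is an added example (not CloudThinker’s own import code) of what that parse has to extract and normalize: the entity ID, the SSO and SLO endpoints, and the signing certificate re-wrapped with the BEGIN/END headers the Certificate field expects. The metadata document and certificate body are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Namespaces used by SAML federation metadata and XML-DSig key info.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample IdP metadata; the certificate body is placeholder base64, not a real cert.
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml/issuer">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      MIIBfakeCERTbodyFORexampleONLYnotAREALcertificate0123456789abcdefghij
      klmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/AAAAAAAAAAAA==
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/slo"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""
def pem_wrap(raw: str) -> str:
    """Strip whitespace from the metadata's bare base64 and add the
    BEGIN/END headers a certificate field expects, 64 chars per line."""
    body = re.sub(r"\s+", "", raw)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----"

def parse_idp_metadata(xml_text: str) -> dict:
    """Return entity_id, sso_url, slo_url and a PEM certificate from IdP metadata XML."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.get("entityID") is None or idp is None:
        raise ValueError("not IdP metadata: missing entityID or IDPSSODescriptor")
    def endpoint(tag):  # prefer the HTTP-Redirect binding, else the first listed
        svcs = idp.findall(f"md:{tag}", NS)
        for s in svcs:
            if s.get("Binding") == REDIRECT:
                return s.get("Location")
        return svcs[0].get("Location") if svcs else None
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None:  # some IdPs omit use="signing"; accept an unlabelled key
        cert = idp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not (cert.text or "").strip() or endpoint("SingleSignOnService") is None:
        raise ValueError("metadata lacks a signing certificate or SingleSignOnService")
    return {"entity_id": root.get("entityID"), "certificate": pem_wrap(cert.text),
            "sso_url": endpoint("SingleSignOnService"), "slo_url": endpoint("SingleLogoutService")}
```

When the IdP rotates its certificate, re-running this parse against the metadata URL yields the new PEM to paste into the SSO settings.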
In Azure Portal → Microsoft Entra ID → App registrations → New registration. Name it CloudThinker. Under Redirect URI, select Web and paste the redirect URI from CloudThinker’s OIDC SP Metadata.
2. Create a Client Secret
Go to Certificates & secrets → New client secret. Copy the Value immediately — it won’t be shown again.
Once verified, you can require all users to authenticate via SSO:
Go to Organization Settings → Security → SSO
Toggle Enforce SSO on
Users will be redirected to your IdP on next login — email/password login is disabled
Make sure at least one Owner account works with SSO before enforcing it. If SSO breaks after enforcement, an Owner with a backup access method can disable it.
CloudThinker auto-provisions users on first SSO login using the email, firstName, and lastName attributes from your IdP. New users are assigned the Developer role by default — you can change this in SSO settings.
Double-check that the ACS URL you entered in your IdP exactly matches what CloudThinker shows — including protocol (https://) and no trailing slash.
Attributes not mapping (name shows as email)
Confirm your IdP is sending firstName and lastName attributes. See the attribute mapping table for your provider above.
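The auto-provisioning described above and this symptom are two sides of the same attribute mapping. The Python below is an added example (not CloudThinker’s provisioning code; the exact claim names it accepts are an assumption) that reads the AttributeStatement of an assertion, matches Azure AD’s default URI-style claims and Okta’s short names to email/firstName/lastName, and shows why a missing name pair makes the display name fall back to the email. Both assertions are constructed samples.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Canonical keys and the claim names they may arrive under: Azure AD's default claims are
# full URIs ending in emailaddress/givenname/surname; Okta and the optional Azure claims
# above use the short names email/firstName/lastName. Matching is on the last URI segment.
ALIASES = {"email": {"email", "emailaddress", "mail"},
           "firstName": {"firstname", "givenname"},
           "lastName": {"lastname", "surname"}}

# Constructed sample assertions (AttributeStatement only, signature omitted).
AZURE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:AttributeStatement>
 <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
  <saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
 <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
  <saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
 <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
  <saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""
# Okta app with no Attribute Statements for firstName/lastName: only email arrives.
OKTA_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:AttributeStatement><saml:Attribute Name="email">
  <saml:AttributeValue>grace@example.com</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""

def canonical_key(name: str):
    """Map a claim name, short or URI-style, to email/firstName/lastName (None if unknown)."""
    short = name.rsplit("/", 1)[-1].lower()
    return next((k for k, names in ALIASES.items() if short in names), None)

def extract_attributes(assertion_xml: str) -> dict:
    """Collect the provisioning attributes from an assertion's AttributeStatement."""
    found = {}
    for attr in ET.fromstring(assertion_xml).iterfind(".//saml:Attribute", NS):
        key = canonical_key(attr.get("Name", ""))
        value = attr.findtext("saml:AttributeValue", default="", namespaces=NS).strip()
        if key and value and key not in found:
            found[key] = value
    return found

def provision_user(attrs: dict, default_role: str = "Developer") -> dict:
    """Build the user record created on first SSO login. Without firstName and lastName
    the display name falls back to the email, which is the 'name shows as email' symptom."""
    if "email" not in attrs:
        raise ValueError("no email attribute in assertion; cannot provision the user")
    full_name = " ".join(p for p in (attrs.get("firstName"), attrs.get("lastName")) if p)
    return {"email": attrs["email"], "display_name": full_name or attrs["email"],
            "role": default_role}
```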
Certificate validation error
Make sure you copied the full X.509 certificate including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- headers. If your IdP rotated its certificate, update it in CloudThinker’s SSO settings.
Users can't log in after SSO enforcement
An Owner can disable SSO enforcement at Organization Settings → Security → SSO using their backup credentials. Check the IdP app is assigned to all affected users.
'Audience mismatch' or 'Entity ID mismatch'
The SP Entity ID in your IdP must exactly match the SP Entity ID shown in CloudThinker’s SP Metadata — they are case-sensitive.