Cloud Console authentication

Cloud Console supports authentication using either basic authentication or SAML authentication.

Basic authentication

Cloud Console supports native authentication using email and password login credentials. This type of basic authentication must be used alongside multi-factor authentication (MFA). Users logging in with basic authentication must set up MFA through an authenticator app such as Authy, Duo Mobile, Okta Verify, Google Authenticator, or Microsoft Authenticator.

Basic authentication requires no admin configuration and users can create their own accounts.

SAML authentication

Cloud Console uses service provider (SP)-initiated SSO authentication and supports identity providers (IdPs) that use Security Assertion Markup Language (SAML) 2.0. Cloud Console admins can create a SAML connection from the SSO tab of the Installations page.

Add a SAML connection

Note

Before creating a new SSO configuration in Cloud Console, you must first create an app registration, or equivalent concept, in your IdP.

You need the following information when adding a new Cloud Console SAML connection:

Setting: Name
    Description: A name for the SAML connection. This value doesn’t correspond to a value in your IdP configuration.
    Value: Any descriptive name, such as [your company name]-[your IdP name]-saml. Connection names can contain only alphanumeric characters and dashes, must start and end with an alphanumeric character, and can be up to 64 characters long.

Setting: Sign in URL
    Description: The URL where users are redirected to log in to your IdP.
    Value: The sign-in URL of your app registration. Also called the identity provider login URL, IdP SSO URL, or similar.

Setting: Domain Aliases
    Description: Your company’s email domain. When a user first attempts to sign up for Cloud Console and enters their email address, if their domain matches a listed domain alias they’re redirected to the IdP to complete SSO authentication. You can list multiple domain aliases.
    Note: After enabling SSO authentication, any existing users with an email address using a listed domain are redirected to your IdP to complete authentication. Any existing users with email addresses with unlisted domains can’t log in through SSO but can continue to log in using basic authentication. Any new users with email addresses with unlisted domains can’t use SSO but can sign up and log in using basic authentication.
    Value: Your corporate email domain, such as instabase.com or company.ca.

Setting: x.509 Certificate
    Description: The signing certificate that authenticates the response. This certificate is typically available to download from your IdP as a .pem file.
    Value: The contents of your x.509 signing certificate. Include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
    Note: If copying the contents of the certificate directly from an XML file, do not include any XML tags, and surround the certificate value with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

To add a new SAML connection:

  1. Open Cloud Console.

  2. On the Installations page, select the SSO tab.

  3. Click Create new SAML connection.

  4. In the Name field, define a name for the connection.

  5. In the Sign in URL field, enter the sign-in URL of your app registration.

  6. In the Domain Aliases field, enter your corporate email domain.

  7. (Optional) To add additional domain aliases, click Add Additional Alias and enter the alias in the new input field. Repeat as needed.

  8. In the x.509 Certificate field, paste the contents of the x.509 certificate from the .pem file or from your IdP metadata XML. Ensure the certificate contents are surrounded with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

  9. Click Create.

  10. From the SAML connections list, turn on the toggle for the connection you added.

  11. In your IdP, complete the app registration configuration using the values that display in the confirmation dialog, Audience and Post-back URL.

    Info

    The Audience value is also often called the SAML SP entity ID, entity ID, audience URI, audience restriction, or similar. The Post-back URL is also often called the assertion consumer service (ACS) URL, reply URL, application callback URL, single sign on URL, or similar.

  12. In the confirmation dialog, click Enable.
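
The two values in this procedure that are easiest to get wrong are the connection name and the certificate pasted from IdP metadata XML. The following is an added example, not Cloud Console or Instabase code: it checks a name against the rule in the settings table and turns the X509Certificate element of a SAML metadata document into the PEM text the x.509 Certificate field expects. The function names, the sample metadata, and the idp.example.com entity ID are assumptions made for illustration.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
# Name rule from the settings table: alphanumerics and dashes only,
# alphanumeric first and last character, at most 64 characters.
NAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,62}[A-Za-z0-9])?")

# Constructed sample input: placeholder bytes standing in for a DER certificate.
SAMPLE_DER = b"constructed placeholder bytes, not a real certificate " * 3
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
{base64.encodebytes(SAMPLE_DER).decode()}      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def valid_connection_name(name):
    return NAME_RE.fullmatch(name) is not None


def signing_cert_pem(metadata_xml):
    """Return (pem_text, sha256_hex) for the signing certificate in IdP metadata."""
    # Parse only metadata downloaded from your own IdP; the stdlib parser
    # is not hardened against hostile XML.
    root = ET.fromstring(metadata_xml)
    for kd in root.iter(MD + "KeyDescriptor"):
        # A KeyDescriptor without a "use" attribute covers signing too.
        if kd.get("use", "signing") != "signing":
            continue
        node = kd.find(".//" + DS + "X509Certificate")
        if node is None or not node.text:
            continue
        b64 = "".join(node.text.split())            # drop line breaks and indentation
        der = base64.b64decode(b64, validate=True)  # rejects stray non-base64 characters
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        pem = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
        return pem, hashlib.sha256(der).hexdigest()
    raise ValueError("no signing X509Certificate element found")


if __name__ == "__main__":
    pem, fingerprint = signing_cert_pem(SAMPLE_METADATA)
    print(pem, "SHA-256: ", fingerprint, sep="")
```

Compare the printed SHA-256 value with the certificate fingerprint your IdP displays before pasting the PEM text, so that the connection trusts the certificate you intended.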

Edit a SAML connection

To edit a SAML connection:

  1. Open Cloud Console.

  2. On the Installations page, select the SSO tab.

  3. Locate the SAML connection to edit in the SAML connections list.

  4. Click the Edit (notepad) icon.

  5. Update the connection configuration as needed.

  6. In the confirmation dialog, click Disable.

Disable or delete a SAML connection

If you no longer want to use a SAML connection, you have two options: disable the connection or delete the connection. Disabling a SAML connection keeps the configuration in Cloud Console but disables the connection itself. Deleting a SAML connection removes both the connection and its configuration.

Note

After disabling or deleting a SAML connection, existing users with an email address containing a domain listed in the removed connection might lose Cloud Console access. Users can register a new account using basic authentication (email and password credentials with enforced multi-factor authentication), using the same email address.

To disable a SAML connection:

  1. Open Cloud Console.

  2. On the Installations page, select the SSO tab.

  3. Locate the SAML connection to disable in the SAML connections list.

  4. Turn off the toggle for the connection.

  5. Click Confirm.

To delete a SAML connection:

  1. Open Cloud Console.

  2. On the Installations page, select the SSO tab.

  3. Locate the SAML connection to delete in the SAML connections list.

  4. Click the Delete (trash can) icon.

  5. Click Confirm.