Skip to main content

Single sign-on (SSO)

Infracost Cloud supports authenticating with Enterprise SSO providers. It is important that all steps in this page are implemented to ensure users are automatically provisioned based on your SAML user groups, and they can login using your SSO provider.

Step 1: Setup SSO

Assuming you have already purchased Infracost Cloud, you can setup SSO by following these steps. Email support@infracost.io if you would like to enable SSO for proof-of-concept projects where many people are involved.

  1. Go to Infracost Cloud and sign up with your email and a password. You will delete this user after SSO is enabled.
  2. From the top dropdown menu, switch to your company organization or create a new organization for your company.
  3. Follow the applicable sections below to setup SSO, each option ends with you emailing us your SSO details.
    Microsoft Entra ID
    1. In the Infracost Cloud dashboard go to Org Settings and copy your Org ID. You will need to provide this to Infracost in a future step.
    2. Login to the Azure portal
    3. Go to Microsoft Entra ID > Enterprise applications
    4. Click New application
    5. Click Create your own application
    6. For the name enter Infracost Cloud
    7. Make sure 'Integrate any other application you don't find in the gallery (Non-gallery)' is selected.
    8. On the left select Single sign-on and select SAML
    9. Click Edit in the Basic SAML Configuration section.
    10. Click Add identifier and enter urn:auth0:infracost:YOUR_INFRACOST_ORG_ID
    11. Click Add reply URL and enter https://login.infracost.io/login/callback?connection=YOUR_INFRACOST_ORG_ID
    12. Click Save
    13. Download 'Certificate (Base64)'. You will need to provide this to Infracost.
    14. Copy the 'Login URL'. You will need to provide this to Infracost in the next step.
    Okta
    1. In the Infracost Cloud dashboard go to Org Settings and copy your Org ID. You will need to provide this to Infracost in a future step.
    2. Login to the Okta Admin dashboard
    3. Go to Applications > Applications
    4. Click Create App Integration
    5. Select SAML 2.0 and click Next.
    6. For the App name enter Infracost Cloud and click Next.
    7. For Single sign on URL enter https://login.infracost.io/login/callback?connection=YOUR_INFRACOST_ORG_ID

    8. For the Audience URL (SP Entity ID) enter urn:auth0:infracost:YOUR_INFRACOST_ORG_IDOkta Attribute Statements form
    9. Add the following for the Attribute Statements section and click Next.Okta Attribute Statements form
    10. Choose I'm an Okta customer adding an internal app and click Finish
    11. In the Sign on tab, scroll down to the SAML Signing Certificates section. On the right-hand side click the button to View SAML setup instructions.
    12. Copy the Identity Provider Single Sign-On URL and download the certificate.
    13. In the Okta Admin dashboard assign any users to the Infracost Cloud app. You can also add an Infracost button or icon to your SSO portal as we support IdP-Initiated logins from Okta too, save the following image to use for that:
    Google Workspace
    1. In the Infracost Cloud dashboard go to Org Settings and copy your Org ID. You will need this when setting up the SAML app in Google Workspace.
    2. Login to Google Workspace admin
    3. Go to Apps > Web and mobile apps
    4. Click Add app > Add custom SAML app
    5. For the App name enter Infracost Cloud
    6. Copy the SSO URL and download the Certificate. You will need to supply these to Infracost in a future step. Click Continue.
    7. In the ACS URL enter: https://login.infracost.io/login/callback?connection=YOUR_INFRACOST_ORG_ID
    8. In the Entity ID enter: urn:auth0:infracost:YOUR_INFRACOST_ORG_ID
    9. Tick Signed response
    10. For Name ID format choose UNSPECIFIED and for Name ID choose Basic Information > Primary email. The form should look like the following:Google Workspace Service Provider form
    11. Click Continue
    12. Add the following Attributes and click Finish:Google Workspace Service Provider form

SSO login notes

After SSO is configured:

  • SSO is enabled on your company domain name(s), such as acme-inc.com. So anyone who enters an email address that contains your company domain names in the Infracost log in page will be redirected to your SSO provider for authentication.
  • Once SSO is enabled, it becomes the only login method for your organization. Users removed from your SSO system will automatically lose access to Infracost Cloud.
  • You can invite users to your Infracost Cloud organization from the Org Settings > Members page. They will also need to be added to the corresponding group in your SSO provider so they can login.
  • If a user had already logged-in prior to SSO being enabled, on their first login after SSO is enabled, they will be asked to confirm if they want to link their login accounts. They must click Continue do this to be able to access your company's Infracost Cloud organization, otherwise a new empty organization will be created for them. If they skip this step, email support@infracost.io so we can assist you. Linking login accounts
  • For organizations using Okta: If users see the error "User is not assigned to this application" when signing in, it means they need to be added to the Okta Infracost app.

Step 2: SAML group mapping

Infracost uses SAML to provision users automatically based on your user groups. This allows you to manage access to Infracost Cloud by managing SAML groups in your SAML provider, instead of inviting users individually to your Infracost Cloud account. With SAML groups, users are automatically provisioned when they sign-in for the first time; their roles are updated every time they sign-in.

To enable this feature you should:

  1. Create SAML user groups in your SAML provider and put users in those groups. Infracost supports four roles (Viewer, Editor, Admin, Owner); we recommend two user groups to start with: Owner for people who manage Infracost, and Viewer for all engineers.

If you already have a SAML group that most engineers are part of (e.g. for GitHub), you should re-use that for the Infracost Viewer role. This enables them to see their repo's pre-existing issues and fix them.

Users that are part of multiple groups will get the highest role from their group. For example, if a user is part of the InfracostViewer and InfracostEditor groups, they'll get the Editor role.

If you have multiple organizations under an Infracost enterprise, the SAML groups can also be treated as global roles that span all orgs in the enterprise. For example, your engineering user group can be given the Viewer role, and your central FinOps team can be given the Owner role in all organizations that are part of your enterprise.

After enabling SAML, you can send us a custom support URL or email address. This will be shown to users who sign in with SSO but aren't part of your SAML user groups. It helps guide these users on how to follow your company's process to join the correct SAML group and access Infracost Cloud.

  1. Configure group claims in your SAML provider: The SAML assertion must include the relevant groups that the user belongs to, and it must be the group names that are sent, not the group IDs. The group claim field typically has one of these names:

    • groups
    • roles
    • memberOf
    • http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
    • http://schemas.microsoft.com/ws/2008/06/identity/claims/role

    Note the exact field name you configure as you'll need to provide this to Infracost in the next step.

    Details

    Microsoft Entra ID For Microsoft Entra ID, follow the Emit cloud-only group display name in token section in the Microsoft documentation. Specifically:

    • Set the Group Claims to 'Groups assigned to the application'
    • Set the Source Attribute to 'Cloud-only group display names'

Step 3: Email us key setup information

  1. Email us the following information:
Email template

To: support@infracost.io
Subject: Enable SSO & SAML
Body:

Please enable SSO & SAML groups for our organization.

  • Company name or Infracost Org ID: xxx

  • SSO service provider: [Microsoft Entra ID, Okta, Google Workspace, Other SAML Provider]

  • Identity Provider Single Sign-On URL: xxx
  • SSO domains (comma separated list of domains to enable for this SSO connection): xxx
  • The public certificate is attached: **Don't forget to attach it ;) **

  • SAML group role mapping:
    | SAML group name | Infracost Org slug | Infracost role |
    |-----------------|--------------------|----------------|
    | AllEngineers | my_org | Org Viewer |
    | InfracostEditor | my_org | Org Editor |
    | InfracostAdmin | my_org | Org Admin |
    | InfracostOwner | all orgs | Org Owner |

  • SAML Assertion Group attribute: [This typically has one of these names: groups, roles, memberOf, http://schemas.microsoft.com/ws/2008/06/identity/claims/groups, or http://schemas.microsoft.com/ws/2008/06/identity/claims/role]

  • If possible, an example of the SAML assertion that will be sent.

  • How I'd like this enabled (Select one):
    A. Let's schedule a 10 minute screenshare to test and enable together for the fastest setup. Here are a few convenient times: XXX
    B. Enable initial SSO to test, but continue to allow existing login methods while we confirm everything is working
    C. Fully enable now, then let me know it's ready to test (WARNING: If there's a misconfiguration in your settings, it could lock your users out temporarily)

Thanks!

  1. Once we receive your email, we will enable the SAML groups and reply back to you so you can verify that users are automatically provisioned correctly.

Org Admins and Owners will still be able to delete users from Infracost Cloud to cleanup old users from the Org Settings > Members page. However, if those users login again, their users will be auto-provisioned again. If users are removed from your SSO system, or SAML groups, they will not be able to login.

  1. In Infracost Cloud, go to Settings > Org Settings > Custom Support, and add an email address or a link to your internal wiki or chat channel. This should explain how team members can request access.

This message will appear to anyone who signs in with SSO but isn’t part of your SAML groups — so they won’t get access until you add them to the right group on your side.