  1. Introduction
  2. Okta Integration with Google Federated Login
  3. Provisioning and Deprovisioning
  4. Summary

Introduction

cloudHQ uses OAuth2 and OpenID Connect (OIDC) for user authentication. It mainly uses Google Workspace and Microsoft 365 OpenID Connect as its identity providers.

If you have a Microsoft 365 or Google Workspace setup, you can log in by default with:

  1. Google OpenID Connect (OIDC)
  2. Microsoft 365 OpenID Connect

Users are authenticated using their sessions with these identity providers. For Google accounts, cloudHQ checks your identity using Google’s authentication tokens, not SAML or custom SSO systems.

Okta Integration with Google Federated Login

cloudHQ does not support direct SAML integration with Okta or similar providers.
Instead, you can use Okta as a federated login provider for Google Workspace. This setup works as follows:

  1. The user logs in to Okta, and Okta signs the user in to their Google Workspace account (or Microsoft 365 account).
  2. After the user is signed in to Google (via Okta), they can access cloudHQ.
  3. cloudHQ then gets OAuth2 tokens from Google to confirm the user’s identity and grant access.

In short:

“A user can only log into cloudHQ if they are also logged into their Google Account (or Microsoft 365 account), which may be accessed through Okta or a similar system.”

Provisioning and Deprovisioning

cloudHQ requires users to have a valid Google Workspace account. Here is how deprovisioning and provisioning of users work:

  • Deprovisioning: If you delete a user from Google Workspace, their cloudHQ account will be automatically disabled but not deleted. You still need to delete the user from the cloudHQ admin console yourself.
  • Provisioning: If you add a user to Google Workspace, their cloudHQ account will NOT be created. You will need to manually add the user in cloudHQ as needed.
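Because neither direction is fully automatic, a periodic comparison of the two user lists shows which cloudHQ accounts still need manual removal. The script below is an added example, not cloudHQ's own tooling: it assumes you have both user lists as CSV text with an `email` column (plus a `status` column on the Workspace side), and these column names and the sample rows are constructed. Treating suspended Workspace users the same as deleted ones is a choice made here that goes beyond what this page states.

```python
import csv
import io

def _load(csv_text):
    """Map normalized email -> row for a CSV that has an 'email' column."""
    rows = csv.DictReader(io.StringIO(csv_text.strip()))
    return {r["email"].strip().lower(): r for r in rows if r.get("email")}

def reconcile(workspace_csv, cloudhq_csv):
    """Compare the two user lists.

    stale:   cloudHQ accounts with no active Workspace user behind them
             (deleted or suspended upstream); remove these by hand.
    missing: active Workspace users with no cloudHQ account; add as needed.
    """
    workspace = _load(workspace_csv)
    cloudhq = _load(cloudhq_csv)
    active = {email for email, row in workspace.items()
              if (row.get("status") or "").strip().lower() == "active"}
    stale = sorted(e for e in cloudhq if e not in active)
    missing = sorted(e for e in active if e not in cloudhq)
    return {"stale": stale, "missing": missing}

# Constructed sample data (assumed column names, not a real export format).
WORKSPACE_CSV = """
email,status
alice@example.com,Active
Bob@Example.com,Suspended
dave@example.com,Active
"""

CLOUDHQ_CSV = """
email,role
alice@example.com,admin
bob@example.com,user
carol@example.com,user
"""

if __name__ == "__main__":
    result = reconcile(WORKSPACE_CSV, CLOUDHQ_CSV)
    for email in result["stale"]:
        print("remove from cloudHQ admin console:", email)
    for email in result["missing"]:
        print("no cloudHQ account (add if needed):", email)
```

Email addresses are compared case-insensitively, so `Bob@Example.com` in one list matches `bob@example.com` in the other.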

Summary

  • Direct Okta SAML integration: ❌ Not supported.
  • Okta via Google Workspace federated login: ✅ Supported.
  • Login requirements for cloudHQ: Must be authenticated via Google (or another OIDC provider such as Microsoft 365), and Okta can serve as the initial authentication layer to Google.
  • Deprovisioning: When a user is deprovisioned from Google Workspace, they will automatically be disabled in cloudHQ. However, they need to be manually removed via the cloudHQ admin console.
  • Provisioning: When a user is provisioned in Google Workspace, they will NOT be provisioned in cloudHQ. The user needs to be manually added as needed via the cloudHQ admin console.