Single Sign-On

Updated on September 18, 2024

Your corporate login system can be integrated with Vultr's account system by using the Single Sign-On (SSO) feature. SSO helps simplify password management when managing accounts, which is useful for organizations that have employees or contractors.

Just want to log in? Visit the SSO login page.

How it works

SSO is managed on your main Vultr account. Once enabled, account users will authenticate through your SSO provider. Your main Vultr account is used to create account users and grant them permissions. Password login for your account users is disabled. To log in, your account users must access the SSO login page, enter their email address, then log in through your organization.

Compatibility

SSO on Vultr is made available through OpenID Connect, so your login provider must be compatible with OpenID Connect. Example compatible services include:

Other authentication technologies, such as SAML, are not currently supported.

Enabling SSO with OpenID

Log into the main Vultr account that you want to use to manage SSO. Navigate to the Account/Users page. Follow the wizard in the "Single Sign-On" area.

You will need to provide the following pieces of information:

  • OpenID Provider URL
  • OpenID Client ID
  • OpenID Client Secret

Example Integration with Okta

  • Sign into your Okta Admin panel.
  • Under Applications, click on "Add Application", then "Create New App".
  • Select "Web" as the Platform, and "OpenID Connect" as the "Sign on method".
  • Enter https://my.vultr.com/openid/ as both the "Login redirect URI" and "Logout redirect URI".
  • Click Save.
  • Make sure to assign your users to the application via the "Assignments" tab.
  • Save the Client ID and Client secret from the General tab.

Next, return to the Account/Users page on Vultr and begin the SSO setup.

  • OpenID Provider URL: https://<yourdomain>.okta.com/
  • OpenID Client ID: <Client ID>
  • OpenID Client Secret: <Client Secret>

Click "Enable SSO". Account users can now log in on the SSO login page.

Example Integration with OneLogin

Create a OneLogin Application:

  • Log in to your OneLogin Admin panel.
  • Go to Applications and select Applications.
  • Click Add APP.
  • Enter the OpenId Connect keyword in the search box.
  • Customize your App display name, icons and descriptions and click SAVE at the top. A new left navigation menu appears.
  • Click Configuration.
    • Enter https://my.vultr.com/openid/ in the Login Url, Redirect URL, and Post Logout Redirect URIs textboxes.
  • Click SSO.
    • Copy the Client ID, Client Secret and Issuer URL. You must click Show client secret to display the value.
    • Select POST under Token Endpoint Authentication Method.
  • Save the App.

Create a OneLogin User:

  • Navigate to Users and select Users. Then click New User.
  • Enter the First name, Last name, and Email.
  • Click Save User. A new navigation menu appears.
  • Select Applications and click the + to assign an application to the user.
  • Select the OpenId Connect App you created earlier and click Continue, then click Save.

Set Up OneLogin SSO Details:

  • Log in to the Vultr Customer Portal and navigate to the Account/Users page.
  • Click Add New User to create a new user account that matches the OneLogin user you created earlier.
  • Click Begin Setup under Single Sign-On and enter the following details to set up SSO:
    • OpenID Provider URL: Your_OneLogin_Issuer_Url. For example, https://sample.onelogin.com/oidc/2
    • OpenID Client ID: your_onelogin_client_id
    • OpenID Client Secret: your_onelogin_client_secret
    • Click Enable SSO.

You can now use your OneLogin user account to log in to Vultr through the SSO Login page.

Example Integration with Google Accounts

Google Accounts will allow you to use Gmail addresses for your account users. Your users must not have previously signed up to Vultr with their Gmail address, otherwise adding them as an account user will not work.

First, you'll need to set up OpenID Connect on Google.

  • Sign into the Google API Console.
  • Create a project in Google Cloud. We'll call it "Vultr Login".
  • Navigate to the "APIs" / "Credentials" section.
  • Create credentials for a new "OAuth client ID".
  • You will be prompted to give your application a name on the OAuth consent screen. This name is shown upon login.
  • Resume creating credentials for a new "OAuth client ID".
  • For "Application Type", choose "Web Application". You will be prompted for several fields.
  • Authorized JavaScript origins:
    • https://my.vultr.com
  • Authorized redirect URIs:
    • https://my.vultr.com/
    • https://my.vultr.com/openid/
  • Jot down the "Client ID" and "Client Secret" provided by Google.

If needed, additional documentation from Google is available here.

Next, return to the Account/Users page on Vultr and begin the SSO setup.

  • OpenID Provider URL: https://accounts.google.com/
  • OpenID Client ID: <Client ID>
  • OpenID Client Secret: <Client Secret>

Click "Enable SSO". Account users on your account with email addresses ending in "@gmail.com" can now log in on the SSO login page.

Example Integration with Azure AD

  • Sign in to Azure and go to "Azure Active Directory"
  • Go to the "Overview" of your Default Directory
    • Go to "App Registration" (Link located in footer of "Overview")
      • Name it something along the lines of "Vultr SSO"
      • Set the Redirect URI to https://my.vultr.com/openid/
      • Click "Register"
  • Now in your newly registered Application
    • Navigate to "Authentication"
      • Set Logout URL to https://my.vultr.com/openid/ and Save
    • Navigate To "Branding"
      • Set Home page URL to https://my.vultr.com/sso
      • (Optional) Set Terms of Service URL to https://www.vultr.com/legal/tos/
      • (Optional) Set Privacy Statement URL to https://www.vultr.com/legal/privacy/
      • Save
    • Navigate To API Permissions
      • Click "Add Permission"
      • Click "Microsoft Graph"
      • Click "Delegated Permissions"
        • Type "Directory" in search field and check "Directory.Read.All"
        • Type "Group" in search field and check "Group.Read.All"
        • Type "User" in search field and check "User.Read"
        • Type "email" in search field and check "email"
        • Type "offline_access" in search field and check "offline_access"
        • Type "openid" in search field and check "openid"
        • Type "profile" in search field and check "profile"
        • Click "Add Permissions"
      • Click "Grant Admin Consent for Vultr" (might not show up until we set up Vultr)
      • Navigate To "Certificates & secrets"
        • Click "New Client Secret"
          • Name it something along the lines of "SSO"
          • Set Expiration to whichever suits your use case best
          • Click "Add"
        • The secret key for the new client secret will only be available this once. Please temporarily copy it to a text file
      • Navigate To "Overview"
        • Temporarily Copy "Application (client) ID" to a text file
        • Temporarily Copy "Directory (tenant) ID" to a text file
  • Log in to Vultr
    • Navigate to "Account"
    • Navigate To "Users"
    • In the "Single Sign-On" Form
      • Set "OpenID Provider URL" to https://login.microsoftonline.com/DIRECTORY_ID_GOES_HERE
        • Replace DIRECTORY_ID_GOES_HERE with the "Directory (tenant) ID" you copied to the temporary text file earlier
      • Set "OpenID Client ID" to the "Application (client) ID" you copied to the temporary text file earlier
      • Set "OpenID Client Secret" to the "Client Secret" you copied to the temporary text file earlier
      • Enable SSO
    • In the "Users" Form
      • Click the "Add New User" Button
        • Add a user from your Active Directory into the Add New User form to allow this user to log in to Vultr
  • Back In "Azure Active Directory"
    • Navigate to Your Vultr SSO App if you're not already there
      • Navigate To "API permissions"
        • Click "Grant Admin Consent for Vultr" (might not be there if permissions were already granted)
  • You're done! Users will need to log in using the SSO page. Only users added under Account/Users can access via SSO.