How to set up identity federation

Reviewed on November 24, 2025

Scaleway supports Identity Federation to provide your teams with secure access to their accounts via Single Sign-On (SSO). Depending on your organization’s requirements, you can use either built-in OAuth2 providers or configure SAML for centralized identity management.

Feature	OAuth2	SAML
Availability	Enabled by default for all organizations	Available, but requires setup
Supported Providers	Google, GitHub	Any SAML-compatible Identity Provider
Setup Required	No	Yes — must be configured by an IAM admin
User Access	Any Scaleway member whose email is verified with Google or GitHub	Only users explicitly defined in the Identity Provider
Centralized Management	No	Yes — manage users from your Identity Provider

Important

Keep in mind that:

Each authentication method (SAML SSO, OAuth2 SSO, authentication code, password) can be enabled or disabled inside the Organization. Members can only authenticate using methods that an IAM admin has enabled.
SSO with SAML does not apply to an Organization's Owner. Owners can log in with SSO with OAuth2.

Follow the steps below to set up Identity Federation for your Organization through SAML at Scaleway.

Before you start

To complete the actions presented below, you must have:

A Scaleway account logged into the console
Owner status or IAM permissions allowing you to perform actions in the intended Organization
An Identity Provider (IdP) configured in your company, making sure it includes all users who need to access Scaleway. Some examples of IdPs:
- Okta
- OneLogin
- Microsoft Entra ID (prev. Azure AD)
- PingIdentity
- Google Workspace
- Authentik

How to set up a SAML connection

Go to your security settings.
Scroll to the Configure Identity Federation section.
Click Set up SAML SSO. A pop-up appears.
Copy the URLs displayed in the pop-up.

The information in the first step are the URLs referring to Scaleway that will be requested by your Identity Provider to create a link between platforms. They are:
- The assertion consumer service (ACS) URL, and
- Scaleway's entity ID
Click Import identity provider data.
Upload your identity provider metadata. Most identity providers supply an XML file export of your configuration. You can upload this file to automatically set up SAML.
Important
Alternatively, you can click Set up manually to manually enter the IdP's metadata. This is the information referring to your Identity Provider that Scaleway needs to confirm the connection. It can be found in your IdP's configuration page. The metadata includes:

Single Sign-On URL - This is the URL your members will be redirected to when logging in with SAML

The Identity Provider's Entity ID
Click Submit.
Enter the signing certificate generated by your Identity Provider in the box.
Important
Keep in mind that:

Only base64-encoded certificates are supported.

The certificate must have an expiration date.

Your certificate entry must start with:
-----BEGIN CERTIFICATE-----
And end with:
-----END CERTIFICATE-----
Note
You can close the Identity Provider pop-up without adding the certificate right away. The certificate can be added at a later time. However, while the certificate is not added, the connection between Scaleway and your Identity Provider will not be complete and the SSO feature will not work for your Organization members.
Click Complete set up.

Once setup is complete, members can log in via SAML.

Tip

You can test the connection by creating a member and logging in with the new member account.

Important

Keep in mind that:

User mapping between Scaleway and the Identity Provider must be done on the user name. When testing the connection, if an error persists about the user not existing in Scaleway, make sure your Identity Provider is mapping the user on their user name
Members need to already have been created manually in Scaleway to log in.
If you delete a user in the IdP, the corresponding Member is not automatically deleted in your Scaleway Organization. The deletion must happen manually.

How to update the connection configuration

If you change your Identity Provider, you will need to re-configure your SAML connection.

Go to your security settings.
Scroll to the Identity Federation section.
Click Edit configuration. A pop-up appears.
(Optional) Replace the Identity Provider's Single Sign-On URL and Entity ID with the information of your new one.
Click Confirm.

How to add a certificate

If you started the connection set up, but did not add a certificate right away, you can add it after. While the certificate is not added, the connection between Scaleway and your Identity Provider will not be complete and the SSO feature will not work for your Organization members.

Go to your security settings.
Scroll to the Identity Federation section.
Click + Add certificate. A pop-up appears.
Enter the signing certificate generated by your Identity Provider in the box.
Click Confirm.

How to renew a certificate

You must regularly update your signing certificate in the frequency set by your Identity Provider. To renew a certificate:

Go to your security settings.
Scroll to the Identity Federation section.
Click Renew certificate. A pop-up appears.
Enter the signing certificate generated by your Identity Provider in the box.
Click Confirm.

How to delete a connection

Go to your security settings.
Scroll to the Identity Federation section.
Click Delete SSO.
Important
A pop-up appears to warn you that:

Deleting the connection will also delete your identity federation configuration and disable SAML-based SSO connections, preventing Members from logging in via this method. You can reconfigure identity federation at any time.
Type DELETE in the box to confirm.
Click Delete.