Skip to navigationSkip to main contentSkip to footerScaleway DocsAsk our AI
Ask our AI
Log inSign up

How to set up identity federation

Scaleway supports Identity Federation to provide your teams with secure access to their accounts via Single Sign-On (SSO). Depending on your organization’s requirements, you can use either built-in OAuth2 providers or configure SAML for centralized identity management.

Important

SAML SSO login is in Early Access. This means that currenttly, only a few Organizations can access and test the feature.

FeatureOAuth2SAML
AvailabilityEnabled by default for all organizationsAvailable, but requires setup
Supported ProvidersGoogle, GitHubAny SAML-compatible Identity Provider
Setup RequiredNoYes — must be configured by an IAM admin
User AccessAny Scaleway member whose email is verified with Google or GitHubOnly users explicitly defined in the Identity Provider
Centralized ManagementNoYes — manage users from your Identity Provider
Important

Keep in mind that:

  • OAuth2 logins are automatically disabled when SAML is configured. If SAML is not set up, members can continue to use Google or GitHub for SSO.
  • SSO with SAML does not apply to an Organization's Owner. Owners can log in with SSO with OAuth2.

Follow the steps below to set up Identity Federation for your Organization through SAML at Scaleway.

Before you start

To complete the actions presented below, you must have:

  • A Scaleway account logged into the console
  • Owner status or IAM permissions allowing you to perform actions in the intended Organization
  • An Identity Provider (IdP) configured in your company, making sure it includes all users who need to access Scaleway. Some examples of IdPs:
    • Okta
    • OneLogin
    • Microsoft Entra ID (prev. Azure AD)
    • PingIdentity
    • Google Workspace

How to set up a SAML connection

  1. Go to your security settings.

  2. Scroll to the Identity Federation section.

  3. Click Set up SSO. A pop-up appears.

  4. Copy the URLs displayed in the pop-up.

    The information in the first step are the URLs referring to Scaleway that will be requested by your Identity Provider to create a link between platforms. They are:

    • The assertion consumer service (ACS) URL, and
    • Scaleway's entity ID

  5. Click Next.

  6. Enter the requested URLs in their respective boxes.

    This is the information referring to your Identity Provider that Scaleway needs to confirm the connection. It can be found in your IdP's configuration page. They are:

    • Single Sign-On URL - This is the URL your members will be redirected to when logging in with SAML
    • The Identity Provider's Entity ID

  7. Click Confirm.

  8. Enter the signing certificate generated by your Identity Provider in the box.

    Important

    Keep in mind that:

    • Only base64-encoded certificates are supported.
    • The certificate must have an expiration date.
    • Your certificate entry must start with: 
      -----BEGIN CERTIFICATE-----
      And end with: 
      -----END CERTIFICATE-----
    Note

    You can close the Identity Provider pop-up without adding the certificate right away. The certificate can be added at a later time. However, while the certificate is not added, the connection between Scaleway and your Identity Provider will not be complete and the SSO feature will not work for your Organization members.

  9. Click Complete setup.

Once setup is complete, members can log in via SAML.

Tip

You can test the connection by creating a member and logging in with the new member account.

Important

Keep in mind that:

  • Members need to already have been created manually in Scaleway to log in.
  • If you delete a user in the IdP, the corresponding Member is not automatically deleted in your Scaleway Organization. The deletion must happen manually.

How to update the connection configuration

If you change your Identity Provider, you will need to re-configure your SAML connection.

  1. Go to your security settings.
  2. Scroll to the Identity Federation section.
  3. Click Edit configuration. A pop-up appears.
  4. (Optional) Replace the Identity Provider's Single Sign-On URL and Entity ID with the information of your new one.
  5. Click Confirm.

How to add a certificate

If you started the connection set up, but did not add a certificate right away, you can add it after. While the certificate is not added, the connection between Scaleway and your Identity Provider will not be complete and the SSO feature will not work for your Organization members.

  1. Go to your security settings.
  2. Scroll to the Identity Federation section.
  3. Click + Add certificate. A pop-up appears.
  4. Enter the signing certificate generated by your Identity Provider in the box.
  5. Click Confirm.

How to renew a certificate

You must regularly update your signing certificate in the frequency set by your Identity Provider. To renew a certificate:

  1. Go to your security settings.
  2. Scroll to the Identity Federation section.
  3. Click Renew certificate. A pop-up appears.
  4. Enter the signing certificate generated by your Identity Provider in the box.
  5. Click Confirm.

How to delete a connection

  1. Go to your security settings.
  2. Scroll to the Identity Federation section.
  3. Click Delete SSO.
    Important

    A pop-up appears to warn you that:

    • Deleting the connection will also delete your identity federation configuration and disable SAML-based SSO connections, preventing Members from logging in via this method. You can reconfigure identity federation at any time.
  4. Type DELETE in the box to confirm.
  5. Click Delete.
See Also
How to enforce security requirements for MembersHow to create an application
Still need help?

Create a support ticket
No Results