SSO
Single Sign-On
CloudBilling supports Single Sign-On (SSO) and Single Sign-Out through OpenID Connect (OIDC). Contact support to set up SSO for your environment.
After setting up SSO, you can point your users to the URL specific to your tenant (e.g. https://app.cloudbilling.nl/AcmeCorp). If the user is not signed in, we will redirect them to the IdP.
Client Application
To set up SSO, we need some information from your identity provider (IdP). This is usually available through the configuration portal of your IdP when you register a new application.
- Client Identifier: the authorisation server issues the registered client a client identifier, a unique string representing the registration information provided by the client.
- Issuer Identifier: a verifiable identifier for an issuer, a case-sensitive URL. Sometimes also called Authority.
When setting up the client application, you configure your IdP with the following parameters (we provide you the value for [ID]):
- Redirect URI: https://app.cloudbilling.nl/SSO/OIDC/[ID]/Callback
- Logout URI: https://app.cloudbilling.nl/SSO/OIDC/[ID]/SignOut
We use the implicit flow and accept the token returned either by form post or in the query string. We request the scope openid profile email.
User permissions are defined through application roles. Within CloudBilling you create the User Groups as desired. Then using the roles claim, assign users to one or more user groups by passing the user group’s ID as the role. This allows for fine-grained permission control from within the IdP. These role assignments can be dynamic, as we apply the new roles on each following sign in or token renewal.
Claims
Besides the normal claims as part of the OIDC token, CloudBilling requires the following claims:
| Name | Format | Description |
|---|---|---|
| sub | String | The principal about which the token asserts information: the user. |
| roles | Array of strings | A set of user groups assigned to the user. These are references to identifiers of user groups within CloudBilling. |
| email | String | E-mail address of the user. |
| name | String | The name claim provides a human-readable value that identifies the subject of the token. Optional: if not provided, the preferred_username claim is used. |
| preferred_username | String | The primary username that represents the user. It could be an email address, phone number, or a generic username without a specified format. Optional: if not provided, the name claim is used. |
| given_name | String | The given / first name of the user. Optional: if not provided, the name claim is used. |
| family_name | String | The family / surname of the user. Optional: if not provided, the name claim is used. |
| locale | String | The user’s locale, e.g. en-GB for British English. |
| zoneinfo | String | The user’s time zone, e.g. Europe/Amsterdam. |
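As an added example, not CloudBilling’s own code, the following Python shows what a relying party has to do with the ID token it receives from the implicit flow before it trusts the claims above: check issuer, audience, nonce and lifetime, then map the claims onto a user record using the fallback rules from the table and honour only roles that match a known user group ID. The issuer, client ID, nonce, group IDs and claim values are constructed for illustration, and the JWT signature is assumed to have been verified already by a JOSE library; this code works on the decoded payload.

```python
# Added example (not CloudBilling's code). Validates the claims of an OIDC ID
# token whose signature has already been verified, then maps the claims onto a
# user record using the fallback rules of the claims table. All identifiers and
# sample values are constructed for illustration.
import time
from dataclasses import dataclass, field
from typing import List, Optional


class TokenValidationError(Exception):
    """Raised when the ID token must not be accepted."""


@dataclass
class PortalUser:
    subject: str
    email: str
    display_name: str
    username: str
    given_name: str
    family_name: str
    user_groups: List[str] = field(default_factory=list)   # resolved group IDs
    unknown_roles: List[str] = field(default_factory=list)  # for logging only
    locale: Optional[str] = None
    zoneinfo: Optional[str] = None


def validate_id_token_claims(claims, expected_issuer, client_id, expected_nonce,
                             now=None, skew=60):
    """Check iss, aud (and azp), nonce, exp and iat of a decoded ID token payload."""
    now = time.time() if now is None else now
    if claims.get("iss") != expected_issuer:
        raise TokenValidationError("issuer mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise TokenValidationError("token was not issued for this client")
    # With several audiences, azp must name this client (OIDC Core 3.1.3.7).
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise TokenValidationError("azp claim missing or not this client")
    # The nonce ties the token to the sign-in request that was started;
    # a token without the expected nonce may be replayed from elsewhere.
    if claims.get("nonce") != expected_nonce:
        raise TokenValidationError("nonce mismatch")
    if claims.get("exp", 0) + skew < now:
        raise TokenValidationError("token expired")
    if claims.get("iat", now) > now + skew:
        raise TokenValidationError("token issued in the future")
    return True


def map_claims_to_user(claims, known_group_ids):
    """Build a user record, applying the name/preferred_username fallbacks."""
    for required in ("sub", "email", "roles"):
        if required not in claims:
            raise TokenValidationError(f"required claim missing: {required}")
    name = claims.get("name")
    preferred = claims.get("preferred_username")
    if name is None and preferred is None:
        raise TokenValidationError("neither name nor preferred_username present")
    display_name = name if name is not None else preferred
    username = preferred if preferred is not None else name
    roles = claims["roles"]
    if not isinstance(roles, list) or not all(isinstance(r, str) for r in roles):
        raise TokenValidationError("roles must be an array of strings")
    # Only values that match a known user-group ID grant membership; anything
    # else is recorded so a mistyped role shows up in logs instead of access.
    groups = [r for r in roles if r in known_group_ids]
    unknown = [r for r in roles if r not in known_group_ids]
    return PortalUser(
        subject=claims["sub"],
        email=claims["email"],
        display_name=display_name,
        username=username,
        given_name=claims.get("given_name", display_name),
        family_name=claims.get("family_name", display_name),
        user_groups=groups,
        unknown_roles=unknown,
        locale=claims.get("locale"),
        zoneinfo=claims.get("zoneinfo"),
    )


# Constructed sample payload, as an IdP might issue it (no 'name' claim, so the
# display name falls back to preferred_username).
SAMPLE_ISSUER = "https://login.example-idp.test/tenant-1"     # constructed
SAMPLE_CLIENT_ID = "11111111-2222-3333-4444-555555555555"       # constructed
SAMPLE_NONCE = "n-0S6_WzA2Mj"                                   # constructed
SAMPLE_CLAIMS = {
    "iss": SAMPLE_ISSUER, "aud": SAMPLE_CLIENT_ID, "sub": "user-42",
    "nonce": SAMPLE_NONCE, "iat": 1_700_000_000, "exp": 1_700_003_600,
    "email": "jane.doe@example.test", "preferred_username": "jane.doe@example.test",
    "given_name": "Jane", "family_name": "Doe",
    "roles": ["group-finance", "group-unknown"],
    "locale": "en-GB", "zoneinfo": "Europe/Amsterdam",
}
KNOWN_GROUPS = {"group-finance", "group-admins"}  # constructed user group IDs


def demo():
    """Validate the sample token at a fixed clock and map it to a user."""
    validate_id_token_claims(SAMPLE_CLAIMS, SAMPLE_ISSUER, SAMPLE_CLIENT_ID,
                             SAMPLE_NONCE, now=1_700_000_100)
    return map_claims_to_user(SAMPLE_CLAIMS, KNOWN_GROUPS)


if __name__ == "__main__":
    print(demo())
```

The validation step runs on every sign-in and token renewal, which is what makes the dynamic role assignments described above take effect: the group list is rebuilt from the roles claim each time rather than stored once.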
Microsoft Entra ID (formerly Azure Active Directory)
A typical integration of CloudBilling Single Sign-on is with Azure Active Directory. By doing so, your users will be able to access the CloudBilling Tenant Portal from their office.com home page.
- Contact us, and we will provide you with the data applicable to your tenant.
- In the Azure Portal, go to Register an application.
- Fill in the form:
  Name: ‘CloudBilling’
  Supported account types: ‘Accounts in this organisational directory only’
- On the Overview page, copy the ‘Application (client) ID’ and provide that to us. This allows us to configure the integration on our end.
- Go to ‘Branding & Properties’ and enter the following:
  Upload new logo: upload this image
  Home page URL: https://app.cloudbilling.nl/SSO/OIDC/[ID]/Callback (replace [ID] with the value provided by us)
- On the ‘Authentication’ page under ‘Platform configurations’ click ‘Add a platform’, click ‘Web’, enter the following and click ‘Configure’:
  Redirect URI: https://app.cloudbilling.nl/SSO/OIDC/[ID]/Callback
  Front-channel logout URL: https://app.cloudbilling.nl/SSO/OIDC/[ID]/SignOut
  Implicit grant and hybrid flows: select ‘ID tokens’
- On the ‘Token configuration’ page, click ‘Add optional claim’, enter the following and click ‘Add’:
  Token type: ‘ID’
  Claim: select ‘family_name’ and ‘given_name’
- Choose ‘Turn on the Microsoft Graph profile permission (required for claims to appear in token).’ and click ‘Add’.
- On the ‘API permissions’ page, click ‘Add a permission’, click ‘Microsoft Graph’, click ‘Delegated permissions’, select the following permissions and click ‘Add permissions’:
  OpenId permissions: profile
- On the ‘App roles’ page you’ll create an app role per User Group in CloudBilling Tenant Portal. We will provide you with a list of ‘Name’ and ‘Id’ per User Group. For every User Group: click ‘Create app role’, enter the following and click ‘Apply’:
  Display name: User Group’s ‘Name’
  Allowed member types: ‘Users/Groups’
  Value: User Group’s ‘Id’
  Description: User Group’s ‘Name’
  Do you want to enable this app role: Yes
Now the application registration is complete, and you can grant permissions to your users. To grant permissions to users:
- In the Azure Portal, go to Enterprise applications and click on the application named ‘CloudBilling’.
- On the page ‘Users and groups’ click ‘Add user/group’.
- Select the user(s) you want to grant the permission to.
- Select the role you want to grant them.
- Click ‘Assign’.
The integration is now complete. After confirmation from us, you can test the sign-on by visiting the following URL: https://app.cloudbilling.nl/SSO/OIDC/[ID]/Callback.
Final steps
After confirming users can use the application through SSO, you can remove their old user accounts from the environment. This makes sure that users can only access the environment through SSO and no longer through username/password.