
Single sign-on (SSO)

Infracost Cloud supports authenticating with Enterprise SSO providers; furthermore, users can automatically be provisioned based on your SAML user groups and permissions.

Setup SSO

Assuming you have already purchased Infracost Cloud, you can set up SSO by following these steps. Email hello@infracost.io if you would like to enable SSO for proof-of-concept projects where many people are involved.

  1. Go to Infracost Cloud and sign up with your email and a password. You will delete this user after SSO is enabled.
  2. From the top dropdown menu, switch to your company organization or create a new organization for your company.
  3. Follow the applicable section below to set up SSO; each option ends with you emailing us your SSO details.
    Microsoft Entra ID
    1. In the Infracost Cloud dashboard go to Org Settings and copy your Org ID. You will need to provide this to Infracost in a future step.
    2. Log in to the Azure portal
    3. Go to Microsoft Entra ID > Enterprise applications
    4. Click New application
    5. Click Create your own application
    6. For the name enter Infracost Cloud
    7. Make sure 'Integrate any other application you don't find in the gallery (Non-gallery)' is selected.
    8. On the left select Single sign-on and select SAML
    9. Click Edit in the Basic SAML Configuration section.
    10. Click Add identifier and enter urn:auth0:infracost:<YOUR INFRACOST ORG ID>
    11. Click Add reply URL and enter https://login.infracost.io/login/callback?connection=<YOUR INFRACOST ORG ID>
    12. Click Save
    13. Download 'Certificate (Base64)'. You will need to provide this to Infracost.
    14. Copy the 'Login URL'. You will need to provide this to Infracost in the next step.
    15. Email us the following information with the certificate attached:
      To: hello@infracost.io
      Subject: Enable SSO
      Body:

      Please enable SSO for our organization.

      - Company name or Infracost Org ID: xxx
      - SSO provider: Microsoft Entra ID
      - Login URL: xxx
      - Tenant domains, either the email domain (example.com) or Microsoft tenant domain (example.onmicrosoft.com): xxx
      - The certificate is attached.

      Thanks!
    Okta
    1. In the Infracost Cloud dashboard go to Org Settings and copy your Org ID. You will need to provide this to Infracost in a future step.
    2. Log in to the Okta Admin dashboard
    3. Go to Applications > Applications
    4. Click Create App Integration
    5. Select SAML 2.0 and click Next.
    6. For the App name enter Infracost Cloud and click Next.
    7. For Single sign on URL enter https://login.infracost.io/login/callback?connection=<YOUR INFRACOST ORG ID>
    8. For the Audience URL (SP Entity ID) enter urn:auth0:infracost:<YOUR INFRACOST ORG ID>
    9. Add the following for the Attribute Statements section and click Next. [Image: Okta Attribute Statements form]
    10. Choose 'I'm an Okta customer adding an internal app' and click Finish
    11. In the Sign on tab, scroll down to the SAML Signing Certificates section. On the right-hand side click the button to View SAML setup instructions.
    12. Copy the Identity Provider Single Sign-On URL and download the certificate.
    13. Email us the following information with the certificate attached:
      To: hello@infracost.io
      Subject: Enable SSO
      Body:

      Please enable SSO for our organization.

      - Company name or Infracost Org ID: xxx
      - SSO provider: Okta
      - Identity Provider Single Sign-On URL: xxx
      - SSO domains (comma separated list of domains to enable for this SSO connection): xxx
      - The public certificate is attached.

      Thanks!
    14. In the Okta Admin dashboard, assign any users to the Infracost Cloud app. You can also add an Infracost button or icon to your SSO portal, as we support IdP-Initiated logins from Okta too; save the following image to use for that:
    Google Workspace
    1. In the Infracost Cloud dashboard go to Org Settings and copy your Org ID. You will need this when setting up the SAML app in Google Workspace.
    2. Log in to Google Workspace admin
    3. Go to Apps > Web and mobile apps
    4. Click Add app > Add custom SAML app
    5. For the App name enter Infracost Cloud
    6. Copy the SSO URL and download the Certificate. You will need to supply these to Infracost in a future step. Click Continue.
    7. In the ACS URL enter: https://login.infracost.io/login/callback?connection=<YOUR INFRACOST ORG ID>
    8. In the Entity ID enter: urn:auth0:infracost:<YOUR INFRACOST ORG ID>
    9. Tick Signed response
    10. For Name ID format choose UNSPECIFIED and for Name ID choose Basic Information > Primary email. The form should look like the following: [Image: Google Workspace Service Provider form]
    11. Click Continue
    12. Add the following Attributes and click Finish: [Image: Google Workspace Service Provider form]
    13. Email us the following information with the certificate attached:
      To: hello@infracost.io
      Subject: Enable SSO
      Body:

      Please enable SSO for our organization.

      - Company name or Infracost Org ID: xxx
      - SSO provider: Google Workspace
      - SSO URL: xxx
      - SSO domains (comma separated list of domains to enable for this SSO connection): xxx
      - The certificate is attached.

      Thanks!
    Other SAML providers
    1. In the Infracost Cloud dashboard go to Org Settings and copy your Org ID. You will need to provide this in the next step.
    2. Email us the following information with the certificate attached:
      To: hello@infracost.io
      Subject: Enable SSO
      Body:

      Please enable SSO for our organization.

      - Company name or Infracost Org ID: xxx
      - SSO service provider: xxx
      - SSO URL: xxx
      - SSO domains (comma separated list of domains to enable for this SSO connection): xxx
      - The SSO certificate is attached.

      Thanks!
  4. Once we receive your email, we will email you to schedule a quick screenshare call to enable SSO. On the call, we will verify your SSO connection is configured correctly and delete the initial user that was created without SSO.

SSO login notes

After SSO is configured:

  • SSO is enabled on your company domain name(s), such as acme-inc.com. Anyone who enters an email address that contains one of your company domain names on the Infracost login page will be redirected to your SSO provider for authentication.
  • Once SSO is enabled, users logging in with GitHub/Google can continue to use those methods until you ask us to enable the "Enforce SSO login" option. After that point, SSO will be the only way to log in; thus when a user is removed from your SSO system, they will lose their access to Infracost Cloud.
  • You can invite users to your Infracost Cloud organization from the Org Settings > Members page. They will also need to be added to the corresponding group in your SSO provider so they can log in.
  • If a user had already logged in prior to SSO being enabled, on their first login after SSO is enabled they will be asked to confirm whether they want to link their login accounts. They must click "Continue" to be able to access your company's Infracost Cloud organization; otherwise a new empty organization will be created for them. If they skip this step, email hello@infracost.io so we can assist you.
  • For organizations using Okta: If users see the error "User is not assigned to this application" when signing in, it means they need to be added to the Okta Infracost app.

SAML group mapping

Infracost can also provision users automatically based on your SAML user groups. This allows you to manage access to Infracost Cloud by managing SAML groups in your SAML provider, instead of inviting users individually to your Infracost Cloud account. With SAML groups, users are automatically provisioned when they sign in for the first time; their roles are updated every time they sign in.

To enable this feature you should:

  1. Follow the Setup SSO instructions above first.

  2. Create SAML user groups in your SAML provider and put users in those groups. Infracost supports four roles (Viewer, Editor, Admin, Owner) so we recommend four user groups.

    If you already have a SAML group that most engineers are part of, you should consider re-using that for the Infracost Viewer role. This enables them to see their repo's pre-existing issues and fix them.

    Users that are part of multiple groups will get the highest role from their group. For example, if a user is part of the InfracostViewer and InfracostEditor groups, they'll get the Editor role.

    If you have multiple organizations under an Infracost enterprise, the SAML groups can also be treated as global roles that span all orgs in the enterprise. For example, your engineering user group can be given the Viewer role, and your central FinOps team can be given the Owner role in all organizations that are part of your enterprise.

  3. Email us the following information

    Email template
    To: hello@infracost.io
    Subject: Enable SAML groups
    Body:

    Please enable SAML groups for our organization.

    - Company name or Infracost Org ID: xxx

    - SSO service provider: [Microsoft Entra ID, Okta, Google Workspace, Other SAML Provider]

    - SAML group role mapping:
    | SAML group name | Infracost Org slug | Infracost role |
    |-----------------|--------------------|----------------|
    | AllEngineers | my_org | Org Viewer |
    | InfracostEditor | my_org | Org Editor |
    | InfracostAdmin | my_org | Org Admin |
    | InfracostOwner | all orgs | Org Owner |

    - The attribute name in the SAML assertion that will contain the group names, for example `memberOf`.

    - If possible, an example of the SAML assertion that will be sent.

    Thanks!
  4. Once we receive your email, we will email you to schedule a quick screenshare call to enable the SAML groups. On the call, we will verify that users are automatically provisioned correctly.

    On the call, if you choose to enable the "Enforce SSO login" option, Org Owners can still delete users from Infracost Cloud to clean up old users from the Org Settings > Members page. However, if those users log in again, they will be auto-provisioned again.

  5. After enabling SAML, you can send us a custom support URL. This URL will be shown to users who sign in with SSO but aren’t part of your SAML user groups. It helps guide these users on how to follow your company’s process to join the correct SAML group and access Infracost Cloud.
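
Before emailing a sample assertion, you can check locally what it would yield. The script below is an added example, not Infracost's code or a description of how Infracost evaluates assertions: it confirms the Audience matches the `urn:auth0:infracost:<YOUR INFRACOST ORG ID>` identifier from the setup steps and resolves roles from the mapping table, with the highest role winning and `all orgs` rows applied to every org. The Org ID `ORG123`, the slug `other_org` used when calling it, and the sample assertion are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_RANK = {"Viewer": 0, "Editor": 1, "Admin": 2, "Owner": 3}  # the four roles on this page

# Rows from the email template's mapping table: (SAML group, org slug, role).
MAPPING = [
    ("AllEngineers", "my_org", "Viewer"),
    ("InfracostEditor", "my_org", "Editor"),
    ("InfracostAdmin", "my_org", "Admin"),
    ("InfracostOwner", "all orgs", "Owner"),
]

# Constructed sample assertion (unsigned, trimmed); ORG123 is a placeholder Org ID.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>urn:auth0:infracost:ORG123</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>AllEngineers</saml:AttributeValue>
      <saml:AttributeValue>InfracostEditor</saml:AttributeValue>
      <saml:AttributeValue>Marketing</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def inspect_assertion(xml_text, org_id, group_attr, mapping, org_slugs):
    """Return (audience_ok, {org_slug: role}) for a sample you generated yourself.
    Does not verify signatures; not meant for processing live, untrusted assertions."""
    root = ET.fromstring(xml_text)
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    audience_ok = f"urn:auth0:infracost:{org_id}" in audiences
    groups = set()
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == group_attr:  # exact match on the attribute name you report
            groups |= {v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text}
    roles = {}
    for group, slug, role in mapping:
        if group not in groups:
            continue  # unmapped groups such as "Marketing" grant nothing
        for org in (org_slugs if slug == "all orgs" else [slug]):
            if org not in roles or ROLE_RANK[role] > ROLE_RANK[roles[org]]:
                roles[org] = role  # highest role wins
    return audience_ok, roles


if __name__ == "__main__":
    print(inspect_assertion(SAMPLE, "ORG123", "memberOf", MAPPING, ["my_org", "other_org"]))
```

An empty role dictionary means the user matched none of the mapped groups, which is the case the custom support URL in step 5 is for.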