SAML-compatible identity federations

Yandex.Cloud supports identity federations based on SAML 2.0, a popular markup language for enabling Single Sign-On (SSO). SSO lets users access multiple apps without having to enter their username and password every time. The "Sign in with Yandex, Google, or Facebook" buttons you see on many sites are examples of Single Sign-On at work.

This approach is called identity federation: all the information about usernames and passwords is stored by a trusted Identity Provider (IdP), and the Service Provider (SP), such as Yandex.Cloud, redirects the user to the IdP server to authenticate.

What do I need identity federations for in Yandex.Cloud?

Large companies usually have a pre-configured system for managing users and access to their networks, such as Active Directory. A company like this may employ thousands of people, which makes it difficult to create a Yandex account for each employee and quickly delete it whenever anyone leaves the company.

By using an identity federation, a company can set up Single Sign-On, that is, authentication in Yandex.Cloud through the company's own server. This lets employees use their corporate accounts to access Yandex.Cloud.

Since authentication takes place on the IdP server side, you can configure stronger user verification there, such as two-factor authentication or USB tokens.

How authentication occurs in a federation

To log in to the management console, federated users must follow the link with the federation ID:

https://console.cloud.yandex.com/federations/<federation ID>

The authentication process is shown in the diagram:

[Diagram: the authentication process in a federation, corresponding to steps 1 to 6 below]

  1. The user opens a console login link in the browser.

  2. If this is the first time the user authenticates, the console redirects them to the IdP server for authentication.

    If the user has already authenticated, this information is saved in a browser cookie. If the cookie is still valid, the management console authenticates the user immediately and redirects them to the home page. The cookie lifetime is specified when the federation is created.

    If the cookie expires, the console forwards the user to the IdP server for re-authentication.

  3. The IdP server shows the authentication page to the user. For example, it prompts them to enter their username and password.

  4. The user enters the data required for authentication on the IdP server.

  5. If authentication is successful, the IdP server sends the user's browser back to the management console login page.

  6. The management console asks IAM whether this user is added to the cloud. If the user is added, the management console authenticates the user and redirects them to the home page.
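Steps 2 and 6 are the two decisions the console makes: whether a saved cookie is still within the federation's configured lifetime, and whether IAM lists the user the IdP vouched for as a member of the cloud. The following Python model of those decisions is an added example, not Yandex.Cloud code; the class names, the in-memory set standing in for IAM, the sample federation and users, and the `access_denied` outcome for a user who is not in the cloud are all assumptions.

```python
# Constructed model of the console-side decisions in steps 1-6 (illustrative only).
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Federation:
    federation_id: str
    cookie_lifetime: timedelta   # specified when the federation is created (step 2)
    idp_sso_url: str             # where the console sends users who must authenticate

@dataclass
class SessionCookie:
    federation_id: str
    user_name: str
    issued_at: datetime

def cookie_is_valid(cookie, federation, now):
    """Step 2: a saved cookie counts only for its own federation and only
    while it is younger than that federation's configured lifetime."""
    if cookie is None or cookie.federation_id != federation.federation_id:
        return False
    return now - cookie.issued_at < federation.cookie_lifetime

def console_login(federation, cookie, now, cloud_members, idp_user=None):
    """Next console action for one visit to the federation link. idp_user is the
    user name the IdP vouched for on return (step 5), or None before that."""
    if cookie_is_valid(cookie, federation, now):
        return ("home", cookie.user_name)             # valid cookie: no IdP round trip
    if idp_user is None:
        return ("redirect_to_idp", federation.idp_sso_url)  # first visit or expired cookie
    # Step 6: ask IAM (here a plain set) whether the user was added to the cloud.
    # Denying users IAM does not know is an assumption; the page does not say.
    if idp_user not in cloud_members:
        return ("access_denied", idp_user)
    return ("home", idp_user)

def run_scenarios():
    fed = Federation("fed-example-id", timedelta(hours=12), "https://idp.example.test/sso")
    now = datetime(2024, 1, 1, 12, 0)
    members = {"alice"}                                          # constructed IAM data
    fresh = SessionCookie("fed-example-id", "alice", now - timedelta(hours=1))
    stale = SessionCookie("fed-example-id", "alice", now - timedelta(hours=13))
    return [
        console_login(fed, None, now, members),                    # step 2: first visit
        console_login(fed, fresh, now, members),                   # cookie still valid
        console_login(fed, stale, now, members),                   # cookie expired
        console_login(fed, stale, now, members, idp_user="alice"),  # steps 5-6, member
        console_login(fed, None, now, members, idp_user="bob"),     # IdP ok, not in cloud
    ]
```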