Get started
Yandex Identity and Access Management

FederationService

A set of methods for managing federations.

Call Description
Get Returns the specified federation.
List Retrieves the list of federations in the specified folder.
Create Creates a federation in the specified folder.
Update Updates the specified federation.
Delete Deletes the specified federation.
AddUserAccounts Adds users to the specified federation.
ListUserAccounts
ListOperations Lists operations for the specified federation.

Calls FederationService

Get

Returns the specified federation.
To get the list of available federations, make a List request.

rpc Get (GetFederationRequest) returns (Federation)

GetFederationRequest

Field Description
federation_id string
ID of the federation to return. To get the federation ID, make a FederationService.List request. The maximum string length in characters is 50.

Federation

Field Description
id string
Required. ID of the federation. The maximum string length in characters is 50.
folder_id string
Required. ID of the folder that the federation belongs to. The maximum string length in characters is 50.
name string
Required. Name of the federation. Value must match the regular expression |[a-z][-a-z0-9]{1,61}[a-z0-9].
description string
Description of the federation. The maximum string length in characters is 256.
created_at google.protobuf.Timestamp
Creation timestamp.
cookie_max_age google.protobuf.Duration
Browser cookie lifetime in seconds. If the cookie is still valid, the management console authenticates the user immediately and redirects them to the home page. Acceptable values are 10m to 12h, inclusive.
auto_create_account_on_login bool
Add new users automatically on successful authentication. The user will get the resource-manager.clouds.member role automatically, but you need to grant other roles to them.
If the value is false, users who aren't added to the cloud can't log in, even if they have authenticated on your server.
issuer string
Required. ID of the IdP server to be used for authentication. The IdP server also responds to IAM with this ID after the user authenticates. The maximum string length in characters is 8000.
sso_binding enum BindingType
Single sign-on endpoint binding type. Most Identity Providers support the POST binding type.
SAML Binding is a mapping of a SAML protocol message onto standard messaging formats and/or communications protocols.
  • POST: HTTP POST binding.
  • REDIRECT: HTTP redirect binding.
  • ARTIFACT: HTTP artifact binding.
    sso_url string
    Required. Single sign-on endpoint URL. Specify the link to the IdP login page here. The maximum string length in characters is 8000.
    security_settings FederationSecuritySettings
    Federation security settings.
    case_insensitive_name_ids bool
    Use case insensitive Name IDs.

    FederationSecuritySettings

    Field Description
    encrypted_assertions bool
    Enable encrypted assertions.

    List

    Retrieves the list of federations in the specified folder.

    rpc List (ListFederationsRequest) returns (ListFederationsResponse)

    ListFederationsRequest

    Field Description
    scope oneof: cloud_id or folder_id
      cloud_id string
    ID of the cloud to list federations in. To get the cloud ID, make a yandex.cloud.resourcemanager.v1.CloudService.List request. The maximum string length in characters is 50.
      folder_id string
    ID of the folder to list federations in. To get the folder ID, make a yandex.cloud.resourcemanager.v1.FolderService.List request. The maximum string length in characters is 50.
    page_size int64
    The maximum number of results per page to return. If the number of available results is larger than page_size, the service returns a ListFederationsResponse.next_page_token that can be used to get the next page of results in subsequent list requests. Default value: 100 Acceptable values are 0 to 1000, inclusive.
    page_token string
    Page token. To get the next page of results, set page_token to the ListFederationsResponse.next_page_token returned by a previous list request. The maximum string length in characters is 50.
    filter string
    1. The field name. Currently you can use filtering only on the Federation.name field.
    2. An operator. Can be either = or != for single values, IN or NOT IN for lists of values.
    3. The value. Must be 3-63 characters long and match the regular expression ^[a-z][-a-z0-9]{1,61}[a-z0-9]$.
    The maximum string length in characters is 1000.

    ListFederationsResponse

    Field Description
    federations[] Federation
    List of federations.
    next_page_token string
    This token allows you to get the next page of results for list requests. If the number of results is larger than ListFederationsRequest.page_size, use the next_page_token as the value for the ListFederationsRequest.page_token query parameter in the next list request. Each subsequent list request will have its own next_page_token to continue paging through the results.

    Federation

    Field Description
    id string
    Required. ID of the federation. The maximum string length in characters is 50.
    folder_id string
    Required. ID of the folder that the federation belongs to. The maximum string length in characters is 50.
    name string
    Required. Name of the federation. Value must match the regular expression |[a-z][-a-z0-9]{1,61}[a-z0-9].
    description string
    Description of the federation. The maximum string length in characters is 256.
    created_at google.protobuf.Timestamp
    Creation timestamp.
    cookie_max_age google.protobuf.Duration
    Browser cookie lifetime in seconds. If the cookie is still valid, the management console authenticates the user immediately and redirects them to the home page. Acceptable values are 10m to 12h, inclusive.
    auto_create_account_on_login bool
    Add new users automatically on successful authentication. The user will get the resource-manager.clouds.member role automatically, but you need to grant other roles to them.
    If the value is false, users who aren't added to the cloud can't log in, even if they have authenticated on your server.
    issuer string
    Required. ID of the IdP server to be used for authentication. The IdP server also responds to IAM with this ID after the user authenticates. The maximum string length in characters is 8000.
    sso_binding enum BindingType
    Single sign-on endpoint binding type. Most Identity Providers support the POST binding type.
    SAML Binding is a mapping of a SAML protocol message onto standard messaging formats and/or communications protocols.
    • POST: HTTP POST binding.
    • REDIRECT: HTTP redirect binding.
    • ARTIFACT: HTTP artifact binding.
      sso_url string
      Required. Single sign-on endpoint URL. Specify the link to the IdP login page here. The maximum string length in characters is 8000.
      security_settings FederationSecuritySettings
      Federation security settings.
      case_insensitive_name_ids bool
      Use case insensitive Name IDs.

      FederationSecuritySettings

      Field Description
      encrypted_assertions bool
      Enable encrypted assertions.

      Create

      Creates a federation in the specified folder.

      rpc Create (CreateFederationRequest) returns (operation.Operation)

      Metadata and response of Operation:

          Operation.metadata:CreateFederationMetadata

          Operation.response:Federation

      CreateFederationRequest

      Field Description
      folder_id string
      ID of the folder to create a federation in. To get the folder ID, make a yandex.cloud.resourcemanager.v1.FolderService.List request. The maximum string length in characters is 50.
      name string
      Name of the federation. The name must be unique within the cloud. Value must match the regular expression [a-z]([-a-z0-9]{0,61}[a-z0-9])?.
      description string
      Description of the federation. The maximum string length in characters is 256.
      cookie_max_age google.protobuf.Duration
      Browser cookie lifetime in seconds. If the cookie is still valid, the management console authenticates the user immediately and redirects them to the home page. The default value is 8h. Acceptable values are 10m to 12h, inclusive.
      auto_create_account_on_login bool
      Add new users automatically on successful authentication. The user will get the resource-manager.clouds.member role automatically, but you need to grant other roles to them.
      If the value is false, users who aren't added to the cloud can't log in, even if they have authenticated on your server.
      issuer string
      Required. ID of the IdP server to be used for authentication. The IdP server also responds to IAM with this ID after the user authenticates. The maximum string length in characters is 8000.
      sso_binding enum BindingType
      Single sign-on endpoint binding type. Most Identity Providers support the POST binding type.
      SAML Binding is a mapping of a SAML protocol message onto standard messaging formats and/or communications protocols.
      • POST: HTTP POST binding.
      • REDIRECT: HTTP redirect binding.
      • ARTIFACT: HTTP artifact binding.
        sso_url string
        Required. Single sign-on endpoint URL. Specify the link to the IdP login page here. The maximum string length in characters is 8000.
        security_settings FederationSecuritySettings
        Federation security settings.
        case_insensitive_name_ids bool
        Use case insensitive Name IDs.

        FederationSecuritySettings

        Field Description
        encrypted_assertions bool
        Enable encrypted assertions.

        Operation

        Field Description
        id string
        ID of the operation.
        description string
        Description of the operation. 0-256 characters long.
        created_at google.protobuf.Timestamp
        Creation timestamp.
        created_by string
        ID of the user or service account who initiated the operation.
        modified_at google.protobuf.Timestamp
        The time when the Operation resource was last modified.
        done bool
        If the value is false, it means the operation is still in progress. If true, the operation is completed, and either error or response is available.
        metadata google.protobuf.Any<CreateFederationMetadata>
        Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
        result oneof: error or response
        The operation result. If done == false and there was no failure detected, neither error nor response is set. If done == false and there was a failure detected, error is set. If done == true, exactly one of error or response is set.
          error google.rpc.Status
        The error result of the operation in case of failure or cancellation.
          response google.protobuf.Any<Federation>
        if operation finished successfully.

        CreateFederationMetadata

        Field Description
        federation_id string
        ID of the federation that is being created.

        Federation

        Field Description
        id string
        Required. ID of the federation. The maximum string length in characters is 50.
        folder_id string
        Required. ID of the folder that the federation belongs to. The maximum string length in characters is 50.
        name string
        Required. Name of the federation. Value must match the regular expression |[a-z][-a-z0-9]{1,61}[a-z0-9].
        description string
        Description of the federation. The maximum string length in characters is 256.
        created_at google.protobuf.Timestamp
        Creation timestamp.
        cookie_max_age google.protobuf.Duration
        Browser cookie lifetime in seconds. If the cookie is still valid, the management console authenticates the user immediately and redirects them to the home page. Acceptable values are 10m to 12h, inclusive.
        auto_create_account_on_login bool
        Add new users automatically on successful authentication. The user will get the resource-manager.clouds.member role automatically, but you need to grant other roles to them.
        If the value is false, users who aren't added to the cloud can't log in, even if they have authenticated on your server.
        issuer string
        Required. ID of the IdP server to be used for authentication. The IdP server also responds to IAM with this ID after the user authenticates. The maximum string length in characters is 8000.
        sso_binding enum BindingType
        Single sign-on endpoint binding type. Most Identity Providers support the POST binding type.
        SAML Binding is a mapping of a SAML protocol message onto standard messaging formats and/or communications protocols.
        • POST: HTTP POST binding.
        • REDIRECT: HTTP redirect binding.
        • ARTIFACT: HTTP artifact binding.
          sso_url string
          Required. Single sign-on endpoint URL. Specify the link to the IdP login page here. The maximum string length in characters is 8000.
          security_settings FederationSecuritySettings
          Federation security settings.
          case_insensitive_name_ids bool
          Use case insensitive Name IDs.

          FederationSecuritySettings

          Field Description
          encrypted_assertions bool
          Enable encrypted assertions.

          Update

          Updates the specified federation.

          rpc Update (UpdateFederationRequest) returns (operation.Operation)

          Metadata and response of Operation:

              Operation.metadata:UpdateFederationMetadata

              Operation.response:Federation

          UpdateFederationRequest

          Field Description
          federation_id string
          ID of the federation to update. To get the federation ID, make a FederationService.List request. The maximum string length in characters is 50.
          update_mask google.protobuf.FieldMask
          Field mask that specifies which fields of the federation are going to be updated.
          name string
          Name of the federation. The name must be unique within the cloud. Value must match the regular expression |[a-z]([-a-z0-9]{0,61}[a-z0-9])?.
          description string
          Description of the federation. The maximum string length in characters is 256.
          cookie_max_age google.protobuf.Duration
          Browser cookie lifetime in seconds. If the cookie is still valid, the management console authenticates the user immediately and redirects them to the home page. The default value is 8h. Acceptable values are 10m to 12h, inclusive.
          auto_create_account_on_login bool
          Add new users automatically on successful authentication. The user will get the resource-manager.clouds.member role automatically, but you need to grant other roles to them.
          If the value is false, users who aren't added to the cloud can't log in, even if they have authenticated on your server.
          issuer string
          Required. ID of the IdP server to be used for authentication. The IdP server also responds to IAM with this ID after the user authenticates. The maximum string length in characters is 8000.
          sso_binding enum BindingType
          Single sign-on endpoint binding type. Most Identity Providers support the POST binding type.
          SAML Binding is a mapping of a SAML protocol message onto standard messaging formats and/or communications protocols.
          • POST: HTTP POST binding.
          • REDIRECT: HTTP redirect binding.
          • ARTIFACT: HTTP artifact binding.
            sso_url string
            Required. Single sign-on endpoint URL. Specify the link to the IdP login page here. The maximum string length in characters is 8000.
            security_settings FederationSecuritySettings
            Federation security settings.
            case_insensitive_name_ids bool
            Use case insensitive name ids.

            FederationSecuritySettings

            Field Description
            encrypted_assertions bool
            Enable encrypted assertions.

            Operation

            Field Description
            id string
            ID of the operation.
            description string
            Description of the operation. 0-256 characters long.
            created_at google.protobuf.Timestamp
            Creation timestamp.
            created_by string
            ID of the user or service account who initiated the operation.
            modified_at google.protobuf.Timestamp
            The time when the Operation resource was last modified.
            done bool
            If the value is false, it means the operation is still in progress. If true, the operation is completed, and either error or response is available.
            metadata google.protobuf.Any<UpdateFederationMetadata>
            Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
            result oneof: error or response
            The operation result. If done == false and there was no failure detected, neither error nor response is set. If done == false and there was a failure detected, error is set. If done == true, exactly one of error or response is set.
              error google.rpc.Status
            The error result of the operation in case of failure or cancellation.
              response google.protobuf.Any<Federation>
            if operation finished successfully.

            UpdateFederationMetadata

            Field Description
            federation_id string
            ID of the federation that is being updated.

            Federation

            Field Description
            id string
            Required. ID of the federation. The maximum string length in characters is 50.
            folder_id string
            Required. ID of the folder that the federation belongs to. The maximum string length in characters is 50.
            name string
            Required. Name of the federation. Value must match the regular expression |[a-z][-a-z0-9]{1,61}[a-z0-9].
            description string
            Description of the federation. The maximum string length in characters is 256.
            created_at google.protobuf.Timestamp
            Creation timestamp.
            cookie_max_age google.protobuf.Duration
            Browser cookie lifetime in seconds. If the cookie is still valid, the management console authenticates the user immediately and redirects them to the home page. Acceptable values are 10m to 12h, inclusive.
            auto_create_account_on_login bool
            Add new users automatically on successful authentication. The user will get the resource-manager.clouds.member role automatically, but you need to grant other roles to them.
            If the value is false, users who aren't added to the cloud can't log in, even if they have authenticated on your server.
            issuer string
            Required. ID of the IdP server to be used for authentication. The IdP server also responds to IAM with this ID after the user authenticates. The maximum string length in characters is 8000.
            sso_binding enum BindingType
            Single sign-on endpoint binding type. Most Identity Providers support the POST binding type.
            SAML Binding is a mapping of a SAML protocol message onto standard messaging formats and/or communications protocols.
            • POST: HTTP POST binding.
            • REDIRECT: HTTP redirect binding.
            • ARTIFACT: HTTP artifact binding.
              sso_url string
              Required. Single sign-on endpoint URL. Specify the link to the IdP login page here. The maximum string length in characters is 8000.
              security_settings FederationSecuritySettings
              Federation security settings.
              case_insensitive_name_ids bool
              Use case insensitive Name IDs.

              FederationSecuritySettings

              Field Description
              encrypted_assertions bool
              Enable encrypted assertions.

              Delete

              Deletes the specified federation.

              rpc Delete (DeleteFederationRequest) returns (operation.Operation)

              Metadata and response of Operation:

                  Operation.metadata:DeleteFederationMetadata

                  Operation.response:google.protobuf.Empty

              DeleteFederationRequest

              Field Description
              federation_id string
              ID of the federation to delete. To get the federation ID, make a FederationService.List request. The maximum string length in characters is 50.

              Operation

              Field Description
              id string
              ID of the operation.
              description string
              Description of the operation. 0-256 characters long.
              created_at google.protobuf.Timestamp
              Creation timestamp.
              created_by string
              ID of the user or service account who initiated the operation.
              modified_at google.protobuf.Timestamp
              The time when the Operation resource was last modified.
              done bool
              If the value is false, it means the operation is still in progress. If true, the operation is completed, and either error or response is available.
              metadata google.protobuf.Any<DeleteFederationMetadata>
              Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
              result oneof: error or response
              The operation result. If done == false and there was no failure detected, neither error nor response is set. If done == false and there was a failure detected, error is set. If done == true, exactly one of error or response is set.
                error google.rpc.Status
              The error result of the operation in case of failure or cancellation.
                response google.protobuf.Any<google.protobuf.Empty>
              if operation finished successfully.

              DeleteFederationMetadata

              Field Description
              federation_id string
              ID of the federation that is being deleted.

              AddUserAccounts

              Adds users to the specified federation.

              rpc AddUserAccounts (AddFederatedUserAccountsRequest) returns (operation.Operation)

              Metadata and response of Operation:

                  Operation.metadata:AddFederatedUserAccountsMetadata

                  Operation.response:AddFederatedUserAccountsResponse

              AddFederatedUserAccountsRequest

              Field Description
              federation_id string
              ID of the federation to add users. The maximum string length in characters is 50.
              name_ids[] string
              Name IDs returned by the Identity Provider (IdP) on successful authentication. These may be UPNs or user email addresses. The maximum string length in characters for each value is 1000.

              Operation

              Field Description
              id string
              ID of the operation.
              description string
              Description of the operation. 0-256 characters long.
              created_at google.protobuf.Timestamp
              Creation timestamp.
              created_by string
              ID of the user or service account who initiated the operation.
              modified_at google.protobuf.Timestamp
              The time when the Operation resource was last modified.
              done bool
              If the value is false, it means the operation is still in progress. If true, the operation is completed, and either error or response is available.
              metadata google.protobuf.Any<AddFederatedUserAccountsMetadata>
              Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
              result oneof: error or response
              The operation result. If done == false and there was no failure detected, neither error nor response is set. If done == false and there was a failure detected, error is set. If done == true, exactly one of error or response is set.
                error google.rpc.Status
              The error result of the operation in case of failure or cancellation.
                response google.protobuf.Any<AddFederatedUserAccountsResponse>
              if operation finished successfully.

              AddFederatedUserAccountsMetadata

              Field Description
              federation_id string
              ID of the federation that is being altered.

              AddFederatedUserAccountsResponse

              Field Description
              user_accounts[] UserAccount
              List of users created by FederationService.AddUserAccounts request.

              UserAccount

              Field Description
              id string
              ID of the user account.
              user_account oneof: yandex_passport_user_account or saml_user_account
                yandex_passport_user_account YandexPassportUserAccount
              A YandexPassportUserAccount resource.
                saml_user_account SamlUserAccount
              A SAML federated user.

              YandexPassportUserAccount

              Field Description
              login string
              Login of the Yandex.Passport user account.
              default_email string
              Default email of the Yandex.Passport user account.

              SamlUserAccount

              Field Description
              federation_id string
              Required. ID of the federation that the federation belongs to. The maximum string length in characters is 50.
              name_id string
              Required. Name Id of the SAML federated user. The name is unique within the federation. 1-256 characters long. The string length in characters must be 1-256.
              attributes map<string,Attribute>
              Additional attributes of the SAML federated user.

              Attribute

              Field Description
              value[] string

              ListUserAccounts

              rpc ListUserAccounts (ListFederatedUserAccountsRequest) returns (ListFederatedUserAccountsResponse)

              ListFederatedUserAccountsRequest

              Field Description
              federation_id string
              Required. ID of the federation to list user accounts for. The maximum string length in characters is 50.
              page_size int64
              The maximum number of results per page to return. If the number of available results is larger than page_size, the service returns a ListFederatedUserAccountsResponse.next_page_token that can be used to get the next page of results in subsequent list requests. Default value: 100. Acceptable values are 0 to 1000, inclusive.
              page_token string
              Page token. To get the next page of results, set page_token to the ListFederatedUserAccountsResponse.next_page_token returned by a previous list request. The maximum string length in characters is 100.

              ListFederatedUserAccountsResponse

              Field Description
              user_accounts[] UserAccount
              List of user accounts for the specified federation.
              next_page_token string
              This token allows you to get the next page of results for list requests. If the number of results is larger than ListFederatedUserAccountsRequest.page_size, use the next_page_token as the value for the ListFederatedUserAccountsRequest.page_token query parameter in the next list request. Each subsequent list request will have its own next_page_token to continue paging through the results.

              UserAccount

              Field Description
              id string
              ID of the user account.
              user_account oneof: yandex_passport_user_account or saml_user_account
                yandex_passport_user_account YandexPassportUserAccount
              A YandexPassportUserAccount resource.
                saml_user_account SamlUserAccount
              A SAML federated user.

              YandexPassportUserAccount

              Field Description
              login string
              Login of the Yandex.Passport user account.
              default_email string
              Default email of the Yandex.Passport user account.

              SamlUserAccount

              Field Description
              federation_id string
              Required. ID of the federation that the federation belongs to. The maximum string length in characters is 50.
              name_id string
              Required. Name Id of the SAML federated user. The name is unique within the federation. 1-256 characters long. The string length in characters must be 1-256.
              attributes map<string,Attribute>
              Additional attributes of the SAML federated user.

              Attribute

              Field Description
              value[] string

              ListOperations

              Lists operations for the specified federation.

              rpc ListOperations (ListFederationOperationsRequest) returns (ListFederationOperationsResponse)

              ListFederationOperationsRequest

              Field Description
              federation_id string
              ID of the federation to list operations for. The maximum string length in characters is 50.
              page_size int64
              The maximum number of results per page to return. If the number of available results is larger than page_size, the service returns a ListFederationOperationsResponse.next_page_token that can be used to get the next page of results in subsequent list requests. Default value: 100. Acceptable values are 0 to 1000, inclusive.
              page_token string
              Page token. To get the next page of results, set page_token to the ListFederationOperationsResponse.next_page_token returned by a previous list request. The maximum string length in characters is 100.

              ListFederationOperationsResponse

              Field Description
              operations[] operation.Operation
              List of operations for the specified federation.
              next_page_token string
              This token allows you to get the next page of results for list requests. If the number of results is larger than ListFederationOperationsRequest.page_size, use the next_page_token as the value for the ListFederationOperationsRequest.page_token query parameter in the next list request. Each subsequent list request will have its own next_page_token to continue paging through the results.

              Operation

              Field Description
              id string
              ID of the operation.
              description string
              Description of the operation. 0-256 characters long.
              created_at google.protobuf.Timestamp
              Creation timestamp.
              created_by string
              ID of the user or service account who initiated the operation.
              modified_at google.protobuf.Timestamp
              The time when the Operation resource was last modified.
              done bool
              If the value is false, it means the operation is still in progress. If true, the operation is completed, and either error or response is available.
              metadata google.protobuf.Any
              Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
              result oneof: error or response
              The operation result. If done == false and there was no failure detected, neither error nor response is set. If done == false and there was a failure detected, error is set. If done == true, exactly one of error or response is set.
                error google.rpc.Status
              The error result of the operation in case of failure or cancellation.
                response google.protobuf.Any
              The normal response of the operation in case of success. If the original method returns no data on success, such as Delete, the response is google.protobuf.Empty. If the original method is the standard Create/Update, the response should be the target resource of the operation. Any method that returns a long-running operation should document the response type, if any.
              In this article: