FederationService

Calls FederationService
Get
List
Create
Update
Delete
AddUserAccounts
ListOperations

A set of methods for managing federations.

Call	Description
Get	Returns the specified federation.
List	Retrieves the list of federations in the specified folder.
Create	Creates a federation in the specified folder.
Update	Updates the specified federation.
Delete	Deletes the specified federation.
AddUserAccounts	Adds users to the specified federation.
ListOperations	Lists operations for the specified federation.

Calls FederationService

Get

Returns the specified federation.
To get the list of available federations, make a List request.

rpc Get (GetFederationRequest) returns (Federation)

GetFederationRequest

Field	Description
federation_id	string ID of the federation to return. To get the federation ID, make a FederationService.List request. The maximum string length in characters is 50.

Federation

Field	Description
id	string Required. ID of the federation. The maximum string length in characters is 50.
folder_id	string Required. ID of the folder that the federation belongs to. The maximum string length in characters is 50.
name	string Required. Name of the federation. Value must match the regular expression `\|[a-z][-a-z0-9]{1,61}[a-z0-9]`.
description	string Description of the federation. The maximum string length in characters is 256.
created_at	google.protobuf.Timestamp Creation timestamp.
cookie_max_age	google.protobuf.Duration Browser cookie lifetime in seconds. If the cookie is still valid, the management console authenticates the user immediately and redirects them to the home page. Acceptable values are 10m to 12h, inclusive.
auto_create_account_on_login	bool Add new users automatically on successful authentication. The user will get the `resource-manager.clouds.member` role automatically, but you need to grant other roles to them. If the value is `false`, users who aren't added to the cloud can't log in, even if they have authenticated on your server.
issuer	string Required. ID of the IdP server to be used for authentication. The IdP server also responds to IAM with this ID after the user authenticates. The maximum string length in characters is 8000.
sso_binding	enum BindingType Single sign-on endpoint binding type. Most Identity Providers support the `POST` binding type. SAML Binding is a mapping of a SAML protocol message onto standard messaging formats and/or communications protocols. `POST`: HTTP POST binding. `REDIRECT`: HTTP redirect binding. `ARTIFACT`: HTTP artifact binding.
sso_url	string Required. Single sign-on endpoint URL. Specify the link to the IdP login page here. The maximum string length in characters is 8000.
security_settings	FederationSecuritySettings Federation security settings.
case_insensitive_name_ids	bool Use case insensitive Name IDs.

FederationSecuritySettings

Field	Description
encrypted_assertions	bool Enable encrypted assertions.

List

Retrieves the list of federations in the specified folder.

rpc List (ListFederationsRequest) returns (ListFederationsResponse)

ListFederationsRequest

Field	Description
scope	oneof: `cloud_id` or `folder_id`
cloud_id	string ID of the cloud to list federations in. To get the cloud ID, make a yandex.cloud.resourcemanager.v1.CloudService.List request. The maximum string length in characters is 50.
folder_id	string ID of the folder to list federations in. To get the folder ID, make a yandex.cloud.resourcemanager.v1.FolderService.List request. The maximum string length in characters is 50.
page_size	int64 The maximum number of results per page to return. If the number of available results is larger than `page_size`, the service returns a ListFederationsResponse.next_page_token that can be used to get the next page of results in subsequent list requests. Default value: 100 Acceptable values are 0 to 1000, inclusive.
page_token	string Page token. To get the next page of results, set `page_token` to the ListFederationsResponse.next_page_token returned by a previous list request. The maximum string length in characters is 50.
filter	string The field name. Currently you can use filtering only on the Federation.name field. An operator. Can be either `=` or `!=` for single values, `IN` or `NOT IN` for lists of values. The value. Must be 3-63 characters long and match the regular expression `^[a-z][-a-z0-9]{1,61}[a-z0-9]$`. The maximum string length in characters is 1000.

ListFederationsResponse

Field	Description
federations[]	Federation List of federations.
next_page_token	string This token allows you to get the next page of results for list requests. If the number of results is larger than ListFederationsRequest.page_size, use the `next_page_token` as the value for the ListFederationsRequest.page_token query parameter in the next list request. Each subsequent list request will have its own `next_page_token` to continue paging through the results.

Federation

Field	Description
id	string Required. ID of the federation. The maximum string length in characters is 50.
folder_id	string Required. ID of the folder that the federation belongs to. The maximum string length in characters is 50.
name	string Required. Name of the federation. Value must match the regular expression `\|[a-z][-a-z0-9]{1,61}[a-z0-9]`.
description	string Description of the federation. The maximum string length in characters is 256.
created_at	google.protobuf.Timestamp Creation timestamp.
cookie_max_age	google.protobuf.Duration Browser cookie lifetime in seconds. If the cookie is still valid, the management console authenticates the user immediately and redirects them to the home page. Acceptable values are 10m to 12h, inclusive.
auto_create_account_on_login	bool Add new users automatically on successful authentication. The user will get the `resource-manager.clouds.member` role automatically, but you need to grant other roles to them. If the value is `false`, users who aren't added to the cloud can't log in, even if they have authenticated on your server.
issuer	string Required. ID of the IdP server to be used for authentication. The IdP server also responds to IAM with this ID after the user authenticates. The maximum string length in characters is 8000.
sso_binding	enum BindingType Single sign-on endpoint binding type. Most Identity Providers support the `POST` binding type. SAML Binding is a mapping of a SAML protocol message onto standard messaging formats and/or communications protocols. `POST`: HTTP POST binding. `REDIRECT`: HTTP redirect binding. `ARTIFACT`: HTTP artifact binding.
sso_url	string Required. Single sign-on endpoint URL. Specify the link to the IdP login page here. The maximum string length in characters is 8000.
security_settings	FederationSecuritySettings Federation security settings.
case_insensitive_name_ids	bool Use case insensitive Name IDs.

FederationSecuritySettings

Field	Description
encrypted_assertions	bool Enable encrypted assertions.

Create

Creates a federation in the specified folder.

rpc Create (CreateFederationRequest) returns (operation.Operation)

Metadata and response of Operation:

Operation.metadata:CreateFederationMetadata

Operation.response:Federation

CreateFederationRequest

Field	Description
folder_id	string ID of the folder to create a federation in. To get the folder ID, make a yandex.cloud.resourcemanager.v1.FolderService.List request. The maximum string length in characters is 50.
name	string Name of the federation. The name must be unique within the cloud. Value must match the regular expression `[a-z]([-a-z0-9]{0,61}[a-z0-9])?`.
description	string Description of the federation. The maximum string length in characters is 256.
cookie_max_age	google.protobuf.Duration Browser cookie lifetime in seconds. If the cookie is still valid, the management console authenticates the user immediately and redirects them to the home page. The default value is `8h`. Acceptable values are 10m to 12h, inclusive.
auto_create_account_on_login	bool Add new users automatically on successful authentication. The user will get the `resource-manager.clouds.member` role automatically, but you need to grant other roles to them. If the value is `false`, users who aren't added to the cloud can't log in, even if they have authenticated on your server.
issuer	string Required. ID of the IdP server to be used for authentication. The IdP server also responds to IAM with this ID after the user authenticates. The maximum string length in characters is 8000.
sso_binding	enum BindingType Single sign-on endpoint binding type. Most Identity Providers support the `POST` binding type. SAML Binding is a mapping of a SAML protocol message onto standard messaging formats and/or communications protocols. `POST`: HTTP POST binding. `REDIRECT`: HTTP redirect binding. `ARTIFACT`: HTTP artifact binding.
sso_url	string Required. Single sign-on endpoint URL. Specify the link to the IdP login page here. The maximum string length in characters is 8000.
security_settings	FederationSecuritySettings Federation security settings.
case_insensitive_name_ids	bool Use case insensitive Name IDs.

FederationSecuritySettings

Field	Description
encrypted_assertions	bool Enable encrypted assertions.

Operation

Field	Description
id	string ID of the operation.
description	string Description of the operation. 0-256 characters long.
created_at	google.protobuf.Timestamp Creation timestamp.
created_by	string ID of the user or service account who initiated the operation.
modified_at	google.protobuf.Timestamp The time when the Operation resource was last modified.
done	bool If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available.
metadata	google.protobuf.Any<CreateFederationMetadata> Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
result	oneof: `error` or `response` The operation result. If `done == false` and there was no failure detected, neither `error` nor `response` is set. If `done == false` and there was a failure detected, `error` is set. If `done == true`, exactly one of `error` or `response` is set.
error	google.rpc.Status The error result of the operation in case of failure or cancellation.
response	google.protobuf.Any<Federation> if operation finished successfully.

CreateFederationMetadata

Field	Description
federation_id	string ID of the federation that is being created.

Federation

Field	Description
id	string Required. ID of the federation. The maximum string length in characters is 50.
folder_id	string Required. ID of the folder that the federation belongs to. The maximum string length in characters is 50.
name	string Required. Name of the federation. Value must match the regular expression `\|[a-z][-a-z0-9]{1,61}[a-z0-9]`.
description	string Description of the federation. The maximum string length in characters is 256.
created_at	google.protobuf.Timestamp Creation timestamp.
cookie_max_age	google.protobuf.Duration Browser cookie lifetime in seconds. If the cookie is still valid, the management console authenticates the user immediately and redirects them to the home page. Acceptable values are 10m to 12h, inclusive.
auto_create_account_on_login	bool Add new users automatically on successful authentication. The user will get the `resource-manager.clouds.member` role automatically, but you need to grant other roles to them. If the value is `false`, users who aren't added to the cloud can't log in, even if they have authenticated on your server.
issuer	string Required. ID of the IdP server to be used for authentication. The IdP server also responds to IAM with this ID after the user authenticates. The maximum string length in characters is 8000.
sso_binding	enum BindingType Single sign-on endpoint binding type. Most Identity Providers support the `POST` binding type. SAML Binding is a mapping of a SAML protocol message onto standard messaging formats and/or communications protocols. `POST`: HTTP POST binding. `REDIRECT`: HTTP redirect binding. `ARTIFACT`: HTTP artifact binding.
sso_url	string Required. Single sign-on endpoint URL. Specify the link to the IdP login page here. The maximum string length in characters is 8000.
security_settings	FederationSecuritySettings Federation security settings.
case_insensitive_name_ids	bool Use case insensitive Name IDs.

FederationSecuritySettings

Field	Description
encrypted_assertions	bool Enable encrypted assertions.

Update

Updates the specified federation.

rpc Update (UpdateFederationRequest) returns (operation.Operation)

Metadata and response of Operation:

Operation.metadata:UpdateFederationMetadata

Operation.response:Federation

UpdateFederationRequest

Field	Description
federation_id	string ID of the federation to update. To get the federation ID, make a FederationService.List request. The maximum string length in characters is 50.
update_mask	google.protobuf.FieldMask Field mask that specifies which fields of the federation are going to be updated.
name	string Name of the federation. The name must be unique within the cloud. Value must match the regular expression `\|[a-z]([-a-z0-9]{0,61}[a-z0-9])?`.
description	string Description of the federation. The maximum string length in characters is 256.
cookie_max_age	google.protobuf.Duration Browser cookie lifetime in seconds. If the cookie is still valid, the management console authenticates the user immediately and redirects them to the home page. The default value is `8h`. Acceptable values are 10m to 12h, inclusive.
auto_create_account_on_login	bool Add new users automatically on successful authentication. The user will get the `resource-manager.clouds.member` role automatically, but you need to grant other roles to them. If the value is `false`, users who aren't added to the cloud can't log in, even if they have authenticated on your server.
issuer	string Required. ID of the IdP server to be used for authentication. The IdP server also responds to IAM with this ID after the user authenticates. The maximum string length in characters is 8000.
sso_binding	enum BindingType Single sign-on endpoint binding type. Most Identity Providers support the `POST` binding type. SAML Binding is a mapping of a SAML protocol message onto standard messaging formats and/or communications protocols. `POST`: HTTP POST binding. `REDIRECT`: HTTP redirect binding. `ARTIFACT`: HTTP artifact binding.
sso_url	string Required. Single sign-on endpoint URL. Specify the link to the IdP login page here. The maximum string length in characters is 8000.
security_settings	FederationSecuritySettings Federation security settings.
case_insensitive_name_ids	bool Use case insensitive name ids.

FederationSecuritySettings

Field	Description
encrypted_assertions	bool Enable encrypted assertions.

Operation

Field	Description
id	string ID of the operation.
description	string Description of the operation. 0-256 characters long.
created_at	google.protobuf.Timestamp Creation timestamp.
created_by	string ID of the user or service account who initiated the operation.
modified_at	google.protobuf.Timestamp The time when the Operation resource was last modified.
done	bool If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available.
metadata	google.protobuf.Any<UpdateFederationMetadata> Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
result	oneof: `error` or `response` The operation result. If `done == false` and there was no failure detected, neither `error` nor `response` is set. If `done == false` and there was a failure detected, `error` is set. If `done == true`, exactly one of `error` or `response` is set.
error	google.rpc.Status The error result of the operation in case of failure or cancellation.
response	google.protobuf.Any<Federation> if operation finished successfully.

UpdateFederationMetadata

Field	Description
federation_id	string ID of the federation that is being updated.

Federation

Field	Description
id	string Required. ID of the federation. The maximum string length in characters is 50.
folder_id	string Required. ID of the folder that the federation belongs to. The maximum string length in characters is 50.
name	string Required. Name of the federation. Value must match the regular expression `\|[a-z][-a-z0-9]{1,61}[a-z0-9]`.
description	string Description of the federation. The maximum string length in characters is 256.
created_at	google.protobuf.Timestamp Creation timestamp.
cookie_max_age	google.protobuf.Duration Browser cookie lifetime in seconds. If the cookie is still valid, the management console authenticates the user immediately and redirects them to the home page. Acceptable values are 10m to 12h, inclusive.
auto_create_account_on_login	bool Add new users automatically on successful authentication. The user will get the `resource-manager.clouds.member` role automatically, but you need to grant other roles to them. If the value is `false`, users who aren't added to the cloud can't log in, even if they have authenticated on your server.
issuer	string Required. ID of the IdP server to be used for authentication. The IdP server also responds to IAM with this ID after the user authenticates. The maximum string length in characters is 8000.
sso_binding	enum BindingType Single sign-on endpoint binding type. Most Identity Providers support the `POST` binding type. SAML Binding is a mapping of a SAML protocol message onto standard messaging formats and/or communications protocols. `POST`: HTTP POST binding. `REDIRECT`: HTTP redirect binding. `ARTIFACT`: HTTP artifact binding.
sso_url	string Required. Single sign-on endpoint URL. Specify the link to the IdP login page here. The maximum string length in characters is 8000.
security_settings	FederationSecuritySettings Federation security settings.
case_insensitive_name_ids	bool Use case insensitive Name IDs.

FederationSecuritySettings

Field	Description
encrypted_assertions	bool Enable encrypted assertions.

Delete

Deletes the specified federation.

rpc Delete (DeleteFederationRequest) returns (operation.Operation)

Metadata and response of Operation:

Operation.metadata:DeleteFederationMetadata

Operation.response:google.protobuf.Empty

DeleteFederationRequest

Field	Description
federation_id	string ID of the federation to delete. To get the federation ID, make a FederationService.List request. The maximum string length in characters is 50.

Operation

Field	Description
id	string ID of the operation.
description	string Description of the operation. 0-256 characters long.
created_at	google.protobuf.Timestamp Creation timestamp.
created_by	string ID of the user or service account who initiated the operation.
modified_at	google.protobuf.Timestamp The time when the Operation resource was last modified.
done	bool If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available.
metadata	google.protobuf.Any<DeleteFederationMetadata> Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
result	oneof: `error` or `response` The operation result. If `done == false` and there was no failure detected, neither `error` nor `response` is set. If `done == false` and there was a failure detected, `error` is set. If `done == true`, exactly one of `error` or `response` is set.
error	google.rpc.Status The error result of the operation in case of failure or cancellation.
response	google.protobuf.Any<google.protobuf.Empty> if operation finished successfully.

DeleteFederationMetadata

Field	Description
federation_id	string ID of the federation that is being deleted.

AddUserAccounts

Adds users to the specified federation.

rpc AddUserAccounts (AddFederatedUserAccountsRequest) returns (operation.Operation)

Metadata and response of Operation:

Operation.metadata:AddFederatedUserAccountsMetadata

Operation.response:AddFederatedUserAccountsResponse

AddFederatedUserAccountsRequest

Field	Description
federation_id	string ID of the federation to add users. The maximum string length in characters is 50.
name_ids[]	string Name IDs returned by the Identity Provider (IdP) on successful authentication. These may be UPNs or user email addresses. The maximum string length in characters for each value is 1000.

Operation

Field	Description
id	string ID of the operation.
description	string Description of the operation. 0-256 characters long.
created_at	google.protobuf.Timestamp Creation timestamp.
created_by	string ID of the user or service account who initiated the operation.
modified_at	google.protobuf.Timestamp The time when the Operation resource was last modified.
done	bool If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available.
metadata	google.protobuf.Any<AddFederatedUserAccountsMetadata> Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
result	oneof: `error` or `response` The operation result. If `done == false` and there was no failure detected, neither `error` nor `response` is set. If `done == false` and there was a failure detected, `error` is set. If `done == true`, exactly one of `error` or `response` is set.
error	google.rpc.Status The error result of the operation in case of failure or cancellation.
response	google.protobuf.Any<AddFederatedUserAccountsResponse> if operation finished successfully.

AddFederatedUserAccountsMetadata

Field	Description
federation_id	string ID of the federation that is being altered.

AddFederatedUserAccountsResponse

Field	Description
user_accounts[]	UserAccount List of users created by FederationService.AddUserAccounts request.

UserAccount

Field	Description
id	string ID of the user account.
user_account	oneof: `yandex_passport_user_account` or `saml_user_account`
yandex_passport_user_account	YandexPassportUserAccount A YandexPassportUserAccount resource.
saml_user_account	SamlUserAccount A SAML federated user.

YandexPassportUserAccount

Field	Description
login	string Login of the Yandex.Passport user account.
default_email	string Default email of the Yandex.Passport user account.

SamlUserAccount

Field	Description
federation_id	string Required. ID of the federation that the federation belongs to. The maximum string length in characters is 50.
name_id	string Required. Name Id of the SAML federated user. The name is unique within the federation. 1-256 characters long. The string length in characters must be 1-256.
attributes	map<string,Attribute> Additional attributes of the SAML federated user.

Attribute

Field	Description
value[]	string

ListOperations

Lists operations for the specified federation.

rpc ListOperations (ListFederationOperationsRequest) returns (ListFederationOperationsResponse)

ListFederationOperationsRequest

Field	Description
federation_id	string ID of the federation to list operations for. The maximum string length in characters is 50.
page_size	int64 The maximum number of results per page to return. If the number of available results is larger than `page_size`, the service returns a ListFederationOperationsResponse.next_page_token that can be used to get the next page of results in subsequent list requests. Default value: 100. Acceptable values are 0 to 1000, inclusive.
page_token	string Page token. To get the next page of results, set `page_token` to the ListFederationOperationsResponse.next_page_token returned by a previous list request. The maximum string length in characters is 100.

ListFederationOperationsResponse

Field Description

operations[] operation.Operation
List of operations for the specified federation.

next_page_token string
This token allows you to get the next page of results for list requests. If the number of results is larger than ListFederationOperationsRequest.page_size, use the next_page_token as the value for the ListFederationOperationsRequest.page_token query parameter in the next list request. Each subsequent list request will have its own next_page_token to continue paging through the results.

Field	Description
operations[]	operation.Operation List of operations for the specified federation.
next_page_token	string This token allows you to get the next page of results for list requests. If the number of results is larger than ListFederationOperationsRequest.page_size, use the `next_page_token` as the value for the ListFederationOperationsRequest.page_token query parameter in the next list request. Each subsequent list request will have its own `next_page_token` to continue paging through the results.

Operation

Field	Description
id	string ID of the operation.
description	string Description of the operation. 0-256 characters long.
created_at	google.protobuf.Timestamp Creation timestamp.
created_by	string ID of the user or service account who initiated the operation.
modified_at	google.protobuf.Timestamp The time when the Operation resource was last modified.
done	bool If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available.
metadata	google.protobuf.Any Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
result	oneof: `error` or `response` The operation result. If `done == false` and there was no failure detected, neither `error` nor `response` is set. If `done == false` and there was a failure detected, `error` is set. If `done == true`, exactly one of `error` or `response` is set.
error	google.rpc.Status The error result of the operation in case of failure or cancellation.
response	google.protobuf.Any The normal response of the operation in case of success. If the original method returns no data on success, such as Delete, the response is google.protobuf.Empty. If the original method is the standard Create/Update, the response should be the target resource of the operation. Any method that returns a long-running operation should document the response type, if any.