Get started
Yandex Cloud Organization

Configuring an identity federation

If your company has a user and access management system (for example, Active Directory or Google Workspace), you can use it to authorize employees in Yandex Cloud Organization. In this case, you don't need to create a new Yandex account for every company employee. They can get access to Yandex.Cloud services using their corporate accounts.

Warning

The Yandex Cloud Organization service is running in Preview mode. Managing organization services is unavailable.

Identity federation is a technology with which you can implement a single sign-on system (SSO) and use corporate accounts for authorization in Organization. In this case, your corporate account management system acts as an identity provider (IdP).

In Organization, you can create an identity federation with any credential management service (identity provider) that supports the SAML protocol.

Information about user logins and passwords is stored by the identity provider. When a user logs in to Organization, they're directed to the identity provider (IdP) server for authentication. If authentication is successful, the user gets access to Yandex.Cloud services.

Creating a federation

  1. Log in to the organization's administrator account.

  2. Go to Yandex Cloud Organization.

  3. In the left panel, select Federations icon-federation.

  4. Click Create federation.

  5. Enter the federation name and description.

  6. In the Cookie lifetime field, specify the period of time during which the browser won't ask the user to re-authenticate.

  7. In the IdP Issuer field, specify the IdP server ID to be used for authentication. The IdP server must send the same ID in its response to Organization during user authentication.

    Note

    ID format depends on the type of IdP server you use (for example, Active Directory or Google Workspace).

  8. In the SSO method field, choose POST.

  9. In the Link to the IdP login page field, specify the address of the page where the browser redirects the user for authentication.

  10. Add the identity provider certificate to the created federation.

All users who log in to Yandex Cloud Organization through the identity federation using their work accounts are automatically added to the list of the organization's users.

To learn more about configuring an identity federation for different identity providers, see the Yandex Identity and Access Management documentation:

Adding a certificate

When the identity provider (IdP) informs Yandex Cloud Organization that a user has been authenticated, they sign the message with their certificate. To enable Organization to verify this certificate, add it to the created federation.

  1. Get your identity provider certificate.

    Note

    To find out how to get a certificate, see the documentation or go to the support service of your identity provider.

  2. Go to Yandex Cloud Organization.

  3. In the left panel, select Federations icon-federation.

  4. Click the name of the federation you need to add a certificate to.

  5. At the bottom of the page, click Add certificate.

  6. Enter the certificate's name and description.

  7. Choose how to add the certificate:

    • To add a certificate as a file, click Choose a file and specify the path to it.
    • To paste the contents of a copied certificate, select the Text method and paste the contents.

  8. Click Add.

Tip

Certificates have limited validity periods. Before the current certificate expires, we recommend adding a new certificate.

In this article: