Authentication using Active Directory

Written by
Yandex Cloud
Updated at May 13, 2025
  • Getting started
  • Create a federation in your organization
  • Specify certificates for the federation
    • Create a relying party trust
    • Configure Claims Mapping
  • Add users to your organization
  • Test authentication
  • What's next

With an identity federation, you can set up Single Sign-On (SSO) and use Microsoft Active Directory in conjunction with Microsoft Active Directory Federation Services (AD FS) for cloud authentication.

To configure SSO:

  1. Create a federation in your organization.

  2. Specify certificates for the federation.

  3. Configure the AD FS farm: create a relying party trust and configure claims mapping.

  4. Add users to your organization.

  5. Test authentication.

Getting started

To follow the steps in this section, you will need:

  1. An operational AD FS farm.

    If you do not have an AD FS farm configured yet, follow these steps to set one up:

    1. Deploy and configure Active Directory Domain Services (AD DS) if you have not already done so. AD FS requires AD DS.

    2. Deploy and configure an AD FS farm of one or more servers.

      Tip

      Add multiple servers to your AD FS farm for fault tolerance, so that SSO remains available even if some of the servers go down.

  2. A valid SSL certificate for use in AD FS. If you do not have a valid certificate, get one.

    To prevent browsers from blocking the authentication page when using SSO, the certificate must satisfy the following requirements:

    • The certificate must be trusted by devices and users within the Active Directory forest.

    • The certificate's Subject Name property and Alternative Name extension must contain the AD FS farm's FQDN.

      How to get a farm FQDN
      1. Connect to any server in the AD FS farm and open the PowerShell console.

      2. Get the federation service endpoint:

        Get-AdfsEndpoint -AddressPath /adfs/ls/ | Select FullUrl
        

        The endpoint contains the FQDN of the AD FS farm and has the following format:

        https://<AD_FS_farm_FQDN>/adfs/ls/
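The two certificate requirements above can be checked from any farm member before you touch Yandex Cloud. The following PowerShell is an added example and not part of the original tutorial; it assumes the ADFS module is present on the server (it is installed with the role) and that the SSL certificate bound to the federation service is in the LocalMachine\My store, which is where AD FS expects it. It also prints the issuer identifier and the SSO URL that the next section asks for.

```powershell
# Added example: verify the AD FS prerequisites used by this tutorial.
# Run in an elevated PowerShell console on any AD FS farm member.
Import-Module ADFS

# 1. Values Yandex Cloud will ask for: SSO URL and federation service identifier (IdP Issuer)
$props    = Get-AdfsProperties
$ssoUrl   = (Get-AdfsEndpoint -AddressPath /adfs/ls/).FullUrl
$farmFqdn = ([System.Uri]$ssoUrl).Host
"Link to the IdP login page (SSO URL): $ssoUrl"
"IdP Issuer (federation service identifier): $($props.Identifier)"

# 2. Find the SSL certificate bound to the farm FQDN
$binding = Get-AdfsSslCertificate | Where-Object { $_.HostName -eq $farmFqdn } | Select-Object -First 1
if (-not $binding) { throw "No AD FS SSL binding found for $farmFqdn" }
$sslCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $binding.CertificateHash }
if (-not $sslCert) { throw "Certificate $($binding.CertificateHash) is not in LocalMachine\My" }

# 3. Requirement: farm FQDN must appear in the Subject and in the Subject Alternative Name extension
$sanExt    = $sslCert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
$sanText   = if ($sanExt) { $sanExt.Format($true) } else { '' }
$inSubject = $sslCert.Subject -match [regex]::Escape("CN=$farmFqdn")
$inSan     = $sanText -match [regex]::Escape($farmFqdn)
"Subject contains FQDN: $inSubject; SAN contains FQDN: $inSan"

# 4. Requirement: the certificate must chain to a CA this host trusts.
#    Revocation checking is disabled here so the check works offline; keep it on in production.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$trusted = $chain.Build($sslCert)
"Chain trusted: $trusted; expires: $($sslCert.NotAfter)"

if ($sslCert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "SSL certificate expires within 30 days" }
if (-not ($inSubject -and $inSan -and $trusted)) {
    Write-Warning "Browsers may block the SSO page until the SSL certificate is fixed"
}
```

The chain check runs with the trust store of the AD FS server, so a certificate that passes here can still fail on clients that lack the issuing CA; the requirement is that the CA is trusted across the forest, not only on the farm.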
        

Create a federation in your organization

To create a federation:

Cloud Center interface

  1. Go to Yandex Cloud Organization.

  2. In the left-hand panel, select Federations.

  3. Click Create federation in the top-right corner of the page.

  4. Give your federation a name. It must be unique within the folder.

  5. You can also add a description, if required.

  6. In the Cookie lifetime field, specify the time before the browser asks the user to re-authenticate.

  7. In the IdP Issuer field, specify the AD FS federation service identifier. By default it has the http://<AD_FS_farm_FQDN>/adfs/services/trust format. Note that it uses the http scheme: it is an identifier string that must match the Issuer element AD FS puts in its SAML responses, not a page to open in a browser.

    How to get a farm FQDN
    1. Connect to any server in the AD FS farm and open the PowerShell console.

    2. Get the federation service endpoint:

      Get-AdfsEndpoint -AddressPath /adfs/ls/ | Select FullUrl
      

      The endpoint contains the FQDN of the AD FS farm and has the following format:

      https://<AD_FS_farm_FQDN>/adfs/ls/
      
  8. In the Single Sign-On method field, choose POST.

  9. In the Link to the IdP login page field, specify a link in https://<AD_FS_farm_FQDN>/adfs/ls/ format.

    Only the http and https schemes are allowed in the link. Use https: AD FS serves the /adfs/ls/ endpoint over TLS only.

  10. Enable Automatically create users to add authenticated users to your organization automatically. If this option is disabled, the user will not be able to use Yandex Cloud until they are added to the organization manually.

    A federated user is created automatically only when they log in to a cloud for the first time. If you removed a user from the federation, you can only add them back manually.

  11. To make sure all authentication requests from Yandex Cloud contain a digital signature, enable the Sign authentication requests option. To complete this configuration, you will need to install a Yandex Cloud certificate for your IdP.

    In the SAML certificates block that appears, you will see the information about the current Yandex Cloud SAML certificate.

    Click Download and save the downloaded certificate file. You will need to upload it to your IdP server.

    Tip

    Track certificate expiration dates and always install a new certificate before the current one expires. Make sure to download the re-issued Yandex Cloud SAML certificate and install it on the IdP side and in your federation well in advance.

    You can download and install a Yandex Cloud certificate even after creating a federation.

  12. Enable Mandatory re-authentication (ForceAuthn) in IdP to set ForceAuthn to true in the SAML authentication request. If enabled, the IdP will request the user to re-authenticate once the Yandex Cloud session expires.

  13. Click Create federation.

CLI

If you do not have the Yandex Cloud (CLI) command line interface yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. View the description of the create federation command:

    yc organization-manager federation saml create --help
    
  2. Create a federation:

    yc organization-manager federation saml create --name my-federation \
      --organization-id <organization_ID> \
      --auto-create-account-on-login \
      --cookie-max-age 12h \
      --issuer "http://example.com/adfs/services/trust" \
      --sso-url "https://example.com/adfs/ls/" \
      --sso-binding POST \
      --encrypted-assertions \
      --force-authn
    

    Where:

    • --name: Federation name. It must be unique within the folder.

    • --organization-id: Organization ID.

    • --auto-create-account-on-login: Option enabling the automatic creation of new cloud users after authentication using an identity provider (IdP).

      This option makes it easier to create users; however, users created this way will not be able to do anything with cloud resources. This does not apply to the resources for which roles are assigned to the All users or All authenticated users public group.

      If this option is off, users not added to the organization will not be able to log in to the management console, even if authenticated via an identity provider. In this case, you can manage a list of users allowed to use Yandex Cloud resources.

    • --cookie-max-age: Time before the browser asks the user to re-authenticate.

    • --issuer: ID of the identity provider that will be used for authentication.

      Specify a link in http://<AD_FS_farm_FQDN>/adfs/services/trust format.

      How to get a farm FQDN
      1. Connect to any server in the AD FS farm and open the PowerShell console.

      2. Get the federation service endpoint:

        Get-AdfsEndpoint -AddressPath /adfs/ls/ | Select FullUrl
        

        The endpoint contains the FQDN of the AD FS farm and has the following format:

        https://<AD_FS_farm_FQDN>/adfs/ls/
        
    • --sso-url: URL of the page the browser has to redirect the user to for authentication.

      Specify a link in https://<AD_FS_farm_FQDN>/adfs/ls/ format.

      You can only use HTTP and HTTPS in a link.

    • --sso-binding: Single sign-on binding type. Most identity providers support the POST binding type.

    • (Optional) --encrypted-assertions: Flag enabling a digital signature for authentication requests.

      If set to true, all authentication requests from Yandex Cloud will contain a digital signature.

      You can download and install a Yandex Cloud certificate even after creating a federation.

    • (Optional) --force-authn: When the Yandex Cloud session expires, your IdP will prompt the user to re-authenticate.

Terraform

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

  1. Specify the federation parameters in the configuration file.

    Here is the configuration file example:

    resource "yandex_organizationmanager_saml_federation" "federation" {
      name                         = "my-federation"
      organization_id              = "<organization_ID>"
      auto_create_account_on_login = true
      issuer                       = "http://example.com/adfs/services/trust"
      sso_url                      = "https://example.com/adfs/ls/"
      sso_binding                  = "POST"
      security_settings {
        encrypted_assertions = true
        force_authn          = true
      }
    }
    

    Where:

    • name: Federation name. It must be unique within the folder.

    • description: Federation description.

    • organization_id: Organization ID.

    • labels: Set of key/value label pairs assigned to the federation.

    • issuer: Identity provider (IdP) ID that will be used for authentication.

      Specify a link in http://<AD_FS_farm_FQDN>/adfs/services/trust format.

      How to get a farm FQDN
      1. Connect to any server in the AD FS farm and open the PowerShell console.

      2. Get the federation service endpoint:

        Get-AdfsEndpoint -AddressPath /adfs/ls/ | Select FullUrl
        

        The endpoint contains the FQDN of the AD FS farm and has the following format:

        https://<AD_FS_farm_FQDN>/adfs/ls/
        
    • sso_binding: Single sign-on binding type. Most identity providers support the POST binding type.

    • sso_url: URL of the page the browser has to redirect the user to for authentication.

      Specify a link in https://<AD_FS_farm_FQDN>/adfs/ls/ format.

      You can only use HTTP and HTTPS in a link.

    • cookie_max_age: Time in seconds before the browser asks the user to re-authenticate. The default value is 8 hours.

    • auto_create_account_on_login: Option enabling the automatic creation of new cloud users after authentication using an identity provider.

      This option makes it easier to create users; however, users created this way will not be able to do anything with cloud resources. This does not apply to the resources for which roles are assigned to the All users or All authenticated users public group.

      If this option is off, users not added to the organization will not be able to log in to the management console, even if authenticated via an identity provider. In this case, you can manage a list of users allowed to use Yandex Cloud resources.

    • case_insensitive_name_ids: Toggles username case sensitivity.
      If this option is enabled, the IDs of federated user names will be case-insensitive.

    • security_settings: Federation security settings:

      • encrypted_assertions: Sign authentication requests.

        If this option is enabled, all authentication requests from Yandex Cloud will have a digital signature.

        You can download and install a Yandex Cloud certificate even after creating a federation.

      • force_authn: When the Yandex Cloud session expires, your IdP will prompt the user to re-authenticate. This is an optional parameter.

    For more information about the yandex_organizationmanager_saml_federation resource parameters, see the provider documentation.

  2. Make sure the configuration files are correct.

    1. In the command line, go to the directory where you created the configuration file.

    2. Run a check using this command:

      terraform plan
      

    If the configuration is described correctly, the terminal displays the federation parameters. If the configuration contains any errors, Terraform will point them out.

  3. Create a federation.

    1. If the configuration does not contain any errors, run this command:

      terraform apply
      
    2. Confirm you want to create a federation.

    This will create a federation in the specified organization. You can check the new federation and its settings in the organization's Federations section.

API

  1. Create a file with the request body, e.g., body.json:

    {
      "name": "my-federation",
      "organizationId": "<organization_ID>",
      "autoCreateAccountOnLogin": true,
      "cookieMaxAge":"43200s",
      "issuer": "http://example.com/adfs/services/trust",
      "ssoUrl": "https://example.com/adfs/ls/",
      "ssoBinding": "POST",
      "securitySettings": {
        "encryptedAssertions": true,
        "forceAuthn": true
      }
    }
    

    Where:

    • name: Federation name. It must be unique within the folder.

    • organizationId: Organization ID.

    • autoCreateAccountOnLogin: Option enabling the automatic creation of new cloud users after authentication using an identity provider (IdP).

      This option makes it easier to create users; however, users created this way will not be able to do anything with cloud resources. This does not apply to the resources for which roles are assigned to the All users or All authenticated users public group.

      If this option is off, users not added to the organization will not be able to log in to the management console, even if authenticated via an identity provider. In this case, you can manage a list of users allowed to use Yandex Cloud resources.

    • cookieMaxAge: Time before the browser asks the user to re-authenticate.

    • issuer: ID of the identity provider that will be used for authentication.

      Specify a link in http://<AD_FS_farm_FQDN>/adfs/services/trust format.

      How to get a farm FQDN
      1. Connect to any server in the AD FS farm and open the PowerShell console.

      2. Get the federation service endpoint:

        Get-AdfsEndpoint -AddressPath /adfs/ls/ | Select FullUrl
        

        The endpoint contains the FQDN of the AD FS farm and has the following format:

        https://<AD_FS_farm_FQDN>/adfs/ls/
        
    • ssoUrl: URL of the page the browser has to redirect the user to for authentication.

      Specify a link in https://<AD_FS_farm_FQDN>/adfs/ls/ format.

      You can only use HTTP and HTTPS in a link.

    • ssoBinding: Single sign-on binding type. Most identity providers support the POST binding type.

    • encryptedAssertions: Flag enabling a digital signature for authentication requests.

      If set to true, all authentication requests from Yandex Cloud will contain a digital signature.

      You can download and install a Yandex Cloud certificate even after creating a federation.

    • forceAuthn: Parameter that requires user re-authentication once a session expires in Yandex Cloud.

  2. To create a federation, use the create REST API method for the Federation resource or the FederationService/Create gRPC API call and provide a file with the query parameters in your query.

    Query example:

    curl \
      --request POST \
      --header "Content-Type: application/json" \
      --header "Authorization: Bearer <IAM_token>" \
      --data '@body.json' \
      https://organization-manager.api.cloud.yandex.net/organization-manager/v1/saml/federations
    

    Response example (abbreviated):

    {
     "done": true,
     "metadata": {
      "@type": "type.googleapis.com/yandex.cloud.organization-manager.v1.saml.CreateFederationMetadata",
      "federationId": "ajeobmje4dgj********"
     }
    }
    

    The federationId property contains the ID of the federation you created. Save it for later use.

Specify certificates for the federation

When informing Yandex Cloud Organization that a user has been authenticated, the identity provider signs the message with its own certificate. To enable Cloud Organization to verify this certificate, add it to your federation:

  1. Get an AD FS farm certificate:

    MMC snap-in

    1. Connect to any server in the AD FS farm and open Server Manager.

    2. Open the AD FS management console: Tools → AD FS Management.

    3. In the window that opens, click Services → Certificates in the tree on the left.

    4. Right-click the certificate in the Token-signing section and select View certificate.

    5. In the window that opens, go to the Details tab.

    6. Click the Copy to file button.

    7. Click Next.

    8. Select the format Base-64 encoded X.509 (.CER) and click Next.

    9. Specify where to save the certificate and under what name, then click Next.

    10. Check the certificate export settings and click Finish.

    PowerShell

    1. Connect to any server in the AD FS farm and open the PowerShell console.

    2. Get a Token-Signing certificate in Base64 format. To do this, run these commands, specifying the path you want to save the certificate at:

      $ADFS_CERT_PATH = "<path_to_certificate>/adfs_certificate.cer"
      
      $TEMP_CERT = (Get-AdfsCertificate -CertificateType Token-Signing |
                      where {$_.IsPrimary -eq $true} | Select-Object -First 1
                   ).Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
      
      @(
          '-----BEGIN CERTIFICATE-----'
          [System.Convert]::ToBase64String($TEMP_CERT, 'InsertLineBreaks')
          '-----END CERTIFICATE-----'
      ) | Out-File -FilePath $ADFS_CERT_PATH -Encoding ascii
      
      

      The certificate will be saved as adfs_certificate.cer.

  2. Add the farm certificate to the federation:

    Cloud Center interface

    1. Log in to Yandex Cloud Organization.

    2. In the left-hand panel, select Federations.

    3. Click the row with the federation you want to add a certificate to.

    4. Click Adding a certificate under Certificates at the bottom of the page.

    5. Enter certificate name and description.

    6. Choose how to add a certificate:

      • To add a certificate as a file, click Choose a file and specify the path to it.
      • To paste the contents of a copied certificate, select the Text method and paste the contents.
    7. Click Add.

    CLI

    If you do not have the Yandex Cloud (CLI) command line interface yet, install and initialize it.

    The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

    1. View the description of the add certificate command:

      yc organization-manager federation saml certificate create --help
      
    2. Add a federation certificate by specifying the certificate file path:

      yc organization-manager federation saml certificate create --federation-name my-federation \
        --name "my-certificate" \
        --certificate-file adfs_certificate.cer
      

    API

    To add a certificate, use the create method for the Certificate resource:

    1. Create the request body by specifying the contents of the certificate's data property:

      {
        "federationId": "<federation_ID>",
        "name": "my-certificate",
        "data": "MII...=="
      }
      
    2. Send the request to add the certificate:

      export IAM_TOKEN=CggaAT********
      curl -X POST \
        -H "Content-Type: application/json" \
        -H "Authorization: Bearer ${IAM_TOKEN}" \
        -d '@body.json' \
        "https://organization-manager.api.cloud.yandex.net/organization-manager/v1/saml/certificates"
      

Tip

Make sure to reissue certificates and add them to a federation in a timely manner.

To keep track of when your certificate expires, subscribe to notifications from the organization. Subscribed users get notifications 60, 30, and 5 days before the certificate expires and after its expiration.
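Expiry on the Yandex Cloud side is only half of the problem: with AutoCertificateRollover enabled (the AD FS default), the farm itself generates a new token-signing certificate shortly before the current one expires and promotes it to primary a few days later, after which responses are signed with a certificate the federation has never seen. The following PowerShell is an added example, not part of the original tutorial; it exports every token-signing certificate the farm holds (primary and secondary) so each can be registered in the federation ahead of promotion, and reports the rollover thresholds. It assumes the ADFS module on a farm member and an output folder that is illustrative.

```powershell
# Added example: export all AD FS token-signing certificates and report rollover timing.
Import-Module ADFS
$OutDir = 'C:\adfs-export'   # assumed path
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$props = Get-AdfsProperties
"AutoCertificateRollover: $($props.AutoCertificateRollover)"
if ($props.AutoCertificateRollover) {
    "AD FS generates the next token-signing certificate $($props.CertificateGenerationThreshold) days before expiry " +
    "and promotes it to primary $($props.CertificatePromotionThreshold) days later. Add it to the federation before promotion."
}

$exported = @()
foreach ($entry in Get-AdfsCertificate -CertificateType Token-Signing) {
    $cert = $entry.Certificate
    $role = if ($entry.IsPrimary) { 'primary' } else { 'secondary' }
    $path = Join-Path $OutDir "adfs-token-signing-$role-$($cert.Thumbprint).cer"

    # Same PEM encoding the tutorial uses, so the file is accepted as-is by Yandex Cloud
    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    @(
        '-----BEGIN CERTIFICATE-----'
        [System.Convert]::ToBase64String($der, 'InsertLineBreaks')
        '-----END CERTIFICATE-----'
    ) | Out-File -FilePath $path -Encoding ascii

    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    "$role  thumbprint=$($cert.Thumbprint)  expires=$($cert.NotAfter.ToString('u'))  daysLeft=$daysLeft  -> $path"
    if ($daysLeft -le 30) { Write-Warning "$role token-signing certificate expires in $daysLeft days" }
    $exported += $path
}

# Re-read each file and confirm it parses back to the same thumbprint, so what
# you upload to the federation is exactly what AD FS signs with.
foreach ($p in $exported) {
    $reparsed = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $p
    if ($p -notmatch $reparsed.Thumbprint) { throw "Export mismatch for $p" }
}
"Exported $($exported.Count) certificate(s). Upload each with: yc organization-manager federation saml certificate create --certificate-file <file>"
```

Registering the secondary certificate as soon as it appears keeps SSO working through the automatic promotion; the old primary can be removed from the federation once AD FS has retired it.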

Configure the AD FS farm to notify Yandex Cloud of every successful authentication and then redirect the user to the console. To set up a farm, you will need information about the federation you created earlier.

Note

This setup guide is for Windows Server 2016; for other versions the steps may be different.

To configure a farm:

  1. Create a relying party trust.

  2. Configure Claims Mapping.

Create a relying party trust

Create a relying party trust so that Yandex Cloud can use AD FS for authentication:

  1. Connect to any server in the AD FS farm and open Server Manager.

  2. Open the AD FS management console: Tools → AD FS Management.

  3. In the list of actions, select Add Relying Party Trust.

    The wizard window opens.

  4. At the Welcome step, select Claims aware and click Start.

  5. At the Select Data Source step, select Enter data about the relying party manually and click Next.

  6. At the Specify Display Name step, enter a name, e.g., Yandex Cloud and click Next.

  7. Skip the Configure Certificate step by clicking Next. You will configure certificates later.

  8. At the Configure URL step, select Enable support for the SAML 2.0 WebSSO protocol and, in the Relying party SAML 2.0 SSO service URL field, enter the federation's ACS URL. This is where AD FS posts the SAML response after successful authentication.

    How to get a federation ID
    1. Log in to Yandex Cloud Organization.
    2. In the left-hand panel, select Federations.
    3. Select the required federation and copy the Identifier field value on the federation info page.

    How to get the federation ACS URL
    1. Log in to Yandex Cloud Organization.
    2. In the left-hand panel, select Federations.
    3. Select the required federation and copy the ACS URL field value on the federation info page.

    Then click Next.

  9. At the Configure Identifiers step, enter the same ACS URL as the relying party trust identifier and click Add. This identifier is also the audience AD FS writes into the assertion. Then click Next.

  10. At the Choose Access Control Policy step, choose who can authenticate using this federation. By default, the Permit everyone policy is selected, which lets every user in the forest obtain an assertion for this relying party.

    You can choose a different policy. For example, to grant access to a specific group of users, select Permit specific group and click <parameter> to select the groups to get the access permission. Restricting access here is worthwhile even when Automatically create users is disabled in Yandex Cloud, since otherwise every domain user receives a signed assertion for the federation. Read more about access control policies.

    After you select a policy, click Next.

  11. At the Ready to Add Trust step, check the entered data and click Close.

  12. (Optional) If you enabled Sign authentication requests when creating the federation in Yandex Cloud Organization, configure the associated relying party trust parameters:

    1. Open the context menu of the relying party trust you created and select Properties.

      This will open the window with relying party trust properties.

    2. Go to the Encryption tab and add the Yandex Cloud SAML certificate you downloaded earlier. AD FS uses this certificate to encrypt the assertions it issues to Yandex Cloud:

      1. Click Browse.

      2. Select the certificate file, such as YandexCloud.cer.

        If you did not download a SAML certificate when creating the federation, you can download it on the Yandex Cloud Organization federation info page by clicking Download certificate in the Sign authentication requests field.

    3. Go to the Signature tab and add the same certificate. AD FS uses it to verify the signature on authentication requests coming from Yandex Cloud:

      1. Click Add.
      2. Select the certificate file.
    4. Click OK.

    5. Enable required claim encryption and request signing for the created relying party trust:

      Set-AdfsRelyingPartyTrust `
          -TargetName "Yandex Cloud" `
          -EncryptClaims $true `
          -SignedSamlRequestsRequired $true `
          -SamlResponseSignature MessageAndAssertion
      
  13. (Optional) If you enabled Mandatory re-authentication (ForceAuthn) in IdP when creating the federation in Yandex Cloud Organization, enable forced authentication on the relying party trust side:

    Set-AdfsRelyingPartyTrust `
        -TargetName "Yandex Cloud" `
        -AlwaysRequireAuthentication $true
    

Configure Claims Mapping

When AD FS authenticates a user, it sends a SAML message to Yandex Cloud confirming successful authentication. The message must contain the Name ID that uniquely identifies the user and may also contain other user data, such as name, email, etc. For this you need to configure mapping between the user attributes and Outgoing Claim Types.

Review the list of data, attributes, and types of outgoing claims

Each entry below gives the user data, a comment on which Active Directory attribute to use, and the Outgoing Claim Type to select in AD FS:

  • Unique user ID (Outgoing Claim Type: Name ID). Required attribute. We recommend using one of the unique and fixed Active Directory user attributes: User-Principal-Name, Object-Sid, Object-Guid, or an email address. Keep in mind that a UPN or email address can be renamed, in which case the warning in the next section applies.

  • List of groups the user belongs to (Outgoing Claim Type: Group). This list is used for group mapping when authenticating the user in Yandex Cloud. Use a Token-Groups family attribute. Depending on the attribute you select, the group list format will vary: for example, Token-Groups - Unqualified Names provides short group names (e.g., adfs_group, Domain Users) that do not specify the domain. For an example of how to configure group mapping, see User group mapping in Microsoft Active Directory Federation Services.

  • Surname (Outgoing Claim Type: Surname). Displayed in Yandex Cloud services. We recommend using the Surname attribute. Value length limit: 64 characters.

  • Name (Outgoing Claim Type: Given Name). Displayed in Yandex Cloud services. We recommend using the Given-Name attribute. Value length limit: 64 characters.

  • Full name (Outgoing Claim Type: Name). Displayed in Yandex Cloud services. Example: Ivan Ivanov. We recommend using the Display-Name attribute. Value length limit: 64 characters.

  • Email (Outgoing Claim Type: E-Mail Address). Used to send notifications from Yandex Cloud services. Example: ivanov@example.com. We recommend using the E-Mail-Address attribute. Value length limit: 256 characters.

  • Phone (Outgoing Claim Type: phone). Used to send notifications from Yandex Cloud services. Example: +71234567890. We recommend using the Telephone-Number attribute. Value length limit: 64 characters.

  • Profile image (Outgoing Claim Type: thumbnailPhoto). Displayed in Yandex Cloud services. We recommend using the thumbnailPhoto attribute; see How to save a user's avatar image to the thumbnailPhoto attribute below. Value length limit: 204800 characters.

Configure attribute and claim mappings

Note

Yandex Cloud limits the length of values for some attributes containing user data.

If a value exceeds the limit, its over-the-limit portion will be discarded.

There is an exception: the thumbnailPhoto attribute which stores the user's avatar. If the value of this attribute exceeds the limit, it will be discarded entirely, and the avatar will not be uploaded.

Configure mapping:

  1. In the AD FS management console, under Relying Party Trusts, right-click the relying party trust created earlier and select Edit Claim Issuance Policy.

  2. In the window that opens, click Add Rule.

  3. Select Send LDAP Attributes as Claims and click Next.

  4. On the next page, set up the data to send in the message:

    1. In the Claim rule name field, enter a name for the rule, e.g., Claims mapping.

    2. In the Attribute Store field, click Active Directory.

    3. Configure mapping for the mandatory Name ID claim by adding an entry to the Mapping of LDAP attributes list:

      1. Select the Name ID claim type in the Outgoing Claim Type column.

      2. Select the required attribute in the LDAP Attribute column.

        You can select either one of the recommended attributes or another attribute. The selected attribute must be permanent and unique to ensure unambiguous user identification.

        Warning

        If user ID changes, the user will have to get a new federation account created and will lose access to previous settings and data in Yandex Cloud.

    4. Similarly, configure mapping for the Group claim if you are using user group mapping.

    5. Similarly, configure mappings for the Name and E-Mail Address claims if you want the user to be able to contact Yandex Cloud support from the management console.

    6. (Optional) Similarly, configure mappings for other claims. The actual list of mappings depends on what user data you need to deliver to the Yandex Cloud side after authentication.

      How to save a user's avatar image to the thumbnailPhoto attribute
      1. Prepare images to use as your avatar.

        Make sure the image meets the following requirements:

        • Maximum image file size: 100 KB.
        • Recommended image file size: up to 10 KB; recommended image size: up to 96×96 pixels.
      2. Start PowerShell.

      3. Connect the Active Directory Module for Windows PowerShell using this command:

        Import-Module ActiveDirectory
        
      4. To add a profile image for a single user, run this command (Windows PowerShell 5.1 syntax; in PowerShell 7, replace -Encoding byte with -AsByteStream):

        Set-ADUser <username> -Replace @{thumbnailPhoto=([byte[]](Get-Content "<path_to_image>" -Encoding byte))}
        
      5. To bulk add profile images for multiple users:

        1. Create a CSV file with a list of usernames and image paths. Do not put spaces after the commas: Import-Csv keeps them, so a header such as " Photo" would not match $_.Photo and the path would be read with a leading space.

          Sample CSV file:

          AD_username,Photo
          smith,C:\Photo\smith.jpg
          jones,C:\Photo\jones.jpg
          
        2. Run this command:

          Import-Csv <path_to_CSV_file> | ForEach-Object { Set-ADUser -Identity $_.AD_username -Replace @{thumbnailPhoto=([byte[]](Get-Content $_.Photo -Encoding byte))} }
          

      If you need to configure mappings for phone and thumbnailPhoto, type the names of these outgoing claim types manually in the Outgoing Claim Type field: they are not available in the drop-down list.

  5. Click Finish, then click OK to close the Edit Claim Issuance Policy window.
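Both procedures above, the relying party trust and the claim issuance policy, can be done in one PowerShell session with the ADFS cmdlets, which is easier to review and to repeat on another farm than the wizard. The following is an added example and not the tutorial's own steps. The ACS URL and the certificate path are placeholders you take from the federation info page; the claim rule maps the attributes recommended in the table above, with Token-Groups - Unqualified Names for groups; "Permit everyone" is the built-in AD FS 2016 access control policy. The parameters for request signing, claim encryption and ForceAuthn correspond to the optional steps 12 and 13; drop them if you did not enable those options in the federation.

```powershell
# Added example: relying party trust and claim rules for Yandex Cloud via the ADFS cmdlets.
# Run as an AD FS administrator on any farm member.
Import-Module ADFS

$AcsUrl = 'https://<ACS_URL_from_the_federation_info_page>'   # placeholder
$YcCert = 'C:\certs\YandexCloud.cer'                          # assumed path to the downloaded Yandex Cloud SAML certificate
$RpName = 'Yandex Cloud'

# Assertion Consumer Service endpoint: POST binding, as selected in the federation
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $AcsUrl -Index 0

# Claim issuance policy in AD FS claim rule language. The "types" and "query" lists are
# positional: the first LDAP attribute feeds the first claim type, and so on. If you do
# not use group mapping, remove the Group type and the tokenGroups attribute together.
$Rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Claims mapping"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "http://schemas.xmlsoap.org/claims/Group", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "phone", "thumbnailPhoto"), query = ";userPrincipalName,tokenGroups,sn,givenName,displayName,mail,telephoneNumber,thumbnailPhoto;{0}", param = c.Value);
'@

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $YcCert

Add-AdfsRelyingPartyTrust -Name $RpName `
    -Identifier $AcsUrl `
    -SamlEndpoint $acs `
    -AccessControlPolicyName 'Permit everyone' `
    -IssuanceTransformRules $Rules `
    -RequestSigningCertificate $cert `
    -EncryptionCertificate $cert `
    -EncryptClaims $true `
    -SignedSamlRequestsRequired $true `
    -SamlResponseSignature MessageAndAssertion `
    -AlwaysRequireAuthentication $true

# Read back what was created and check the settings that matter for the federation
$rp = Get-AdfsRelyingPartyTrust -Name $RpName
$rp | Select-Object Name, Identifier, EncryptClaims, SignedSamlRequestsRequired, SamlResponseSignature, AlwaysRequireAuthentication
$rp.SamlEndpoints | Select-Object Binding, Protocol, Location
$rp.IssuanceTransformRules
```

To limit who can authenticate, replace the policy name with Permit specific group and set the group afterwards in the AD FS console, or keep the policy and rely on Automatically create users being disabled; the former stops the assertion from being issued at all, which is the stronger control.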

Add users to your organization

If you did not enable the Automatically create users option when creating the federation, you will have to add federated users to your organization manually.

To do this, you need to know the name IDs the identity provider returns for the users in its successful authentication response: the values of the attribute mapped to the Name ID claim, usually the users' primary email addresses or UPNs. If you do not know what the identity provider returns as the name ID, contact the administrator who configured authentication for your federation.

If the Automatically create users option is enabled, a federation will only add users logging in to a cloud for the first time. If a federated user has been removed, they can only be added again manually.

A user can be added by the organization administrator (the organization-manager.admin role) or owner (the organization-manager.organizations.owner role). To learn how to grant a role to a user, see the Roles section.

Note

To enable a user to access the management console, assign them a role for the cloud or organization. For added security, you can assign one of the least privileged roles, such as resource-manager.clouds.member. However, you may also assign other roles if you know which permissions you want to grant to the invited users.

To grant these permissions to all the organization users at once, assign the role to the All users in organization X system group. Users who work only through the CLI or API do not need this additional role.

To add federation users to an organization:

Cloud Center interface

  1. Go to Yandex Cloud Organization.

  2. In the left-hand panel, select Users.

  3. In the top-right corner, click More and select Add federated users.

  4. Select the identity federation to add users from.

  5. List the name IDs of users, separating them with spaces or line breaks.

  6. Click Add. This will give the users access to the organization.

CLI

If you do not have the Yandex Cloud (CLI) command line interface yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. View the description of the add user command:

    yc organization-manager federation saml add-user-accounts --help
    
  2. Add users by listing their name IDs separated by a comma:

    yc organization-manager federation saml add-user-accounts --name my-federation \
      --name-ids=alice@example.com,bob@example.com,charlie@example.com
    
API

  1. Create a file with the request body, e.g., body.json. In the request body, specify the array of name IDs of users you want to add:

    {
      "nameIds": [
        "alice@example.com",
        "bob@example.com",
        "charlie@example.com"
      ]
    }
    
  2. Send the request by specifying the federation ID in the parameters:

    curl \
      --request POST \
      --header "Content-Type: application/json" \
      --header "Authorization: Bearer <IAM_token>" \
      --data '@body.json' \
      https://organization-manager.api.cloud.yandex.net/organization-manager/v1/saml/federations/<federation_ID>:addUserAccounts
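When Automatically create users is disabled, the name IDs you pass to add-user-accounts must be exactly the values the Name ID claim rule issues, or the users will authenticate at AD FS and still be refused by Yandex Cloud. The following PowerShell is an added example, not from the tutorial; it assumes the ActiveDirectory module, an AD group named YandexCloudUsers (assumed, matching whatever group the access control policy permits) and userPrincipalName as the attribute mapped to Name ID, and it emits the list in the formats the CLI and API above expect.

```powershell
# Added example: derive the Name ID list for add-user-accounts from Active Directory.
Import-Module ActiveDirectory

$Group      = 'YandexCloudUsers'    # assumed AD group of users allowed to use the federation
$NameIdAttr = 'userPrincipalName'   # must be the LDAP attribute mapped to the Name ID claim

$users = Get-ADGroupMember -Identity $Group -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties $NameIdAttr

# Name IDs must be present and unique: two users sharing one value would collapse into one cloud account
$nameIds = $users | ForEach-Object { $_.$NameIdAttr } | Where-Object { $_ }
$dupes   = $nameIds | Group-Object | Where-Object { $_.Count -gt 1 }
if ($dupes) { throw "Duplicate Name IDs: $($dupes.Name -join ', ')" }

$missing = $users | Where-Object { -not $_.$NameIdAttr }
if ($missing) { Write-Warning "Users without $NameIdAttr (not added): $($missing.SamAccountName -join ', ')" }

# CLI form: comma-separated list for --name-ids
'--name-ids=' + ($nameIds -join ',')

# API form: JSON request body for federations/<federation_ID>:addUserAccounts
@{ nameIds = @($nameIds) } | ConvertTo-Json
```

If you mapped Object-Guid or Object-Sid to Name ID instead, set $NameIdAttr to ObjectGUID or SID; the uniqueness check is then trivially satisfied, but the list you add to the organization consists of identifiers rather than addresses.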
    

Test authentication

Now that you are done configuring SSO, test authentication:

  1. Open the browser in guest or incognito mode so that no existing session or cookies affect the test.

  2. Follow the URL to log in to the management console:

    https://console.yandex.cloud/federations/<federation_ID>
    
    How to get a federation ID
    1. Log in to Yandex Cloud Organization.
    2. In the left-hand panel, select Federations.
    3. Select the required federation and copy the Identifier field value on the federation info page.

    The browser forwards you to the AD FS authentication page.

  3. Enter your authentication data. By default, you must enter the UPN and password. Then click Sign in.

  4. On successful authentication, AD FS will redirect you to the ACS URL you specified in the AD FS relying party trust settings, and from there to the management console home page. In the top-right corner, you can see that you are logged in to the console under an Active Directory account.

What's next

  • Assign roles to the new users
