SAML-compatible identity federations

Yandex Cloud supports SAML 2.0-based identity federations. This is a popular markup language to enable Single Sign-On (SSO), a technology that allows users to access multiple apps without having to enter their username and password every time. For example, whenever you visit a website and see the Sign in with Yandex, Google or Facebook buttons, you are dealing with single sign-on authentication.

This technology is called identity federation, which implies storing all usernames and passwords with a trusted Identity Provider (IdP). While a service provider (SP), e.g., Yandex Cloud, refers users to the identity provider's (IdP's) server for authentication.

If your company has a user and access management system (e.g., Active Directory or Google Workspace), you can use it to authenticate employees in Yandex Cloud Organization. In this case, you do not need to create a new Yandex account for every employee. They can get access to Yandex Cloud services using their corporate accounts.

Configuring federations in Yandex Cloud OrganizationConfiguring federations in Yandex Cloud Organization

With identity federations, you can set up single sign-on (SSO) and use corporate accounts for authentication in Cloud Organization. In this case, your corporate account management system acts as an identity provider (IdP).

In Cloud Organization, you can create an identity federation with any credential management service (identity provider) that supports the SAML protocol.

Information about user logins and passwords is stored by the identity provider. When a user logs in to Cloud Organization, they are directed to the IdP server for authentication. If authentication is successful, the user gets access to Yandex Cloud services.

Since authentication takes place on the IdP server side, you can configure a more secure user data verification, such as two-factor authentication or USB tokens.

You can set up identity federations for different identity providers:

• Active Directory
• Google Workspace
• Microsoft Entra ID
• Keycloak
• Other SAML-compatible identity providers

User group mappingUser group mapping

For organizations with a lot of employees, multiple users may need to be granted the same access rights to Yandex Cloud resources. In this case, it is more convenient to grant roles and permissions to a group rather than individually.

If you employ user groups in your identity provider or intend to do so, configure user group mapping between the identity provider and Cloud Organization. Users in the identity provider's groups will be granted the same access rights to Yandex Cloud resources as the corresponding groups in Cloud Organization.

Authenticating in a federationAuthenticating in a federation

To log in to the management console, federated users must follow the link with the federation ID:

https://console.yandex.cloud/federations/<federation_ID>

The authentication process is shown in the diagram:

1. The user opens a console login link in the browser.

2. If this is the first time the user authenticates, the console redirects them to the IdP server for authentication.

   If the user was already authenticated, this information is saved in the browser cookie. If the cookie is still valid, the management console authenticates the user immediately and redirects them to the home page. The cookie lifetime is specified when the federation is created.

   If the cookie expires, the console forwards the user to the IdP server for re-authentication.

   You can also require re-authentication in the federation settings. When this option is enabled, the IdP will reauthenticate the user when the session expires in Yandex Cloud.

3. The IdP server shows the authentication page to the user. For example, it prompts them to enter their username and password.

4. The user enters the data required for authentication on the IdP server.

5. If authentication is successful, the IdP server sends the user's browser back to the management console login page.

6. The management console asks IAM whether this user is added to the cloud. If the user is added, the management console authenticates the user and redirects them to the home page.