SAML-compatible identity federations
Yandex Cloud supports SAML 2.0
This technology is called identity federation. All usernames and passwords are stored with a trusted identity provider (IdP), while a service provider (SP), e.g., Yandex Cloud, redirects users to the IdP for authentication and only consumes the result of that authentication.
If your company has a user and access management system (e.g., Active Directory or Google Workspace), you can use it to authenticate employees in Yandex Cloud Organization. In this case, you do not need to create a new Yandex account for every employee. They can get access to Yandex Cloud services using their corporate accounts.
Configuring federations in Yandex Cloud Organization
With identity federations, you can set up single sign-on (SSO) and use corporate accounts for authentication in Cloud Organization. In this case, your corporate account management system acts as an identity provider (IdP).
In Cloud Organization, you can create an identity federation with any credential management service (identity provider) that supports SAML 2.0.
Information about user logins and passwords is stored by the identity provider. When a user logs in to Cloud Organization, they are directed to the IdP server for authentication. If authentication is successful, the user gets access to Yandex Cloud services.
Since authentication takes place on the IdP side, you can enforce stronger verification of users there, such as two-factor authentication or hardware USB tokens, and it applies to every login to Yandex Cloud through the federation.
You can set up identity federations for different identity providers:
- Active Directory
- Google Workspace
- Microsoft Entra ID
- Keycloak
- Other SAML-compatible identity providers
User group mapping
Note
This feature is in the Preview stage. To get access, contact tech support.
For organizations with a lot of employees, multiple users may need to be granted the same access rights to Yandex Cloud resources. In this case, it is more convenient to grant roles and permissions to a group rather than individually.
If you employ user groups in your identity provider or intend to do so, configure user group mapping between the identity provider and Cloud Organization. Users in the identity provider's groups will be granted the same access rights to Yandex Cloud resources as the corresponding groups in Cloud Organization.
Authenticating in a federation
To log in to the management console, federated users must follow the link with the federation ID:
https://console.yandex.cloud/federations/<federation_ID>
The authentication process is shown in the diagram:
- The user opens the console login link in the browser.
- If this is the first time the user authenticates, the console redirects them to the IdP server for authentication.
  If the user has already authenticated, the console stored that fact in a browser cookie. If the cookie is still valid, the management console authenticates the user immediately and redirects them to the home page. The cookie lifetime is specified when the federation is created.
  If the cookie has expired, the console forwards the user to the IdP server for re-authentication.
  You can also require re-authentication in the federation settings. When this option is enabled, the IdP re-authenticates the user each time the Yandex Cloud session expires, instead of reusing its own existing session.
- The IdP server shows the authentication page to the user. For example, it prompts them to enter their username and password.
- The user enters the data required for authentication on the IdP server.
- If authentication is successful, the IdP server sends the user's browser back to the management console login page.
- The management console asks IAM whether this user has been added to the cloud. If the user has been added, the management console authenticates the user and redirects them to the home page.
Note
In an identity federation, the user's browser carries the messages between the IdP and the Yandex Cloud management console, so no direct network access between the IdP and Yandex Cloud is required.
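The following is an added example, not Yandex Cloud's own code, illustrating two things the sections above describe: the checks a service provider must apply to the SAML 2.0 response it receives at the end of the login flow (validity window, audience, and that the response answers the request it actually sent), and how group names carried in the assertion can be mapped to Cloud Organization groups. The federation ID in the login URL, the entity IDs, the `member` attribute name and the group mapping are assumptions chosen for the example; the SAML response is constructed, not captured from a real IdP. Signature verification (XML-DSig against the IdP certificate) is deliberately left out because it needs a dedicated library; in a real SP it must happen before any of these checks.

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed values for the example: a placeholder federation ID in the console
# login URL, and "member" as the IdP attribute carrying group names.
EXPECTED_AUDIENCE = "https://console.yandex.cloud/federations/example-federation-id"
GROUP_ATTRIBUTE = "member"
# Assumed mapping from IdP group names to Cloud Organization group names.
GROUP_MAPPING = {"idp-cloud-admins": "cloud-admins", "idp-developers": "developers"}

# Constructed sample SAML 2.0 Response (not captured from a real IdP).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
  IssueInstant="2024-05-01T10:00:00Z" InResponseTo="_req1"
  Destination="https://console.yandex.cloud/federations/example-federation-id">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req1" NotOnOrAfter="2024-05-01T10:05:00Z"
          Recipient="https://console.yandex.cloud/federations/example-federation-id"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://console.yandex.cloud/federations/example-federation-id</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="member">
        <saml:AttributeValue>idp-cloud-admins</saml:AttributeValue>
        <saml:AttributeValue>idp-developers</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


class SamlError(Exception):
    """Raised when the response must not be accepted."""


def parse_saml_time(value):
    """Parse the UTC timestamps SAML uses, e.g. 2024-05-01T10:00:00Z."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def validate_assertion(response_xml, audience, request_id, now):
    """Apply the SP-side checks and return (name_id, idp_groups).

    Assumes the XML signature has already been verified; an unsigned or
    badly signed response must never reach this function.
    """
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        raise SamlError("IdP did not report successful authentication")

    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlError("expected exactly one assertion")
    assertion = assertions[0]

    # Validity window: reject expired (replayed) and not-yet-valid assertions.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise SamlError("assertion has no Conditions")
    if not (parse_saml_time(cond.get("NotBefore")) <= now < parse_saml_time(cond.get("NotOnOrAfter"))):
        raise SamlError("assertion outside its validity window")

    # Audience: the assertion must be issued for this federation, not another SP.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        raise SamlError("assertion issued for a different audience")

    # Bearer confirmation: tie the response to the request this SP sent and
    # to the endpoint the browser posted it to.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != request_id or scd.get("Recipient") != audience:
        raise SamlError("subject confirmation does not match the login request")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise SamlError("assertion has no NameID")

    groups = []
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == GROUP_ATTRIBUTE:
            groups.extend(v.text for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return name_id.text, groups


def map_groups(idp_groups, mapping=GROUP_MAPPING):
    """Translate IdP group names to Cloud Organization groups; unmapped groups are ignored."""
    return sorted({mapping[g] for g in idp_groups if g in mapping})


if __name__ == "__main__":
    user, idp_groups = validate_assertion(SAMPLE_RESPONSE, EXPECTED_AUDIENCE, "_req1",
                                          parse_saml_time("2024-05-01T10:01:00Z"))
    print(user, map_groups(idp_groups))  # alice@example.com ['cloud-admins', 'developers']
```

The `now` argument is passed in rather than read from the clock so the checks are testable; in production use the current UTC time, and allow for a small clock skew between the IdP and the SP. Ignoring unmapped IdP groups, rather than creating Cloud Organization groups on the fly, keeps the set of groups that carry Yandex Cloud permissions under the organization administrator's control.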