SAML-compatible identity federations
Yandex Cloud supports SAML 2.0.
This technology is called identity federation: all usernames and passwords are stored with a trusted identity provider (IdP), while a service provider (SP), e.g., Yandex Cloud, refers users to the IdP's server for authentication.
If your company has a user and access management system (e.g., Active Directory or Google Workspace), you can use it to authenticate employees in Yandex Cloud Organization. In this case, you do not need to create a new Yandex account for every employee: they can access Yandex Cloud services with their corporate accounts.
Configuring federations in Yandex Cloud Organization
Using identity federations, you can configure a single sign-on (SSO) system and use corporate accounts for authentication in Cloud Organization. In this case, your corporate account management system acts as an identity provider (IdP).
In Cloud Organization, you can create an identity federation with any credential management service (identity provider) that supports SAML 2.0.
Information about user logins and passwords is stored by the identity provider. When a user logs in to Cloud Organization, they are redirected to the identity provider (IdP) server for authentication. If authentication succeeds, the user gets access to Yandex Cloud services.
Since authentication takes place on the IdP side, you can enforce stronger verification of users there, such as two-factor authentication or hardware USB tokens, and that policy then applies to Yandex Cloud logins as well.
You can set up identity federations for different identity providers:
- Active Directory.
- Google Workspace.
- Microsoft Entra ID.
- Keycloak.
- Other SAML-compatible identity providers.
Signing authentication requests
For additional security, you can enable signing of authentication requests with a digital signature. This requires an extra step: setting up a relying party trust between your Cloud Organization identity federation and your identity provider (IdP).
Setting up a relying party trust between an identity federation and an IdP
You set up a relying party trust between a Cloud Organization identity federation and an identity provider in two steps:
-
Setting up a relying party trust on the identity federation side.
When informing Cloud Organization that a user has been authenticated, the identity provider signs the message with its own certificate. For Cloud Organization to verify that signature, download the certificate from the IdP and add it to your identity federation.
Tip
Reissue certificates and add them to the federation before the old ones expire: once the IdP certificate stored in the federation has expired, signatures on the IdP's authentication messages can no longer be verified.
To keep track of when your certificate expires, subscribe to notifications from the organization. Subscribed users get notifications 60, 30, and 5 days before the certificate expires and again after its expiration.
-
Setting up a relying party trust on the IdP server side.
When the Cloud Organization identity federation sends a request to the identity provider, it signs the request with a Yandex Cloud SAML certificate. For the identity provider to verify that signature, download the Yandex Cloud SAML certificate and add it to your IdP server.
A Yandex Cloud SAML certificate is valid for 5 years. You can view the certificate expiration date when creating an identity federation or updating its settings.
Yandex Cloud automatically generates a new SAML certificate before the current one expires. Switch your IdP to the new SAML certificate before the previous one expires, otherwise the IdP will be unable to verify signed requests from the federation.
User group mapping
Note
This feature is in the Preview stage. To get access, contact tech support.
In organizations with a lot of users, you may need to grant the same access permissions for Yandex Cloud resources to multiple users at once. In this case, it is more convenient to grant roles and permissions to a group rather than individually.
If you have configured user groups in your identity provider or plan to do so, set up user group mapping between the identity provider and Cloud Organization. Users in the identity provider's groups will be granted the same access permissions to Yandex Cloud resources as their respective groups in Cloud Organization.
Authenticating in a federation
To log in to the management console, federated users must follow the link with the federation ID:
https://console.yandex.cloud/federations/<federation_ID>
The authentication process consists of the following steps:
-
The user opens a console login link in the browser.
-
If this is the first time the user authenticates, the console redirects them to the IdP server for authentication.
If the user has already authenticated, this is recorded in a browser cookie. While the cookie is valid, the management console authenticates the user immediately and redirects them to the home page. The cookie lifetime is specified when the federation is created.
Once the cookie expires, the console forwards the user to the IdP server for re-authentication.
You can also require re-authentication in the federation settings. When this option is enabled, the IdP re-authenticates the user (prompting for credentials instead of reusing its own SSO session) when the session expires in Yandex Cloud; in SAML 2.0 terms, the authentication request carries the ForceAuthn attribute. With the option disabled, a user whose Yandex Cloud cookie has expired may be signed in again without entering credentials as long as the IdP still holds an active session for them.
-
The IdP server shows the authentication page to the user. For example, it prompts them to enter their username and password.
-
The user enters the data required for authentication on the IdP server.
-
If authentication is successful, the IdP server sends the user's browser back to the management console login page.
-
The management console asks IAM whether this user is added to the cloud. If the user is added, the management console authenticates the user and redirects them to the home page.
Note
In an identity federation, the user's browser interacts with both the IdP and the Yandex Cloud management console, and all SAML messages are carried through the browser. No direct network access between the IdP and Yandex Cloud is required, so the IdP can sit on an internal corporate network.
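The steps above, as an added example that is not Yandex Cloud's code: an SP-initiated SAML 2.0 login with the IdP simulated in-process. It builds the AuthnRequest (with or without ForceAuthn for the "require re-authentication" option), encodes it for the HTTP-Redirect binding, lets the IdP decode it and answer with a Response, and then performs the checks a service provider must do before it asks IAM about the user: InResponseTo, Destination, status, validity window and audience. All entity IDs, URLs and the sample messages are constructed for the example; the cookie lifetime constant stands in for the federation setting. Signature creation and verification (the relying party trust described earlier) are omitted because the Python standard library has no XML-DSig implementation, and the generated Response is unsigned.

```python
# Added illustration of the SP-initiated SAML 2.0 login flow; not Yandex Cloud code.
# All identifiers below are constructed; the real login URL is
# https://console.yandex.cloud/federations/<federation_ID>.
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://console.example.test/federations/example-federation-id"  # constructed
IDP_ENTITY_ID = "https://idp.corp.example.test"                                  # constructed
IDP_SSO_URL = IDP_ENTITY_ID + "/sso"
COOKIE_LIFETIME = timedelta(hours=12)  # stands in for the federation's cookie lifetime setting


def ts(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_authn_request(request_id, force_authn=False, now=None):
    """Step 2: the console redirects the browser to the IdP with an AuthnRequest.
    force_authn=True models the "require re-authentication" option: the SAML
    ForceAuthn attribute asks the IdP to prompt for credentials even if it still
    holds its own SSO session for the user."""
    now = now or datetime.now(timezone.utc)
    force = ' ForceAuthn="true"' if force_authn else ""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="{request_id}" Version="2.0" IssueInstant="{ts(now)}" Destination="{IDP_SSO_URL}" '
            f'AssertionConsumerServiceURL="{SP_ENTITY_ID}"{force}>'
            f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')


def redirect_binding_url(authn_request_xml):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as SAMLRequest.
    A signed request would add SigAlg and Signature query parameters (omitted)."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15: raw deflate, no zlib header
    raw = co.compress(authn_request_xml.encode()) + co.flush()
    return IDP_SSO_URL + "?" + urlencode({"SAMLRequest": base64.b64encode(raw).decode()})


def idp_decode_request(url):
    """IdP side: recover the AuthnRequest from the URL the browser was sent to."""
    query = parse_qs(urlparse(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    return ET.fromstring(zlib.decompress(raw, -15))


def idp_build_response(authn_request, name_id, now=None):
    """Step 5: after the user authenticates (steps 3-4), the IdP sends the browser
    back to the console with a Response. Unsigned here; a real IdP signs it with
    the certificate you added to the federation."""
    now = now or datetime.now(timezone.utc)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_{secrets.token_hex(16)}" Version="2.0" IssueInstant="{ts(now)}"
  InResponseTo="{authn_request.get('ID')}" Destination="{authn_request.get('AssertionConsumerServiceURL')}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_{secrets.token_hex(16)}" Version="2.0" IssueInstant="{ts(now)}">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{ts(now - timedelta(minutes=1))}" NotOnOrAfter="{ts(now + timedelta(minutes=5))}">
      <saml:AudienceRestriction><saml:Audience>{authn_request.find('saml:Issuer', NS).text}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="{ts(now)}"/>
  </saml:Assertion>
</samlp:Response>"""


def validate_response(response_xml, expected_request_id, now=None):
    """Step 6, SP side: checks that must pass before the console asks IAM about
    the user. Returns the NameID, i.e. the federated user's identifier."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    # Ties the response to a request this SP issued; rejects unsolicited or replayed ones.
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match an outstanding request")
    if root.get("Destination") != SP_ENTITY_ID:
        raise ValueError("Destination is not this SP's login URL")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        raise ValueError("IdP did not report success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no assertion in response")
    cond = assertion.find("saml:Conditions", NS)
    if not parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    audience = cond.find("saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or audience.text != SP_ENTITY_ID:
        raise ValueError("assertion was issued for a different audience")
    return assertion.find("saml:Subject/saml:NameID", NS).text


def login(force_authn=False, name_id="alice@corp.example.test", now=None):
    """Steps 1-6 end to end, with the IdP simulated in-process."""
    now = now or datetime.now(timezone.utc)
    request_id = "_" + secrets.token_hex(16)
    url = redirect_binding_url(build_authn_request(request_id, force_authn, now))
    request = idp_decode_request(url)                      # browser arrives at the IdP
    response = idp_build_response(request, name_id, now)   # user authenticated at the IdP
    user = validate_response(response, request_id, now)    # browser returns to the console
    return {"name_id": user,                               # the console now asks IAM about user
            "idp_saw_force_authn": request.get("ForceAuthn") == "true",
            "cookie_expires": now + COOKIE_LIFETIME}
```

The InResponseTo check is what stops a captured Response from being replayed against a fresh login, and the audience check stops an assertion issued for another service provider at the same IdP from being accepted here. ForceAuthn is only a request to the IdP: a service provider that relies on it should also compare the assertion's AuthnInstant with the time it sent the request and reject an old authentication, which this example does not do.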