© 2025 Direct Cursus Technology L.L.C.
Creating a SAML application in Yandex Identity Hub

Written by
Yandex Cloud
Updated at August 12, 2025
  • Create an app
  • Set up your application
    • Set up integration on the service provider side
    • Set up the SAML application in Identity Hub
    • Configure user and group attributes
    • Configure users and groups
  • Make sure your application works correctly

Note

This feature is at the Preview stage.

To authenticate your organization's users to external apps using SAML-based SSO, create a SAML application in Identity Hub and configure it appropriately both in Identity Hub and on your service provider side.

SAML apps can be managed by users with the organization-manager.samlApplications.admin role or higher.

Create an app

Cloud Center UI
  1. Log in to Yandex Identity Hub.
  2. In the left-hand panel, select Apps.
  3. In the top-right corner, click Create application and in the window that opens:
    1. Select the SAML (Security Assertion Markup Language) single sign-on method.

    2. In the Name field, specify a name for your new app. The name must be unique within the organization and follow these naming requirements:

      • It must be from 1 to 63 characters long.
      • It may contain lowercase Latin letters, numbers, and hyphens.
      • It must start with a letter and cannot end with a hyphen.
    3. Optionally, in the Description field, enter a description for the new app.

    4. Optionally, add labels:

      1. Click Add label.
      2. Enter a label in key: value format.
      3. Press Enter.
    5. Click Create application.

Set up your application

To integrate an external application with the created SAML application in Identity Hub, complete the setup on the service provider side and in Identity Hub.

Set up integration on the service provider side

You can look up the values of integration settings to use on the service provider side on the app info page in the Cloud Center interface.

Depending on the options supported by your service provider, you can set the required settings manually or automatically by uploading a metadata file or specifying a metadata URL:

Manual setup

  1. Log in to Yandex Identity Hub.

  2. In the left-hand panel, select Apps and then the SAML app.

  3. On the Overview tab, under Identity provider (IdP) configuration, copy the parameter values to use on the service provider side:

    • Issuer / IdP EntityID: Unique app ID. The value must be the same on the service provider's and Identity Hub side.
    • Login URL: Address to which the service provider will send requests for user authentication.
    • Logout URL: Address to which the service provider will send the SAML request when the user logs out of the system.
  4. Download the app certificate under Application certificate by clicking Download certificate.

  5. On the service provider side, set up integration with your Identity Hub SAML application by pasting the copied parameters and adding the certificate you downloaded. If you need help, refer to your service provider's documentation or support team.

Metadata file

  1. Log in to Yandex Identity Hub.

  2. In the left-hand panel, select Apps and then the SAML app.

  3. On the Overview tab, under Identity provider (IdP) configuration, click Download metadata file.

    The downloaded XML file contains the values of all the required settings and a certificate to verify the signature of SAML responses. Upload the file to your service provider's platform if the provider supports using metadata files to configure the application. If you need help, refer to your service provider's documentation or support team.

Metadata URL

  1. Log in to Yandex Identity Hub.

  2. In the left-hand panel, select Apps and then the SAML app.

  3. On the Overview tab, under Identity provider (IdP) configuration, copy the Metadata URL field value.

    Follow the link to get values for all the required settings and a certificate to verify the signature of SAML responses. Specify the link in the settings on the service provider side if the provider supports using a metadata URL to configure the application. If you need help, refer to your service provider's documentation or support team.

Set up the SAML application in Identity Hub

Before configuring your SAML application in Identity Hub, get the required setting values from your service provider. Then, navigate to the SAML application settings in Identity Hub.

Cloud Center UI
  1. Log in to Yandex Identity Hub.
  2. In the left-hand panel, select Apps and then the SAML app.
  3. On the top right, click Edit and in the window that opens:

    1. In the SP EntityID field, enter the unique service provider ID.

      The value must be the same on the service provider's and Identity Hub side.

    2. In the ACS URL field, specify the URL Identity Hub will send the SAML response to.

      If your service provider uses ACS indexes instead of ACS URLs, in addition to ACS URLs, you can specify the index value you got on the service provider's side.

      Optionally, use the Add URL button to specify multiple ACS URLs/indexes.

      Note

      If you have specified an index for one of the URLs in the ACS URL field settings, you must also specify indexes for all the other URLs.

    3. In the Signature mode field, select the SAML response elements that will be digitally signed:

      • Assertions: Only the provided attributes will be signed. This is the default value.
      • Response: The full SAML response will be signed.
      • Assertions and Response: The full SAML response and, separately, the provided attributes will be signed.

      Warning

      The signing mode configured for the SAML app on the Identity Hub side must be the same as the signing mode on the service provider's side.

    4. Click Save.
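The following is an added example, not code from Yandex Cloud: a structural consistency check that a received SAML response matches the values this guide asks you to align on both sides (IdP EntityID as Issuer, SP EntityID as Audience, ACS URL as Destination, and the configured Signature mode). The sample response and all URLs are constructed placeholders, and the ds:Signature elements are stubs, so the check reports where signatures appear rather than verifying them cryptographically.

```python
# Added example (not Yandex Cloud's code): compare a SAML Response with the
# settings configured on the SP and in Identity Hub. Sample data is constructed;
# signatures are placeholders, so only their placement is checked, not validity.
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted input

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Assumed values; the real ones come from the app's Overview tab and the SP.
EXPECTED = {"idp_entity_id": "https://idp.example/saml/app-placeholder",
            "sp_entity_id": "https://sp.example/metadata",
            "acs_url": "https://sp.example/saml/acs",
            "signature_mode": "Assertions"}  # or "Response" / "Assertions and Response"

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_r1" Destination="https://sp.example/saml/acs">
  <saml:Issuer>https://idp.example/saml/app-placeholder</saml:Issuer>
  <saml:Assertion ID="_a1">
    <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://sp.example/metadata</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def signature_mode(root):
    """Name, in this guide's terms, which elements carry a ds:Signature."""
    resp_signed = root.find("ds:Signature", NS) is not None
    assertions = root.findall("saml:Assertion", NS)
    asrt_signed = bool(assertions) and all(a.find("ds:Signature", NS) is not None for a in assertions)
    if resp_signed and asrt_signed:
        return "Assertions and Response"
    return "Response" if resp_signed else "Assertions" if asrt_signed else "None"

def check_response(xml_text, expected):
    """Return a list of mismatches between the response and the expected settings."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.findtext("saml:Issuer", namespaces=NS) != expected["idp_entity_id"]:
        problems.append("Issuer does not match the IdP EntityID")
    if root.get("Destination") != expected["acs_url"]:
        problems.append("Destination does not match the ACS URL")
    if expected["sp_entity_id"] not in [a.text for a in root.iterfind(".//saml:Audience", NS)]:
        problems.append("Audience does not match the SP EntityID")
    mode = signature_mode(root)
    if mode != expected["signature_mode"]:
        problems.append(f"signature mode is {mode}, expected {expected['signature_mode']}")
    return problems
```

An empty list means the response is consistent with the configured settings; each string names the setting that disagrees between the two sides.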

Configure user and group attributes

You can configure the attributes Identity Hub will transmit to the service provider:

Cloud Center UI
  1. Log in to Yandex Identity Hub.

  2. In the left-hand panel, select Apps and select the required app.

  3. Navigate to the Attributes tab.

  4. To add a user group attribute, in the top-right corner of the page, click Add group attribute and do the following in the window that opens:

    1. In the Attribute name field, set a name for the user group attribute. The attribute name must be unique within your application.

    2. In the Transmitted groups field, select one of these values:

      • All groups: In a SAML response, this field will include all groups the user belongs to.

        The maximum number of groups this field can include is 1,000. If the user belongs to more groups, only the first thousand of them will be communicated to the service provider.

      • Assigned groups only: In a SAML response, this field will include only those groups that are explicitly specified on the Users and groups tab of your SAML app.

    3. Click Add.

  5. To add more user group attributes, in the top-right corner of the page, click Add attribute and do the following in the window that opens:

    1. In the Attribute name field, set an attribute name unique within your app.

    2. In the Value field, select one of these values:

      • SubjectClaims.sub: User ID. The field value is the same as the one displayed in the ID field in the organization's user list in the Cloud Center's Identity Hub interface, e.g., aje0fapf84ofj57q1r0b.
      • SubjectClaims.preferred_username: Unique login for the user. The field value is the same as the one displayed in the Username field in the organization's user list in the Cloud Center's Identity Hub interface, e.g., ivanov@example-federation.ru.
      • SubjectClaims.name: User’s full name. The field value is the same as the one displayed in the User field in the organization's user list in the Cloud Center's Identity Hub interface, e.g., Ivan Ivanov.
      • SubjectClaims.given_name: Name. The field value is the same as the one displayed in the Name field under Personal info on the user info page in the Cloud Center's Identity Hub interface, e.g., Ivan.
      • SubjectClaims.family_name: Last name. The field value is the same as the one displayed in the Surname field under Personal info on the user info page in the Cloud Center's Identity Hub interface, e.g., Ivanov.
      • SubjectClaims.email: Email address. The field value is the same as the one displayed in the Email field on the user info page in the Cloud Center's Identity Hub interface, e.g., ivanov@example-company.ru.
      • SubjectClaims.phone_number: Phone number. The field value is the same as the one displayed in the Phone field under Personal info on the user info page in the Cloud Center's Identity Hub interface, e.g., +74951234567.

      Note

      You can add any of these attribute values more than once under different names.

    3. Click Add.

  6. To modify an existing attribute, click its row and do the following in the window that opens:

    1. Edit the attribute name and/or value.

      You cannot change the name of the NameID attribute in which the user ID is provided. You can change the ID format for this attribute, unless the attribute's format is explicitly specified in the service provider's SAML request. When the format changes, the attribute value changes automatically. Possible attribute formats and values:

      • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress: User ID is provided in email address format in the SubjectClaims.preferred_username attribute. This is the default format.

        The uniqueness and invariability of the provided ID are not guaranteed: one organization may have two users with the same preferred_username ID. For example, a federated and a local user can have the same value for this attribute.

        If the federated user's preferred_username ID is not in email format, the provided ID will be automatically suffixed with @<identity_federation_ID> to bring it to that format.

      • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent: User ID is provided in the SubjectClaims.sub attribute in the organization's user ID format. In this case, the provided value is guaranteed to be unique and invariable.

      Warning

      If the service provider's SAML request explicitly indicates the expected user's NameID value format, then the SAML response will present the value in the format specified in the SAML request. In this case, the format value specified in the Identity Hub settings will be ignored.

    2. Click Update.

  7. To delete an existing user or group attribute, click in its row and select Delete, then confirm the deletion.

    Note

    You can delete any attributes except the required NameID attribute.

Make sure the attributes you added are also added to the SAML app's integration settings and can be processed correctly on the service provider's side.
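The following is an added example, not code from Yandex Cloud, that encodes the rules described above for the NameID attribute (configured format, override by the format named in the service provider's SAML request, and the @<identity_federation_ID> suffix for federated logins) and for a group attribute in All groups versus Assigned groups only mode (including the 1,000-group cap). The user record, group names and federation ID are constructed sample data, and "not in email format" is approximated as "contains no @", which is an assumption.

```python
# Added example (not Yandex Cloud's code): derive the NameID value and a group
# attribute under the rules in this guide. User and group data are constructed.
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PERSISTENT_FMT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
MAX_GROUPS = 1000  # cap on groups carried by an "All groups" attribute


def name_id(user, configured_format, requested_format=None):
    """Return (format, value). A format named in the SP's SAML request
    (NameIDPolicy) wins over the format configured in Identity Hub."""
    fmt = requested_format or configured_format
    if fmt == PERSISTENT_FMT:
        return fmt, user["sub"]  # organization user ID: unique and stable
    if fmt == EMAIL_FMT:
        value = user["preferred_username"]
        # Federated login that is not an address gets @<identity_federation_ID>.
        # Assumption: "not in email format" is checked as "contains no @".
        if user.get("federation_id") and "@" not in value:
            value = f"{value}@{user['federation_id']}"
        return fmt, value
    raise ValueError(f"unsupported NameID format: {fmt}")


def group_attribute(user_groups, mode, assigned_groups=()):
    """'All groups' sends every membership (first 1,000 only); 'Assigned groups
    only' sends just the groups listed on the app's Users and groups tab."""
    if mode == "All groups":
        return list(user_groups)[:MAX_GROUPS]
    if mode == "Assigned groups only":
        assigned = set(assigned_groups)
        return [g for g in user_groups if g in assigned]
    raise ValueError(f"unsupported mode: {mode}")


# Constructed sample user; the sub value uses the ID format shown in this guide,
# and the federation ID is a placeholder.
FEDERATED_USER = {"sub": "aje0fapf84ofj57q1r0b", "preferred_username": "ivanov",
                  "federation_id": "federation-id-placeholder"}
LOCAL_USER = {"sub": "aje0fapf84ofj57q1r0c",
              "preferred_username": "ivanov@example-company.ru"}
```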

Configure users and groups

To permit your organization's users to authenticate in an external app with Identity Hub's SAML application, you need to explicitly add these users and/or user groups to the SAML application:

Note

Users and groups added to a SAML application can be managed by a user with the organization-manager.samlApplications.userAdmin role or higher.

Cloud Center UI
  1. Log in to Yandex Identity Hub.

  2. In the left-hand panel, select Apps and select the required app.

  3. Navigate to the Users and groups tab.

  4. To add a user or user group to a SAML app:

    1. Click Add users.
    2. In the window that opens, select the required user or user group.
    3. Click Add.
  5. To delete a user or user group from a SAML app:

    1. In the list of users and groups, click and select Delete next to the user or user group.
    2. Confirm the deletion.

Make sure your application works correctly

To make sure both your SAML application and service provider integration work correctly, authenticate to the external app as one of the users you added to the application.

See also

  • Updating a SAML app in Yandex Identity Hub
  • Deactivating and deleting a SAML application in Yandex Identity Hub
  • Adding a user
  • SAML applications
  • Managing user groups
