Deactivating and deleting a SAML application in Yandex Identity Hub
SAML apps can be managed by users with the organization-manager.samlApplications.admin role or higher.
Deactivate the application
If you need to temporarily disable SAML-based single sign-on authentication to an external app for the users of your organization, deactivate the relevant SAML application in Yandex Identity Hub:
- Log in to Yandex Identity Hub.
- In the left-hand panel, select Apps.
- In the row with the SAML application you want to deactivate, click and select Deactivate.
- In the window that opens, confirm the operation.
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also specify a different folder for any command using --folder-name or --folder-id. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.
-
See the description of the CLI command for deactivating a SAML app:
yc organization-manager idp application saml application suspend --help -
Run this command:
yc organization-manager idp application saml application suspend <app_ID>Result:
id: ek0o663g4rs2******** name: test-saml-app organization_id: bpf2c65rqcl8******** group_claims_settings: group_distribution_type: NONE status: SUSPENDED created_at: "2025-10-21T10:51:28.790866Z" updated_at: "2025-10-21T11:28:09.167252Z"
Use the Application.Suspend REST API method for the Application resource or the ApplicationService/Suspend gRPC API call.
As a result, the SAML application will be deactivated and switch to the Suspended status, and the users will no longer be able to use it for authentication in the relevant external app.
Activate the application
If you need to restore the ability of your organization users to authenticate in an external app using the SAML-based single sign-on, activate the relevant SAML application in Yandex Identity Hub:
- Log in to Yandex Identity Hub.
- In the left-hand panel, select Apps.
- In the row with the SAML application you want to activate, click and select Activate.
- In the window that opens, confirm the operation.
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also specify a different folder for any command using --folder-name or --folder-id. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.
-
See the description of the CLI command for activating a SAML app:
yc organization-manager idp application saml application reactivate --help -
Run this command:
yc organization-manager idp application saml application reactivate <app_ID>Result:
id: ek0o663g4rs2******** name: test-saml-app organization_id: bpf2c65rqcl8******** group_claims_settings: group_distribution_type: NONE status: ACTIVE created_at: "2025-10-21T10:51:28.790866Z" updated_at: "2025-10-21T11:28:09.167252Z"
Use the Application.Reactivate REST API method for the Application resource or the ApplicationService/Reactivate gRPC API call.
As a result, the SAML application will be activated and switch to the Active status, and the users added to the application will again be able to use it for authentication in the external app.
Delete the application
To delete a SAML application:
- Log in to Yandex Identity Hub.
- In the left-hand panel, select Apps.
- In the row with the SAML application you want to delete, click and select Delete.
- In the window that opens, confirm the operation.
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also specify a different folder for any command using --folder-name or --folder-id. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.
-
See the description of the CLI command for deleting a SAML app:
yc organization-manager idp application saml application delete --help -
Run this command:
yc organization-manager idp application saml application delete <app_ID>
If you do not have Terraform yet, install it and configure the Yandex Cloud provider.
-
Open the Terraform configuration file and delete the fragment describing the SAML application:
Example of a SAML application description in the Terraform configuration:
resource "yandex_organizationmanager_idp_application_saml_application" "saml_app" { organization_id = "bpfd1n2bnoqr********" name = "my-saml-app" service_provider = { entity_id = "https://example.com/saml/metadata" acs_urls = [ { url = "http://localhost" } ] } } -
Apply the changes:
-
In the terminal, navigate to the configuration file directory.
-
Make sure the configuration is correct using this command:
terraform validateIf the configuration is valid, you will get this message:
Success! The configuration is valid. -
Run this command:
terraform planYou will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.
-
Apply the configuration changes:
terraform apply -
Type
yesand press Enter to confirm the changes.
You can check the deletion of the resources in the Cloud Center UI.
-
Use the Application.Delete REST API method for the Application resource or the ApplicationService/Delete gRPC API call.
As a result, the SAML application will be deleted, and the users will no longer be able to use it for authentication in the external app.