Setting up access for SAML app users in Yandex Identity Hub
To grant access to a SAML app, assign roles to subjects (users, service accounts, or user groups). Check which roles the service provides and assign only the ones each subject needs.
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also specify a different folder for any command using --folder-name or --folder-id. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.
1. See the description of the CLI command for assigning roles to SAML app users:

    yc organization-manager idp application saml application set-access-bindings --help

2. Get a list of SAML apps and their IDs:

    yc organization-manager idp application saml application list --organization-id <organization_ID>

   Where --organization-id is the ID of the organization whose SAML apps you want to list.

3. Get the ID of the user, service account, or user group you are assigning roles to.

4. Using the yc organization-manager idp application saml application set-access-bindings command, assign the roles:

   To a Yandex account user or local user:

    yc organization-manager idp application saml application set-access-bindings \
      --id <app_ID> \
      --access-binding role=<role>,user-account-id=<user_ID>

   To all users of a federation:

    yc organization-manager idp application saml application set-access-bindings \
      --id <app_ID> \
      --access-binding role=<role>,federation-users=<federation_ID>

   To all users of an organization:

    yc organization-manager idp application saml application set-access-bindings \
      --id <app_ID> \
      --access-binding role=<role>,organization-users=<organization_ID>

   To a service account:

    yc organization-manager idp application saml application set-access-bindings \
      --id <app_ID> \
      --access-binding role=<role>,service-account-id=<service_account_ID>

   To a user group:

    yc organization-manager idp application saml application set-access-bindings \
      --id <app_ID> \
      --access-binding role=<role>,group-members=<group_ID>

   To all authenticated users (the All authenticated users public group):

    yc organization-manager idp application saml application set-access-bindings \
      --id <app_ID> \
      --access-binding role=<role>,all-authenticated-users

   Note that All authenticated users is broader than organization-users: it covers any authenticated Yandex Cloud user, not only members of your organization. Use it only for apps that are meant to be reachable that widely.

   Provide a separate --access-binding parameter for each role. Here is an example:

    yc organization-manager idp application saml application set-access-bindings \
      --id <app_ID> \
      --access-binding role=<role1>,service-account-id=<service_account_ID> \
      --access-binding role=<role2>,service-account-id=<service_account_ID> \
      --access-binding role=<role3>,service-account-id=<service_account_ID>

   The set-access-bindings command replaces the app's entire list of access bindings. A call that lists only the new bindings removes every binding that existed before, so include all bindings that should remain in the same call.
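The procedure above can be wrapped in a small shell helper. The following is an added example, not part of the Yandex Cloud documentation or of the yc CLI: it assembles a single set-access-bindings call from role/subject pairs, checks each pair against the subject kinds listed above, refuses the All authenticated users public group unless ALLOW_PUBLIC=1 is set, and rejects an empty binding list (which would remove all access, since the command replaces the full list). The app ID, role names and subject IDs in the usage lines are placeholders; the helper only prints the command for review and does not run it.

```bash
#!/bin/sh
# Added example, not from the Yandex Cloud docs or the yc CLI. Assembles one
# "set-access-bindings" invocation for a SAML app from "role=<role>,<subject>"
# pairs and prints it for review (nothing is executed against the API here).
# Checks: each pair has a role and a subject kind the command accepts, each
# subject kind except all-authenticated-users carries an ID, the public group
# is only accepted with ALLOW_PUBLIC=1, and an empty binding list is rejected
# because set-access-bindings replaces the app's whole list of bindings.

YC_SAML_APP="yc organization-manager idp application saml application"

# Subject kinds accepted by --access-binding.
is_valid_subject_key() {
  case "$1" in
    user-account-id|federation-users|organization-users|service-account-id|group-members|all-authenticated-users) return 0 ;;
    *) return 1 ;;
  esac
}

# validate_binding "role=<role>,<subject>": 0 if well-formed and allowed, 1 otherwise.
validate_binding() {
  b="$1"
  case "$b" in
    role=?*,?*) ;;
    *) echo "malformed binding (expected role=<role>,<subject>): $b" >&2; return 1 ;;
  esac
  subj="${b#role=*,}"          # everything after "role=<role>,"
  key="${subj%%=*}"            # subject kind
  id="${subj#*=}"              # subject ID (equals $subj when there is no "=")
  if [ "$key" = all-authenticated-users ]; then
    if [ "$subj" != all-authenticated-users ]; then
      echo "all-authenticated-users takes no ID: $b" >&2; return 1
    fi
    if [ "${ALLOW_PUBLIC:-0}" != 1 ]; then
      echo "refusing public grant (set ALLOW_PUBLIC=1 to allow it): $b" >&2; return 1
    fi
    return 0
  fi
  is_valid_subject_key "$key" || { echo "unknown subject kind '$key': $b" >&2; return 1; }
  if [ "$subj" = "$key" ] || [ -z "$id" ]; then
    echo "missing subject ID: $b" >&2; return 1
  fi
  return 0
}

# build_set_access_bindings_cmd <app_ID> binding...: prints the command with one
# --access-binding per pair; returns 1 if any pair is invalid or none is given.
build_set_access_bindings_cmd() {
  app_id="$1"; shift
  if [ $# -eq 0 ]; then
    echo "no bindings given: set-access-bindings would remove all access to $app_id" >&2
    return 1
  fi
  cmd="$YC_SAML_APP set-access-bindings --id $app_id"
  for b in "$@"; do
    validate_binding "$b" || return 1
    cmd="$cmd --access-binding $b"
  done
  printf '%s\n' "$cmd"
}

# Usage with placeholder app ID, roles and subject IDs (constructed; replace
# with real values taken from steps 2 and 3).
build_set_access_bindings_cmd "<app_ID>" \
  "role=<role1>,service-account-id=<service_account_ID>" \
  "role=<role2>,group-members=<group_ID>"
```

Review the printed command before running it, since every binding not listed in it is removed from the app. Keeping the printing and the execution separate also lets the assembled command be attached to a change record.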
Use the Application.SetAccessBindings REST API method for the Application resource or the ApplicationService/SetAccessBindings gRPC API call.